Microsoft Won't Say If Skype Is Secure Or Not. Time To Change? 237

Posted by Unknown Lamer
from the disinfo-campaign dept.
jetcityorange writes "When asked repeatedly, a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]. Microsoft was granted a patent a month after purchasing Skype that covers 'legal intercept' technology designed to be used with VOIP services. Is it time to consider more secure alternatives like Jitsi, as Tor's Jacob Appelbaum suggests?"
This discussion has been archived. No new comments can be posted.

  • Seriously? (Score:5, Insightful)

    by Anonymous Coward on Tuesday July 24, 2012 @12:04AM (#40745337)

    The more shocking idea is the assumption that any major VOIP service based in a major country does not allow intercepting on their services.

    • Re:Seriously? (Score:5, Informative)

      by arbiter1 (1204146) on Tuesday July 24, 2012 @12:08AM (#40745363)
      Agreed, it's dumb to assume your calls can't be tapped. It's like you're using WiFi at McDonald's and thinking you are 100% secure. MS has to work within the law.
      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Yeah, another non-story.

        And no, we will not switch to your unheard-of, no-name, pet-fav, video conferencing software. Definitely not because some guy from the tor project said we should.

        Our families all use Skype and it works fine.

        • Re:Seriously? (Score:5, Insightful)

          by Anonymous Coward on Tuesday July 24, 2012 @12:34AM (#40745573)
          This is the sort of thing that should be attacked at the source, which is the government, not the companies/people that are obliged to abide by the laws set out by that government.
        • Our families all use Skype and it works fine.

          Skype used to work fine. Lately it drops a lot of calls on me and sound quality seems to be going downhill, lots of stutters and outright strange garbage. And lag on the presence notifications has gone through the roof. Now I really can't trust what I see when Skype tells me somebody is on or offline. And it's not my network, Google talk works just fine including video.

          Another thing that's gone downhill on Skype: nobody seems to hang out there any more. It used to be, I'd see all my contacts whenever they a

      • Speaking of the law as well, let's assume that they are actively doing intercepts for law enforcement. They might just be bungling being overly careful.

        They say they are secure: Someone finds a way to hack and listen in to a VOIP call. Risk being sued for misrepresenting the security of their system.

        They say there are flaws, or even there could be flaws, maybe even acknowledging one day they might be forced to allow the equivalent of a wire tap: Attacked relentlessly even if they don't know if any flaws actu

    • Re:Seriously? (Score:5, Interesting)

      by houstonbofh (602064) on Tuesday July 24, 2012 @12:09AM (#40745373)
      I guess that is why the OP mentioned Jitsi. That and a server of several different types, or direct site to site, and there is no "service."
    • Anything transmitted online - whether it be VOIP or cleartext or whatever - can be tapped
       
      Even when you tunnel your channel, even when you employed all the evading/security technologies that you can think of, if TPTB wants to know what you do, they could find ways to _CAN_ tap you
       
      But of course, we _are_ talking about Microsoft in this case, which makes it even more poignant to understand how frail our security situation really is, online
       

      • Re:VOIP (Score:5, Insightful)

        by houstonbofh (602064) on Tuesday July 24, 2012 @12:13AM (#40745409)
        However, with minimal security, you can at least avoid any automated eavesdropping. And arguably, there is consumer level security that can stand up to almost anything short of someone hitting you with a wrench.
      • Re:VOIP (Score:4, Insightful)

        by Sir_Sri (199544) on Tuesday July 24, 2012 @12:23AM (#40745483)

        But of course, we _are_ talking about Microsoft in this case

        Which comes with benefits too. Microsoft being a big, publicly traded company with offices in all major countries has to follow consumer protection and privacy laws too, and they can be in for a world of hurt if they don't. Using some 'inherently private' setup runs the risk that somewhere along the line that system both has a bug in it, and that bug is being actively exploited against you - and you have no recourse against the company running it (or the peers).

        • Re:VOIP (Score:5, Insightful)

          by davester666 (731373) on Tuesday July 24, 2012 @01:27AM (#40745821) Journal

          That's funny.

          What 'world of hurt' would Microsoft be in for?

          Don't you remember what the US gov't did to help out their friends at AT&T and the rest of the 'conventional' phone industry when they happened to get caught assisting the gov't in mass recording of phone calls?

          Is there any gov't that is not interested in even occasionally listening in some Skype calls? No. Any countries passed a law preventing wiretapping VOIP calls? No. So having a back-door into every call is legal around the world.

          All that's left to argue about is how that back-door is used. And surely you can trust Microsoft to do what's right.

          And I'm sure they've only occasionally wiretapped calls where neither user is within the borders of the requesting country.

          • Re:VOIP (Score:4, Informative)

            by Sir_Sri (199544) on Tuesday July 24, 2012 @01:54AM (#40745959)

            caught assisting the gov't

            That is, immediately, a separate problem from one of them just spying on you for their own purposes, selling that information to other people or the like.

            Wiretap (and intelligence) are lawfully chartered, you may not like it, but you have to accept that governments can do those things, because they've given themselves the right to. They also tell companies what they can't do, and penalize them for such behaviour if they are so inclined, an entity not attached to a country where you have legal standing can basically do whatever the hell it wants to you and you can't do anything about it.

            • Re:VOIP (Score:5, Insightful)

              by TheGratefulNet (143330) on Tuesday July 24, 2012 @03:49AM (#40746501)

              I like how you phrased that. that the govs *give themselves* the right to wiretap. this was NEVER a right transferred from the people to their rulers.

              "but we can catch bad guys!"

              yeah, and you can catch good guys, too. is this balance worth it? when we all lose our sacred (imho) right to private comms with each other, as we choose? when we have to wonder 'is someone going to use this out-of-context such and such against me if they tap into my comms?'

              chilling effect. it's here and it's disturbing.

              but the govs gave themselves this right. they STOLE this right without due process.

              no one seems angry about it as it's all explained as 'well, if we catch bad guys, how can you be against this?'

              we once used to think that it was more just to let a few bad guys go than to have even one innocent guy be punished. but we have broken this idea with our privacy. we think that trading privacy for security is a 'win'.

              we didn't always think this way, though.

              every time I hear 'lawful intercept', I throw up a little. it makes me sick what we do to our dignity and personal rights. it's NOT a fair trade! and we were NOT asked!!

        • by gl4ss (559668)

          USA government can make things legal retroactively IF they get caught pants down. they've done it before and will do it again. moreover they're giving de facto immunity to companies helping them trample on international and domestic law every single day.

      • Re:VOIP (Score:5, Insightful)

        by EdIII (1114411) on Tuesday July 24, 2012 @12:37AM (#40745595)

        That's a rather defeatist attitude.

        Sure, the government could fake an anal probing and install their monitoring infrastructure in my nether cavities, but is it worth all that trouble?

        It's not about if you can be tapped, but how much resources were used to do the tapping. ZRTP (endpoint-to-endpoint encryption) mentioned in their alternative Jitsi, would substantially raise the bar for casual automated interception.

        That's the idea really. Make it to where everything they intercept is heavily encrypted with well used, well scrutinized encryption methods. If they want to bypass that encryption it will require having direct control over your device, to have direct influence on the platforms and software, or well known backdoors in software. That substantially raises the bar on multiple fronts since it will require specially crafted malware, special legislation (boy will that be unpopular), and maintained secrecy (conspiracy theorists say they have it already) with cooperating companies. As for the secrecy, we are discussing patented technology to help the government automate eavesdropping right? Not like it is a big secret....

        The article has the answer already. It is time to move on. Find a newer platform that will not allow eavesdroppers and act only as a middleman to set up heavily encrypted communications. There are plenty of SAAS providers that only store encrypted data so they can turn over that data on demand to law enforcement and not have the keys.

        What may help the most, is what is lagging ass... IPv6. I can see a future with DNS records and open source P2P services that will allow us to directly control who can initiate communications with us. Once you get around not requiring a middleman to punch through NAT for VOIP services it becomes substantially easier to perform call setup and tear down.

        • Re: (Score:3, Informative)

          by Anonymous Coward

          I don't disagree with your comment, but..

          ZRTP (endpoint-to-endpoint encryption) mentioned in their alternative Jitsi, would substantially raise the bar for casual automated interception.

          I'd say it'd make it nearly impossible (without resorting to active attacks using malware and stuff like that). It uses no PKI, unlike HTTPS, and you can enforce and define which encryption methods to use (public cryptosystem, hash function, cipher). If you're worried about the NSA being able to break AES, you can run your conversations over AES+Blowfish+Serpent or something silly like that.

          If they want to bypass that encryption it will require having direct control over your device, to have direct influence on the platforms and software, or well known backdoors in software

          True, but in the case of Jitsi (and stuff like Pidgin-OTR), there are no "key

      • Re:VOIP (Score:5, Insightful)

        by Nursie (632944) on Tuesday July 24, 2012 @12:53AM (#40745659)

        "Anything transmitted online - whether it be VOIP or cleartext or whatever - can be tapped"

        I would dispute this. Or do you mean "They could tap it given several centuries and all the computing power on the earth" ?

        Some encryption is that good, and no I don't believe that the secret, shadowy, magical NSA have backdoors in every encryption library on the planet.

    • by stms (1132653)

      I know this is /. and all but come on, this has been the case with Skype for years; if the editor had skimmed the wiki [wikipedia.org] they would know this is not News. Do we really need an anti-Microsoft story every day?

    • Re:Seriously? (Score:4, Insightful)

      by Zemran (3101) on Tuesday July 24, 2012 @02:04AM (#40746015) Homepage Journal

      For personal, of interest to no one, type communication your point is valid but if I am communicating with regard to trade secrets it is very important to me to know that my communication is secure. Skype used to be secure and therefore this is an issue.

    • by dbIII (701233)
      If it's not encrypted and somebody has the ability to run the traffic through a bridge it won't be all that difficult for them to intercept it.
  • seriously? (Score:5, Insightful)

    by GNULinuxGuy (2483278) on Tuesday July 24, 2012 @12:09AM (#40745371) Homepage

    If you are serious about privacy Skype was never even an option! ;)

    • Privacy, self esteem, independence... Problem is that video over IP is/was notoriously difficult to make plug and play and every non technical person can only go as far as DLing one program without shopping around so they would just install Skypee and be done with it, which arguably is the `safe` in the "non time consuming" way choice. No matter that centralized communications like these are wrong from inception on they are the wide standard because it made sense to some company and said company invested int

      • Problem is that video over IP is/was notoriously difficult to make plug and play

        The thing is, it shouldn't be - the "difficulty" is largely down to the shitness of the software. I've got hardware VoIP phones from Grandstream that pretty much "Just Work" (you plug 'em in, enter your SIP login details and they do what they are supposed to). Meanwhile all the softphone software I've tried is pretty much balls: on Linux, Ekiga is "ok" but rather too buggy for every day use. On OS X I've yet to find any SIP software that does video except for Xmeeting, which is buggy as hell (to the poin

    • Amen,

      I used Skype for work. I had my Bluetooth earpiece in and was using my laptop. Out of the blue, with no action on my own part, I'm listening to two people talking. It was a conversation held over Skype. I contacted support and told them what had happened and asked for an explanation. In response I got some canned non-answer.

      I don't use Skype anymore.

  • by houstonbofh (602064) on Tuesday July 24, 2012 @12:10AM (#40745381)
    If there is a third party running the server in the middle, there can be no trust. Run your own server if you need security. There are lots...
    • by silas_moeckel (234313) <silas&dsminc-corp,com> on Tuesday July 24, 2012 @12:53AM (#40745665) Homepage

      I would have to disagree. I can ensure that my communication is not tapped between me and other parties even going through third parties. This is the basis of public key crypto. The third party can still track who I communicated with but not what was said. Tor and similar systems are meant to take care of that (if you're seriously paranoid, systems to connect two parties have existed since well before the modern computer).

    • by Tom (822)

      That's totally wrong and everyone who modded that up should go sit in the corner and re-read "Applied Cryptography".

      You can build a service providing data exchange between two parties with a server handling the connection without that server (or anyone else) being able to listen in. What we don't know is if Skype was built this way or not. And that's the problem.

  • by guises (2423402) on Tuesday July 24, 2012 @12:15AM (#40745423)
    It's been assumed for a long time that Skype is insecure, as one would expect from a prominent closed-source solution like that. The thing that's new (to me, I hadn't heard it) is that Microsoft purchased Skype. I have no particular fondness for Microsoft but they're more upstanding than Ebay, which gave up a lot of customer information after 9/11 without warrants and denounced other companies for not doing the same.
  • We've used OTR when we want to IM about something sensitive - is there any sort of similar plugin for Skype? It appears there's a text chat OTR plugin... but a video version would be more useful for most people.

    • I don't think there are any that use the major video chat clients (skype, etc), but you can set up a private ejabberd server fairly easily and do video-chat over SSL using that. I've actually set that up in the middle of a park with no internet connection (ejabberd was pre-configured on a laptop). Best part is there are xmpp/jabber clients for just about ANY platform (including iOS and android). Blackberry is the only one we haven't tried yet.
  • by tftp (111690) on Tuesday July 24, 2012 @12:16AM (#40745427) Homepage

    I just tried Jitsi while /. was in maintenance mode. It does not work on this very standard Win7 box. Incoming audio is missing; logs are missing. Uninstalled already - not usable. Bria works fine. My VoIP server (3CX) is on the local subnet.

    But even beyond that, Jitsi is not a solution; it's a component. The only way to make it into a solution is by selling your soul for cheap to the likes of Google and Facebook. That would be counter-intuitive for a product that sells itself as a secure thing.

    The only reasonably secure way is to run Jitsi on your own SIP server. However that is not an exercise for everyone. A geek can deploy a SIP server, but a common man cannot even understand what we are talking about here.

    I'd say that 3CX people already have a solution. First, they have a TCP tunnel that you can use to go through firewalls and specifically NAT. Then they support encryption [3cx.com]. And finally, their stuff works. (This is important, despite what some geeks say.) They also have a client for Android (besides the usual suspects.)

    However in terms of simplicity Skype leads the pack.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      I tried Jitsi like you did. I've been looking for an alternative to Skype for a while but could not find one.

      I consider myself to have above-average knowledge of computers. However, compared to a pro, I'm just an average person.

      I ran into the exact problem you describe: I figured out that while Jitsi lets me use many different services to log in with (e.g. msn, yahoo, etc.), the only really secure ones were SIP and XMPP.
      The problem was, I couldn't figure out how to use these (what are they anyway? protocols?)

      • by FireFury03 (653718) <slashdot@@@nexusuk...org> on Tuesday July 24, 2012 @03:28AM (#40746427) Homepage

        I will ask a friend who works in IT if he can help me, but I'm pretty sure he will tell me that he's not familiar enough with SIP to help me out.

        Googling for "Asterisk" is a pretty good place to start.

        I'm not entirely sure why it's so complicated in this day and age to cut out the middle men and connect with your relatives directly through the Internet, but well, that's the way it is at the moment.

        Largely you can blame NAT. Some background on how SIP works when you place a call to someone:
        1. The calling phone sends a SIP message to the callee's phone asking it to ring. The SIP message also tells it where (ip address / port) to send the media (audio / video)
        2. The callee's phone rings
        3. The callee picks up
        4. The callee's phone sends a SIP message to the caller's phone telling it that the call has been picked up. The SIP message tells it where (ip address/port) to send the media.
        5. Both sides start sending media over RTP to the other, since they have now exchanged media destination address details.
        6. The two parties have a conversation.
        7. One of the parties hangs up
        8. The hanging up phone sends a SIP message to the other phone telling it the call has terminated
        9. Both sides stop sending media

        This fundamentally does not require any middle-men - you can tell your phone to call someone else's directly if you know its IP address (which you could discover using DNS, for example). However, there are some issues with this simple view on things:
        A. In the real world, phones don't have static IP addresses, they move around the internet. This problem is fixable with dynamic DNS, although now you've introduced a third party (the DNS server).
        B. People usually have firewalls between them. If the callee's phone isn't directly accessible from the caller's network, the caller can't send the initial "ring" SIP message. This could be fixed by poking a hole in the firewall for port 5060. More usually it's fixed by having a SIP registration server somewhere on the internet - your phone connects to that server and that server is responsible for relaying SIP messages to it. So calling phones actually send the SIP packet to the registration server rather than directly to the callee's phone (this also fixes problem (A) without the need to resort to dynamic DNS too, since the callers now only need to find the registration server rather than the phone itself). Of course, your registration server is a "middle man", but luckily only carries the signalling traffic - the media still goes directly between the phones, which is good since it takes the shortest network path, therefore improving the quality of service.
        C. This one is the killer - NAT. Remember the phones exchanged addresses to send the media to? Well, the problem is that once you stick NAT in the way, those addresses change... and they change in a way that is completely unpredictable. So now the endpoints have no idea where the hell to send the media. The work around to this is to send the media via a server too. And there you go, the dream of true peer-to-peer VoIP has been completely shot out of the sky.

        Once IPv6 is widespread we can go back to just sending the signalling via external servers rather than the entire media stream, but I'm afraid NAT is way too widespread to get away with that on the IPv4 network.

        Of course, there's nothing stopping the phones doing end-to-end encryption on the media, which would largely make the existence of a middle-man irrelevant, from a security perspective. On a closed system like Skype, there's no way to know which nodes are able to decrypt/decode the data though, so in that case you're always going to have to trust the vendor to tell you the truth instead of being able to independently confirm the security of the system.
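The NAT problem (C) and the closing point about who can decrypt the media can both be read straight off a SIP offer. The following is an added example, not part of the original comment: a small Python audit of a constructed INVITE that flags media addresses that cannot be reached from outside and classifies how each stream is keyed. The sample message, its addresses and the finding names are assumptions made for illustration; `a=crypto` (SDES) and `a=zrtp-hash` are standard SDP attributes.

```python
import ipaddress

# RFC 1918 ranges, checked explicitly: ipaddress.is_private would also match
# documentation ranges such as 203.0.113.0/24 used in the sample below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr is an IPv4 literal inside a private (NATed) range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # SDP may carry a hostname instead of an IP
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)

def split_sip(raw):
    """Split a SIP message into (start line, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_sdp(body):
    """Return one dict per m= line: type, port, proto, addr, keying attrs."""
    session_addr, media = None, []
    for line in body.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        kind, value = line[0], line[2:].strip()
        if kind == "c":                       # c=IN IP4 192.168.1.23
            addr = value.split()[2]
            if media:
                media[-1]["addr"] = addr      # media-level override
            else:
                session_addr = addr
        elif kind == "m":                     # m=audio 49170 RTP/AVP 0
            mtype, port, proto = value.split()[:3]
            media.append({"type": mtype, "port": int(port.split("/")[0]),
                          "proto": proto, "addr": None, "keying": set()})
        elif kind == "a" and media:
            name = value.split(":", 1)[0]
            if name in ("crypto", "zrtp-hash"):
                media[-1]["keying"].add(name)
    for m in media:
        if m["addr"] is None:
            m["addr"] = session_addr
    return media

def audit_invite(raw, observed_src):
    """Compare what the offer claims with where the packet really came from."""
    _, headers, body = split_sip(raw)
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    findings = []
    for m in parse_sdp(body):
        where = f'{m["type"]} {m["addr"]}:{m["port"]}'
        # Problem C: the offer advertises an address that only exists behind
        # the caller's NAT, so RTP sent there from outside goes nowhere.
        if is_rfc1918(m["addr"]) and not is_rfc1918(observed_src):
            findings.append(("NAT_MISMATCH", where))
        if "zrtp-hash" in m["keying"]:
            # ZRTP key agreement runs in the media path, endpoint to endpoint.
            findings.append(("E2E_KEYING_OFFERED", where))
        elif "crypto" in m["keying"]:
            # SDES: the SRTP key sits in the SDP, readable by every server
            # that relays the signalling.
            findings.append(("KEY_VISIBLE_TO_SIGNALLING", where))
        else:
            findings.append(("PLAINTEXT_MEDIA", where))
    return findings

# Constructed sample INVITE (not captured traffic); the key is a placeholder.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.23:5060;branch=z9hG4bKconstructed",
    "From: <sip:alice@example.net>;tag=1",
    "To: <sip:bob@example.org>",
    "Call-ID: constructed-1@192.168.1.23",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.168.1.23",
    "s=-",
    "c=IN IP4 192.168.1.23",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "m=video 49172 RTP/SAVP 96",
    "a=rtpmap:96 H264/90000",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDPLACEHOLDERKEY",
    "",
])

if __name__ == "__main__":
    # 203.0.113.10 stands in for the public address the NAT presented.
    for code, where in audit_invite(SAMPLE_INVITE, "203.0.113.10"):
        print(f"{code:28s} {where}")
```

A registration server or relay that sees this offer can read the video stream's SDES key, which is the independently checkable difference between "encrypted" and "end-to-end encrypted" that a closed client does not let you inspect.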

        • If you think companies are going to let all their systems talk to the internet at large just because they use IP6 then you're off with the pixies. It's almost certain that most corps will limit ip6 devices to link local only addresses and use some form of address translation as a "security" measure. The only thing IP6 will gain us is huge increase in general network complexity.

          • If you think companies are going to let all their systems talk to the internet at large just because they use IP6 then you're off with the pixies. It's almost certain that most corps will limit ip6 devices to link local only addresses and use some form of address translation as a "security" measure. The only thing IP6 will gain us is huge increase in general network complexity.

            Ok, who said anything about "companies" here? The discussion was a general "why can't we do VoIP without any middle-men?", not a specific "why can't we do VoIP without any middle men in a highly restricted corporate network?".

            So let's divide this up into the three markets:

            Home users:
            Currently these usually have an RFC1918 network and do NAT and ingress firewalling at the point they connect to the ISP. Usually there is no egress firewalling. These people want devices they plug into their network to Just Wo

    • they have a TCP tunnel that you can use to go through firewalls and specifically NAT.

      Sending voice/video over TCP is a monumentally silly idea, (and doesn't really offer an advantage over UDP for NAT traversal)

      • by tftp (111690)

        Perhaps, but you need to tell that to 3CX developers. It was them, not me, who added the tunnel. As they say themselves [3cx.com], there is a reason for the madness:

        We are pleased to announce a new release of 3CXPhone for Android, build 1.3.1, which includes the 3CX Tunnel. With the 3CX Tunnel feature, you can proxy all SIP and RTP traffic over a single port and bypass any restrictions that telecom providers implement to block VoIP calls. Often telecom providers will block common VoIP ports.

        I have it configured on my Android tablet, and it works fine when I connect from a remote location. A TCP connection is a tad more reliable than a bunch of hacks upon hacks (also known as NAT, STUN and other stuff.) At least proper routing of packets of an established connection is a required and supported function of every router, very much unlike han

      • by gl4ss (559668)

        it's not silly if it gets the job done.

        routing tcp over udp is silly only until it's the only way to route data from the app you want to where you want, then it becomes just a question of if it's fast enough or not.

        • it's not silly if it gets the job done.

          The thing is, it won't get the job done reliably. Google "head of line blocking" - if you drop a voice packet you want to make do without it (phones usually try and predict what would've been in the packet to fill the gap - that tends to be "good enough" to make your brain think there wasn't much disruption most of the time). Holding up the entire media stream until you arrange for a packet that's already too late to be retransmitted (thereby making a lot more of the packets too late) is the worst thing y

      • by drinkypoo (153816)

        Sending voice/video over TCP is a monumentally silly idea, (and doesn't really offer an advantage over UDP for NAT traversal)

        Yes, in fact, it does offer an advantage. It can work if one party doesn't have any ability to open incoming ports. That is significant.

    • by makomk (752139)

      If I understand the technologies it's using correctly, I think that 3CX may allow the PBX to intercept voice communications and it doesn't appear to be designed to ensure communication that goes outside the PBX is encrypted. So it's probably less secure than using Jitsi which - even if it does require you to sell your soul to Google - doesn't trust the server you're using and gives you a way to detect if someone's trying to MITM you.

      • by tftp (111690)

        I think that 3CX may allow the PBX to intercept voice communications

        Normally the media streams bypass the PBX, so it cannot intercept the voice even if it wants to. The call setup can be intercepted, of course, because that's what the server does.

        One exception is common to all PBXes that implement it. If your configuration warrants that, you can configure the system so that media streams go through the PBX, for one reason or another. This however is not scalable. But then you can record. Some businesse

  • by Nostrada (208820) on Tuesday July 24, 2012 @12:17AM (#40745439)

    . . . with my Family are of interest to any government. Come on, Skype is for keeping in touch with the old folks at home. For anything serious you would use something more peer to peer without any 3rd party involved. And even then . . .

  • Here we go: Microsoft is a major multinational corporation, with a substantial base, substantial assets, most of their higher-ups, and a fat load of juicy contracts within the jurisdiction of the United States(and a number of other countries that have less clout; but are no more savory)...

    Now, according to the feds [fcc.gov]"CALEA Compliance for Packet Equipment, And Equipment for Facilities-Based Broadband Internet Access Providers and Providers of Interconnected VoIP

    All facilities-based broadband Internet access pr

    • Re:Ok... (Score:5, Informative)

      by starfishsystems (834319) on Tuesday July 24, 2012 @01:53AM (#40745955) Homepage
      It isn't entirely clear whether PC-PC skype connections would be treated as part of that 'interconnected VoIP service' or whether, because they aren't directly interconnected, they are treated separately.

      As someone involved with engineering a CALEA intercept appliance, I can offer a practical answer to your question. If you operate a network under jurisdiction of the United States and you receive a court-ordered request to intercept packets transiting that network to or from an IP address or a person as identified in that court order, you must intercept those packets and only those packets, and you must make them available for retrieval by the law enforcement agency identified in the order. If you fail to do so, you're subject to a substantial fine for each day of non-compliance.

      It doesn't matter what data the packets may be carrying, or whether the LEA knows how to interpret them. Your responsibility is simply to perform the packet capture and make the data available. What Microsoft thinks about this has absolutely no bearing on the problem.
      • since you have some experience in calea, I'm curious about this: suppose the user is employing end to end encryption. is that not 'obstruction of justice' by the 2 end users, then? afterall, the gov is giving itself the right to tap you. if you 'hinder them', aren't you obstructing?

        and if so, then how is end to end encryption legal in the US?

        it seems like an arms race with the population. we users want privacy and are prepared (some of us) to use it. the gov, otoh, wants every single fucking line to be

        • by Sabriel (134364)

          Not the GP, but as far as I know (not a lawyer) at least in the US "obstruction of justice" has a specific meaning and requires your knowledge that there is justice (in the form of an ongoing investigation or trial) to obstruct. Now the govt could say, "hey we're investigating you, so you better not be hiding evidence from us in that encrypted data" and you could say, "I'm not hiding anything from you, that's just standard procedure". They could respond with, "alright then, give us the key" and you could re

        • This has nothing to do with CALEA. See my synopsis above. CALEA is about packet intercept, not interpretation of the resulting packets. The language is quite clear and it says nothing whatever about encryption. Therefore there can be no "obstruction of justice" arising from encryption. Of course it's possible that future legislation could tighten the noose. CALEA can be seen as as strategic move rather than an end in itself. But in that sense, I'm surprised at how little controversy it's raised.

          Mea
  • by 5ynic (755747) <(moc.liamtoh) (ta) (snehpets_yaj)> on Tuesday July 24, 2012 @12:31AM (#40745539) Homepage Journal
    Here's my question - I'm hoping some knowledgeable slashdotter with some IP nous can clear up my confusion. Are there any technical, or any legal reasons, why a 3rd party app cannot simply wrap Skype, at least for voice calls (leave video aside for now). Lots of 3rd party apps present as printers to the OS, and when you print to that virtual printer, they create an eps file or a PDF file or whatever.... Why is it hard for a 3rd party app, similarly, to present as a headset (mic + speakers) to the OS, allowing the user to run Skype as well as the 3rd party VOIP app, and select that headset in the Skype audio options. You could then run your 3rd party VOIP solution, and have Skype set up to start in the background. Calls in either direction to others on Skype could be handled transparently in the 3rd party VOIP app, and that would give users the chance to gradually get their network of friends and family swapped over to open, standards compliant VOIP solutions, without having to give up on contact with those running Skype (face it, that's everyone), or switch between 2 apps for calls (I understand the API already exposes things like accept call...) If this is a viable way to overcome the powerful networking externalities that Skype now has working in its favour as a barrier to new entrants, has it not been done because of a) legal b) technical c) marketing or d) other issues?
  • Microsoft Won't Say If Skype Is Secure Or Not. Time To Change?

    Can all the alternatives solemnly promise me that they're secure too? And to jump to the end of the ensuing discussion, where do I gain the expertise to be a subject matter expert (in several areas) and length of time in which to review all relevant code?

  • by gweihir (88907) on Tuesday July 24, 2012 @12:43AM (#40745613)

    If you are getting concerned _now_, then you have been asleep at the wheel.

  • stands to reason (Score:2, Insightful)

    by roc97007 (608802)

    When I heard Microsoft had purchased Skype, my first thought was "Skype is dead". It only remained to find out in what way it met its demise.

  • by jhaar (23603) on Tuesday July 24, 2012 @01:29AM (#40745833)

    Then check out his latest venture

    https://silentcircle.com/

  • by guttentag (313541) on Tuesday July 24, 2012 @01:48AM (#40745919) Journal
    They patented VOIP wiretaps so no one else could do it. You can sleep soundly tonight knowing that if anyone* even tries to wiretap your calls, they'll slap them so hard with a patent infringement suit their grandkids will still be indebted to Microsoft.

    *The term "anyone" does not include government agencies, Microsoft business partners, affiliates or Microsoft itself.
  • Perhaps it's not the intention of the Slashdot editor who titled this story, but you know the saying where if a news title is phrased as a question the answer is always "No"? Well this is the case here as well.

    You should always have been aware that Skype might be monitoring your calls, since you don't control the network. Nothing has changed ever since Microsoft took over, so what makes it the case that NOW it's time to change? Besides, change to what? There's nothing else out there which is accessible to m

  • Aside from not padding its encrypted packets, thus leaking data via phonemes, etc., MS will certainly be complying with the "law" to the furthest of their abilities -- and then some, I suspect. MySpace was known to essentially gift-wrap user data and send it to law-enforcement, probably with chocolates too. Although it's not an entirely unreasonable question, I think paranoia can be liberally applied to the question of Skype's security.
    One thing that really peeves me about Skype is their assignment of a gener
    • Oh dear, I forgot to add this: http://www.youtube.com/watch?v=qc8i7C659FU&NR=1&feature=endscreen [youtube.com] -- Finspy, man-in-middle (Skype) attack promo video. I am not sure why, but I always chuckle when I watch it. Under the guise of "terror", which by my perspective could be just about anything lately, this stuff might get deployed more often than gets reported. I figure if it's in the category of terrorism/domestic-extremism, it is likely exempt from transparency.
  • My mom's Skype account was recently hacked. Apparently the hackers were able to abuse the Skype Manager [skype.com] system to gain control of her account without her authorization, transfer her account balance, and reset her password. Skype's customer service has acknowledged the problem but has not been able to restore access to the account yet.

    (I don't know any more details than that, as I haven't been involved.)

  • Skype is insecure. (Score:5, Insightful)

    by bmo (77928) on Tuesday July 24, 2012 @02:16AM (#40746065)

    "When asked repeatedly a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]"

    Then it's not. When you have to guess, in this case, whether skype is secure, assume the worst. Absence of proof of security is proof of no security.

    --
    BMO

  • Skype is about as secure as your mobile phone's GSM chip which has a deliberate flaw (backdoor) to allow hacking of your phone call.
  • Is it time to consider more secure alternatives

    Why now? How does Microsoft change anything? It was time to consider more secure alternatives from day zero!

  • by TCM (130219)

    What do you mean, change? I never used Skype in the first place, _because_ it's an obscure binary blackbox.

  • When asked repeatedly a Microsoft spokesperson refused to confirm or deny that Skype conversations [could be monitored]

    Skype was just purchased by Microsoft. This is a wild guess, but the software may not be well written, and MS may still be having a hard time figuring out what it does exactly, and where. The MS guy may just have answered out of incompetence.

    • The MS guy may just have answered out of incompetence.

      You are very quick throwing around big words like "incompetence". "Incompetence" means not doing his job well. His job, as a PR person, is to tell the press (and bloggers) exactly what Microsoft wants him to tell them - so not answering the question can mean that he is actually very competent. His job is most definitely not to make up answers on the spot if he doesn't know the answer - so at worst, this is lack of knowledge, but not incompetence. And of course he gave a prepared statement as an answer. It i

  • Of course it isn't secure in that sense. Of course your calls can be monitored and recorded.

    If that is not the case then Microsoft are in breach of US laws regarding telecommunications (some brought in over recent years under the banner of national security, some that have been around longer).

    If calls could not be monitored when they bought Skype, they will have changed that soon after, or if they still haven't sorted that yet they will be actively working towards that goal as we speak. Whether the la
  • by unixisc (2429386) on Tuesday July 24, 2012 @06:05AM (#40746991)
    Can anyone tell whether Skype, Jitsi or any other similar service now works w/ IPv6? From what I understand, these sort of applications require end to end connectivity, and since it's increasingly rare in cases of IPv4, I was wondering how they are w/ IPv6. Any idea?
  • by gnasher719 (869701) on Tuesday July 24, 2012 @06:11AM (#40747007)
    "Citing “company policy,” Skype PR man Chaim Haas wouldn’t confirm or deny, telling me only that the chat service “co-operates with law enforcement agencies as much as is legally and technically possible.”"

    Well, what do you expect? He is a PR person. He can't answer that question, unless the legal department has told him what answer to give. And we haven't actually seen the exact question that was asked and the devil could very well be in the details. A slight difference in questioning might give a completely different answer.

    Just as an example: The headline here says "Microsoft won't say if Skype is secure or not". The summary asks whether Skype conversations [could be monitored]. The article headline asks whether Skype can eavesdrop on your conversations. These are three different questions within five minutes, so we cannot possibly know which question the PR man refused to answer. My guess: None of those three.
  • I don't use Skype, but I assume they are not happily wasting bandwidth. I'm pretty sure the audio is being reinvited whenever possible (meaning it's just signalling going between you and the Skype server, and it just tells you the IP of your peer, and you send your media straight over there through RTP).

  • To...what?
    Last time i looked for an alternative, the only thing I could find was a crappy HP knockoff.
  • Apparently MS got the go ahead to drive users who care to Jitsi. This way they know where to listen for the good stuff.
