Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Communications Security

More Skype Back Door Speculation 210

An anonymous reader writes "According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations."
This discussion has been archived. No new comments can be posted.

More Skype Back Door Speculation

Comments Filter:
  • by vertinox ( 846076 ) on Saturday July 26, 2008 @10:14AM (#24348273)

    I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that is completely open.

    • Re: (Score:2, Informative)

      gizmo
    • by Naughty Bob ( 1004174 ) * on Saturday July 26, 2008 @10:21AM (#24348323)

      I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that is completely open.

      I asked the internet, she donned her Stupomitron Helmet, et voilà [wikipedia.org]

      • by The Cisco Kid ( 31490 ) on Saturday July 26, 2008 @10:51AM (#24348557)

        An alternative to what? To Skype? To the PSTN? Software running on a PC is always going to be a poor solution, and is far from your only option for Internet voice communication. You do NOT need some app on your PC to do VoIP. What you want is something called an ATA - its a little box that has a jack for a regular phone, and an ethernet port. They are often supplied with service such as Vonage, but are usually 'locked' down to that provider. You can also but them directly, but you will of course still need 'something else' to initiate SIP connections to. For information about real VoIP networks (both net-to-net, as well as PSTN interconnection), visit voip-info.org

      • by FriendlyLurker ( 50431 ) on Saturday July 26, 2008 @11:26AM (#24348817)

        Two words: Network Effect [wikipedia.org]. All the alternatives I have reviewed are harder than skype. Harder to download, setup, use, the list goes on.
        Result: Skype is popular - they nailed delivery to the "masses". No screwing around with the microphone, NAT/firewalls, SIP providers, names etc etc. The average joe can just download and install it in just two url clicks, type in a name and begin to use it. Done deal.
        All the open source VOIP (most of them SIP) I have seen completely miss this most important point, and so all their development effort is ultimately wasted - walled themselves off to the technically proficient crowd and not benefiting from the network effect.

        • by Naughty Bob ( 1004174 ) * on Saturday July 26, 2008 @11:45AM (#24348947)
          I found Ekiga pretty straight forward to get working. Not two clicks, for sure, but you are led through all the necessary steps by the nose.

          And the network effect no longer applies if Ekiga users can call Skype users (And they can [tmcnet.com]).
        • by kwark ( 512736 )

          The couple of SIP providers I toyed with provided a preconfigured (windows) program, no need to screw with settings other than asking the users name/passwd on initial run (not that I tried those since I let my local Asterisk server connect to them, but my experience is that using a stun server solves normal connection problems).

          An other easy way to prevent RTP connection problems is for the SIP provider to remain in the mediapath (which is a nice MIM vector for snooping).

    • Re: (Score:3, Informative)

      by Tsuroerusu ( 775881 )

      I don't use Skype (or VoIP for that matter) but I would be curious if anyone knows of any alternatives that is completely open.

      For Linux there's a decent program called I Hear You (IHU), very simple program, GPL-licensed etc., you can find it at http://ihu.sourceforge.net/ [sourceforge.net]

    • Re: (Score:3, Informative)

      by Kent Recal ( 714863 )

      VoIP/SIP is open.
      You only need a client [voip-info.org] and an account with any of the free SIP providers. Or you setup asterisk (or another free PBX software) and become your own provider.

      The problem with SIP is that few people actually use it whereas skype is everywhere.

      • by raju1kabir ( 251972 ) on Saturday July 26, 2008 @10:58AM (#24348609) Homepage

        The problem with SIP is that few people actually use it whereas skype is everywhere.

        Several orders of magnitude more daily minutes are done with SIP than Skype. SIP is used for corporate networks and calling card providers and lots of other situations.

        • by TheRaven64 ( 641858 ) on Saturday July 26, 2008 @11:06AM (#24348677) Journal
          Very few people on the Internet use it. Most SIP usage is either on private networks (e.g. intra-company) or bridged to POTS at the far end.
        • Well, the SIP protocol is used more, yes. And it's gaining ground as more and more ISPs (at least here in europe) are offering VoIP along with internet access instead of landline + internet access.

          In this case I was referring to the skype standard use-case, though. That is: end-users making calls with a softclient. AFAIK Skype is still the 900# gorilla in this segment, simply because everybody knows "Skype for calls" (akin to "Google for search") and hardly anyone bothers to look beyond.

    • Servers and bandwidth cost money. Sorry, no way OSS can solve this on its own.

      • Re: (Score:3, Informative)

        VOIP is peer-to-peer. A server is only used for matchmaking, and bandwidth is minimal.

        Besides, OSS != guy in basement. Mozilla, Canonical and Red Hat somehow manage to pay for a few servers and a bit of bandwidth.

        • Re: (Score:3, Informative)

          by flape ( 1114919 )
          Not even the central server would be necessary .. there is work underway on p2p version of SIP called p2psip.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      If you think of alternatives, you'd expect them to fulfill the same specifications. One of the specifications when switching off the Skype is being able to actually contact other people. Try talking the Average Joe about ie. Ekiga, open source VOIP client. What will happen? You will get that sheepish look and question: "Why would I install that, I already got Skype. BESIDES EVERYONE I KNOW USE SKYPE AND I COULDN'T CALL THEM ANYMORE".

      Such are network effects. There is no alternative for Skype for the specifi

    • Re: (Score:2, Informative)

      by Jorophose ( 1062218 )

      Zfone?

      Encrypted calls > Ekiga.

      Sorry, I love Ekiga myself, especially since it has video, but I don't want to be eavesdropped on. Which is why until Ekiga incorporates Zfone's SDK, it's Zfone all the way. The software is "open source", like PGP is "open source", but the libs and the SDK are GPL. For the program, they won't accept your contributions, and I'm not too sure if they will for the libs, either; I guess it's mostly to keep it untampered, but they should be accepting contributions for the libs and

    • by grumbel ( 592662 )

      When it comes to conference calls I found Mumble (open source) and Teamspeak (non-free, but has a Linux version) far superior to any of the classical VoIP software out there. For normal phone-like calls Ekiga is good enough, but overall I prefer text chat in combination with Mumble/Teamspeak.

    • by lowlands ( 463021 ) on Saturday July 26, 2008 @01:05PM (#24349515) Homepage Journal

      FreeSWITCH (www.freeswitch.org) is completely open, is MPL licensed and supports TLS & SRTP. Make sure you get the right phone with the right firmware because not all phones properly support TLS & SRTP. Ask in the #freeswitch irc channel on freenode.net or the FreeSWITCH mailing list which phones are known to work.

      Asterisk has support for TLS in their development tree. Afaik their SRTP support is an untested patch in the bugtracker. At this point in time Asterisk does not seem to offer a working, stable TLS & SRTP solution.

    • Comment removed based on user account deletion
    • by aliquis ( 678370 )

      Use an open protocol such as SIP, for instance you could use Asterisk and Ekiga.

      KIAX + Asterisk would be another solution.

      http://www.asterisk.org/ [asterisk.org]
      http://ekiga.org/ [ekiga.org]
      http://sourceforge.net/projects/kiax [sourceforge.net]

    • by novakyu ( 636495 )

      There used to be something called Wengophone [openwengo.org] but it looks like its supporting company, Wengo, has moved onto other things.

      As far as I know, the software is still being developed (at least no one admitted that it's being abandoned completely), but I am not so sure about the VoIP service itself. My account still seems to work (and apparently, they are not expiring points after 6 months any more, even though I can't find anything official that says they changed their rules), but I'm not sure if you can open a

  • Decode the protocol? (Score:2, Interesting)

    by forrie ( 695122 )

    Has anyone made attempts at decoding the SKYPE protocol. This would take some clever reverse engineering of the code and some clever wire sniffing.

    I wonder if it would be possible to inject an encryption layer underneath what their service provides.

    On a legal note, in the US, could consumers who purchased SKYPE products sue SKYPE.

    Chances are pretty good that if this backdoor exists, it has for a long time.

  • by Bromskloss ( 750445 ) <auxiliary.addres ... nOspAm.gmail.com> on Saturday July 26, 2008 @10:20AM (#24348315)
    Unless you think it's a good thing that some people can snoop on others conversations, this should be a really good reason to embrace free software.
    • by Opportunist ( 166417 ) on Saturday July 26, 2008 @10:58AM (#24348611)

      You know that as soon as some really unbreakable OSS project takes the place of skype, someone will jump up and claim that OSS is promoting terrorism since it keeps the feds from snooping at you?

      What's scary is that a lot of people will nod their head and agree...

      • by eebra82 ( 907996 )

        You know that as soon as some really unbreakable OSS project takes the place of skype, someone will jump up and claim that OSS is promoting terrorism since it keeps the feds from snooping at you?

        But how will they stop open source? If the feds pulled a move like that, it would be pretty much like the DRM case, where the music industry does so much to prevent us from using non-DRM. Ultimately, however, it will never succeed because they will always be outmanned.

      • Re: (Score:3, Interesting)

        by andymadigan ( 792996 )
        I'm pretty sure it would be trivial to set up a PC to PC voice connection, even with just openssh, assuming the microphone and speaker are both "files".

        I'd imagine on both sides the command would look like this:

        ssh joe@someplace.net 'cat > /dev/snd/out' < /dev/snd/mic

        Obviously I don't know the exact device name, and you might have to use some other program to read in from the mic and such. IF the connection is slow/choppy, use speex. You should still even be able to do it from the command line, assumi
      • Open or not, you can't provide a VoIP-POTS switch service as Skype do, without running into the LI (Lawful Intercept) laws that scatter the world.

      • Re: (Score:3, Funny)

        by g0at ( 135364 )

        You're promoting terrorism because you're making a stupid "you know that as soon as X happens, people will say Y" doomsaying remark.

        There, saved some time.

      • You know that as soon as some really unbreakable OSS project takes the place of skype
        .

        Telephony 101.

        Calls through Skype can reach any phone, anywhere. Your FOSS client can reach a compatible FOSS client.

        There are other lines of attack than brute-forcing the encryption. The geek can spend so much time worrying about the back door he forgets the front door, the cellar, the windows and the roof.

      • You know that as soon as some really unbreakable OSS project takes the place of skype, someone will jump up and claim that OSS is promoting terrorism since it keeps the feds from snooping at you?

        It depends. Is it unbreakable to allow safe voice calls or as a safe place to swap child porn (oh, and the occasional chinese dissident) and terrorism information? Will its development be centered on the needs of normal people or will it be focused on weird features that are only needed by the not-so-friendly types

        • To be honest, I haven't spotted any CP on freenet so far, but then, I wasn't looking too hard. What I did spot was a few pages and areas of freenet dedicated to finding and "outing" people looking for CP on freenet. So generally, if I was a pedo, freenet isn't necessarily where I'd start digging. You have a lot of people with a lot of knowledge about the net against you who are determined to keep their free space "clean" so it won't be shut down.

          People with a determination can be a powerful force.

          • To be honest, I haven't spotted any CP on freenet so far, but then, I wasn't looking too hard. What I did spot was a few pages and areas of freenet dedicated to finding and "outing" people looking for CP on freenet. So generally, if I was a pedo, freenet isn't necessarily where I'd start digging.

            Freenet has a lot of indexes. It's not a place to find this stuff, but to freely share stuff once you know where to get it.

            There are also other kinds of weird stuff at freenet, like lots of indexes maintained by

    • Re: (Score:3, Insightful)

      by Chryana ( 708485 )

      I'm not saying snooping on my calls is a good thing. However, I don't think free software is the answer here. I make calls from my computer to a land line, how can I prevent my provider, Skype or not, from eavesdropping on my conversations? You don't expect me to convince all my contacts to start using their computer to receive calls, do you?

  • by gcnaddict ( 841664 ) on Saturday July 26, 2008 @10:21AM (#24348331)
    So you mean the times we spent talking about CP and Terrorism were bugged?

    Ah, shit.
  • yes (Score:5, Informative)

    by circlingthesun ( 1327623 ) on Saturday July 26, 2008 @10:22AM (#24348341)
    There are quite a number of alternatives based on the open SIP protocol. Have a look at the list: http://www.voip-info.org/wiki-Open+Source+VOIP+Software [voip-info.org]
  • by erroneus ( 253617 ) on Saturday July 26, 2008 @10:23AM (#24348361) Homepage

    I know it's tedious work, but some people actually seem to like it. Isn't it time that people disassemble these suspected binaries in order to issue a report on the matter? Not only on Skype, but on many other suspected programs, libraries and operating systems?

    • by caluml ( 551744 ) <slashdotNO@SPAMspamgoeshere.calum.org> on Saturday July 26, 2008 @10:32AM (#24348417) Homepage
      I read a good presentation by people that had tried to disassemble Skype, and basically, Skype do so much to make it very, very difficult. Here's a PDF version [blackhat.com] of it.

      If it was easy, someone would have done it by now, and made Gnype, don't you think?
      • by erroneus ( 253617 ) on Saturday July 26, 2008 @11:00AM (#24348625) Homepage

        I don't think competitive code is as much of a threat as simply knowing what the code does is a threat.

        I have read through a good portion of the PDF and I agree that the analysis of the breakdown and all of the measures Skype makes to conceal what it's doing are both impressive and worrisome. I suppose, perhaps, an alternative measure might be for some sort of "computing trustworthiness" scale to be created where the worst offenders (like Skype) are ranked as "potentially dangerous" until they [Skype] clears the matter up.

        I suppose in the presence of such a [subjective?] scale, there would be a huge list of programs and applications deemed to be offensive in this way, but perhaps a black list such as this could be useful in attempting to get software a bit more open than it is today? After all, if you could cite an application as "2 out of 10" on the trustworthiness scale as a reason not to purchase, people might begin to take notice. I think a scale like this, whether subjective or not, would enable the technically uninterested to read these 'executive summaries' of information and make better decisions -- making it easier for the public to make more informed choices.

        Would lawsuits result? Of course. But the lawsuits against RBLs once happened frequently before people decided it was better to just take measures to stay off the lists. Consumer Reports once found itself at the receiving end of legal actions and demands (and probably still does) but in the end, it's worth the effort they make as they are generally accepted as a trustworthy source. We need a Consumer Reports for software that exposes the privacy and security concerns that different software poses.

        I know this stuff about Skype has given me reason to pause, but that's just me... I can sort of read and understand most of what I read here. But how about the rest of the uninformed? How can we get the point across to them?

  • As it is not for any other telco.
    Especially when one of the parties is behind a firewall, the Skype servers are needed for the communication and in some place there, it gets unencrypted.
    Real P2P encrypted voip communication (a-la Bit Torrent), would make it very difficult to eaves drop the communication.
  • by mseidl ( 828824 ) on Saturday July 26, 2008 @10:41AM (#24348477) Homepage
    Lets find out...

    Do I have a volunteer from the /. audience that wants to bed Skype and see if it's a back door kind of program?
  • by fluch ( 126140 ) on Saturday July 26, 2008 @10:42AM (#24348481)

    With closed source and closed protocol specifications there is no way to disprove the claim of an existing backdoor. Regardless of wether there really exist a backdoor or not. Simple but true and it is the drawback of wanting to provide security in a closed source environment.

    • Re: (Score:2, Informative)

      by jackchance ( 947926 )
      From Skype.com [skype.com] :

      Is Skype secure?
      Yes. When you call another Skype user your call is encrypted with strong encryption algorithms ensuring you privacy. In some cases your Skype communication may be routed via other users in the peer-to-peer network. Skype encryption protects you from potential eavesdropping from malicious users.

      Why are Skype calls encrypted?
      Skype is encrypted end-to-end because it uses the public internet to transport your voice calls and text messages and sometimes these calls are routed

  • by Anonymous Coward on Saturday July 26, 2008 @10:42AM (#24348485)

    All you have to know to monitor someone's Skype is their password. Login with Skype on another machine, set status to invisible. Anything they type or receive in chat you receive.

    1. For IM: Jabber (non-US server) + OTR Plugin + Tor.
    2. For everything else (email/vpn/storage) services as provided by www.xerobank.com will do you good.
    3. TrueCrypt Full Drive Encryption. (Check your local laws - under Dutch law they cannot force me to give up the passwords ... and we don't do waterboarding here) (I hope)

  • The encryption problem has been solved, also in such a way that nobody can listen in, not even the service provider. If anybody can listen in, it is either by hacking the source or target computer (difficult, maybe iollegal and may fail) or by a backdoor in the protocol. They can deny all they want, the backdoor is there. That also means that Skype is unusable for any kind of confidential conversation, as there are enough scum in the intelligence community that are allowed to do industrial espionage (the US

  • Skype is closed proprietary crap. Real VoIP is about open standards and interoperability. Check out Asterisk, OpenPBX for server software. For client-end stuff, skip the PC soundcard crap and get a real ATA, even a basic Sipura SPA-2000 is better than some crap closed application running off a PC soundcard.

  • by speedtux ( 1307149 ) on Saturday July 26, 2008 @10:49AM (#24348547)

    You can be sure that these people are also trying to:

    • get backdoors into Ethernet firmware and BIOSes
    • get backdoors into routers and other infrastructure
    • get backdoors into commercial software
    • get backdoors into open source packages

    You can be equally certain that they are not doing it right and that the backdoors they are trying to put in make your system less secure.

    Running open source software is your best bet, but even there, you aren't completely protected.

    • by g-san ( 93038 )

      Sorry, your c compiler was backdoored a long time ago already. everything you compile, including all the compilers, get the back door compiled in.

      It's too late.

      on another note, where is an ethernet trace of Skype doing something underhanded like making a third connection to another machine mid call, or making two or more connections when normally one was just opened? Your network interface doesn't lie. If you are point to point with your called party, you see everything leaving your system. if there was som

  • by TomatoMan ( 93630 ) on Saturday July 26, 2008 @10:53AM (#24348575) Homepage Journal

    Assume all communication that uses any kind of monitorable infrastructure is bugged. The capacity is there, and the desire is there.

    It is the way of things.

  • by dyfet ( 154716 ) on Saturday July 26, 2008 @10:57AM (#24348607) Homepage

    This is going to be a problem with any so called "secure" communication system that relies on source secret clients and unpublished protocols.

    There are many ways to build such clients to "assist" external intercept, since they often have to first communicate with some central server to locate users. They could for example have a command that forces the client to always route back through the server (like they do for NAT), and use a simple data transformation rather than full encryption so casual packing snooping makes it "appear" encrypted when it is actually not.

    They might also have flaws in their implimentation, particularly with key exchange, that allows an invisible man in the middle. The ZRTP stuff developed by Phil Zimmerman that we use in GNU Telephony secure calling uses extra steps to compute a sas to validate there are not fake public session keys given out by a man in the middle, for one example of how such flaws can effect otherwise "secure in appearence" systems.

    Of course, even secure peer-reviewed protocols and foss clients do not gaurantee security. For example, one can tether a bunch of ZRTP softphones to an Asterisk server using PBX enrollment, but this enables and requires said server to decrypt all traffic as it passes through, as it acts as a "trusted" man-in-the-middle.

    In the end, the best solution, even with ZRTP, remains using pure peer-to-peer (end-to-end) media connections, and when needed transparent proxy media exchange; the latter for dealing with NAT. In ZRTP, sas negotiation assures any such proxy used for NAT "remains" transparent.

    In the case of Skype, source secret clients that can report false call information and source secret protocols are a clear recipe for disaster.

  • SIP Skype (Score:3, Informative)

    by ivoras ( 455934 ) <ivoras&fer,hr> on Saturday July 26, 2008 @11:55AM (#24349015) Homepage

    Asterisk+SIP+Ekiga is not a good replacement for Skype:

    • It's much harder to setup (you can't beat Skype's "start the exe, type in username and password and you're there" experience).
    • It's not encrypted - so all those people saying "Worried about big bad wolf listening to your Skype calls? Switch to SIP because it's open!" are actually making things worse.

    Add to this that Skype has existed for a large number of years (5 years is "long" in "internet time") and it's not exactly known as a big medium for spreading viruses, hack attacks, etc. and you'll realize that security through obscurity actually can work. Of course, past trends are not indication of future behaviour, but you can't argue with results.

  • by Anonymous Coward on Saturday July 26, 2008 @12:00PM (#24349031)

    If you go to the options of the Skype client under the 'Chat Appearance' settings, do have a look at the sample chat displayed. I quote:

    -Does Big Brother exist?
    -of course he exists. The Party exists. Big Brother is the embodiment of the party
    -Does he exist in the same way as I exist?
    -You do not exist
    -I think I exist. I am conscious of my own identity. I was born and I shall die. I have arms and legs. I occupy a particular point in space. No other solid object can occupy the same point simultaneously. In that sense, does Big Brother exist?
    -It is of no importance. He exists.

    To me this is quite conclusive.

    • Re: (Score:2, Informative)

      by Al_Maverick ( 939029 )
      It's a fragment of Orwell's 1984. http://www.orwelltoday.com/how.shtml [orwelltoday.com]
      • by Rayban ( 13436 ) *

        Heh.. the chat log even timestamps it as '84:

        Smith
        12/11/84 5:17 PM
        Does Big Brother exist?
        O'Brian
        12/11/84 5:17 PM
        Of course he exists. The Party exists. Big Brother is the embodiment of the Party

  • Any non-encrypted data communications over the internet can be tapped and understood, no? Maybe Skype has the decryption key, or maybe Skype just has the "tools" for listening in on a skype stream, but I don't see how this is a surprise.

    Maybe the authorities just assumed skype was tappable because they know internet connections are tappable.

  • by bhima ( 46039 ) * <Bhima,Pandava&gmail,com> on Saturday July 26, 2008 @12:36PM (#24349305) Journal

    What keeps me with Skype is that I can have US telephone number. So no matter where I am my friends and family can call me.
        If there was another service which allowed me to have a US telephone number for incoming calls and let me call any other POTS number I'd use it.

    • by EvilIdler ( 21087 ) on Saturday July 26, 2008 @02:32PM (#24350201)

      A quick search revealed a bunch of companies. Here are some:
      http://sipnumber.com/ [sipnumber.com]
      http://www.ipkall.com/ [ipkall.com]
      http://www.freedigits.com/ [freedigits.com]

      Those are free services. The last one seems to have problems, though.
      Paid services exist, too. Just google it :)

    • What keeps me with Skype is that I can have US telephone number. So no matter where I am my friends and family can call me.
      If there was another service which allowed me to have a US telephone number for incoming calls and let me call any other POTS number I'd use it.

      Ummmm, one of of any number of several hundred VOIP providers [voip-info.org] (or Vonage) with a PC softphone, give you exactly that. In fact, I'm pretty sure it's possible to get free DID's (phone numbers) in major cities. Even here in Canada, LES.NET gives you local VOIP numbers for $8.88/mo (unlimited incoming) and 1.5c/minute North American outgoing. It's a very generic (and open) way to do things. Skype is a just one proprietarized VOIP solution, that happens to be a bit easier to set up.

  • by Toddlerbob ( 705732 ) on Saturday July 26, 2008 @03:17PM (#24350601)
    I was in China a few years ago, and there was somewhat of a controversy whether or not China would allow Skype or block it. Then, all of a sudden, the Chinese had no problem with Skype. The only way for the Chinese government not to have a problem with Skype is if they are somehow able to monitor it. China is the ultimate surveillance society, after all.

    Therefore, if the Chinese have no problem with Skype, Skype must have a back door.

  • Providing free secure communication to absolutely everyone with the requisite equipment cannot happen without accommodating the governments of those being offered the service.

    That means the US and UK must be able to tap the line looking for terrorists, and unfortunately other countries must be able to tap the line looking for dissidents, etc.

    I never expected Skype to be any more secure than a cellular phone anyway. That fact that the software protocols allow for fully secure communication doesn't guarantee

    • by g-san ( 93038 )

      > Last I checked, there wasn't a right to 100% secure long-distance communications in the bill of rights...

      Oh, I wasn't aware we only had the rights granted to us. I thought we could do anything except what "they" tell us is illegal. You seem to think we can only do things we have been given the right to do. Don't want to make you think though.

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky

Working...