Communications Microsoft Privacy Security

Russian FSB Can Reportedly Tap Skype Calls 136

An anonymous reader writes "Previous reports of a Microsoft-provided backdoor to Skype have been unconfirmed. However, there are now reports that Russian federal security service FSB is able to tap calls and locate users. 'FSB and the Internal Affairs Ministry (MVD) have been capable to wiretap and locate Skype users for some years already, reported Vedomosti on Thursday [Google translation of Russian original]. The newspaper is citing experts on information security. "Special services have been capable for several years not only to wiretap but also to locate a Skype user. That's why, for instance, employees of our company are forbidden to discuss business-related topics on Skype," General Director of Group-IB, Ilya Sachkov, says to Vedomosti. "After Microsoft acquired Skype in May 2011, it updated the software with technology allowing legitimate wiretapping," says Maksim Emm, Director of Peak Systems.'"
  • by staltz ( 2782655 ) on Friday March 15, 2013 @09:16AM (#43182131) Homepage

    The Skype P2P protocol has always been an issue to worry about. It's hard to break/understand, and I've seen research papers that just scratched the surface of the protocol.

    I never doubted that really smart minds (like Russians) would eventually crack it and exploit it. This would never happen with an open-source protocol.

    • by iggymanz ( 596061 ) on Friday March 15, 2013 @09:32AM (#43182261)

      no one with a smart mind cracked it, microsoft just rolled over for the russian government

    • Re: (Score:3, Insightful)

      by Pi1grim ( 1956208 )

      Of course if I worked for FSB and was unable to tap into Skype, I'd start spreading FUD about how well I can tap into it. To make them move over to less secure means of communication.
      Anyway, I hope this will lead to a boost in developing a solution with good crypto. Like jingle or SIP with encryption and its wide adoption. Not that it's happening anytime soon, but a man can dream...

      • I think this would just move them over to more secure means of communication, not less. A stupid move. It won't be fun for them when the crooks all route their communication through a couple of global Tor nodes.
        • by Luckyo ( 1726890 )

          They're not caring all that much about medium sized crime syndicates that can afford to channel their stuff through TOR. There are different methods to get those.

          Spying on skype is about spying on big and small players who use it, such as large international conglomerates, as well as very small people who have no access to technical expertise necessary for TOR.

          You're essentially making the infamous wrench mistake in assuming that technological problems and solutions are the only ones that exist in the world

      • by DrYak ( 748999 )

        Like jingle or SIP with encryption and its wide adoption. Not that it's happening anytime soon, but a man can dream...

        Jingle and SIP with encryption is called ZRTP (it's just adding an encryption layer over the usual RTP channels used for voice/video chat). And is already supported in several software out-of-the-box (like Jitsi which is often talked about here. But also Twinkle, and others).

        For message, you have Off-The-Record, which works above almost any messaging channel. It's also supported by several software packages out-of-the-box (Jitsi again, or Adium) or with a plugin (Pidgin).

        These are technologies which exist R

    • by gl4ss ( 559668 ) on Friday March 15, 2013 @09:51AM (#43182441) Homepage Journal

      they're acting as if they were a phone company and russkies are probably asking them to comply as if they were one.. to provide taps.
      and they're just locating the ip address of course. it's not like their tap is made of magic sauce.

      +they would spread fud about it anyways.
      the big problem with it if you're discussing sensitive things is plain and simply that it has centralized control.

      SECOND OPTION: it's entirely possible the russkies are tapping them on client side. if not by other means then by bugging the headsets. that would certainly explain how they know EXACTLY where the call is taking place since they're spying the site in person. it's fsb/kgb after all.

    • This would never happen with an open-source protocol.

      Why not? If a protocol was open source, writing backdoors into it would be even easier. I mean, how many people know how to inspect code and remove the parts that are malicious?

      • Re: (Score:3, Informative)

        by Anonymous Coward

        Why not? If a protocol was open source, writing backdoors into it would be even easier. I mean, how many people know how to inspect code and remove the parts that are malicious?

        You obviously do not understand open source. If a protocol or software gets big enough that a lot of people use it, it will also get a lot of developers looking at it. If a backdoor is written in, eventually someone will find it and report/patch it.

        • by rastos1 ( 601318 )

          it will also get a lot of developers looking at it.

          Sometimes I stare at some code for hours, debug it and still have no idea how it works. And I wrote it.

        • You obviously do not understand open source. If a protocol or software gets big enough that a lot of people use it, it will also get a lot of developers looking at it. If a backdoor is written in, eventually someone will find it and report/patch it.

          And further to that, there will also typically be a handful of uber-devs who get to accept or reject patches - getting a rogue patch past one of these people, who know the code better than anyone in the entire world, is going to be near impossible.

      • by RabidReindeer ( 2625839 ) on Friday March 15, 2013 @11:50AM (#43183715)

        This would never happen with an open-source protocol.

        Why not? If a protocol was open source, writing backdoors into it would be even easier. I mean, how many people know how to inspect code and remove the parts that are malicious?

        Not many, I'm sure. But even one is sufficient. And unlike closed-source, that one person may pop up any time, anywhere in the world, including places where it's not possible for interested governments to muzzle him in time to raise the alert.

        One of the reasons WHY open-source is so popular is that things like that can occur, hence open-source people are more likely to pay attention to how secure the stuff they're using is. And conversely, paranoid people will prefer open-source.

        The best time to worry about security is before you need to. Afterwards, it may be too late.

    • Serious journalists stopped using Skype around the time of Arab spring, I always took this to mean it had already been easily broken. Think about it this way, if you control the network that's one thing, if you control the isp that's another level with lots of options but now if you control the entire country's infrastructures that is a completely different ball game. I wonder how well blackberry runs in Russia.
  • by Albanach ( 527650 ) on Friday March 15, 2013 @09:18AM (#43182155) Homepage

    And therein we learn the lesson about closed source software and proprietary methods. If folk had adopted something based on SIP, XMPP, IAX or any other open and documented protocol, we'd be able to communicate using a tried and tested security mechanism.

    For something like communications, if you're totally and absolutely reliant upon a third party then you also need to have total and absolute trust in that third party or you should consider all your communications using them to be public.

    • SIP is end to end P-P once a connection is established.

      If you need to hide your IP for a Skype session, use a SIP to Skype gateway.

      http://www.dslreports.com/forum/r26518054-SIP-to-Skype-Skype-to-SIP-new-method [dslreports.com]

      If I Skype you, my IP will resolve to the gateway address. Skype me at skype2ipp, then enter my user name when prompted.

      • Encrypted SIP may be more secure, but does nothing to hide your IP address. A recently mentioned encrypted SIP client is Jitsi.
        https://jitsi.org/ [jitsi.org]
        Not sure if capturing keys for a man in the middle attack is difficult. A MIM attack by Russia should only be possible when crossing a Russian server. US and Carnivore abilities are unknown.

    • If only anybody made that stack of rawhide software, frameworks and standards into usable software...
      I mean I can set up a xmpp client with OTR or GPG encryption, haven't tried doing that with SIP, but take Skype users. For most of them comprehending what needs to be done is akin to building a fusion reactor out of household items...
      As for the corporations: all of them gladly use the XMPP standard for their own ends, but only Google bothered to abandon the walled garden ideology and enabled XMPP federation on

    • by elucido ( 870205 )

      Even if it were open source it could still be tapped. Just maybe not as easily.

    • And the government TLA (FSB in this case) says ok phone company "gimme" with more or less judicial oversight dependent on your country - it's part of the deal of being a phone company.
  • How shocking! (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Friday March 15, 2013 @09:18AM (#43182169)

    Closed source software with obscure network protocol, now owned by a corporation whose main concern isn't the users' best interest, turns out to be not so nice after all. News at 10...

    The best way to use Skype for anything more important than saying hello to your grandmother for free on the internet is not to use Skype. Everybody with half a brain has known that for many years. Duh...

  • shouldn't be too hard to trace all packets coming out of an ISP's network in Russia and decode them? or at least decode enough packets for part of a call

    and how many fiber connections go into russia from foreign countries? for all we know the FSB has tapped them all and is reading all the data
    the NSA was doing something like this a decade ago with Narus appliances

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You say "decode" as though it is trivial.

      You should read up a bit on encryption.

  • by Anonymous Coward

    Am I the only one who mentally interpreted the headline as: "Russian Front Side Bus Can Reportedly Tap Skype Calls"?

  • by Eunuchswear ( 210685 ) on Friday March 15, 2013 @09:24AM (#43182207) Journal

    Would save a lot of trouble.

  • by mrbill1234 ( 715607 ) on Friday March 15, 2013 @09:36AM (#43182289)

    Why would someone with something to hide use Skype?

    Seriously - if you've got something to hide, use something to which you have the source and can control the encryption used.

    • by Xemu ( 50595 )

      Why would someone with something to hide use Skype?

      Seriously - if you've got something to hide, use something to which you have the source and can control the encryption used.

      or use skype steganography

      http://www.economist.com/news/science-and-technology/21571120-tinkering-skype-can-allow-people-send-undetectable-messages-speaking [economist.com]

    • by AHuxley ( 892839 )
      Think of a person doing work in another part of the world with security clearance back home.
      They use encryption for work, are very secure in all their data handling at home and clean when travelling.
      That person becomes a target of the CIA, FSB, MI6...
      Personal calls might give insight into life outside marriage/work ...that extra person sharing deepest desires and needs/wants/weaknesses/faith/cult.
      Drugs, debt, stress, parties, music, hobbies, lifestyle failures/happiness, addictions to a type of adult ma
  • Special services (Score:4, Insightful)

    by ls671 ( 1122017 ) on Friday March 15, 2013 @09:40AM (#43182321) Homepage

    Special services have been capable for several years not only to wiretap but also to locate a Skype user.

    Special services have been capable for several years not only to wiretap but also to locate cellular phone and landline users.

  • by Hatta ( 162192 )

    Jitsi provides ZRTP encrypted voice chat. It's free, open source, and cross platform. Why use Skype?

    • Because everyone else uses skype.

      People who don't get this are the same people who don't understand why facebook is more popular than Diaspora.

      • by Hatta ( 162192 )

        There are two people in every conversation. If one uses Jitsi and one uses Skype, why should they settle on the insecure option?

        • Re: (Score:3, Informative)

          by dkf ( 304284 )

          If one uses Jitsi and one uses Skype, why should they settle on the insecure option?

          They'll choose Skype because that's the one that the person who isn't a tech expert already has working. Unless you're really keen on doing more free tech support...

          • by Hatta ( 162192 )

            If it's anything remotely important, a little tech support is a small price to pay for security.

          • Re:Jitsi (Score:4, Insightful)

            by bill_mcgonigle ( 4333 ) * on Friday March 15, 2013 @11:34AM (#43183497) Homepage Journal

            aka "The Path to Idiocracy". It's true, though, and it should be an object lesson that technically sound software needs to be trivially easy to install and configure as well if it's to do much societal good.

            • It's not idiocracy, it just seems that way because you're technically minded.

              Just the other day I was trying to answer several questions about hacking, viruses, computer security, etc for a family member, and I realized (for the millionth time) just how hard it is to convey the framework that a non-techie would need in order to begin understanding a lot of this stuff.

              And in order for everyone to decide to use a more secure option, everyone needs to realize that the current option is really really bad and what

              • As I've posted elsewhere, and advocated forever, the 1st distro to offer a combined client/server platform that runs only with encryption (gpg), TLS/SSL, etc... will win the day.
                Non-techies won't have to know all the details of why their home machines are safer; only that they are using the best security has to offer.
                With easy-2-use gui's for configuration of their services/servers and a dydns address, they would have complete granularity over what they share and how.
                Nice pipe dream of mine.

                • Using GPG requires others who have GPG keys that are integrated with your keychain. That takes work. You also need to educate the userbase on how to differentiate unsigned, signed, and tampered with email. Ditto SSL.

                  As always, the hardest problems in computing are the human ones.

            • Agreed. And a working solution might be to consider trading the issue of net-neutrality w/the telcos in exchange for them allowing end-users to run their own servers/services.

              This way everyone can have their own XMPP and give accounts to those they want to 'talk' to.
              Installing something like "Deb-Secure", end-users could run their own 'face-book' webapps and have fine-grained controls over what gets shared - no advertising; and over SSL/TLS - less DPI.

              Decentralization has always been found to be a good anti

  • This is a report in a newspaper citing unspecified sources. Moreover, it is in FSB's interest to have people believe that they are more capable/powerful than they really are. A large grain of salt is definitely in order.

    • Moreover, it is in FSB's interest to have people believe that they are more capable/powerful than they really are.

      You don't state why, but I'm guessing for intimidation/control purposes. Which is certainly a point.

      However:
      It is also in the FSB's interest to have people underestimate their powers so they will be incautious, using systems they believe are secure which the FSB can crack.

      It is also in the FSB's interest to have people have a roughly correct idea of their capabilities, because when their real c

      • by snarkh ( 118018 )

        > You don't state why, but I'm guessing for intimidation/control purposes.

        Correct.

        > It is also in the FSB's interest to have people underestimate their powers so they will be incautious, using systems they believe are secure which the FSB can crack.

        I doubt it. Perhaps for NSA it is true, but most of FSB's power is based on raw force and intimidation, not any particular competence.

        And people who are really serious about security would use more secure systems in any case.

  • This is why the anti-trust watchdogs have backed off in the US -- MS agreed to build in backdoors for spying in its OS.

    I had suspected it, but proof was hard to come by.

    I predict antitrust problems for Google Chrome/Android products in a few years.

    • I predict antitrust problems for Google Chrome/Android products in a few years.

      Nah, they've already rolled over. It's not a violation of "do no evil" to piss on the Constitution as long as the Government tells you it's ok.

  • As an American I'm less bothered about the FSB doing it than the NSA. Seriously, for my personal stuff, what does the FSB care? I'm much more concerned about the NSA (and if it can be done, I'm sure they are). For similar reasons I use Kaspersky on my personal computers. The FSB doesn't care about my bank account or the web sites I visit. The NSA/CIA/FBI may be another story. Not that I'm terribly interesting, but having once looked at a web site that was slightly to the left of the Democratic party, I'
    • You know Kaspersky is best buds with FSB. If you have interesting tastes in websites and have high security I am sure they would consider using that as leverage to get you to act as an agent for them.
      • You know Kaspersky is best buds with FSB.

        My point exactly - if I'm going to be spied on I'd rather have it be done by some outfit that has no real interest in me and no real power over me. I also "trust" them in the sense that I doubt they're going to mess w/ my bank account or something (unless they're doing charity and want to make a deposit).

        If you have interesting tastes in websites and have high security I am sure they would consider using that as leverage to get you to act as an agent for them.

        True, but I have no security clearance and the most interesting website I read is Slashdot. Now that's sad.

  • How could we guarantee no spying or eavesdropping via Skype? I think some sort of scrambling/de-scrambling/encryption program that sits at both ends of the Skype connection would do the trick. I'm surprised nothing like this already exists.

    • If you are willing to go through that trouble, just use something else.

      • Exactly, and if you are using Windows then what is the point of making Skype 'secure' when it runs on an unsecured platform. Did everyone's _NSAKEY Marble fall out of their memory?

  • Even more reason not to use Skype. Use an open source app like Jitsi. It does the same thing as Skype but is open source.
  • Is this supposed to be a big surprise or big deal? It's not to anyone who knows about information security.

  • if there is an audible clicking noise when they intercept a call in progress...
  • The strength of session keys does not matter. Forget difficulty of proprietary protocol reverse engineering, it is child's play.

    Key negotiation is where the gold is, and there is only one real security wall that exists today among symmetric security systems: the Public Key Infrastructures with their strong prime factorization wall.

    There are no other walls, only hurdles.

    If someone were to pass along one little flash drive with the Certificate Authority chain signing and actual operating SSL private keys to N

  • Skype is an eavesdropping service. I'm sure all users of it should know that. So what if the FSB can listen in. The bigger news is that Microsoft is tapping all your Skype calls... all the time. The encryption option has nothing to do with Microsoft's ability to record everything. And why shouldn't they? It's a great way to build a valuable database of our most private moments. Skype is not regulated by telephone privacy protection laws the way a regular phone provider is. This is why some countries in the EU
