Russian FSB Can Reportedly Tap Skype Calls
An anonymous reader writes "Previous reports of a Microsoft-provided backdoor to Skype have been unconfirmed. However, there are now reports that the Russian federal security service FSB is able to tap calls and locate users. 'FSB and the Internal Affairs Ministry (MVD) have been capable of wiretapping and locating Skype users for some years already, reported Vedomosti on Thursday [Google translation of Russian original]. The newspaper is citing experts on information security. "Special services have been capable for several years not only to wiretap but also to locate a Skype user. That's why, for instance, employees of our company are forbidden to discuss business-related topics on Skype," General Director of Group-IB, Ilya Sachkov, says to Vedomosti. "After Microsoft acquired Skype in May 2011, it updated the software with technology allowing legitimate wiretapping," says Maksim Emm, Director of Peak Systems.'"
Ah, the consequences of closed-source (Score:5, Insightful)
The Skype P2P protocol has always been an issue to worry about. It's hard to break/understand, and I've seen research papers that just scratched the surface of the protocol.
I never doubted that really smart minds (like Russians) would eventually crack it and exploit it. This would never happen with an open-source protocol.
Re:Ah, the consequences of closed-source (Score:5, Interesting)
no one with a smart mind cracked it, microsoft just rolled over for the russian government
Comment removed (Score:4, Informative)
Re:Ah, the consequences of closed-source (Score:5, Insightful)
Microsoft has never met a dictator or despot they didn't like.
Nor has any other business approaching the size of Microsoft. In fact, nobody can get that big without 'assistance' from the authorities. Despotism is big business, the rewards are well worth the collateral damages.
Re: (Score:2)
the rewards are well worth the collateral damages. ... unless you happen to be the collateral, of course.
"If you sup with the devil you need a long spoon."
Re: (Score:2)
Re:Ah, the consequences of closed-source (Score:4, Funny)
Microsoft has never met a dictator or despot they didn't like.
What about Steve Jobs? *ducks*
Re: (Score:3)
For the most part, at least during the Jobs era, Apple products were beyond the reach of most 3rd-worlders, so catering to despotic countries wasn't an issue. In fact, so much so, it was not part of the Apple business model. (Apple products were thus justly marketed as 'aspirational', and this model is working well over the long-term for Apple).
Re: (Score:2, Insightful)
Re: (Score:2)
Re:Ah, the consequences of closed-source (Score:4, Informative)
Microsoft regularly rolls over for the Chinese government too.
Microsoft has never met a dictator or despot they didn't like.
Microsoft has never met an entity with a boatload of cash they didn't like.
FTFY
Re: (Score:2)
Re:Ah, the consequences of closed-source (Score:4, Informative)
Yeah, MS rolled over for the Russian government six years before they bought Skype. Good future planning on Ballmer's part.
The reading comprehension skills here astound me.
Re: (Score:1)
Apparently, Microsoft changed the way certificates are generated in a software patch shortly after taking over Skype. It used to be the case that certificates were generated locally on the client. They changed that to centrally generated certificates on MS servers, which should enable them to sell(?) the ability to tap Skype calls.
Would anyone happen to know if you could somehow override that?
Re: (Score:1)
Re: (Score:3, Insightful)
Of course, if I worked for the FSB and was unable to tap into Skype, I'd start spreading FUD about how well I can tap into it. To make them move over to less secure means of communication.
Anyway, I hope this will lead to a boost in developing a solution with good crypto. Like Jingle or SIP with encryption and its wide adoption. Not that it's happening anytime soon, but a man can dream...
Re: (Score:2)
Re: (Score:3)
They're not caring all that much about medium sized crime syndicates that can afford to channel their stuff through TOR. There are different methods to get those.
Spying on skype is about spying on big and small players who use it, such as large international conglomerates, as well as very small people who have no access to technical expertise necessary for TOR.
You're essentially making the infamous wrench mistake in assuming that technological problems and solutions are the only ones that exist in the world
ZRTP (Score:2)
Like Jingle or SIP with encryption and its wide adoption. Not that it's happening anytime soon, but a man can dream...
Jingle and SIP with encryption is called ZRTP (it's just adding an encryption layer over the usual RTP channels used for voice/video chat). And it is already supported in several software packages out-of-the-box (like Jitsi, which is often talked about here. But also Twinkle, and others).
For messaging, you have Off-The-Record, which works above almost any messaging channel. It's also supported by several software packages out-of-the-box (Jitsi again, or Adium) or with a plugin (Pidgin).
These are technologies which exist R
Not FUD, in EULA (Score:2)
Micro$soft may be providing backdoors now but prior? No way. This is FUD by the Russians.
That's not FUD. Skype's EULA has been clear about it since even before being acquired by Microsoft.
(Or at least it was back when I looked at it)
They will comply with local legal requirement, including investigation assisting.
To me that sounds like back-doors have always been a possibility should they be legally required to include them.
Re:Ah, the consequences of closed-source (Score:4, Funny)
Since when has "knowing what you're talking about" been a requirement to post on Slashdot?
Re: (Score:1)
Re:Ah, the consequences of closed-source (Score:4, Interesting)
they're acting as if they were a phone company and russkies are probably asking them to comply as if they were one.. to provide taps.
and they're just locating the ip address of course. it's not like their tap is made of magic sauce.
+they would spread fud about it anyways.
the big problem with it if you're discussing sensitive things is plain and simply that it has centralized control.
SECOND OPTION: it's entirely possible the russkies are tapping them on client side. if not by other means then by bugging the headsets. that would certainly explain how they know EXACTLY where the call is taking place since they're spying the site in person. it's fsb/kgb after all.
Re: (Score:2)
This would never happen with an open-source protocol.
Why not? If a protocol was open source, writing backdoors into it would be even easier. I mean, how many people know how to inspect code and remove the parts that are malicious?
Re: (Score:3, Informative)
Why not? If a protocol was open source, writing backdoors into it would be even easier. I mean, how many people know how to inspect code and remove the parts that are malicious?
You obviously do not understand open source. If a protocol or software gets big enough that a lot of people use it, it will also get a lot of developers looking at it. If a backdoor is written in, eventually someone will find it and report/patch it.
Re: (Score:2)
Sometimes I stare at some code for hours, debug it and still have no idea how it works. And I wrote it.
Re: (Score:1)
You obviously do not understand open source. If a protocol or software gets big enough that a lot of people use it, it will also get a lot of developers looking at it. If a backdoor is written in, eventually someone will find it and report/patch it.
And further to that, there will also typically be a handful of uber-devs who get to accept or reject patches - getting a rogue patch past one of these people, who know the code better than anyone in the entire world, is going to be near impossible.
Re:Ah, the consequences of closed-source (Score:4, Interesting)
This would never happen with an open-source protocol.
Why not? If a protocol was open source, writing backdoors into it would be even easier. I mean, how many people know how to inspect code and remove the parts that are malicious?
Not many, I'm sure. But even one is sufficient. And unlike closed-source, that one person may pop up any time, anywhere in the world, including places where it's not possible for interested governments to muzzle him in time to raise the alert.
One of the reasons WHY open-source is so popular is that things like that can occur, hence open-source people are more likely to pay attention to how secure the stuff they're using is. And conversely, paranoid people will prefer open-source.
The best time to worry about security is before you need to. Afterwards, it may be too late.
Re: (Score:1)
Re: (Score:3)
Oh yeah, because Russia today is so much more desirable and has completely stopped all its spying activities.
Re:A reminder. (Score:5, Insightful)
Soviet Union was disbanded in the 90's
And????
Russia still remains. The KGB is now the FSB. Russia is more open, but it's still not the USA.
And speaking of the USA, you do realize that Project Echelon and similar efforts have been busily tapping into communications in the Land of the Free for longer than there was a Skype?
Re:A reminder. (Score:5, Insightful)
You speak of the US as if they wouldn't do exactly the same thing (and almost certainly are). This is why there should be an open implementation that supports proper security.
Re: (Score:2)
http://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol [wikipedia.org]
Re: (Score:2)
... and I'll throw this [jitsi.org] out there as well.
I thought I read right here (Score:3)
Re: (Score:3)
Re: (Score:2, Funny)
The denial is strong in this one.
Re: (Score:3)
Nobody can possibly be this ignorant. Are you a paid government troll by any chance?
Project echelon has been widely reported on by a number of mainstream news sources. Do you think CBS news qualifies as a bastion of "tinfoil hattery"?
http://www.cbsnews.com/8301-18560_162-164651.html [cbsnews.com]
The Church committee hearings in the late 1970s revealed extensive details about the multi-decade long MK Ultra program, including a trove of 20,000 related documents. Do Congressional hearings not count as "official reports"?
Re: (Score:2)
"The greatest trick the Devil ever pulled was convincing the world he didn't exist." -- Keyser Soze
Re: (Score:1)
"The greatest trick the Devil ever pulled was convincing the world he didn't exist." -- Keyser Soze
Damn that Keyser Soze, it's obviously him we have to thank for that bloody phrase. Always, the mind of man seeks to dominate and enslave through whatever means possible.
Re: (Score:1)
Feb 10th 2013's yer last post. Took ya that long to "eat yer words" http://it.slashdot.org/comments.pl?sid=3417867&cid=42756893 [slashdot.org] eh, after this here http://slashdot.org/comments.pl?sid=3427183&cid=42849825 [slashdot.org] ? Hahahaha.
Hi there, clue-free stalking APK chatbot! Pleased to see you're back in action.
You do have an interesting obsession though. You spend a lot of effort and try very hard indeed to prove that people 'eat their words' when arguing with you.
You'll never prove anyone a 'beaten opponent', because you cannot rebut a logical argument. Your opponents soon realise there's no value in debating with fools - especially those that mindlessly post lists by way of argument - and move on to more interesting things. To my gre
Re: (Score:1)
Thanks for illustrating my point for me. :-)
Re: (Score:1)
Hahhahahahahahaa keep making my argument for me, you sad old manchild.
Re: (Score:1)
Blah blah blah, obvious APK post is obvious, blah blah blah.
Closed source. Closed standards (Score:4, Insightful)
And therein we learn the lesson about closed source software and proprietary methods. If folk had adopted something based on SIP, XMPP, IAX or any other open and documented protocol, we'd be able to communicate using a tried and tested security mechanism.
For something like communications, if you're totally and absolutely reliant upon a third party then you also need to have total and absolute trust in that third party or you should consider all your communications using them to be public.
Re: (Score:3)
SIP is end to end P-P once a connection is established.
If you need to hide your IP for a Skype session, use a SIP to Skype gateway.
http://www.dslreports.com/forum/r26518054-SIP-to-Skype-Skype-to-SIP-new-method [dslreports.com]
If I Skype you, my IP will resolve to the gateway address. Skype me at skype2ipp, then enter my user name when prompted.
Re: (Score:3)
Encrypted SIP may be more secure, but does nothing to hide your IP address. A recently mentioned encrypted SIP client is Jitsi.
https://jitsi.org/ [jitsi.org]
Not sure if capturing keys for a man-in-the-middle attack is difficult. A MITM attack by Russia should only be possible when crossing a Russian server. US and Carnivore abilities are unknown.
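The ZRTP mechanism mentioned earlier in the thread and the man-in-the-middle question in this comment both come down to the same thing: ZRTP does an unauthenticated Diffie-Hellman exchange and then has the two callers read a Short Authentication String (SAS) to each other by voice. A relay that terminates the crypto on each leg ends up with two different transcripts, so the SAS values no longer match. The following is an added toy illustration of that check, not code from Jitsi, the ZRTP specification, or any poster; the 127-bit group, the fixed private values and the 4-character SAS derivation are constructed for the demo and are not the real ZRTP parameters.

```python
"""ZRTP-style key agreement with a Short Authentication String (SAS).

Constructed demonstration: each party runs Diffie-Hellman, then derives a
4-character SAS from the key-agreement transcript. In a direct call both
sides derive the same SAS; if the call is relayed through a man-in-the-middle,
the relay must run two separate exchanges and the two SAS values diverge.
"""
import base64
import hashlib
import secrets

# Toy DH group (constructed for illustration only, NOT for real use):
# a 127-bit Mersenne prime with generator 3. Real ZRTP uses 3072-bit MODP
# or elliptic-curve groups.
P = 2**127 - 1
G = 3


def dh_keypair(priv=None):
    """Return (private, public). A fixed private value may be supplied for tests."""
    if priv is None:
        priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret: peer_pub ** priv mod P."""
    return pow(peer_pub, priv, P)


def derive_sas(initiator_pub, responder_pub, shared):
    """Derive a 20-bit SAS (4 base32 characters) from the transcript.

    Hashing both public values together with the shared secret binds the SAS
    to the exact exchange each side believes it took part in.
    """
    transcript = (
        b"ZRTP-toy"
        + initiator_pub.to_bytes(16, "big")
        + responder_pub.to_bytes(16, "big")
        + shared.to_bytes(16, "big")
    )
    digest = hashlib.sha256(transcript).digest()
    # base32 of the first 5 bytes is 8 characters; the first 4 carry 20 bits.
    return base64.b32encode(digest[:5]).decode()[:4]


def honest_call(alice_priv=None, bob_priv=None):
    """Direct call: Alice and Bob exchange public values with each other."""
    a_priv, a_pub = dh_keypair(alice_priv)
    b_priv, b_pub = dh_keypair(bob_priv)
    sas_alice = derive_sas(a_pub, b_pub, dh_shared(a_priv, b_pub))
    sas_bob = derive_sas(a_pub, b_pub, dh_shared(b_priv, a_pub))
    return sas_alice, sas_bob


def intercepted_call(alice_priv=None, bob_priv=None, relay_priv=None):
    """Relayed call: the relay terminates the exchange on each leg.

    Alice is handed the relay's public value in place of Bob's, and Bob is
    handed it in place of Alice's. Each leg is still encrypted, but the two
    transcripts differ, so the SAS read out loud will not match.
    """
    a_priv, a_pub = dh_keypair(alice_priv)
    b_priv, b_pub = dh_keypair(bob_priv)
    _, r_pub = dh_keypair(relay_priv)
    sas_alice = derive_sas(a_pub, r_pub, dh_shared(a_priv, r_pub))
    sas_bob = derive_sas(r_pub, b_pub, dh_shared(b_priv, r_pub))
    return sas_alice, sas_bob


def sas_matches(sas_a, sas_b):
    """The check the two callers perform by voice."""
    return sas_a == sas_b


if __name__ == "__main__":
    print("direct call:    ", honest_call(), "match" if sas_matches(*honest_call(12345, 67890)) else "MISMATCH")
    print("relayed call:   ", intercepted_call(), "match" if sas_matches(*intercepted_call(12345, 67890, 24680)) else "MISMATCH")
```

The point of the comparison is that the relay cannot make the two SAS values agree without breaking the hash, so a mismatch is a reliable signal that the call is not end-to-end. The weak spot is human: if the callers skip the spoken comparison, or the interceptor can imitate a voice, the check gives no protection, which is why ZRTP also caches key continuity material from earlier calls.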
Re: (Score:1)
If only anybody made that stack of rawhide software, frameworks and standards into usable software...
I mean I can set up an XMPP client with OTR or GPG encryption, haven't tried doing that with SIP, but take Skype users. For most of them, comprehending what needs to be done is akin to building a fusion reactor out of household items...
As for the corporations: all of them gladly use the XMPP standard for their own ends, but only Google bothered to abandon the walled garden ideology and enabled XMPP federation on
Re: (Score:2)
Even if it were open source it could still be tapped. Just maybe not as easily.
Re: (Score:2)
How shocking! (Score:5, Insightful)
Closed source software with obscure network protocol, now owned by a corporation whose main concern isn't the users' best interest, turns out to be not so nice after all. News at 10...
The best way to use Skype for anything more important than saying hello to your grandmother for free on the internet is not to use Skype. Everybody with half a brain has known that for many years. Duh...
OMG, you can tap data sent over a wire (Score:2)
shouldn't be too hard to trace all packets coming out of an ISP's network in Russia and decode them? or at least decode enough packets for part of a call
and how many fiber connections go into russia from foreign countries? for all we know the FSB has tapped them all and is reading all the data
the NSA was doing something like this a decade ago with Narus appliances
Re: (Score:2, Insightful)
You say "decode" as though it is trivial.
You should read up a bit on encryption.
Russian Front Side Bus? (Score:1)
Am I the only one who mentally interpreted the headline as: "Russian Front Side Bus Can Reportedly Tap Skype Calls"?
Re: (Score:2)
Re: (Score:2)
No ^^
Re: (Score:2)
Uncertain. I suggest you check your power source, and reboot just to be sure. o|o
Maybe they should tell the French? (Score:3, Funny)
Would save a lot of trouble.
Re: (Score:2)
People do use Skype for business reasons. Skype sells products for business [skype.com] reasons. I use Skype for business reasons (but my business is basically public knowledge anyway, so no need to steal it). Does the business version come without the back door? Didn't think so.
One of the major sticking points with ECHELON for many was not that it was used to spy on middle school gossip, but that it was used to pass corporate intelligence to favoured "partners of the state".
It's only a matter of time before the back d
Re: (Score:2)
It also means the FSB has access to the largest porn collection in the world, and they aren't sharing.
Why? (Score:3)
Why would someone with something to hide use Skype?
Seriously - if you've got something to hide, use something to which you have the source and can control the encryption used.
Re: (Score:3)
Why would someone with something to hide use Skype?
Seriously - if you've got something to hide, use something to which you have the source and can control the encryption used.
or use skype steganography
http://www.economist.com/news/science-and-technology/21571120-tinkering-skype-can-allow-people-send-undetectable-messages-speaking [economist.com]
Re: (Score:2)
They use encryption for work, are very secure in all their data handling at home and clean when travelling.
That person becomes a target of the CIA, FSB, MI6...
Personal calls might give insight into life outside marriage/work
Drugs, debt, stress, parties, music, hobbies, lifestyle failures/happiness, addictions to a type of adult ma
Special services (Score:4, Insightful)
Special services have been capable for several years not only to wiretap but also to locate a Skype user.
Special services have been capable for several years not only to wiretap but also to locate cellular phone and landline users.
Jitsi (Score:2)
Jitsi provides ZRTP encrypted voice chat. It's free, open source, and cross platform. Why use Skype?
Re: (Score:3)
Because everyone else uses skype.
People who don't get this are the same people who don't understand why Facebook is more popular than Diaspora.
Re: (Score:2)
There are two people in every conversation. If one uses Jitsi and one uses Skype, why should they settle on the insecure option?
Re: (Score:3, Informative)
If one uses Jitsi and one uses Skype, why should they settle on the insecure option?
They'll choose Skype because that's the one that the person who isn't a tech expert already has working. Unless you're really keen on doing more free tech support...
Re: (Score:2)
If it's anything remotely important, a little tech support is a small price to pay for security.
Re:Jitsi (Score:4, Insightful)
aka "The Path to Idiocracy". It's true, though, and it should be an object lesson that technically sound software needs to be trivially easy to install and configure as well if it's to do much societal good.
Re: (Score:3)
It's not idiocracy, it just seems that way because you're technically minded.
Just the other day I was trying to answer several questions about hacking, viruses, computer security, etc for a family member, and I realized (for the millionth time) just how hard it is to convey the framework that a non-techie would need in order to begin understanding a lot of this stuff.
And in order for everyone to decide to use a more secure option, everyone needs to realize that the current option is really really bad and what
Re: (Score:1)
As I've posted elsewhere, and advocated forever, the 1st distro to offer a combined client/server platform that runs only with encryption (GPG), TLS/SSL, etc... will win the day.
Non-techies won't have to know all the details of why their home machines are safer; only that they are using the best security has to offer.
With easy-to-use GUIs for configuration of their services/servers and a dyndns address, they would have complete granularity over what they share and how.
Nice pipe dream of mine.
Re: (Score:2)
Using GPG requires others who have GPG keys that are integrated with your keychain. That takes work. You also need to educate the userbase on how to differentiate unsigned, signed, and tampered with email. Ditto SSL.
As always, the hardest problems in computing are the human ones.
Re: (Score:1)
Agreed. And a working solution might be to consider trading the issue of net-neutrality w/the telcos in exchange for them allowing end-users to run their own servers/services.
This way everyone can have their own XMPP and give accounts to those they want to 'talk' to.
Installing something like "Deb-Secure", end-users could run their own 'face-book' webapps and have fine-grained controls over what gets shared - no advertising; and over SSL/TLS - less DPI.
Decentralization has always been found to be a good anti
Re: (Score:2)
yeah, because google puts your data into al bore's social security lockbox and won't ever use it for marketing
Re: (Score:3, Funny)
Why the hell would I want a Skype account?
Because otherwise people won't talk to you. That's nice at first (very nice!) but after a while it leads to you not getting paid any more, which is very much not nice. The issue? People who communicate are better at making contacts and better at winning business. Over the longer term, this is a very important effect.
But at least there's one thing. If the FSB listen into my skype conversations, the joke will be on them. In particular, those meetings are so incredibly boring that they'll lose the will to live
Re: (Score:2)
You wouldn't, if you have no one you care about talking to. If you do, you can either use Skype, or accept the fact that you aren't going to convince them to use Jitsi.
Re: (Score:1)
Nothing confirms a story like an official denial.
caveat emptor (Score:2)
This is a report in a newspaper citing unspecified sources. Moreover, it is in the FSB's interest to have people believe that they are more capable/powerful than they really are. A large grain of salt is definitely in order.
Re: (Score:1)
Moreover, it is in the FSB's interest to have people believe that they are more capable/powerful than they really are.
You don't state why, but I'm guessing for intimidation/control purposes. Which is certainly a point.
However:
It is also in the FSB's interest to have people underestimate their powers so they will be incautious, using systems they believe are secure which the FSB can crack.
It is also in the FSB's interest to have people have a roughly correct idea of their capabilities, because when their real c
Re: (Score:2)
> You don't state why, but I'm guessing for intimidation/control purposes.
Correct.
> It is also in the FSB's interest to have people underestimate their powers so they will be incautious, using systems they believe are secure which the FSB can crack.
I doubt it. Perhaps for NSA it is true, but most of FSB's power is based on raw force and intimidation, not any particular competence.
And people who are really serious about security would use more secure systems in any case.
Next! (Score:1)
This is why the anti-trust watchdogs have backed off in the US -- MS agreed to build in backdoors for spying in its OS.
I had suspected it, but proof was hard to come by.
I predict antitrust problems for Google Chrome/Android products in a few years.
Re: (Score:2)
I predict antitrust problems for Google Chrome/Android products in a few years.
Nah, they've already rolled over. It's not a violation of "do no evil" to piss on the Constitution as long as the Government tells you it's ok.
Rather the FSB than the NSA (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
You know Kaspersky is best buds with FSB.
My point exactly - if I'm going to be spied on I'd rather have it be done by some outfit that has no real interest in me and no real power over me. I also "trust" them in the sense that I doubt they're going to mess w/ my bank account or something (unless they're doing charity and want to make a deposit).
If you have interesting tastes in websites and have high security I am sure they would consider using that as leverage to get you to act as an agent for them.
True, but I have no security clearance and the most interesting website I read is Slashdot. Now that's sad.
Re: (Score:2)
A solution? (Score:1)
How could we guarantee no spying or eavesdropping via Skype? I think some sort of scrambling/de-scrambling/encryption program that sits at both ends of the Skype connection would do the trick. I'm surprised nothing like this already exists.
Re: (Score:2)
If you are willing to go through that trouble, just use something else.
Re: (Score:2)
Exactly, and if you are using Windows then what is the point of making Skype 'secure' when it runs on an unsecured platform. Did everyone's _NSAKEY marble fall out of their memory?
Hmmmm (Score:2)
So can the FBI (Score:2)
Is this supposed to be a big surprise or big deal? It's not to anyone who knows about information security.
I wonder.. (Score:1)
Simple Black bag job: Skype, Google, *all* of them (Score:1)
The strength of session keys does not matter. Forget difficulty of proprietary protocol reverse engineering, it is child's play.
Key negotiation is where the gold is, and there is only one real security wall that exists today among symmetric security systems: the Public Key Infrastructures with their strong prime factorization wall.
There are no other walls, only hurdles.
If someone were to pass along one little flash drive with the Certificate Authority chain signing and actual operating SSL private keys to N
skype is listening (Score:1)
Re: (Score:2)