Are you sure that the best way to hide the fact that you have found an attack against Skype is to advertise a contest with a billion dollar reward to anybody who can find the same attack (or any other one)?
But as soon as they use this evidence against someone in court, their cover will be blown. And, if they can break the encryption but refuse to use it to convict anyone, it's still safe for criminals to use.
We aren't dealing with a police agency, remember. We are dealing with a "national security" agency, and that phrase is an umbrella term that covers every type of shady business governments have engaged in since time immemorial. The NSA does not deal in "evidence" and "courts." It deals in "should we sic CIA assassins on this leader?" and "should we orchestrate a smear campaign against these nearly successful activists?" and other fun questions.
Has this really been established, or is it just presumed?
I vaguely remember reading something about the Skype team saying they would "cooperate" with law enforcement officials, but I'm not sure if that meant actually listening in on encrypted conversations or just sharing the IPs and time of connections to servers.
In the US they are probably required to provide CALEA interception capabilities to law enforcement for their dial-out service, but I doubt they have some secret interception backdoor in the software itself.
If somebody who is reverse engineering Skype found it, and it would eventually be found, the company would be ruined.
I think you underestimate the importance of Skype as an international means of communication, and overestimate the value most people place on privacy. When living abroad, it's the primary tool for keeping in touch with people back home or in other parts of the world. And why not? It's (mostly) free.
Even if Skype came out and said they were recording every conversation, I don't know if all that many people would stop using it. There wasn't all that much outrage over immunity for the big telcos, for instance.
Or did you mean the company would be ruined for some other reason besides loss of reputation? Maybe I misunderstood the comment.
Yes, I may be overestimating the reaction that people would have but it's not so much about privacy as abusing the trust of their users. I think most people would consider it pretty dishonest for Skype to place backdoors in their client application so that intelligence agencies can spy on their conversations.
It's more intentionally malicious to distribute software with a backdoor than to do what AT&T did so I really think it would upset people more.
Remember the Sony 'rootkit' fiasco? And that wasn't even really harmful, just annoying.
I'm absolutely positive, no doubts whatsoever, totally sure that it means that they can't but by saying that they can't they're trying to get you to think that they can and want their opponents to use something else.
Heise reported last year that the Austrian police is able to listen in on Skype connections. Neither Austria nor Skype confirmed or denied the story back then.
The Zfone FAQ page mentions that Skype uses a VBR codec for audio, which is insecure:
"Johns Hopkins University researchers have observed that when voice is compressed with a variable bit-rate (VBR) codec, the packet lengths vary depending on the types of sounds being compressed. This leaks a lot of information about the content even if the packets are encrypted, regardless of what encryption protocol is used. We strongly recommend that you avoid using VBR codecs if you want to make a secure phone call.
<...>
...This means that Skype is vulnerable to VBR leakage regardless of the quality of Skype's built-in crypto."
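The length leak the quoted FAQ describes, and the effect of padding every frame to one size, as an added example that is not part of the thread or the Zfone FAQ. The frame sizes, the 16-byte overhead and the 64-byte bucket are constructed assumptions, not measurements of Skype or any real codec:

```python
import math
from collections import Counter

# Constructed sample: payload sizes (bytes) a VBR codec might emit per frame.
VBR_FRAMES = {
    "silence":   [12, 12, 13, 12, 12, 13],
    "vowel":     [58, 61, 60, 59, 62, 60],
    "fricative": [34, 36, 35, 33, 35, 36],
}
OVERHEAD = 16  # assumed fixed per-packet overhead (header + auth tag)

def wire_length(payload_len, pad_to=None):
    """Length an eavesdropper sees; encryption hides content, not size."""
    if pad_to is not None:
        if payload_len > pad_to:
            raise ValueError("frame larger than padding bucket")
        payload_len = pad_to  # every frame is padded up to one fixed size
    return payload_len + OVERHEAD

def observed(pad_to=None):
    """(sound_class, wire_length) pairs for all sample frames."""
    return [(cls, wire_length(n, pad_to))
            for cls, sizes in VBR_FRAMES.items() for n in sizes]

def entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    total = len(values)
    return -sum(c / total * math.log2(c / total)
                for c in Counter(values).values())

def leaked_bits(pairs):
    """Mutual information I(class; length) = H(class) - H(class | length)."""
    h_class = entropy([cls for cls, _ in pairs])
    by_len = {}
    for cls, length in pairs:
        by_len.setdefault(length, []).append(cls)
    h_cond = sum(len(v) / len(pairs) * entropy(v) for v in by_len.values())
    return h_class - h_cond

if __name__ == "__main__":
    print("VBR, no padding : %.3f bits/frame" % leaked_bits(observed()))
    print("padded to 64 B  : %.3f bits/frame" % leaked_bits(observed(64)))
```

In this sample the unpadded lengths identify the sound class completely, while constant-size frames leak nothing about it, whatever cipher is used underneath.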
I don't think the encryption issue is the big problem. I am sure Skype's codec has been hacked already. The p2p issue could be addressed by just placing giant routers in ISPs like the US did at the telcos. The bigger problem would be transcribing a million streams at once. Also, transcribing Arabic words. That's probably what they are mostly interested in.
There are good acoustic models for English but I doubt there are for Arabic. Even if there were, the processing power requirement would be insane. I doubt Amazon EC could handle a million streams at once even if they used smaller grammars focusing on suspicious words.
Offering "billions" sounds a bit ridiculous. Wouldn't you start with a couple million and see if there are any contenders before you break out the big blank check? Something's fishy...
Isn't it enough money to just pay for the phone calls?
See the headlines now - NSA offers free VOIP service - no payment necessary, no advertising, just the fact that you have to be OK with them listening in on your calls.
By its very nature, eavesdropping on P2P is tough. How do you monitor all the packets that are routed through different paths? The only way would be Deep Packet Inspection. But again the packets are encrypted with a 128-bit key. So even if you get the packets, you'll have a tough time decrypting them.
The Skype binary also is heavily obfuscated. It won't even run if a ring 0 debugger is on your system.
Skype is pretty much based on the Kazaa p2p stack, which was cracked by quite a few people. It was quite an impressive, reasonably secure system, but not rocket science.
Did Kazaa support real time packet transfer? I guess the voice part was added on to Kazaa by the Skype team. Or the team behind the P2P framework. I forget the name. It's owned by an Estonian company if I'm right.
But you're right. It's definitely breakable. Kind of challenge that tickles those brain cells.
Um, the best antireversing/antidebugging people in the world still don't have casual game crackers beat. For "a billion dollars", I might substitute "free xbox".
The argument was made that Skype is a hard target, in part because they went through some trouble to obscure the binary. I'm just refuting that portion of the argument.
And so is Facebook too, donchaknow? Given that HN attracts all the smartest people who would probably figure this stuff out, I'd wager that pg is really a CIA operative. In fact, I suspect Microsoft is as well. I mean, if you are the NSA, what better way is there of looking at everyone's personal, electronic data?
I am not sure if the NSA is serious about the money. However, I am sure the NSA can force Skype to provide them with the encryption algorithm for wiretapping. So instead of spending billions on a third-party vendor, they might as well work with Skype. My 2 cents.
You could definitely be correct. But the article isn't that old, unless they got bought in the last thirty or so days. Quoting the article this time shows an interesting choice of words:
"But corporate parent eBay, having had to write down $1.4bn already following its $2.6bn purchase of Skype back in the bubble-2.0 days of 2005, might see an opportunity here. A billion or two from the NSA for a backdoor into Skype might make the acquisition seem like a sensible idea."
By "parent", if they get into trouble with an agency like the NSA and eBay is U.S. based (for the sake of argument), even though Skype was acquired, couldn't they 'break free' so-to-speak, and head back to Europe with their main operations? Correct me if I'm wrong, but Europe appears to still be their main base of operations while eBay is like a corporate funding "parent"... that's how I view it from the article, but I could no doubt be mistaken.
Actually, Dan Goodin at The Reg is a really credible industry reporter, who really does do actual reporting. This runs under someone else's byline, though.
There's no actual publication (outside of academia) that is good on crypto.
Without getting into drama, let me suggest that Schneier's personality and notoriety may not match his nuts-and-bolts contributions to the field. I wonder what cperciva thinks about that, but he's also far more polite than me.
I second that. And also rise to very questionable policies, in particular patenting things not clearly his. Also personal experience with his people not playing ball in standards committees.
The NSA is hoovering up packets at AT&T switching stations and now they want to listen to some encrypted phone calls.
Here's my interpretation of the offer. They have no intention of paying for an attack. If somebody attempts to claim the reward they will say "Oh, no thanks, we don't really want your attack" and then rediscover the attack themselves.
The overwhelming majority of "persons of interest" using Skype are on Windows, but substitute any other OS and the equation is no different: you're suggesting that the NSA would pay billions of dollars for a break in a protocol that runs exclusively on endpoints that the NSA can get a shell on at will.
As a practitioner I would be shocked (shocked!) if there wasn't a way within the Skype protocol to pop a shell on anyone running a Skype-branded Skype client.
Not billions, but I could certainly imagine them paying millions if someone provided them with a passive break.
Much easier to tap a few fibre optic cables (either with or without the cooperation of telcos) than to crack individual systems -- and the risk of discovery is much less, too.
This sounds like a diversion - it doesn't address what would seem to be a much larger problem of knowing which conversations are worth listening to. Also wouldn't help establish the context of the conversation/decode its actual meaning.
You only need to read a few books on the history of spying to know GCHQ, NSA et al have repeatedly made major technological breakthroughs and kept them hushed up to exploit a new edge over their adversaries. You wouldn't expect them to say Skype was easily compromised, would you? They would say the opposite.