Skype Encryption Stumps German Police

TallGuyRacer writes "German police are unable to decipher the encryption used in the internet telephone software Skype to monitor calls by suspected criminals and terrorists, Germany's top police officer, Joerg Ziercke, said. "The encryption with Skype telephone software ... creates grave difficulties for us... We can't decipher it. That's why we're talking about source telecommunication surveillance — that is, getting to the source before encryption or after it's been decrypted.""

Skype unbreakable?

[niceone (992278)]

Well, it seems they are not really trying - they are not even talking to Skype about it.
What they want is permission to install spyware - something that is illegal in Germany at the moment:

Ziercke said there was a vital need for German law enforcement agencies to have the ability to conduct on-line searches of computer hard drives of suspected terrorists using "Trojan horse" spyware.

That's the real point of the story, not that Skype is unbreakable.

Re:Skype unbreakable?

[Silver Sloth (770927)]

Indeed. Also from TFA

Spyware computer searches are illegal in Germany, where people are sensitive about police surveillance due to the history of the Nazis' Gestapo secret police and the former East German Stasi.

I would hope that they are illegal in any civilised country.

Re:

[BobTheLawyer (692026)]

Why? If the police can, in extreme situations, apply to a court for a warrant to search a suspect's house, open their mail or tap their phone - and the US and almost every other country allows this - why shouldn't they be able to search a suspect's computer?

Re:Skype unbreakable?

[TheRaven64 (641858)]

It seems to me that, even if it were legal, it would be very hard to admit as evidence in court. If a computer is compromised then the defendant has a good defence against being responsible for anything found or done with the computer. The hard part, usually, is proving that the computer was compromised. If the prosecution are claiming that they are the ones that compromised it then there is no way a decent barrister would fail to convince the jury that their client had absolutely no responsibility for anything done to the computer.

Re:

[sumdumass (711423)]

The idea of compromised is a subjective term in most situations. When the Government or police do it, it is a tool, when credit card number spamer is doing it, it is compromised.

You see, the idea behind the compromised portion deals a lot with the intent of who compromised it. Compromised means that you don't know their intent, what they have done and cannot trust the computer for anything. This wouldn't necessarily be the case when the police do it. At least not in the virgin eyes of the courts who still b

Re:Skype unbreakable?

[TooMuchToDo (882796)]

If the police can compromise a computer, then anyone else with the right tools can. Therefore, anything found on the computer should not be admissible as there's no way to verify who (myself, the police, or a remote malicious user) has manipulated the contents of the PC.

Re:Skype unbreakable?

[corsec67 (627446)]

Especially since the police hack could introduce other vulnerabilities into the system that makes it easier for other people to exploit.

Re:

[sumdumass (711423)]

When the tight tools means physical access to the machine or a direct connection through the ISP, then the likelihood of all else drops dramatically.

There is a possibility that everyone whoever has been arrested had been framed, but the likelihood is so small that not everyone claims it nor do others think it. IT would depends a lot on what steps needed to be taken and how likely someone else could take those steps. I could also be possible that the police end up seeing some other party putting the incrimin

Re:Skype unbreakable?

[ewn (538392)]

Well they can already do that now, for example by installing microphones in suspect's homes, but it requires a court warrant and a considerable amount of work. The Bundestrojaner would make snooping simpler, both in technical and in legal terms. And we know that if technology is cheap and simple, it's going to be used more. That is, i think, the government's goal here: gaining the ability to infiltrate a large number of computers, say of a significant percentage of Muslim citizens, or the globalization sceptics of Attac, or any other group that potentially features undesirable behaviour. No court would ever allow such a sweeping surveillance, and the police doesn't have the resources to bug thousands of homes anyway.

Re:Skype unbreakable?

[bhima (46039)]

I've thought about this idea that the Bundestrojaner would make snooping cheaper and easier. I think it would have another effect: About 15 minutes after they let the first one out into the wild some teenager in Slovenia would publish a CLI app that would detect and disable it or alternately hijack the app to share the contents of the drive on whatever P2P app Slovenian teenagers are into this week. Then everyone who *really* had a reason to make sure they were not infected would have this app and only the average Joe would be out there sharing his hard drive contents with the world.

Re:Skype unbreakable?

[Sique (173459)]

There is a big difference between tapping a phone or a search warrant on the one side and a secret search of one's computer.

For a search warrant to be executed the suspect has to be present, or at least an outside witness has to be present. (I don't know about the legal situation in the U.S., but at least in Germany this is the case.)

Phone tapping can't create phone conversations that never happened.

But if you can install a software on a person's computer without him noticing, then you could also put counterbande files like the oh so beloved bomb construction howtos or kiddie porn on the computer.

The main problem with secretly spying on a computer is that it compromises the computer. From a legal point of view material gained with a secret computer search shouldn't be brought to court, because there is no way to prove that the evidence isn't faked.

Re:

[Yokaze (70883)]

In Germany, secret searches of homes are prohibited. IRC, they have to happen in the presence of a member the household, or a neighbour. The telephone, mail and internet communication are not part of the home, and can be secretly monitored under the observation of a judge. The suspect has to be informed afterwards. The home enjoys a much stronger constitutional protection than communication.

Of course, the ministry of interior and the police argue, that they can't stop the terrorists, if they can't secretly

Re:Skype unbreakable?

[Sique (173459)]

I like the old calculation we had in statistics:

- There is a severe sickness, which only one of 100,000 people gets.
- There is a test for this sickness, which is 99,9% accurate, that means, that the result of only 1 in 1000 persons is wrong. (In reality you have two numbers, one giving how high the rate is to give a false positive, and another one for the false negatives, but for the sake of the calculation we consider them equal).

How high is the chance, after you got tested positive, that you in fact have the severe sickness?

In 99 out of 100 this was a false positive.

The same goes for the search of terrorists.

Terrorists are very seldom, lets say that only 1 in 100,000 persons in Germany is a terrorist (this still gives 800 terrorists living in Germany, far too much compared with the number of terroristic acts committed!). Lets say that the police has means to be 99,9% accurate to tell beforehand if a suspect is a terrorist or not, before asking for secret computer searches.

It still means that in 99 out of 100 cases a complete innocent person's computer will be searched.

Re:

[Sique (173459)]

It's simple math.

If you randomly test 100000 people, only one of them will have the sickness. 99999 are healthy. Of those 99 will be tested positive because one out of 1000 will falsely be tested positive.

Re:Skype unbreakable?

[GroeFaZ (850443)]

Exactly. The Anti-terror craze has long reached German lawmakers, and they are in a rage creating law after law (though not as bad as in the US and UK) and seeing what survives the Bundesverfassungsgericht, the court that decides if laws are against the German Grundgesetz (Basic Law, comparable to the US Constitution).

In the case of the "Federal Trojan", it was decided in 02/07 that such measures are illegal to conduct, and decisions made by the Bundesverfassungsgericht are equivalent to laws. So what they're doing now, they're keeping the discussion (and the fear-mongering) alive and continue to develop the trojan despite it being illegal, in an effort to undermine that decision. Most notorious for this behaviour is, of all people, our Minister of Interior, Wolfgang Schäuble. He repeatedly clamored and still clamors for this and other measures which are explicitely forbidden by the Grundgesetz and the Bundesverfassungsgericht, for example shooting down abducted planes. He's one of the single largest threats to what he has to protect by job description, namely the Grundgesetz.

Re:Skype unbreakable?

[Vlad_the_Inhaler (32958)]

The term GröFaZ was *not* something you wanted to be caught using when the Nazis were in power. It is a (disrespectful) abbreviation of 'Größte Führer aller Zeiten' (Greatest leader of all times) which was what the Nazi party propaganda machinery used to call their big boss.

Re:

[OrangeTide (124937)]

Governments often tell us that there is some threat that they want to protect us from, and if we just give up a little bit of our freedom they will make society much safer. We fall for this trick over and over again.

Re:Skype unbreakable?

[oliverthered (187439)]

As a good example,
The US managed to get the UK to agree to deport anyone they asked for in case they were terrorists.

The first people the chose to ask to be deported were a bunch of bankers that had done some dodgy dealings, hardly terrorists.

And what's worse/better is that the US didn't hold up to it's part of the bargain and sign up to a similar agreement.

Re:

[vrai (521708)]

And what's worse/better is that the US didn't hold up to it's part of the bargain and sign up to a similar agreement.

Not that I'm defending this treaty in anyway, nor the period during which it was unilateral, but the US Senate signed off on it last year [bbc.co.uk]. Apparently the Senate was concerned that the UK might use the treaty to extradite IRA members who had fled to the US and that would apparently be a bad thing.

Re:Skype unbreakable?

[by Anonymous Coward]

Apparently the Senate was concerned that the UK might use the treaty to extradite IRA members who had fled to the US and that would apparently be a bad thing.

So the US government supports terrorism. Presumably only if it is done by white people with cute accents.

The US people also supported terrorism back in the day (well, those that claim to be Irish), before they understood the actual reality of terrorism.

I doubt the UK government would want to get into the hassle that extraditing any such people would inevitably lead to of course, but if the US is harbouring and protecting terrorists willingly then it really needs to sort out what its story is regarding terrorism.

Re:

[Vlad_the_Inhaler (32958)]

Back in the days of Ronnie R, the governments of Mozambique and Angola were:
a) - Communist (they may be still be)
b) - Neighbours of South Africa and supporting the ANC against the Apartheid S African government.
c) - Opposed by S African-sponsored rebel organisations (S Africa was trying to destabilise the opposition).

Both rebel organisations fit pretty much any definition of 'Terrorist' you can come up with. The US under Reagan helped finance both sets of terrorists in the name of opposing Communism.

The Co

Re:Skype unbreakable?

[Dogtanian (588974)]

I think that comment is too broad reaching. Specifically, the senators from New York and Massachusetts, where the Irish-American political influence is strongest, opposed this extradition treaty.

That's the ultimate hypocritical irony. You'd think that New Yorkers would be less inclined to support terrorists after 9/11, but it looks like the old double standard is still in place. Or at least if there are a few votes in it.

The rest of the country didn't care, but it was never high on the U.S. priorities.

They probably didn't care because the UK had already enacted its side of the bargain. Frankly, the UK government should have shoved this alleged agreement to the bottom of the pile until the US stopped trying to appease a (supposedly) tiny minority of sentimentalist fuckwits.

And frankly, if the rest of the country didn't care about this anti/pro-terrorism double standard and blocking their side of a bargain that was supposed to be in their interest, then they're just as guilty.

Can you imagine what would have happened if- during the 1980s- an organisation had tried to kill senior members of the U.S. government, including the president, and had come damn close to succeeding? And the UK had continued to allow fundraising for this organisation? That's exactly what happened in reverse with the IRA, and it defies belief that there was so little diplomatic fall-out- and it's also damn obvious that if the Americans were victims this would never happen in reverse.

And years later, when it's the US's turn to suffer the effects of terrorism, and the sycophantic UK government led by that contemptible poodle, Tony Blair, is going along with virtually *everything* their government wants, the US is still letting a bunch of sentimentalist IRA-sympathising scum and hypocritical vote-seeking senators dictate the same old double standards?

Seriously, this is beneath contempt.

Re:

[Mattsson (105422)]

It's rather obvious that what you regarded as terrorism depends on who you are.
There isn't many who see themselves as evil terrorists who's only goal is to murder and destroy.
They see themselves as freedom fighters, holy warriors, the peoples saviors, etc, etc.
Those who get shot, bombed, maimed, etc, see them as terrorists and any who support them as supporters of terrorism.

Re:

[bug1 (96678)]

Well, what if it DOES make society safer?
Safer for society as a whole, or safer for the elites ?

is there a balance of some sort to be found?
A perception of balance... balance according to which perspective ?

What's a good place to draw the line?
Does there have to be a "line", can freedom vs security be seen in black and white ?

People always repeat the "he who sacrifices liberty for security..." line, but what would a better solution be?
Those with power will always say they need more of it, how can those with

Re:Skype unbreakable?

[presarioD (771260)]

Well, what if it DOES make society safer?

History has repeatedly proven that when a government asks its citizens to give up liberties it is working against making society safer but more absolute and submissive. Can you provide with any example where people who gave up their freedoms became safer? I can cite alot of counterexamples: nazi/fascist/communist governments that miserably failed in all fronts, including safety (the state safety-keeping apparatus turned against the citizens). Now neo-capitalism wants to join the club and they are going to be different exactly why?

Please don't use the words "democracy and freedom" in your answer, I've just eaten...

I long for the day

[GroeFaZ (850443)]

when technology allows brain implants and wireless brain-to-brain communication. Oh joy.

Re:

[MichaelSmith (789609)]

when technology allows brain implants and wireless brain-to-brain communication.

Then Governments will want to install spy ware in your brain to listen in on your illegal communications/thoughts. Just make sure you aren't remembering any songs against the wishes of the copyright holders.

Re:

[KiloByte (825081)]

Naturally, it would be strange if no one thought of making such a phone. What bothers me is, no one seems to use encryption. We're swamped with news about latest new and shiny phones, yet there's never a word about a real phone having such a feature. This /. article, for example, talks about Skype which is not available on portable devices -- and even if it was, black-box encryption is worthless. Skype is known to cooperate with China, for example -- so their encryption may be trustworthy enough against

Great

[dalmiroy2k (768278)]

Not only Skype gives us free, multiuser lag-free video conference with excellent quality, now we know our conversations are private.
I have nothing to hide, but nothing to share either.

Re:Great

[paulhar (652995)]

Assumption: this isn't dis-information designed to make us all feel safer about using Skype's encryption

Hanlon's Razor

[Moraelin (679338)]

While normally I would encourage a moderate dose of paranoia, I'd also recommend it to be balanced by Hanlon's Razor: never attribute to malice, that which is adequately explained by stupidity.

This being Germany, for a start you have to realize that the police doesn't seem to be particularly incline toward conspiracies, nor any good at it. They're also (still) more monitored than what, judging by the news coming from the USA, seems to be the case with the FBI and CIA. These guys will tell you up front that

Re:

[abigor (540274)]

I wouldn't trust skype encryption to be secure, after all everyone has the capability of decrypting it with the skype client.

I can't see how it would be that difficult to monitor traffic through an ISP's gateway.

This is incorrect - Skype uses RSA and symmetric session keys, not a permanently fixed symmetric key. Only the person(s) you want to hear your call will be able to hear it.

There is no way to monitor Skype traffic at the ISP.

You can read an independent security review here: http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf [skype.com]

Re:

[Slashidiot (1179447)]

Just to be extra-safe, I'll be using skype and talking in ROT13.

isn't that the point of encryption?

[petes_PoV (912422)]

encryption with Skype telephone software ... creates grave difficulties for us... We can't decipher it.

Whether it's the police or just some nosey old git (Q: how can you tell the difference?) who's eavedropping on your conversation, the point is that only the person you're talking to should be able to decrypt the data.

If the police don't like that, that can always try to outlaw it - or require that keys are made available to them.

The problem you get then is people who "spoof" an encrypted datastream by just sending random numbers (tho' not from a Microsoft source as we've recently been told) down the line.
How do you know when a stream of apparently encrypted data has been decoded anyway?

Re:isn't that the point of encryption?

[sid77 (984944)]

If the police don't like that, that can always try to outlaw it

If cryptography is outlawed, bayl bhgynjf jvyy unir pelcgbtencul.

Good Police Work

[hanssprudel (323035)]

This is a good thing. Having to install monitoring at the source or destination means an operation that requires effort and, hopefully, a court order. This means that their is judicial oversight, and that to catch criminals police have to do, you know, police work rather than just sitting around spying on us.

Ubiquitous encryption does not make law enforcement impossible. It just makes indiscriminate law enforcement impossible.

Plenty of attacks left, thank you very much

[Noryungi (70322)]

According to this PDF document [skype.com], Skype encryption is based on open standard (such as AES, SHA-1, etc).

According to this article [wired.com], our good friends at the NSA "may" have put backdoors in some of the technologies that could be used by Skype.

And, then, according to this other article [theage.com.au], it does not matter what technologies you use, if your CPU is wide open to analysis and crypto attacks.

And, of course, there is the question of using a 'secure' communication system on a completely insecure operating system, such as Windows. Why do you think they talk of intercepting the communication before it becomes encrypted? Probably because the vast majority of suspects use Windows. Using Linux, or MacOS, would not be much of an improvement either.

Conclusion? Well, the Bundespolizei (that's German police to you) may not have the means to decipher your skype communications right now. But it's getting there, thank yo uvery much. And there are agencies out there who certainly can, and will.

And what happened to free german crypto? I thought Germany had the only sane policy about crypto in the industrial world?

Re:

[SerpentMage (13390)]

Yeah I think they can't break the encryption, and not because they can't break the encryption itself. But if you read the article look at what it says.

>> Experts say Skype and other Voice over internet Protocol (VoIP) calling software are difficult to intercept because they work by breaking up voice data into small packets and switching them along thousands of router paths instead of a constant circuit between two parties, as with a traditional call.

That's the real problem. The packets are scattered a

yes, it's not rot13

[borkee (661922)]

and german police is not alan turing, obviously

Don't throw me in dat dere briar patch!

[fishdan (569872)]

We cannot break Skype encryption, and we have publicly announced that, so it's perfectly safe for you to keep on using it! Really!

Re:

[Fzz (153115)]

This is exactly what I would proclaim if I was able to decrypt the traffic and want users to think that I couldn't. Maybe not all whatever terrorists would fall for this but some would.

But then again, maybe they're smarter than this. Maybe they really can't break it. But they want you to think they can break it, so they tell you they can't, because they know terrorists (and slashdotters) always expect the government to try and mislead them. Great way to undermine confidence in Skype in circles of suspi

Snatch 2007

[moro_666 (414422)]

couldn't resist. this is just so "snatch" :

Turkish: F*ck me, hold tight. What's that?
Tommy: It's me belt, Turkish.
Turkish: No, Tommy. There's a Skype in your trousers. What's a Skype doing in your trousers?
Tommy: It's for protection.
Turkish: Protection from what? "Zee Germans"? ;-)

It's all about building trust..

[OlivierB (709839)]

Oh noes, the police can't decipher Skype! We're all gonna die!
Yeah right.
If you are paying attention, Skype is incorporated in Luxembourg, which is part of the EU, just like Germany (they actually share borders).
Do you think the EU would allow for some European company to provide tools to "terrorists" without having eavesdropping ability?

Now for the real story; German Police is putting on a little show so people actually trust *more* the closed-source Skype software.

If the German Police had no way of eavesdropping they would either (a) Shut up about it or (b) Actually say they have supercomputers that can decipher anything (even if this is not true). (a) or (b) would create enough FUD for "terrorists" to actually distrust Skype as a communication medium.

This is all spin doctor speak, and I would never trust Skype for sensitivie material communications. The Zfone project http://zfoneproject.com/ [zfoneproject.com] is a much more secure system.

Getting Through the Encryption Not the Story

[segedunum (883035)]

Getting through the encryption is not the story here. What they want to do is this:

"There are no discussions with Skype. I don't think that would help," he said, adding that he did not want to harm the competitiveness of any company. "I don't think that any provider would go for that."

If you are talking about getting to data after encryption, or before, why wouldn't you talk to Skype?

Ziercke said there was a vital need for German law enforcement agencies to have the ability to conduct on-line searches of computer hard drives of suspected terrorists using "Trojan horse" spyware.

This is completely unrelated to being able to tap encrypted communications. This is on a whole different level, and contravenes many laws brought into many countries for spyware and data protection.

These searches are especially important in cases where the suspects are aware that their internet traffic and phone calls may be monitored[?????!!!!!!] and choose to store sensitive information directly on their hard drives without emailing it.

God only knows what this means.

Ziercke said worries were overblown and that on-line searches would need to be conducted only on rare occasions.

How would they propose to do this, and get 'software' installed undetected?

"We currently have 230 proceedings related to suspected Islamists," Ziercke said. "I can imagine that in two or three of those we would like to do this."

Well, being an Islamist or belonging to some other group is not a crime, and I dare say if you searched many peopless hard drives for stuff about bombs and explosives then you could find something. That doesn't mean that they're going to do anything.

This is yet another old and decrepit security services organisation, worried about its future, worried about its funding, people who are worried about their jobs and worried about its place in the world.

Re:

[bhima (46039)]

"Islamist" is newspeak for a militant extremist Muslim. In my mind, because it lacks militant or extremist, it is double plus ungood.

I hear it on the English language news broadcast in Austria / Germany all the time. Don't they use it in the US?

Smells like BS to me

[DrXym (126579)]

Even assuming the crypto is perfect, the police would still be able to infer a lot from who is calling who. A terrorist communicating with another terrorist, shows they know each other, where they are in the world, what their calling routines are (frequency, time, who they call next), the length of conversation and so on. They might even be able to infer who is doing the most talking from the amount of traffic in each direction. All without knowing the actual conversation text.

And that assumes the crypto is perfect and the police / intelligence services are incapable of decrypting it, playing man in the middle, or failing that installing a trojan, or planting a bug, or listening through a wall or whatever.

It sounds like BS. Even perfect crypto gives them more information that they had to begin with. It sounds like they want to have their cake and eat it too.

I'm concerned about my uncles dog.

[forgoil (104808)]

Are they really thinking that they can thwart terrorists and such with this kind of surveillance? Any nonsense sentence can be a code to act, it's been used for ages. The idea of the intelligence organization sitting in cubicles and spying from a chair is bound to fail, and has failed many times over. So this is both useless, and effectively is spying on a countries citizens. This is what Stasi did, this is classic KGB, it smells of Gestapo, is this what we call freedom? Privacy is more important than it has ever been, and we will fight for it, and declaring war on your own people because they want their privacy is just as bad as the terrorists and the mafia.

Idiots, Skype decrypts calls for all authorities!

[barwasp (1116567)]

Skype is a telecommunications company and for having their teleoperator license required to allow wiretaps for law enforcement purposes - so it works also in USA. Or do you thing that USA would just allow osama bin laden to host conference calls with wannabe terrorists using Skype. In fact Skype clearly admits [usatoday.com] that they decrypt the calls for all requesting authorities.

Kurt Sauer, Skype's chief security officer, said there are no "back doors" that could let a government bypass the encryption on a call. At the same time, he said Skype "cooperates fully with all lawful requests from relevant authorities." He would not give particulars on the type of support provided.

The german police just wants to install trojan horses for monitoring the germans. If the polizei were really after those encrypted skype calls they would just sue skype, and not be whining their lack of skills in public.

Lost in Translation

[DancesWithBlowTorch (809750)]

That's a translation problem. The agency in question here is the "Verfassungsschutz" (meaning, ironically, "Federal Agency for the Protection of the Constitution"), which is the German Version of the NSA (not that this name is any better). The submitter just couldn't be bothered to go through all that hassle and called it "the police".

Now, while the VS certainly doesn't have the means of the NSA, it is indeed a rather sophisticated service, and I am entirely convinced it is not beyond their means to emplo

Re:

[Alphager (957739)]

That's a translation problem. The agency in question here is the "Verfassungsschutz" (meaning, ironically, "Federal Agency for the Protection of the Constitution"), which is the German Version of the NSA (not that this name is any better). The submitter just couldn't be bothered to go through all that hassle and called it "the police".

Now, while the VS certainly doesn't have the means of the NSA, it is indeed a rather sophisticated service, and I am entirely convinced it is not beyond their means to employ really good security experts.

Nope, Ziercke is President of the BKA, the Bundeskriminalamt. That's the federal equivalent of the LKA aka Landeskriminalamt aka Police.