Slashdot
Skype Messages Monitored In China
Posted by CmdrTaco on Thu Oct 02, 2008 12:09 PM from the privacy-in-stereo dept.
Pickens writes "Human-rights activists have discovered a huge surveillance system in China that monitors and archives Internet text conversations sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay. Researchers say the system monitors a list of politically charged words that includes words related to the religious group Falun Gong, Taiwan independence, the Chinese Communist Party and also words like democracy, earthquake and milk powder. The encrypted list of words inside the Tom-Skype software blocks the transmission of these words and records personal information about the customers who send the messages. Researchers say their discovery contradicts a public statement made by Skype executives in 2006 that 'full end-to-end security is preserved and there is no compromise of people's privacy.' The Chinese government is not alone in its Internet surveillance efforts. In 2005, The New York Times reported that the National Security Agency was monitoring large volumes of telephone and Internet communications flowing into and out of the United States as part of an eavesdropping program that President Bush approved after the Sept. 11 attacks. 'This is the worst nightmares of the conspiracy theorists around surveillance coming true,' says Ronald J. Deibert, an associate professor of political science at the University of Toronto. 'It's "X-Files" without the aliens.'"
Related Stories
Your Rights Online: European Crackdown On Skype "Loophole" 230 comments
angry tapir writes "Suspicious phone conversations on Skype could be targeted for tapping as part of a pan-European crackdown on what law authorities believe is a massive technical loophole in current wiretapping laws, allowing criminals to communicate without fear of being overheard by the police. Eurojust, a European Union agency responsible for coordinating judicial investigations across different jurisdictions, has announced the opening of an investigation involving all 27 countries of the European Union."
Shocked, I am (Score:5, Funny)
Writing through a scribe over Skype from mainland China, I can confidently say that messages about Falun Gong are not being
Re: (Score:3, Funny)
the system monitors a list of politically charged words that includes words related to the religious group Falun Gong
I hope one of those words is 'lol'
Re:Shocked, I am (Score:5, Insightful)
The US taps phone calls in an attempt to uncover evidence of violent crimes, to prevent them from happening, and to prosecute and jail those responsible.
China taps phone calls so they can find out who is speaking out against the one-party government, or bringing up other embarrassing subjects, so that they can send police to drag them out of their house, and put them in front of a firing squad.
Clearly, the two are not at all different.
Re:Shocked, I am (Score:4, Insightful)
Don't bother.
The First rule of Slashdot (and US liberalism in general) is that it's ALWAYS the fault of the US.
The Second rule is that if it isn't the fault of the US, what the US does is equally bad or worse.
The Third rule is that, if a situation arises that doesn't fall neatly into the rules above, see the rules above.
Don't you wish. (Score:5, Informative)
The US taps phone calls in an attempt to uncover evidence of violent crimes, to prevent them from happening, and to prosecute and jail those responsible.
And the US intelligence and law enforcement agencies - at all levels and over essentially all time - have a long track record of misusing their investigations for suppressing political enemies, both individual and movements.
This happens over and over and over. (For starters look at the FBI for a number of examples, including J. Edgar Hoover's political blackmail files and the COINTELPRO program.) It normally comes to light only a decade or more later, because it happens in secrecy and is only discovered through chance or later examination of records. So it always looks like "It used to be that way but we've cleaned it up now."
You have to keep a tight rein on the government at all times because such power will ALWAYS be misused.
Re:Shocked, I am (Score:5, Insightful)
Other than your assertion, got anything to back that up? Certainly, other than China saying it, I see no evidence whatsoever of them having any aspects of being a cult.
I've known several people who were practitioners, and they were some of the nicest, kindest, straight up people I've known. I've skimmed their literature, and I don't see anything in it that I would classify as crazy.
But, the vast majority of what he says about the situation in Tibet is documented, historical fact. And, we listen to what he says because if you read the huge volume of Buddhist writings he's done, he's a very smart guy with a very broad and inclusive world view.
It's awfully hard to come to the conclusion that he's any of the things that China paints him as in light of the rest of the way he has lived his life. Even though it might appear that he has an incentive to distort the truth, the whole package makes it a little implausible that he's secretly evil and sneaky.
Cheers
First post (Score:5, Funny)
In end-to-end security... (Score:5, Insightful)
...the last thing to trust is a closed-source implementation or, even worse, a proprietary protocol.
though I think real paranoid people won't trust something like Skype, right?
Re:In end-to-end security... (Score:5, Insightful)
This is not about real paranoid people. The real paranoid people (like me) never trusted skype (encrypted, closed source binary blob).
This news is for the non-tinfoil-hat people. Now they too know, like us paranoid people, that their conversations are tracked, recorded, monitored and archived. For real. And now they know, if they read and understand the news, that what Skype said to us all ('full end-to-end security is preserved and there is no compromise of people's privacy.') was a lie. Skype (eBay) lied, maybe one time, maybe on other, more important things too, and maybe they will do it again.
Re:In end-to-end security... (Score:5, Informative)
Except, even IF you could comb through the code, it doesn't mean that at some higher level your security isn't compromised.
I run a VOIP server and it's ridiculously easy to monitor everything going through it despite a TLS initiated client-server session.
- Text/sms/etc? In the database.
- Voice? Easy to keep a listener on the call. Very easy.
In both cases, there's encryption over the "public wire" but the server's got access to ALL of it. In the U.S., I imagine it's as simple as the NSA visits your CEO and gets full cooperation. CEO tells CTO to cooperate fully with the NSA. All of your communications are now monitored. That is, if the current monitoring at AT&T isn't enough somehow.
The "simple" answer is to decentralize VOIP. How you find and trust VOIP peers is where that idea falls apart.
Another idea is to encrypt/decrypt the data on the client. Your SMS would be good to go. Encrypting the audio portion of the UDP packets would be very problematic. But it would work.
Running your own communications server is good too. A dumb old P3 with 1GB of RAM will run VOIP and mail just fine. In that scenario, you own/control all the parts.
I don't think End2end means what you think it means (Score:5, Informative)
Except, even IF you could comb through the code, it doesn't mean that at some higher level your security isn't compromised.
I run a VOIP server and it's ridiculously easy to monitor everything going through it despite a TLS initiated client-server session.
No, sorry no.
End-to-end has nothing to do with those applications that provide some toy protection by securing communication with the server (like IMAPS or SSL protection in stock MSN).
End-to-end means that the whole traffic is encrypted between both *end points*. A direct channel going from my software on my computer, all the way to your software on your computer. Everyone else along the chain only sees encrypted garbage.
You can't spy on end-to-end encrypted traffic (I mean you can record packets, but you can't understand them). If anyone attempts a man-in-the-middle attack (at the server, for example), both end points will see the wrong encryption certificates. (Each end of the communication will see the middle-man's certificate, not the original one.)
You could compromise the system:
- at the key exchange step the first time 2 previously unknown people get in touch (if you manage to trick each one into thinking that the key they received from *you* the first time they exchanged keys was the other's key).
- at the end point of the communication. If something is compromised at the exit of the secure channel, no matter how the channel itself is secure.
The system could be root-kited, or the software could be not trustworthy.
How you find and trust VOIP peers is where that idea falls apart
Building a chain of trust which is rooted in meeting the first key persons in real life in order to exchange keys (once that portion of the communication is secured, you can obtain further security tokens from other persons).
Or at least using a separate better trusted channel to confirm the keys' hashes.
Another idea is to encrypt/decrypt the data on the client.
Been done for ages on open-source implementations of IM clients. "Off the Record [cypherpunks.ca]" is currently a very popular application, running on Pidgin (plugin), Adium (out-of-the-box) and several others, and functioning as a layer above the message protocol.
(If both end points are running OTR, when you type a message in your client, the plugin converts it into ciphertext. Then that message is sent using the classical route of whatever protocol you use underneath (MSN, Jabber, whatever); the client at the other end receives it too, and its plugin decrypts the message back before displaying it, and also checks whether the encryption key matches.
Regardless of what network is used, the message in transit only looks like line noise. Microsoft's MSN server could log it; it's still meaningless.)
Encrypting the audio portion of the UDP packets would be very problematic
Been done for ages too. You should google around for ZRTP (by nothing less than the author of PGP). Supported in several projects, including the open source Twinkle, with support coming in Ekiga's next major release too. Nothing problematic.
Running your own communications server is good too.
...as long as you use end-to-end encryption between the people.
or at least as long as everyone exclusively uses secure communications from/to the server.
(but then, *they* shouldn't trust it as they don't control what's happening on the server)
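The comment above, and the VoIP-server comment it replies to, together make three points: encrypting only to the server leaves the operator with the plaintext; an end-to-end scheme with a man-in-the-middle at the server shows each party a key that is not their peer's; and the fix is to confirm key hashes over a separate channel. The Go program below is an added illustration, not code from any commenter, from Skype, or from OTR or ZRTP. The types endpoint and Result, the functions Exchange and Fingerprint, the constructed sample message, and the use of a bare SHA-256 in place of a proper KDF are my own assumptions. It uses only the Go standard library (crypto/ecdh needs Go 1.20 or newer).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on error (acceptable in a demo, not in production code).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// endpoint is one user's client holding an X25519 key pair (demo type, not Skype's or OTR's).
type endpoint struct{ priv *ecdh.PrivateKey }

func newEndpoint() *endpoint { return &endpoint{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }

// pub is the raw public key that travels through the (untrusted) server.
func (e *endpoint) pub() []byte { return e.priv.PublicKey().Bytes() }

// Fingerprint is the short hash the two users compare over a separate channel
// (read aloud on a phone call, or in person) to catch a swapped key.
func Fingerprint(pub []byte) string {
	sum := sha256.Sum256(pub)
	return fmt.Sprintf("%x", sum[:8])
}

// sessionKey turns the X25519 shared secret into an AES-256 key.
// Assumption: SHA-256 of the raw secret stands in for a real KDF such as HKDF.
func (e *endpoint) sessionKey(peerPub []byte) []byte {
	shared := must(e.priv.ECDH(must(ecdh.X25519().NewPublicKey(peerPub))))
	k := sha256.Sum256(shared)
	return k[:]
}

func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...)
}

// open reverses seal; it returns an error if the key or the ciphertext is wrong.
func open(key, msg []byte) ([]byte, error) {
	g := aead(key)
	if len(msg) < g.NonceSize() {
		return nil, fmt.Errorf("message too short")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}

type Result struct {
	FingerprintsMatch  bool // did Alice's out-of-band check of Bob's key pass?
	ServerSawPlaintext bool // could the relay read the message?
	BobGotPlaintext    bool // did the message reach Bob intact?
}

// Exchange relays one message Alice -> server -> Bob. With interpose=true the server swaps in
// its own key pair in each direction: a man-in-the-middle at the server, which is also,
// structurally, what a hop-by-hop "TLS to the server" design gives the operator.
func Exchange(interpose bool) Result {
	alice, bob := newEndpoint(), newEndpoint()
	plaintext := []byte("constructed sample message") // constructed, not real traffic
	toBob, toAlice := alice.pub(), bob.pub()          // public keys as relayed by the server
	var srvA, srvB *endpoint                          // server-side keys facing Alice and Bob
	if interpose {
		srvA, srvB = newEndpoint(), newEndpoint()
		toBob, toAlice = srvB.pub(), srvA.pub()
	}
	// Out-of-band check: Bob reads Fingerprint(bob.pub()) to Alice by phone, and
	// Alice compares it with the fingerprint of the key she actually received.
	match := Fingerprint(toAlice) == Fingerprint(bob.pub())
	// Alice encrypts to whichever key she received and hands the packet to the server.
	wire := seal(alice.sessionKey(toAlice), plaintext)
	serverRead := false
	if interpose {
		pt, err := open(srvA.sessionKey(alice.pub()), wire) // the server holds the matching private key
		serverRead = err == nil && bytes.Equal(pt, plaintext)
		wire = seal(srvB.sessionKey(bob.pub()), pt) // re-encrypt towards Bob
	} else {
		serverRead = bytes.Contains(wire, plaintext) // an honest relay only ever sees ciphertext
	}
	got, err := open(bob.sessionKey(toBob), wire)
	return Result{match, serverRead, err == nil && bytes.Equal(got, plaintext)}
}

func main() {
	fmt.Printf("honest relay: %+v\n", Exchange(false))
	fmt.Printf("interposed:   %+v\n", Exchange(true))
}
```

Run it with `go run`. In both runs Bob receives the message intact, which is the point: the interposed relay is invisible to the users unless they compare fingerprints, and the honest and interposed cases differ only in whether the key Alice received hashes to the value Bob reads to her. A "TLS to the server" design is the interposed case on purpose, so the operator (or whoever compels the operator) reads everything; the separate-channel fingerprint check is what turns the comment's "meet in real life to exchange keys" into something the software can verify.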
Sentries (Score:3, Funny)
I'm writing from China right now (Score:5, Funny)
Hold on, someone is at the door...
CHINA IS A GREAT NATION THAT WOULD NEVER INVADE MY PRIVACY. THIS ARTICLE IS UNFOUNDED AND BIASED.
Open source (Score:5, Insightful)
This is also an argument in favor of using open source software. I've been dubious in the past about claims that closed-source vendors couldn't be trusted, but apparently I was being naive.
Sounds like the FSF [fsf.org] got this one right.
A new arms race? (Score:4, Interesting)
There are a couple of messaging programs that use encryption. People tend to simply not care in the west about things like Tor, Freenet, I2P and encryption options in text messaging but if more scenarios that are NOT linked to child porn arise, maybe people will start to consider the more legitimate reasons to fight for our right to privacy?
I believe we need more crypto-anarchists in this world. Where are the cypherpunks when we need them?
Not the worst nightmare at all (Score:5, Insightful)
'This is the worst nightmares of the conspiracy theorists around surveillance coming true,'
No. The worst nightmare would be when this comes true and no one cares.
Re: (Score:3, Insightful)
For the most part, John Q. Public is happy to hand over their rights, and they _don't_ care - and I am scared.
Either open-source the Skype engine or abandon it (Score:4, Interesting)
Either open-source the Skype engine or abandon it.
Skype devices could still be manufactured only under license, so their profit stream wouldn't dry up. No doubt it's all trademarked and copyrighted and patented to hell and back by the company anyway, so open-sourcing wouldn't be giving free rein to the competition.
But if they want to retain a trusting customer base, the only option now is to open-source the Skype engine and protocol, otherwise it's end of game.
I'll certainly be letting all my friends know about this. While they may be discussing only granny's Xmas presents or their boyfriends' vital measurements, it's no business of the snoop agencies to hear it.
Meanwhile, it's not as if VoIP didn't have any open alternatives. There is no need to support a vendor that cannot be trusted.
Joke about freedom of mail (Score:4, Funny)
A communist from the West decides to move to the USSR. He explained to his friends that he would write letters to them. Worried about freedom of mail, he explained to them that if he writes anything in red ink, that would mean that reality is the opposite of what is written.
He moves there, and after a while, the first mail finally arrives. It says: "Everything is great here in USSR. People are happy, wealthy, there is a lot of everything in stores, freedom is enormous. The only problem I have seen here is that you cannot buy any red ink."
Where is the insecurity? (Score:5, Interesting)
Maybe I'm missing something, but is this necessarily evidence that the Skype client and transmission are not themselves secure? The third link [skype.com] indicates that TOM-Skype uses TOM-specific client software that does the filtering (which Skype knew about). Isn't it likely that that software is also what's squealing to the monitoring system (which Skype apparently didn't know about) despite the supposed end-to-end security of the actual transmission over the Skype protocol? Is there any evidence that the monitoring is going on during the transmission, rather than this being a case of the TOM software phoning home separately?
I'm not suggesting that the Skype client should be trusted even outside of China—if it's closed-source, it might as well not encrypt anything at all—and this story certainly seems to cast additional doubt on it. But nonetheless, couldn't the foul play here be limited to the "TOM" side of TOM-Skype?
Bush approved eavesdropping program BEFORE 9/11 (Score:5, Informative)
If we're talking the NSA program to secretly mass-monitor electronic communications of US citizens **whether or not** they're guilty, and with no judicial oversight - this program was actually approved by Bush **right after he got into office in January 2001**.
http://www.truthout.org/article/jason-leopold-bush-authorized-domestic-spying-before-911 [truthout.org]
Declassified doc showing that's the case, here: http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB24/nsa25.pdf [gwu.edu]
This is an easy mistake to make - because whenever this program is mentioned, it's always deliberately mentioned in the context of 9/11, and mentions changes made after 9/11. But that is all spin.
It's a shame that we have to look that far into the details to find out when a program was started - but with this administration we apparently do.
And as a side note, it's important to know that this was started well before 9/11 - because it also proves it did nothing to stop the 9/11 attacks. This is more proof that this kind of mass warrantless eavesdropping with no oversight doesn't even make us safer from terrorists - it only puts us in more danger from our government.
Posting this note to the original article also.
Re:Not the same (Score:5, Insightful)
That's only if you trust the government's claims. They have a pretty bad track record. Just do some research on COINTELPRO or Mockingbird. Or realize that the FBI was openly recruiting people to spy on protest groups in Minnesota before the RNC.
Also remember that the Patriot Act has been used thousands of times against people who have done nothing terror related. Eliot Spitzer was caught because of the Patriot Act. It has mostly been used to get drug dealers and shut down strip joints.
Re: (Score:3, Insightful)
Re:Not the same (Score:4, Informative)
Secondly, COINTELPRO targeted organizations such as the Ku Klux Klan and the Weatherman. Both of those organizations were actually terrorist.
COINTELPRO also targeted the following non-violent groups:
They were also investigated by Congress by the Church Committee [wikipedia.org], which talked about COINTELPRO and drug experiments and mind control experiments [wikipedia.org].
So, given their secrecy and refusal to play ball with the courts, and the evidence that they keep of their own wrongdoing, away from public view, I'm not willing to extend them the benefit of the doubt.
If you don't like how the Government is then VOTE.
I have, and many others have. We still do. That doesn't mean we can't disagree and distrust. That doesn't mean we should just hang back and accept.
Re:Submitter is a troll (Score:5, Insightful)
I think the poster's point is that Skype is enabling this behavior, and Skype, in case you haven't noticed, has a presence all over the world.