
Skype Messages Monitored In China

Pickens writes "Human-rights activists have discovered a huge surveillance system in China that monitors and archives Internet text conversations sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay. Researchers say the system monitors a list of politically charged words that includes words related to the religious group Falun Gong, Taiwan independence, the Chinese Communist Party and also words like democracy, earthquake and milk powder. The encrypted list of words inside the Tom-Skype software blocks the transmission of these words and records personal information about the customers who send the messages. Researchers say their discovery contradicts a public statement made by Skype executives in 2006 that 'full end-to-end security is preserved and there is no compromise of people's privacy.' The Chinese government is not alone in its Internet surveillance efforts. In 2005, The New York Times reported that the National Security Agency was monitoring large volumes of telephone and Internet communications flowing into and out of the United States as part of an eavesdropping program that President Bush approved after the Sept. 11 attacks. 'This is the worst nightmares of the conspiracy theorists around surveillance coming true,' says Ronald J. Deibert, an associate professor of political science at the University of Toronto. 'It's "X-Files" without the aliens.'"

  • an interesting link (Score:1, Informative)

    by Anonymous Coward on Thursday October 02, 2008 @12:46PM (#25234707)

    http://afp.google.com/article/ALeqM5iD_wQwD-Ra3ADqTfFRGr1thY8aTA

    Seems that the problem was not buggy crypto, but their communist partner company. Should avoid these.

  • Re:Not the same (Score:2, Informative)

    by NeutronCowboy ( 896098 ) on Thursday October 02, 2008 @01:01PM (#25234937)

    Riiiight.... Here's the problem: if you'd know that one end is a terrorist, you'd go and arrest them. That's because if you have enough information to understand that a specific IP is a terrorist, you know where that IP is coming from and who is sitting behind it. The only reason to eavesdrop in this case is to get more intel, and that's easily achieved with regular FISA-type warrants.

    A blanket monitoring system outside of FISA supervision can only exist for one reason: there is not enough information about the conversation to tie it to an existing surveillance program - in other words, the NSA doesn't know that one end is a terrorist. Which in turn means that it is doing blanket surveillance based on something other than pre-existing intel.

    Quite frankly, the fact that you swallowed this piece of propaganda scares me more than the fact that it exists. Spooks will always be spooks. However, when the citizens are refusing to do a basic analysis of the propaganda they're being fed, just so that they don't have to deal with the consequences of that analysis, they stop being citizens and start being serfs.

    The only difference between what China is doing and what the US is doing is that China is overtly suppressing speech. The US is just reserving its right to do so when someone feels it's convenient. That's merely a difference of scale, not principle.

  • by mpapet ( 761907 ) on Thursday October 02, 2008 @01:03PM (#25234981) Homepage

    Except, even IF you could comb through the code, it doesn't mean that at some higher level your security isn't compromised.

    I run a VOIP server and it's ridiculously easy to monitor everything going through it despite a TLS initiated client-server session.

    - Text/sms/etc? In the database.
    - Voice? Easy to keep a listener on the call. Very easy.

    In both cases, there's encryption over the "public wire" but the server's got access to ALL of it. In the U.S., I imagine it's as simple as the NSA visits your CEO and gets full cooperation. CEO tells CTO to cooperate fully with the NSA. All of your communications are now monitored. That is, if the current monitoring at AT&T isn't enough somehow.

    The "simple" answer is to decentralize VOIP. How you find and trust VOIP peers is where that idea falls apart.

    Another idea is to encrypt/decrypt the data on the client. Your sms would be good to go. Encrypting the audio portion of the UDP packets would be very problematic. But it would work.

    Running your own communications server is good too. A dumb old P3 with 1GB of ram will run VOIP and mail just fine. In that scenario, you own/control all the parts.

  • Re:Shocked, I am (Score:3, Informative)

    by abigor ( 540274 ) on Thursday October 02, 2008 @01:28PM (#25235305)

    Tibetans make up 40% of the population in Lhasa.

    It used to be 100%. That's sort of the problem.

    The atrocities committed in Tibet by the Chinese are well-documented - the wilderness photographer Galen Rowell in particular took a large number of very damning photos, smuggled them out of the country, and when they were revealed to the world, the Chinese banned him for life from ever returning.

    It doesn't really matter whether you think the Dalai Lama is a great guy or not, or whether the Iraq situation parallels it - two wrongs don't make a right, and many Americans who oppose what's happened to Tibet also oppose the invasion of Iraq.

  • Re:Not the same (Score:4, Informative)

    by MasterOfMagic ( 151058 ) on Thursday October 02, 2008 @01:42PM (#25235489) Journal

    Secondly COINTELPRO targeted organizations such as the Ku Klux Klan and the Weatherman. Both of those organizations were actually terrorist.

    COINTELPRO also targeted the following non-violent groups:

    • Southern Christian Leadership Conference (Martin Luther King)
    • Russell Means (American Indian Movement)
    • NAACP
    • The National Lawyers Guild
    • Almost all groups protesting the Vietnam War (even the non-violent ones)

    They were also investigated by Congress by the Church Committee [wikipedia.org], which talked about COINTELPRO and drug experiments and mind control experiments [wikipedia.org].

    So, given their secrecy and refusal to play ball with the courts, and the evidence that they keep of their own wrongdoing, away from public view, I'm not willing to extend them the benefit of the doubt.

    If you don't like how the Government is then VOTE.

    I have, and many others have. We still do. That doesn't mean we can't disagree and distrust. That doesn't mean we should just hang back and accept.

  • Re:Shocked, I am (Score:2, Informative)

    by electrictroy ( 912290 ) on Thursday October 02, 2008 @01:49PM (#25235559)

    >>>China tapes phone calls so they can find out who is speaking out against the [] government...

    In the U.S. the PATRIOT ACT allows the current president, and the future 2009-2013 president to do the exact-same thing. The only difference is rather than drag the citizen in front of a firing squad, the president takes the citizen to Guantanamo Bay and holds them in prison without lawyer or trial. Different ends; but same denial of basic human rights.

  • From Skype's Website (Score:2, Informative)

    by velen ( 1198819 ) on Thursday October 02, 2008 @02:02PM (#25235755)

    [Today's Financial Times posted a story](http://news.ft.com/cms/s/875630d4-cef9-11da-925d-0000779e2340.html) about how Skype's partner TOM Online is filtering text messages in China.

    Skype has a joint venture with TOM Online. As part of that venture, we provide a co-branded version of Skype called TOM-Skype, which is the version of Skype that is available in mainland China.

    As part of the joint venture, TOM provides guidance to Skype about how to co-operate with local laws and regulations in China. In every country we operate in, we always work with local authorities to follow local laws and best practice.

    TOM operates a text filter in TOM-Skype. The filter operates solely on text chats. The filter has a list of words which will not be displayed in Skype chats.

    The text filter operates on the chat message content before it is encrypted for transmission, or after it has been decrypted on the receiver side. If the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere.

    It is important to underline:

    * The text filter does not affect in any way the security and encryption mechanisms of Skype.
    * Full end-to-end security is preserved and there is no compromise of people's privacy.
    * Calls, chats and all other forms of communication on Skype continue to be encrypted and secure.
    * There is absolutely no filtering on voice communications.

  • Re:Not the same (Score:2, Informative)

    by mathmathrevolution ( 813581 ) on Thursday October 02, 2008 @02:08PM (#25235839)

    Oh, and if it's a "beyond-top-secret classified government program", why does everyone and its brother know it exists?

    The reason people know of the existence of the classified warrantless surveillance program is, as every fool knows, because several concerned whistle-blowers came forward and disclosed illegal details of the program to the NYTimes. The NYTimes then wrote a famous article [nytimes.com] describing the known details of the lawless surveillance program. You should consider reading it. You might learn something, especially with your A in "Reading Comprehension".

  • by Anonymous Coward on Thursday October 02, 2008 @02:30PM (#25236179)

    At least in the US, Skype is legally *required* to provide CALEA-style law-enforcement interception capabilities. You can open source it and they'll still have to do that, like any other VoIP service would.

  • by DrYak ( 748999 ) on Thursday October 02, 2008 @02:57PM (#25236561) Homepage

    Except, even IF you could comb through the code, it doesn't mean that at some higher level your security isn't compromised.
    I run a VOIP server and it's ridiculously easy to monitor everything going through it despite a TLS initiated client-server session.

    No, sorry no.
    End-to-end has nothing to do with those applications that provide some toy-protection by securing communication with the server (like IMAPS or SSL protection in stock MSN).

    End-to-end means that the whole traffic is encrypted between both *end points*. A direct channel going from my software on my computer, all the way to your software on your computer. Every one else along the chain only sees crypted garbage.

    You can't spy on end-to-end encrypted traffic (I mean you can record packets, but you can't understand them). If anyone attempts a man-in-the-middle attack (at the server, for example), both end points will see the wrong encryption certificates. (Each end of the communication will see the middle-man's certificate, not the original one).

    You could compromise the system :
    - at the key exchange step the first time 2 previously unknown people get in touch (if you manage to trick each one into thinking that the key they received from *your* the first time they did exchange the key were their keys).
    - at the end point of the communication. If something is compromised at the exit of the secure channel, no matter how the channel itself is secure.
    The system could be rootkitted, or the software could be not trustworthy.

    How you find and trust VOIP peers is where that ideas falls apart

    Building a chain of trust which tops at meeting the first key persons in real life in order to exchange keys (that as that portion of communication is secured, you can obtain further security tokens from other persons).
    Or at least using a separate better trusted channel to confirm the keys' hashes.

    Another idea is to encrypt/decrypt the data on the client.

    Been done since ages on opensource implementations of IM clients. "Off the Record [cypherpunks.ca]" is currently a very popular application, running on Pidgin (plugin), Adium (out-of-the-box) and several others, and functioning as a layer above the message protocol.

    (If both end points are running OTR, when you type a message in your client, the plugin converts it into a ciphered text. Then that message is sent using the classical route of whatever protocol you use underneath (MSN, Jabber, Whatever), the client at the other end receives it too, and its plugin decrypts the message back before displaying it, and also checks if the encryption key matches.
    Regardless of what network is used, the message that transits is only something looking like line noise. Microsoft's MSN server could log it, it's still meaningless.)

    Encrypting the audio portion of the UDP packets would be very problematic

    Been done for ages too. You should google around for ZRTP (by nothing less than the author of PGP). Supported in several projects, including the open source Twinkle, support coming in Ekiga's next major release too. Nothing problematic.

    Running your own communications server is good too.

    ...as long as you use end-to-end encryption between the people.
    or at least as long as everyone exclusively uses secure communications from/to the server.
    (but then, *they* shouldn't trust it as they don't control what's happening on the server)
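
The key-exchange weakness and the out-of-band hash check described in the comment above, as an added example that is not part of the original post or of any client's code. It runs a toy Diffie-Hellman exchange through a relay; the `Relay` class, the function names and the toy group parameters are assumptions made for illustration and are not suitable for real use.

```python
import hashlib
import secrets

# Toy finite-field Diffie-Hellman group, for illustration only (assumption:
# real clients use a vetted group or curve from a crypto library).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short key hash that two peers compare over a separate trusted channel."""
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()[:16]

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

class Relay:
    """Hypothetical server that forwards public keys, or swaps in its own."""
    def __init__(self, substitute=False):
        self.substitute = substitute
        self.priv, self.pub = keypair()

    def forward(self, pub):
        return self.pub if self.substitute else pub

def exchange(relay):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_sees = relay.forward(b_pub)  # what A receives as "B's key"
    b_sees = relay.forward(a_pub)  # what B receives as "A's key"
    # Out-of-band step: each peer hashes the key it received and compares it
    # with the hash the other peer reads out from its own real key.
    verified = (fingerprint(a_sees) == fingerprint(b_pub)
                and fingerprint(b_sees) == fingerprint(a_pub))
    a_key = session_key(a_priv, a_sees)
    b_key = session_key(b_priv, b_sees)
    # Keys the relay can compute from its own private key and what it saw.
    relay_keys = {session_key(relay.priv, a_pub), session_key(relay.priv, b_pub)}
    return {"verified": verified,
            "endpoints_agree": a_key == b_key,
            "relay_has_key": a_key in relay_keys or b_key in relay_keys}

if __name__ == "__main__":
    print("honest relay:      ", exchange(Relay()))
    print("substituting relay:", exchange(Relay(substitute=True)))
```

With an honest relay the fingerprints match and the relay cannot derive the session key; when the relay substitutes its own key, it can read the traffic, and the fingerprint comparison is the step that exposes it.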

  • Don't you wish. (Score:5, Informative)

    by Ungrounded Lightning ( 62228 ) on Thursday October 02, 2008 @03:14PM (#25236879) Journal

    The US taps phone calls in an attempt to uncover evidence of violent crimes, to prevent them from happening, and to prosecute and jail those responsible.

    And the US intelligence and law enforcement agencies - at all levels and over essentially all time - have a long track record of misusing their investigations for suppressing political enemies, both individual and movements.

    This happens over and over and over. (For starters look at the FBI for a number of examples, including J. Edgar Hoover's political blackmail files and the COINTELPRO program.) It normally comes to light only a decade or more later, because it happens in secrecy and is only discovered through chance or later examination of records. So it always looks like "It used to be that way but we've cleaned it up now."

    You have to keep a tight rein on the government at all times because such power will ALWAYS be misused.

  • Re:Shocked, I am (Score:1, Informative)

    by nmosfet ( 770062 ) on Thursday October 02, 2008 @03:20PM (#25236989)

    [in reference to the Tibetan population in Lhasa]It used to be 100%. That's sort of the problem.

    When was this exactly? 12th century or something?

    from Wikipedia:
    The 11th edition of Encyclopedia Britannica published between 1910-1911 noted the total population of Lhasa, including the lamas in the city and vicinity is about 30,000[5]; a census in 1854 made the figure 42,000, but it is known to have greatly decreased since. Britannica noted that within Lhasa, there were about a total of 1,500 resident Tibetan laymen and about 5,500 Tibetan women.[5] The permanent population also includes Chinese families (about 2,000).[5] The city's residence also includes people from Nepal and Ladak (about 800), and a few from Bhotan and Mongolia and other places.[5] The Britannica noted with interest that the Chinese have a crowded burial-ground at Lhasa, tended carefully after their manner and the Nepalese supply the mechanics and metal-workers.[5]

    And Tibet before that time has been a part of China at least for the Yuan and Qing Dynasty.

  • by jbeach ( 852844 ) on Thursday October 02, 2008 @03:29PM (#25237117) Homepage Journal

    The article incorrectly states that this was as part of an eavesdropping program that President Bush approved after the Sept. 11 attacks.

    If we're talking the NSA program to secretly mass-monitor electronic communications of US citizens **whether or not** they're guilty, and with no judicial oversight - this program was actually approved by Bush **right after he got into office in January 2001**.

    http://www.truthout.org/article/jason-leopold-bush-authorized-domestic-spying-before-911 [truthout.org]

    Declassified doc showing that's the case, here: http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB24/nsa25.pdf [gwu.edu]

    This is an easy mistake to make - because whenever this program is mentioned, it's always deliberately mentioned in the context of 9/11, and mentions changes made after 9/11. But that is all spin.

    It's a shame that we have to look that far into the details to find out when a program was started - but with this administration we apparently do.

    And as a side note, it's important to know that this was started well before 9/11 - because it also proves it did nothing to stop the 9/11 attacks. This is more proof that this kind of mass warrantless eavesdropping with no oversight doesn't even make us safer from terrorists - it only puts us in more danger from our government.

    Posting this note to the original article also.

  • Re:Shocked, I am (Score:2, Informative)

    by volxdragon ( 1297215 ) on Friday October 03, 2008 @07:30AM (#25244033)

    "Citizen" being the operative word in the sentence and implying "US Citizen" given the context actually makes him mostly correct....there aren't "a few hundred cases" of US Citizens being down there...
