
Skype Encryption Stumps German Police 289

TallGuyRacer writes "German police are unable to decipher the encryption used in the internet telephone software Skype to monitor calls by suspected criminals and terrorists, Germany's top police officer, Joerg Ziercke, said. "The encryption with Skype telephone software ... creates grave difficulties for us... We can't decipher it. That's why we're talking about source telecommunication surveillance — that is, getting to the source before encryption or after it's been decrypted.""
  • Skype unbreakable? (Score:5, Insightful)

    by niceone ( 992278 ) * on Friday November 23, 2007 @05:33AM (#21452521) Journal
    Well, it seems they are not really trying - they are not even talking to Skype about it.
    What they want is permission to install spyware - something that is illegal in Germany at the moment:

    Ziercke said there was a vital need for German law enforcement agencies to have the ability to conduct on-line searches of computer hard drives of suspected terrorists using "Trojan horse" spyware.
    That's the real point of the story, not that Skype is unbreakable.
    • by Silver Sloth ( 770927 ) on Friday November 23, 2007 @05:42AM (#21452551)
      Indeed. Also from TFA

      Spyware computer searches are illegal in Germany, where people are sensitive about police surveillance due to the history of the Nazis' Gestapo secret police and the former East German Stasi.
      I would hope that they are illegal in any civilised country.
      • Re: (Score:3, Interesting)

        Why? If the police can, in extreme situations, apply to a court for a warrant to search a suspect's house, open their mail or tap their phone - and the US and almost every other country allows this - why shouldn't they be able to search a suspect's computer?
        • by TheRaven64 ( 641858 ) on Friday November 23, 2007 @06:52AM (#21452859) Journal
          It seems to me that, even if it were legal, it would be very hard to admit as evidence in court. If a computer is compromised then the defendant has a good defence against being responsible for anything found or done with the computer. The hard part, usually, is proving that the computer was compromised. If the prosecution are claiming that they are the ones that compromised it then there is no way a decent barrister would fail to convince the jury that their client had absolutely no responsibility for anything done to the computer.
          • Re: (Score:3, Interesting)

            by sumdumass ( 711423 )
            The idea of compromised is a subjective term in most situations. When the Government or police do it, it is a tool; when a credit card number spammer is doing it, it is compromised.

            You see, the idea behind the compromised portion deals a lot with the intent of who compromised it. Compromised means that you don't know their intent, what they have done and cannot trust the computer for anything. This wouldn't necessarily be the case when the police do it. At least not in the virgin eyes of the courts who still b
            • by TooMuchToDo ( 882796 ) on Friday November 23, 2007 @10:41AM (#21454131)
              If the police can compromise a computer, then anyone else with the right tools can. Therefore, anything found on the computer should not be admissible as there's no way to verify who (myself, the police, or a remote malicious user) has manipulated the contents of the PC.
              • by corsec67 ( 627446 ) on Friday November 23, 2007 @11:20AM (#21454403) Homepage Journal
                Especially since the police hack could introduce other vulnerabilities into the system that make it easier for other people to exploit.
              • Re: (Score:3, Interesting)

                by sumdumass ( 711423 )
                When the right tools means physical access to the machine or a direct connection through the ISP, then the likelihood of all else drops dramatically.

                There is a possibility that everyone who has ever been arrested had been framed, but the likelihood is so small that not everyone claims it nor do others think it. It would depend a lot on what steps needed to be taken and how likely someone else could take those steps. It could also be possible that the police end up seeing some other party putting the incrimin
        • by ewn ( 538392 ) <ernst-udo.wallenborn@freenet.de> on Friday November 23, 2007 @06:52AM (#21452861) Homepage
          Well they can already do that now, for example by installing microphones in suspects' homes, but it requires a court warrant and a considerable amount of work. The Bundestrojaner would make snooping simpler, both in technical and in legal terms. And we know that if technology is cheap and simple, it's going to be used more. That is, I think, the government's goal here: gaining the ability to infiltrate a large number of computers, say of a significant percentage of Muslim citizens, or the globalization sceptics of Attac, or any other group that potentially features undesirable behaviour. No court would ever allow such a sweeping surveillance, and the police don't have the resources to bug thousands of homes anyway.
          • by bhima ( 46039 ) <Bhima,Pandava&gmail,com> on Friday November 23, 2007 @07:24AM (#21452963) Journal
            I've thought about this idea that the Bundestrojaner would make snooping cheaper and easier. I think it would have another effect: About 15 minutes after they let the first one out into the wild some teenager in Slovenia would publish a CLI app that would detect and disable it or alternately hijack the app to share the contents of the drive on whatever P2P app Slovenian teenagers are into this week. Then everyone who *really* had a reason to make sure they were not infected would have this app and only the average Joe would be out there sharing his hard drive contents with the world.
        • by Sique ( 173459 ) on Friday November 23, 2007 @07:12AM (#21452929) Homepage
          There is a big difference between tapping a phone or a search warrant on the one side and a secret search of one's computer.

          For a search warrant to be executed the suspect has to be present, or at least an outside witness has to be present. (I don't know about the legal situation in the U.S., but at least in Germany this is the case.)

          Phone tapping can't create phone conversations that never happened.

          But if you can install software on a person's computer without him noticing, then you could also put contraband files like the oh so beloved bomb construction howtos or kiddie porn on the computer.

          The main problem with secretly spying on a computer is that it compromises the computer. From a legal point of view material gained with a secret computer search shouldn't be brought to court, because there is no way to prove that the evidence isn't faked.
        • Re: (Score:3, Interesting)

          by Yokaze ( 70883 )
          In Germany, secret searches of homes are prohibited. IIRC, they have to happen in the presence of a member of the household, or a neighbour. The telephone, mail and internet communication are not part of the home, and can be secretly monitored under the observation of a judge. The suspect has to be informed afterwards. The home enjoys a much stronger constitutional protection than communication.

          Of course, the ministry of interior and the police argue, that they can't stop the terrorists, if they can't secretly
          • by Sique ( 173459 ) on Friday November 23, 2007 @07:52AM (#21453057) Homepage
            I like the old calculation we had in statistics:

            - There is a severe sickness, which only one of 100,000 people gets.
            - There is a test for this sickness, which is 99,9% accurate, that means, that the result of only 1 in 1000 persons is wrong. (In reality you have two numbers, one giving how high the rate is to give a false positive, and another one for the false negatives, but for the sake of the calculation we consider them equal).

            How high is the chance, after you got tested positive, that you in fact have the severe sickness?

            In 99 out of 100 this was a false positive.

            The same goes for the search of terrorists.

            Terrorists are very seldom, let's say that only 1 in 100,000 persons in Germany is a terrorist (this still gives 800 terrorists living in Germany, far too much compared with the number of terroristic acts committed!). Let's say that the police has means to be 99,9% accurate to tell beforehand if a suspect is a terrorist or not, before asking for secret computer searches.

            It still means that in 99 out of 100 cases a complete innocent person's computer will be searched.
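
The calculation in the comment above, worked through as an added example (not part of the original comment). It keeps the commenter's figures (1 in 100,000, 99.9% accuracy) and additionally separates the two error rates the comment mentions; the function names and the 80,000,000 population (implied by "800 terrorists") are assumptions of this example.

```python
"""Base-rate arithmetic for a rare-target screening test, in exact fractions."""
from fractions import Fraction


def posterior(prevalence, sensitivity, specificity):
    """P(person is a real target | person was flagged), by Bayes' rule."""
    true_pos = prevalence * sensitivity
    false_pos = (1 - prevalence) * (1 - specificity)
    return true_pos / (true_pos + false_pos)


def screening_counts(population, prevalence, sensitivity, specificity):
    """Expected number of people in each outcome cell of the screening."""
    targets = population * prevalence
    others = population - targets
    return {
        "true_pos": targets * sensitivity,
        "false_neg": targets * (1 - sensitivity),
        "false_pos": others * (1 - specificity),
        "true_neg": others * specificity,
    }


def max_false_positive_rate(prevalence, sensitivity, wanted_posterior):
    """Largest false-positive rate that still reaches the wanted posterior.

    From  p*s / (p*s + (1-p)*f) >= t  it follows  f <= p*s*(1-t) / (t*(1-p)).
    """
    p, s, t = prevalence, sensitivity, wanted_posterior
    return p * s * (1 - t) / (t * (1 - p))


# Figures taken from the comment.
PREVALENCE = Fraction(1, 100_000)   # 1 in 100,000 people
ACCURACY = Fraction(999, 1000)      # 99.9%, used for both error rates
# Assumption: population implied by the comment's "800 terrorists".
POPULATION = 80_000_000

if __name__ == "__main__":
    post = posterior(PREVALENCE, ACCURACY, ACCURACY)
    print(f"P(target | flagged) = {float(post):.4%}")

    cells = screening_counts(POPULATION, PREVALENCE, ACCURACY, ACCURACY)
    for name, value in cells.items():
        print(f"{name:>9}: {float(value):,.1f}")

    # How good would the test have to be for a flag to be right half the time?
    fpr = max_false_positive_rate(PREVALENCE, ACCURACY, Fraction(1, 2))
    print(f"false-positive rate needed for 50% posterior: {float(fpr):.2e}")
```

With the comment's numbers, roughly 80,000 non-targets are flagged alongside about 800 real ones, and the false-positive rate would have to fall to about the prevalence itself before a flag is right half the time.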
        • Re: (Score:2, Insightful)

          apply to a court for a warrant

          You've just answered the question yourself: without a search warrant, the scope for abuse is immense.

          Of course there are the usual, broad categories (terrorist, pedophiles, criminals, etc.) that make it sound as the sensible thing to do, but once you grant such sweeping powers, what's preventing the police to use them to spy on political opponents, activists, or anyone else who just happens to "think different"?

          RT
          --
          Your Bookmarks. Anywhere. Anytime. [simplybookmarks.com]

        • That's absolutely fine.

          However why do they need a trojan horse to search the computer when they have a warrant which gives them physical access to the computer?
    • Yes, feels like not being able to eavesdrop Skype conversations is just an excuse to get spyware on people's computer. I'm OK with the police doing that, IF a judge decides there is some kind of spyware warrant for that particular person on that particular time.
      • Re: (Score:3, Insightful)

        by OrangeTide ( 124937 )
        Governments often tell us that there is some threat that they want to protect us from, and if we just give up a little bit of our freedom they will make society much safer. We fall for this trick over and over again.
        • Comment removed based on user account deletion
          • Well, what if it DOES make society safer?

            I'd say that right now, society is plenty safe enough, but our privacy isn't strict enough. Time to make errors in the direction of privacy for a while.

          • Re: (Score:3, Insightful)

            by bug1 ( 96678 )
            Well, what if it DOES make society safer?
            Safer for society as a whole, or safer for the elites ?

            is there a balance of some sort to be found?
            A perception of balance... balance according to which perspective ?

            What's a good place to draw the line?
            Does there have to be a "line", can freedom vs security be seen in black and white ?

            People always repeat the "he who sacrifices liberty for security..." line, but what would a better solution be?
            Those with power will always say they need more of it, how can those with
            • Comment removed based on user account deletion
              • by bug1 ( 96678 )
                You know, this almost sounds like a troll. Well, I'm taking the bait. I hope it turns into an actual discussion.

                In your first post you were being indirect by responding with questions, so I did the same to try and make a point.

                It was a bit of a troll.... nothing personal.

          • by presarioD ( 771260 ) on Friday November 23, 2007 @07:09AM (#21452921)
            Well, what if it DOES make society safer?

            History has repeatedly proven that when a government asks its citizens to give up liberties it is working against making society safer but more absolute and submissive. Can you provide any example where people who gave up their freedoms became safer? I can cite a lot of counterexamples: nazi/fascist/communist governments that miserably failed in all fronts, including safety (the state safety-keeping apparatus turned against the citizens). Now neo-capitalism wants to join the club and they are going to be different exactly why?

            Please don't use the words "democracy and freedom" in your answer, I've just eaten...

          • Re: (Score:3, Insightful)

            by Alsee ( 515537 )
            You have a stable society when some nut guns down a schoolyard and the law does not change.

            I happen to live in New York. I for one refuse to allow terrorists to terrorize. I for one refuse to cower in fear. Terrorists can kill a number of people - any drunk nut with an automatic weapon in a schoolyard or a mall can kill a number of people. However terrorists cannot destroy America. Only Americans can destroy America - fearmongering powermongering gestapo-police-state idiots terrorizing fellow Americans into
        • by oliverthered ( 187439 ) <{moc.liamtoh} {ta} {derehtrevilo}> on Friday November 23, 2007 @06:05AM (#21452663) Journal
          As a good example,
          The US managed to get the UK to agree to deport anyone they asked for in case they were terrorists.

          The first people they chose to ask to be deported were a bunch of bankers that had done some dodgy dealings, hardly terrorists.

          And what's worse/better is that the US didn't hold up to its part of the bargain and sign up to a similar agreement.
          • Re: (Score:3, Insightful)

            by vrai ( 521708 )

            And what's worse/better is that the US didn't hold up to its part of the bargain and sign up to a similar agreement.

            Not that I'm defending this treaty in any way, nor the period during which it was unilateral, but the US Senate signed off on it last year [bbc.co.uk]. Apparently the Senate was concerned that the UK might use the treaty to extradite IRA members who had fled to the US and that would apparently be a bad thing.

            • by Anonymous Coward on Friday November 23, 2007 @06:56AM (#21452879)

              Apparently the Senate was concerned that the UK might use the treaty to extradite IRA members who had fled to the US and that would apparently be a bad thing.


              So the US government supports terrorism. Presumably only if it is done by white people with cute accents.

              The US people also supported terrorism back in the day (well, those that claim to be Irish), before they understood the actual reality of terrorism.

              I doubt the UK government would want to get into the hassle that extraditing any such people would inevitably lead to of course, but if the US is harbouring and protecting terrorists willingly then it really needs to sort out what its story is regarding terrorism.
              • I think that comment is too broad reaching. Specifically, the senators from New York and Massachusetts, where the Irish-American political influence is strongest, opposed this extradition treaty. The rest of the country didn't care, but it was never high on the U.S. priorities.
                • by Dogtanian ( 588974 ) on Friday November 23, 2007 @08:37AM (#21453267) Homepage

                  I think that comment is too broad reaching. Specifically, the senators from New York and Massachusetts, where the Irish-American political influence is strongest, opposed this extradition treaty.
                  That's the ultimate hypocritical irony. You'd think that New Yorkers would be less inclined to support terrorists after 9/11, but it looks like the old double standard is still in place. Or at least if there are a few votes in it.

                  The rest of the country didn't care, but it was never high on the U.S. priorities.
                  They probably didn't care because the UK had already enacted its side of the bargain. Frankly, the UK government should have shoved this alleged agreement to the bottom of the pile until the US stopped trying to appease a (supposedly) tiny minority of sentimentalist fuckwits.

                  And frankly, if the rest of the country didn't care about this anti/pro-terrorism double standard and blocking their side of a bargain that was supposed to be in their interest, then they're just as guilty.

                  Can you imagine what would have happened if- during the 1980s- an organisation had tried to kill senior members of the U.S. government, including the president, and had come damn close to succeeding? And the UK had continued to allow fundraising for this organisation? That's exactly what happened in reverse with the IRA, and it defies belief that there was so little diplomatic fall-out- and it's also damn obvious that if the Americans were victims this would never happen in reverse.

                  And years later, when it's the US's turn to suffer the effects of terrorism, and the sycophantic UK government led by that contemptible poodle, Tony Blair, is going along with virtually *everything* their government wants, the US is still letting a bunch of sentimentalist IRA-sympathising scum and hypocritical vote-seeking senators dictate the same old double standards?

                  Seriously, this is beneath contempt.
              • Re: (Score:3, Informative)

                Back in the days of Ronnie R, the governments of Mozambique and Angola were:
                a) - Communist (they may still be)
                b) - Neighbours of South Africa and supporting the ANC against the Apartheid S African government.
                c) - Opposed by S African-sponsored rebel organisations (S Africa was trying to destabilise the opposition).

                Both rebel organisations fit pretty much any definition of 'Terrorist' you can come up with. The US under Reagan helped finance both sets of terrorists in the name of opposing Communism.

                The Co
              • by rbanffy ( 584143 )
                "So the US government supports terrorism"

                No. No... You got it wrong... They are freedom fighters.

                See the difference?
        • The Nanny State knows better than I do how to take care of me. I need the Nanny State in order to properly function as a responsible adult. Without the Nanny State telling me what to do, how am I to know what is right and what is wrong? It's just like having an extension of my Mommy and Daddy around for the rest of my life! I feel SO COMFORTABLE!

          This message brought to you by the letters A and Q and the number 5. "A" stands for absurd.
    • by GroeFaZ ( 850443 ) on Friday November 23, 2007 @05:47AM (#21452575)
      Exactly. The Anti-terror craze has long reached German lawmakers, and they are in a rage creating law after law (though not as bad as in the US and UK) and seeing what survives the Bundesverfassungsgericht, the court that decides if laws are against the German Grundgesetz (Basic Law, comparable to the US Constitution).

      In the case of the "Federal Trojan", it was decided in 02/07 that such measures are illegal to conduct, and decisions made by the Bundesverfassungsgericht are equivalent to laws. So what they're doing now, they're keeping the discussion (and the fear-mongering) alive and continue to develop the trojan despite it being illegal, in an effort to undermine that decision. Most notorious for this behaviour is, of all people, our Minister of Interior, Wolfgang Schäuble. He repeatedly clamored and still clamors for this and other measures which are explicitly forbidden by the Grundgesetz and the Bundesverfassungsgericht, for example shooting down abducted planes. He's one of the single largest threats to what he has to protect by job description, namely the Grundgesetz.
    • It also shows what happens in situations like these. Right now, the German police can tap anybody's phonecall, except that of terrorists. If they get their trojans (god forbid), the terrorists will switch to encrypted drives under an obscure operating system with their own voip network over tor. And again, the regular folk that don't care enough to set all that up get spied on for downloading mp3's and the terrorists that mean business evade the police with minimal effort.
    • When the Police or a Judge needs to wiretap phone conversations, they ask the telecom companies to provide them with a "plug" with unscrambled and unencrypted traffic. Every communication company is to comply with this law, at least in United Europe.
      This happens for landline, GSM and sat phone calls. And should also happen for Skype-like calls.
      If the Police is trying to do it the hard way, well, I fear they are trying to do something illegal!
      Or maybe they are trying to make people sure that Skype is unbreak
  • I long for the day (Score:3, Interesting)

    by GroeFaZ ( 850443 ) on Friday November 23, 2007 @05:37AM (#21452531)
    when technology allows brain implants and wireless brain-to-brain communication. Oh joy.
    • Hmmmm.

      That would be nice, but only if our communication was secure with encryption.

      Personally, I think it's great that skype encrypts everything and think it should be standard with more software.
      • In the days of smart phones, I wonder why they bother sending the conversations in the plain, encoded in a way open to the phone company, shared with the guvmint, Russian mafia, and anyone who pays a dime.

        I personally hardly use my phone, I don't remember the last time I used it for something else than telling my sister or friend that I'm almost there -- so I don't bother with iPhones or any other $500 bricks. For those who do make more than two calls a month and have one of those super-duper new phones, n
        • by arivanov ( 12034 )
          The software to do that and phones that can do that using GPRS/encrypted VOIP has been out for nearly 4 years now. Forgot the name of the phone, some Swiss company was making it.
          • Naturally, it would be strange if no one thought of making such a phone. What bothers me is, no one seems to use encryption. We're swamped with news about latest new and shiny phones, yet there's never a word about a real phone having such a feature. This /. article, for example, talks about Skype which is not available on portable devices -- and even if it was, black-box encryption is worthless. Skype is known to cooperate with China, for example -- so their encryption may be trustworthy enough against
    • Re: (Score:3, Funny)

      when technology allows brain implants and wireless brain-to-brain communication.

      Then Governments will want to install spy ware in your brain to listen in on your illegal communications/thoughts. Just make sure you aren't remembering any songs against the wishes of the copyright holders.

    • by QuantumG ( 50515 )
      When we have the technology for brain implant communications we will have the technology for brain implant based thought monitoring.. no thanks.
    • by psmears ( 629712 )

      wireless brain-to-brain communication

      Isn't that what they used to call "talking"? ;-)

    • Then the DRM will be perfect. Every audio and video source can be directly censored and you won't be able to watch the TV or listen to the radio without the correct NeuroDRM(TM) licence.

      Can't wait.
  • Great (Score:5, Insightful)

    by dalmiroy2k ( 768278 ) on Friday November 23, 2007 @05:39AM (#21452539)
    Not only does Skype give us free, multiuser lag-free video conference with excellent quality, now we know our conversations are private.
    I have nothing to hide, but nothing to share either.
    • Re:Great (Score:5, Insightful)

      by paulhar ( 652995 ) on Friday November 23, 2007 @05:41AM (#21452549)
      Assumption: this isn't dis-information designed to make us all feel safer about using Skype's encryption
      • I wouldn't trust skype encryption to be secure, after all everyone has the capability of decrypting it with the skype client.
        I can't see how it would be that difficult to monitor traffic through an ISP's gateway. Let alone the POTS system if it leaves the net to a standard phone.

        If you want secure communications then really you need some kind of plugin for both ends of the conversation, although voip is lossy so you're unlikely to be able to do this with a voice call; pidgin on the other hand does give
        • Re: (Score:3, Informative)

          by abigor ( 540274 )

          I wouldn't trust skype encryption to be secure, after all everyone has the capability of decrypting it with the skype client.

          I can't see how it would be that difficult to monitor traffic through an ISP's gateway.

          This is incorrect - Skype uses RSA and symmetric session keys, not a permanently fixed symmetric key. Only the person(s) you want to hear your call will be able to hear it.

          There is no way to monitor Skype traffic at the ISP.

          You can read an independent security review here: http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf [skype.com]

      • by Yvanhoe ( 564877 )
        Even weaker assumption: This department of German police has an up-to-date encryption group.
      • Hanlon's Razor (Score:3, Insightful)

        by Moraelin ( 679338 )
        While normally I would encourage a moderate dose of paranoia, I'd also recommend it to be balanced by Hanlon's Razor: never attribute to malice, that which is adequately explained by stupidity.

        This being Germany, for a start you have to realize that the police doesn't seem to be particularly inclined toward conspiracies, nor any good at it. They're also (still) more monitored than what, judging by the news coming from the USA, seems to be the case with the FBI and CIA. These guys will tell you up front that
    • Re: (Score:3, Funny)

      by Slashidiot ( 1179447 )
      Just to be extra-safe, I'll be using skype and talking in ROT13.
    • by Tuoqui ( 1091447 )
      Best. Comment. Ever.

      In this day and age of people reciting the mantra 'If you have nothing to hide' that should become the mantra to respond to it 'I have nothing to share either'

      Someone mod the parent up please.
  • by petes_PoV ( 912422 ) on Friday November 23, 2007 @05:43AM (#21452555)
    encryption with Skype telephone software ... creates grave difficulties for us... We can't decipher it.

    Whether it's the police or just some nosey old git (Q: how can you tell the difference?) who's eavesdropping on your conversation, the point is that only the person you're talking to should be able to decrypt the data.

    If the police don't like that, they can always try to outlaw it - or require that keys are made available to them.

    The problem you get then is people who "spoof" an encrypted datastream by just sending random numbers (tho' not from a Microsoft source as we've recently been told) down the line.
    How do you know when a stream of apparently encrypted data has been decoded anyway?

  • Good Police Work (Score:5, Insightful)

    by hanssprudel ( 323035 ) on Friday November 23, 2007 @05:45AM (#21452563)

    This is a good thing. Having to install monitoring at the source or destination means an operation that requires effort and, hopefully, a court order. This means that there is judicial oversight, and that to catch criminals police have to do, you know, police work rather than just sitting around spying on us.

    Ubiquitous encryption does not make law enforcement impossible. It just makes indiscriminate law enforcement impossible.
    • by zazzel ( 98233 )
      It's not as much of a good thing as it seems. Ziercke argues for the right to install spyware through a tool called "remote forensic software" - a government trojan!
  • by Noryungi ( 70322 ) on Friday November 23, 2007 @05:45AM (#21452567) Homepage Journal
    According to this PDF document [skype.com], Skype encryption is based on open standards (such as AES, SHA-1, etc).

    According to this article [wired.com], our good friends at the NSA "may" have put backdoors in some of the technologies that could be used by Skype.

    And, then, according to this other article [theage.com.au], it does not matter what technologies you use, if your CPU is wide open to analysis and crypto attacks.

    And, of course, there is the question of using a 'secure' communication system on a completely insecure operating system, such as Windows. Why do you think they talk of intercepting the communication before it becomes encrypted? Probably because the vast majority of suspects use Windows. Using Linux, or MacOS, would not be much of an improvement either.

    Conclusion? Well, the Bundespolizei (that's German police to you) may not have the means to decipher your skype communications right now. But it's getting there, thank you very much. And there are agencies out there who certainly can, and will.

    And what happened to free German crypto? I thought Germany had the only sane policy about crypto in the industrial world?
    • Re: (Score:3, Insightful)

      by SerpentMage ( 13390 )
      Yeah I think they can't break the encryption, and not because they can't break the encryption itself. But if you read the article look at what it says.

      >> Experts say Skype and other Voice over internet Protocol (VoIP) calling software are difficult to intercept because they work by breaking up voice data into small packets and switching them along thousands of router paths instead of a constant circuit between two parties, as with a traditional call.

      That's the real problem. The packets are scattered a
      • by Noryungi ( 70322 )
        It does not matter if the communication is encrypted and broken down into packets if all that is needed is to intercept the complete communication at one (or both) ends. Under Windows, this can probably be accomplished trivially, since most apps run with administrator privileges under most Windows machines. And, running as a Windows administrator, Skype will alter your firewall configuration [uwaterloo.ca]. Ooops.

        What's more, most Internet packets these days pass through one of the MAE. And guess what? Most telecom compan
        • Re: (Score:2, Insightful)

          by deroby ( 568773 )
          WOOHOOOHOOO, I'm sooo scared now.

          So what if Skype alters my Firewall settings: I've strictly allowed it to do so!
          (Tools Menu, Options, Advanced, Connection, [v] Allow Skype to modify my firewall settings)

          Maybe the setting is on by default, not sure, but if it makes my Skype-experience any better, I don't see why we have to 'create panic' like this ...
          If you don't want any open ports, then don't install software that needs it in the first place, period.

          Sigh.
      • by Dunbal ( 464142 )
        I was thinking more along the lines of:

        "Yeah we went to the Planetarium, she's a real meat eater. That night she gave me a blow-job back at my place!"
    • by Nursie ( 632944 )
      "According to this article, our good friends at the NSA "may" have put backdoors in some of the technologies that could be used by Skype."

      Roll your own, use a publicly available AES implementation, or Rijndael's original cipher. Also, the NSA aren't quite as clever as you think. Pretty good I'm sure, but the level of paranoia about them is nuts.

      "And, then, according to this other article, it does not matter what technologies you use, if your CPU is wide open to analysis and crypto attacks."

      Got any further d
      • by Noryungi ( 70322 )

        "According to this article, our good friends at the NSA "may" have put backdoors in some of the technologies that could be used by Skype."

        Roll your own, use a publicly available AES implementation, or Rijndael's original cipher. Also, the NSA aren't quite as clever as you think. Pretty good I'm sure, but the level of paranoia about them is nuts.

        They are clever enough to introduce trapdoors in something most people never even think of checking. Why? Because they understand the game: in crypto, it does not

        • by Nursie ( 632944 )
          "Oh, please. Windows can be cracked, and has been cracked, simply by pointing at a compromised web page."

          Yes, and you have to get me to do that. If I'm a terrorist that's concerned about my privacy, I'm not going to be visiting any websites that I get spammed with, and I'm most likely not using IE either.

          "You haven't been paying attention to the news, lately, haven't you?"

          Do enlighten me, I know the British government are trying to squeeze keys out of people who may not have them, but otherwise...

          They are c
    • Conclusion? Well, the Bundespolizei (that's German police to you)

      Just nitpicking:
      Police in Germany is split between federal and state police. The states all have LKAs (Landes-Kriminal-Amt), the federal state has the BKA (Bundes-Kriminal-Amt) and the Bundespolizei.
      The BKA is responsible for all inter-state crimes and the protection of German politicians. The Bundespolizei is responsible for securing the (nowadays non-existent) borders and airports & railways.


      Ziercke (the man talking in the article) is head of the BKA.

  • by borkee ( 661922 ) on Friday November 23, 2007 @05:46AM (#21452569)
    and German police is not Alan Turing, obviously
  • by fishdan ( 569872 ) on Friday November 23, 2007 @05:48AM (#21452585) Homepage Journal
    We cannot break Skype encryption, and we have publicly announced that, so it's perfectly safe for you to keep on using it! Really!
  • Snatch 2007 (Score:5, Funny)

    by moro_666 ( 414422 ) <kulminaator@ g m a i l.com> on Friday November 23, 2007 @05:51AM (#21452595) Homepage
    couldn't resist. this is just so "snatch" :

    Turkish: F*ck me, hold tight. What's that?
    Tommy: It's me belt, Turkish.
    Turkish: No, Tommy. There's a Skype in your trousers. What's a Skype doing in your trousers?
    Tommy: It's for protection.
    Turkish: Protection from what? "Zee Germans"? ;-)
  • by OlivierB ( 709839 ) on Friday November 23, 2007 @05:51AM (#21452599)
    Oh noes, the police can't decipher Skype! We're all gonna die!
    Yeah right.
    If you are paying attention, Skype is incorporated in Luxembourg, which is part of the EU, just like Germany (they actually share borders).
    Do you think the EU would allow for some European company to provide tools to "terrorists" without having eavesdropping ability?

    Now for the real story; German Police is putting on a little show so people actually trust *more* the closed-source Skype software.

    If the German Police had no way of eavesdropping they would either (a) Shut up about it or (b) Actually say they have supercomputers that can decipher anything (even if this is not true). (a) or (b) would create enough FUD for "terrorists" to actually distrust Skype as a communication medium.

    This is all spin doctor speak, and I would never trust Skype for sensitive material communications. The Zfone project http://zfoneproject.com/ [zfoneproject.com] is a much more secure system.
    • by Njovich ( 553857 )

      If you are paying attention, Skype is incorporated in Luxembourg, which is part of the EU, just like Germany (they actually share borders).
      Do you think the EU would allow for some European company to provide tools to "terrorists" without having eavesdropping ability?
      Yes.
      • by Yvanhoe ( 564877 )
        Seconded. But that doesn't mean that I would trust Skype to have any concern about privacy...
    • Skype has actually dedicated people for being points of contacts of the investigating bodies in their Luxembourg offices.
    • by Tom ( 822 )

      Do you think the EU would allow for some European company to provide tools to "terrorists" without having eavesdropping ability?

      As a matter of fact, yes. Totalitarian police states fell out of favour here twice - once around 1945 and then again in the 90s. The remaining wannabe-dictators are right now importing as much as they can from the USA, but we're not quite there, yet. Especially regarding cryptography, Europe has always been more open than the US.

      That doesn't mean I can guarantee there's no backdoor in Skype, but I wouldn't wager any high bets one way or the other.

      You are falsely assuming that the police is some kind of sup

  • This was mentioned on cypherpunks today, a reply was:

    Caveat: Ziercke is a notorious liar and surveillance apologist.
    Take that for what it's worth - I can't back it up nor disprove it.
  • by segedunum ( 883035 ) on Friday November 23, 2007 @06:03AM (#21452651)
    Getting through the encryption is not the story here. What they want to do is this:

    "There are no discussions with Skype. I don't think that would help," he said, adding that he did not want to harm the competitiveness of any company. "I don't think that any provider would go for that."
    If you are talking about getting to data after encryption, or before, why wouldn't you talk to Skype?

    Ziercke said there was a vital need for German law enforcement agencies to have the ability to conduct on-line searches of computer hard drives of suspected terrorists using "Trojan horse" spyware.
    This is completely unrelated to being able to tap encrypted communications. This is on a whole different level, and contravenes many laws brought into many countries for spyware and data protection.

    These searches are especially important in cases where the suspects are aware that their internet traffic and phone calls may be monitored[?????!!!!!!] and choose to store sensitive information directly on their hard drives without emailing it.
    God only knows what this means.

    Ziercke said worries were overblown and that on-line searches would need to be conducted only on rare occasions.
    How would they propose to do this, and get 'software' installed undetected?

    "We currently have 230 proceedings related to suspected Islamists," Ziercke said. "I can imagine that in two or three of those we would like to do this."
    Well, being an Islamist or belonging to some other group is not a crime, and I dare say if you searched many people's hard drives for stuff about bombs and explosives then you could find something. That doesn't mean that they're going to do anything.

    This is yet another old and decrepit security services organisation, worried about its future, worried about its funding, people who are worried about their jobs and worried about its place in the world.
    • Re: (Score:3, Insightful)

      by bhima ( 46039 )
      "Islamist" is newspeak for a militant extremist Muslim. In my mind, because it lacks militant or extremist, it is double plus ungood.

      I hear it on the English language news broadcast in Austria / Germany all the time. Don't they use it in the US?
  • Maybe they're clever, and they can in fact decrypt it, but they want you to think they can't?
  • Suspicious Minds (Score:2, Insightful)

    by LordMidge ( 861667 )
    The first thing I thought was if I could hack a telephone system out of many what would I do?
    Tell everyone I can't and get as many people using that system so that I can listen in onto as many as possible.
    I'll go put my tinfoil hat on again now.
  • it's very likely that they can decrypt it or that they have access to some backdoor in Skype ... In other interviews (or other cited versions of the same?), Ziercke said that they hadn't talked to Skype yet about access to a backdoor.
  • by DrXym ( 126579 ) on Friday November 23, 2007 @06:59AM (#21452889)
    Even assuming the crypto is perfect, the police would still be able to infer a lot from who is calling who. A terrorist communicating with another terrorist, shows they know each other, where they are in the world, what their calling routines are (frequency, time, who they call next), the length of conversation and so on. They might even be able to infer who is doing the most talking from the amount of traffic in each direction. All without knowing the actual conversation text.

    And that assumes the crypto is perfect and the police / intelligence services are incapable of decrypting it, playing man in the middle, or failing that installing a trojan, or planting a bug, or listening through a wall or whatever.

    It sounds like BS. Even perfect crypto gives them more information that they had to begin with. It sounds like they want to have their cake and eat it too.
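What the comment above describes, made concrete as an added example (not part of the original post): a summary of what flow metadata alone reveals about encrypted calls. The flow records, field layout and the function names `profile` and `follow_ups` are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
# Constructed flow records; payloads are encrypted and never inspected.
# (start, caller, callee, seconds, bytes caller->callee, bytes callee->caller)
FLOWS = [
    ("2007-11-20 21:02", "A", "B", 600, 900_000, 300_000),
    ("2007-11-20 21:14", "B", "C", 120, 200_000, 40_000),
    ("2007-11-21 21:01", "A", "B", 540, 800_000, 280_000),
    ("2007-11-21 21:12", "B", "C", 90, 150_000, 30_000),
    ("2007-11-22 09:30", "D", "A", 60, 50_000, 50_000),
]

def profile(flows):
    """Per pair: call count, total seconds, usual hour, caller's share of bytes."""
    acc = defaultdict(lambda: {"calls": 0, "seconds": 0, "hours": [], "fwd": 0, "rev": 0})
    for start, src, dst, secs, fwd, rev in flows:
        p = acc[(src, dst)]
        p["calls"] += 1
        p["seconds"] += secs
        p["hours"].append(datetime.strptime(start, FMT).hour)
        p["fwd"] += fwd
        p["rev"] += rev
    return {pair: {"calls": p["calls"], "seconds": p["seconds"],
                   "usual_hour": max(set(p["hours"]), key=p["hours"].count),
                   # Byte volume per direction hints at who does most of the talking.
                   "caller_share": round(p["fwd"] / (p["fwd"] + p["rev"]), 2)}
            for pair, p in acc.items()}

def follow_ups(flows, window=timedelta(minutes=5)):
    """Count chains where a callee places a call within `window` of hanging up."""
    parsed = [(datetime.strptime(s, FMT), src, dst, timedelta(seconds=secs))
              for s, src, dst, secs, _, _ in flows]
    chains = Counter()
    for start, src, dst, length in parsed:
        end = start + length
        for nxt_start, nxt_src, nxt_dst, _ in parsed:
            if nxt_src == dst and end <= nxt_start <= end + window:
                chains[(src, dst, nxt_dst)] += 1
    return dict(chains)
```

On the constructed data, A calls B at the same hour on consecutive days, sends about three quarters of the bytes, and B calls C within minutes of each call ending.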

  • by forgoil ( 104808 ) on Friday November 23, 2007 @07:22AM (#21452959) Homepage
    Are they really thinking that they can thwart terrorists and such with this kind of surveillance? Any nonsense sentence can be a code to act, it's been used for ages. The idea of the intelligence organization sitting in cubicles and spying from a chair is bound to fail, and has failed many times over. So this is both useless, and effectively is spying on a country's citizens. This is what Stasi did, this is classic KGB, it smells of Gestapo, is this what we call freedom? Privacy is more important than it has ever been, and we will fight for it, and declaring war on your own people because they want their privacy is just as bad as the terrorists and the mafia.
  • The possibility of terrorists using Skype is there yes, but right now according to most police forces IMHO is increasingly through use and throw SIM cards over plain vanilla cellular networks.

    And without any encryption to boot, most conversations are phrases within local dialects which listed out would mean anything from a shopping list to a planned assassination. The point here is rather than spying on the content it's the point of origin and the investigative techniques used by most third world countries to
  • by barwasp ( 1116567 ) on Friday November 23, 2007 @07:43AM (#21453025)
    Skype is a telecommunications company and, for having their teleoperator license, is required to allow wiretaps for law enforcement purposes - so it works also in USA. Or do you think that USA would just allow Osama bin Laden to host conference calls with wannabe terrorists using Skype? In fact Skype clearly admits [usatoday.com] that they decrypt the calls for all requesting authorities.

    Kurt Sauer, Skype's chief security officer, said there are no "back doors" that could let a government bypass the encryption on a call. At the same time, he said Skype "cooperates fully with all lawful requests from relevant authorities." He would not give particulars on the type of support provided.
    The German police just wants to install trojan horses for monitoring the Germans. If the Polizei were really after those encrypted Skype calls they would just sue Skype, and not be whining about their lack of skills in public.
  • by Tom ( 822 )

    The encryption with Skype telephone software ... creates grave difficulties for us... We can't decipher it.
    Yes, that's why they call it encryption, you know? That's the purpose of it. Because, you know, if you can decrypt it, so can every other clueless fool.
  • Two points (Score:3, Interesting)

    by Sloppy ( 14984 ) on Friday November 23, 2007 @01:35PM (#21455447) Homepage Journal

    First, it should be unbreakable. If the government can crack it, then so can anyone else. There are so many bogeymen on the 'net, that it would be ridiculously irresponsible to deploy an easy-to-break VoIP system.

    Second, Skype is very breakable. There's no secure key exchange: Skype is a totally trusted introducer. Government, if you want to break Skype, just ask them to help with your MitM attack.

    But that vulnerability should be Skype-only, and a "serious" VoIP system should be quite resistant. IMHO, phone apps should be built on OpenPGP, except also include some kind of OTP support since most people talk to people they regularly meet in real life. (Actually, I sort of think we need OpenPGP to be expanded to include a standardized OTP.)
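The trusted-introducer weakness raised in the comment above, together with the short-authentication-string check that ZRTP (the protocol behind the Zfone project linked earlier in the thread) uses to expose it, as an added example that is not part of the original post. The Diffie-Hellman parameters and the names `sas` and `call` are illustrative assumptions, not Skype's or ZRTP's actual protocol.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters for illustration only (assumption: not the
# group any real product uses; do not reuse for real keys).
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def sas(own_pub, peer_pub, shared):
    """Short authentication string that both callers read aloud and compare.
    It binds the session secret to the two public keys each side saw."""
    lo, hi = sorted((own_pub, peer_pub))
    material = b"|".join(str(v).encode() for v in (lo, hi, shared))
    return hashlib.sha256(material).hexdigest()[:8]

def call(introducer_substitutes):
    """Set up one call through a key-relaying introducer.
    Returns (alice_sas, bob_sas, introducer_can_read)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if introducer_substitutes:
        # The introducer hands each side its own key instead of the peer's.
        m_priv, m_pub = keypair()
        seen_by_alice, seen_by_bob = m_pub, m_pub
    else:
        m_priv = None
        seen_by_alice, seen_by_bob = b_pub, a_pub
    a_secret = pow(seen_by_alice, a_priv, P)
    b_secret = pow(seen_by_bob, b_priv, P)
    # The introducer can read the call only if it holds both session secrets.
    can_read = (m_priv is not None
                and pow(a_pub, m_priv, P) == a_secret
                and pow(b_pub, m_priv, P) == b_secret)
    return (sas(a_pub, seen_by_alice, a_secret),
            sas(b_pub, seen_by_bob, b_secret), can_read)
```

With an honest introducer the two strings match; with substituted keys the call is readable in the middle and the strings differ, which is the mismatch the callers would hear when comparing them by voice.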

  • by vic-traill ( 1038742 ) on Friday November 23, 2007 @03:49PM (#21456703)

    So last year we heard that mysterious 'German Officials' were

    claiming they had technology for intercepting and decrypting Skype phone calls
    from no less of a source than the New York Times (via Skype forums): http://forum.skype.com/index.php?showtopic=54163 [skype.com]

    So, who pwns who?
