Skype Calls May Be Impossible to Wiretap

Discussion in 'Technical' started by ghostrider, Feb 19, 2006.

  1. ghostrider

    ghostrider Resident Poltergeist Founding Member

    Skype Calls May Be Impossible to Wiretap
    Saturday, February 18, 2006

    NEW YORK — Even as the U.S. government is embroiled in a debate over the legality of wiretapping, the fastest-growing technology for Internet calls appears to have the potential to make eavesdropping a thing of the past.

    Skype, the Internet calling service recently acquired by eBay Inc., provides free voice calls and instant messaging between users.

    Unlike other Internet voice services, Skype calls are encrypted — encoded using complex mathematical operations. That apparently makes them impossible to snoop on, though the company leaves the issue somewhat open to question.

    Skype is certainly not the first application for encrypted communications on the Internet. Secure e-mail and instant messaging programs have been available for years at little or no cost.

    But to a large extent, Internet users haven't felt a need for privacy that outweighed the extra effort needed to use encryption. In particular, e-mail programs such as Pretty Good Privacy have been considered too cumbersome by many.

    And because such applications have had limited popularity, their mere use can draw attention.

    With Skype, however, criminals, terrorists and other people who really want to keep their communications private are indistinguishable from those who just want to call their mothers.

    "Skype became popular not because it was secure, but because it was easy to use," said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc.

    Luxembourg-based Skype was founded by the Swedish and Estonian entrepreneurs who created the Kazaa file-sharing network, which has been the subject of several court actions by the music industry.

    Skype's software for personal computers is distributed for free. Members pay nothing to talk to each other over PCs but pay fees to connect to people who are using telephones.

    Skype software is also being built into cell-phone-like portable devices that will work within range of wireless Internet "hot spots."

    While still somewhat marginal in the United States, Skype had 75 million registered users worldwide at the end of 2005. Typically, 3 million to 4 million users are online at the same time.

    Skype calls whip around the Internet encrypted with "keys," which essentially are very long numbers. Skype keys are 256 bits long — twice as long as the 128-bit keys used to send credit card numbers over the Internet.

    The security is much more than doubled — in theory, Skype's 256-bit keys would take trillions of times longer to crack than 128-bit keys, which are themselves regarded as practically impossible to break by current means.

    "It is a pretty secure form of communication, which if you're talking to your mistress you really appreciate, but if Al Qaeda is talking over Skype you have probably a different view," said Monty Bannerman, chief executive of Verso Technologies Inc.

    His company makes equipment for Internet service providers, including software that can identify and block Skype calls.

    Security experts are not completely convinced that Skype is as secure as it seems, because the company hasn't made its technology open to review.

    In the cryptographic community, opening software blueprints to outsiders who can point out errors is considered to be the safest way to go.

    Because of the complex mathematics involved, a properly designed cryptographic system can be unbreakable even if its method is known to outsiders.

    But according to Schneier, if Skype's encryption is weaker than believed, it still would stymie the kind of broad eavesdropping that the National Security Agency is reputed to be performing, in which it scans thousands or millions of calls at a time for certain phrases.

    Even a weakly encrypted call would force an eavesdropper to spend hours of computer time cracking it.

    Kurt Sauer, Skype's chief security officer, said there are no "back doors" that could let a government bypass the encryption on a call.

    At the same time, he said Skype "cooperates fully with all lawful requests from relevant authorities."

    He would not give particulars on the type of support provided.

    The U.S. Justice Department did not respond to questions about its views on Skype's encryption.

    Verso's Bannerman notes that Skype calls are decrypted if they enter the traditional telephone network to communicate with regular phones, so a conversation could be intercepted there. Skype does not reveal how many of its calls run on the phone network.

    "There are other ways of getting at the conversation than brute-force decryption of the hacking," Bannerman said.

    Schneier believes that eavesdropping on the content of calls is not as important to the NSA as tracking the calls, which is still possible with Skype.

    For instance, if a particular account were associated with a terrorist or criminal, it would be possible to identify his conversation partners.

    "What you and I are saying is much less important than the fact that you and I are talking," Schneier says. "Against traffic analysis, encryption is irrelevant."

    Steve Bannerman, vice president of marketing at Narus Inc. (he is unrelated to Verso's Bannerman), said his company's systems enable wiretapping of voice calls routed over the Internet, but not those from Skype.

    The most that Narus' technology, which is used by telecommunications carriers, can do is identify what type of Skype traffic — voice call, text chat or video conference — is being used, and record the scrambled data for law enforcement officials.

    From there, he said, "who knows what those guys can do?"
  2. meyah

    meyah Monkey+++

    if you are serious, you use pre-arranged code words anyway

    anyone can agree to use certain private message boards, on any of thousands of net forums, from Net cafes (no ID, pay cash to access). We have several fee Net access places here in town. It will soon be in every motel room, just watch. Big brother can't track crap, if you have any sense at all. A fake ID, good enough for motel clerks, is easy to make on your pc, scanner, printer, in about an hour.
  3. melbo

    melbo Hunter Gatherer Administrator Founding Member

    I've been playing around with Gizmo. A free version of Skype, at least for PC to PC Gizmo users. Has encryption as well.

    I was trying to see if I could get it to work with my Satellite 'latency'
    The test calls to the Gizmo center seemed to work. I need a headset or something. The microphone on the laptop isn't very good. That might be because I used to think this little hole was a "reset" button... Took a drilling with a toothpick awhile back....

    1. Sound effects - Add Sound Effects to your calls. Open the Dialpad at the bottom of Gizmo Project window and press the emoticon button during a call. You can choose other sounds (or upload your own) from the options menu.
    2. Check call quality - Click for the Call Quality Assistant to see bandwidth quality.
    3. Pick online status. Green: Available, Red: Away/Do not disturb, Orange: Idle, Blue: On the phone, Grey: Invisible/Offline
    4. Online status. Gives the current status of all your contacts.
    5. Click Map It to view map of call locations. Get a detailed map of the location of each call.
    6. Instant Messaging (IM) - Chat instantly with your contacts.
    7. Person being called receives call subject. Let them know immediately the purpose of your call.
    8. You can record any call on your Gizmo Project phone with the click of a button. The call record button is in the active call window, next to the mute and hold buttons.
    9. Type in Gizmo name or number here to make a call. Gizmo to Gizmo call always free. You can also call any traditional phone using Call Out.

  4. Aptus

    Aptus Monkey+++ Founding Member

    Gizmo looks cool. I'd probably go with it since they beat Skype's call-out rates, but I already bought myself a Skype-In phone number a couple months back.
  5. melbo

    melbo Hunter Gatherer Administrator Founding Member

    How's Skype landline to PC?
    Quality wise
  6. Aptus

    Aptus Monkey+++ Founding Member

    From the people that I've had call me by phone, they say I sound crystal clear.
  7. CRC

    CRC Survivor of Tidal Waves | RIP 7-24-2015 Moderator Emeritus Founding Member

    I have it...and have talked to my friend in England....Free..and great sound quality...

    Had it on here for almost a year now......

    No problems with it, at all....
  8. melbo

    melbo Hunter Gatherer Administrator Founding Member

    I signed up for Gizmo and they now give you an NV phone number for call in free, with free call in.
  9. martywince

    martywince Monkey+++

    If you really wanted to wear a tinfoil hat.

    Use skype or any VoIP encrypted communications with TOR.

    Of course one of the callers would have to be at a set address. But you could change and rotate who would be toring at any one time.

    Tor basically uses others' computers to pass your traffic, sure those users who agree to become tor routers could intercept your traffic, but they wouldn't be able to replay the session data because it's encrypted. Depending on how long Skype maintains the session it may make multiple connections utilizing multiple tor routers. This would really give the powers that be a headache.
  10. melbo

    melbo Hunter Gatherer Administrator Founding Member

    OK. Tor looks pretty interesting...
    But, say I was used as a tor router for someone accessing some kiddie porn... would the IP access be ME?

    I was always hesitant to use IP hopping services for this reason.

    Welcome to the Monkey MW!!
  11. nope

    nope Monkey+++ Founding Member

    TOR Concerns

    You can use TOR without being a server. If you run just the TOR client, you won't be passing others' traffic through your computer. But if you participate as a server, you would become a proxy for other tor users.

    The whole gist is that even if you do run a tor server you shouldn't be responsible for its contents or communications. I know that sounds naive in this day and age, but with so many other servers and clients it's sort of absolving yourself of the traffic that goes through your node by default. How could anyone be smart enough to reassemble all of what he wanted? That's the key. Cast your net to catch fragments of a conversation? How possible?

    The problem lies where an authority pops your server for one request that is deemed verboten. That's why I wouldn't run TOR as a proxy or server.

    Anyways it's a moot point with all the unprotected access points around everywhere. Who needs tor anyways? This is the biggest security risk in the country right now.