AntiPolygraph.org Message Board

Polygraph and CVSA Forums => Off-Topic Posts => Topic started by: George W. Maschke on Sep 23, 2004, 07:25 AM

Title: Skype - Free Secure Internet Phone Calls
Post by: George W. Maschke on Sep 23, 2004, 07:25 AM
UPDATE (18 December 2014): I no longer recommend using Skype. (https://antipolygraph.org/forum/index.php?topic=1973.msg38870#msg38870)

Skype is a free program that allows you to have secure voice conversations through your computer. It uses strong encryption and the sound quality is quite good. Encrypted text chat and file transfers are also an option. The interface is similar to that of AOL Messenger in that it allows you to create a list of contacts who are on-line. See:

http://www.skype.com

My Skype user ID is GeorgeMaschke.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: compscigeek on Nov 02, 2004, 01:42 AM
i'd bet that one of the good folks at skype...no wait, more than one, have the capability to decrypt your calls, oh since they encrypted it and all. you're probably better off with a friend's cell phone
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: George W. Maschke on Nov 02, 2004, 02:13 AM
Could you explain further the reason(s) for your belief that Skype Technologies can decrypt calls made using Skype? Is there some informed basis for your belief?

Since the discovery of any "backdoor" in Skype's implementation of 256-bit AES would be disastrous to Skype Technologies' goodwill (and ultimately its bottom line), it is hard to understand what would motivate the company to include such.

Note also that Skype communications are end-to-end encrypted by the users' computers, not by Skype Technologies'. The encrypted data packets that make up the communications are transmitted across a peer-to-peer network comprising hundreds of thousands of other Skype users. My understanding is that not all packets between any two parties necessarily travel the same route. And to the best of my knowledge, Skype Technologies has no capability of assembling the packets of any communication to which it is not a party.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: compscigeek on Nov 02, 2004, 02:25 AM
If they offer the encryption, regardless of whether it is done on your computer or theirs, shouldn't someone that has access to the source code be able to decrypt it? And if they were to be paid by anyone who is curious, wouldn't they also have access? Give me the source code for the encryption and software, and maybe I could decrypt your phone calls. Someone pays for their research... Also, if music downloaders can be tracked down and persecuted by the RIAA on peer-to-peer networks, who's to say that hacks in the government can't decrypt your 256 bit encryption internet calls. Why would they want to decrypt your calls? Well...why would you want to encrypt them? Encrypted text or maybe a letter might be more secure than that.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: George W. Maschke on Nov 02, 2004, 02:50 AM
Strong encryption does not depend on the algorithm used being secret. If it were true that simply having the source code to encryption software necessarily enables one to decrypt any data encrypted with it, then why has no one cracked PGP (http://www.pgpi.org), the source code for which has been public for more than a decade now?

The specifications for the Advanced Encryption Standard (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard) (AES), also known as Rijndael, are also public. Of course, it is possible that Skype's implementation of AES has some weakness that could be exploited by a would-be eavesdropper. But your suggestion that simply having Skype's source code would enable one to decrypt a Skype call is clearly not necessarily true.

The fact that music downloaders using peer-to-peer networks have been tracked down similarly does not entail that Skype conversations can be decrypted by third parties. In peer-to-peer (P2P) file sharing arrangements, users need to post to the P2P network a list of the files that they are making available for download. It is presumably this information that allows law enforcement to pursue those who unlawfully make copyrighted material available. For this purpose, I do not believe that it is necessary for law enforcement to assemble all the packets of a file transfer between third parties (something that would be necessary to intercept a complete Skype communication).
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: compscigeek on Nov 02, 2004, 03:10 AM
My point is that if someone really wanted to decrypt those calls, they could...there is always a way no matter how you scatter the bits around satellites and cables. If there is someone out there paranoid enough to encrypt their phonecalls (especially your average citizen) then there is also a crook or person of interest willing to make the time to decrypt and interpret it. Now whether big brother is going to take the time to do it is another question.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: compscigeek on Nov 02, 2004, 03:13 AM
note: i'm just weary of anyone advertising free secure internet phone calls, despite the medium it is encased in..and although you are not "advertising it" you advocate it, and how would i really know that you don't have the capability to do what i mentioned?
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: George W. Maschke on Nov 02, 2004, 03:22 AM
compscigeek,

You write in part:

Quote
My point is that if someone really wanted to decrypt those calls, they could...there is always a way no matter how you scatter the bits around satellites and cables.

But you have provided no evidence that actually supports this argument.

Quote
how would i really know that you don't have the capability to do what i mentioned?

You cannot know this for sure, but again, you have offered no evidence that I (or anyone else) can do so.

Please forgive me for concluding, based on the arguments that you have provided, that your initial claim that "one of the good folks at skype...no wait, more than one, have the capability to decrypt your calls" is nothing more than idle, uninformed speculation on your part.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: compscigeek on Nov 02, 2004, 03:40 AM
yes the first thing i said was uninformed speculation, i don't know a thing about that company, nor do i claim to. i can not provide proof that this can be done other than the common computer knowledge that anything done by a computer can be undone by a computer..anything..if there is a side that is meant to decrypt this, then there is someone other than the person meant to receive it who can find out what you are saying as well...i don't claim to do it...and i don't care to try...the only experience i have with this area is writing programs that encrypt/decrypt information...and i have a limited understanding of how packets are transferred and composed within different protocols....in all reality im this free internet phone is probably safe, but i'm always the skeptic, and what reason would you have to defend them so quickly and adamantly anyway?
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: George W. Maschke on Nov 02, 2004, 03:58 AM
Quote
i can not provide proof that this can be done other than the common computer knowledge that anything done by a computer can be undone by a computer..anything..if there is a side that is meant to decrypt this, then there is someone other than the person meant to receive it who can find out what you are saying as well...

Perhaps in theory, but not necessarily in practice. A brute force attack to find the key to decrypt a single message encrypted with 256-bit AES would take all the computers ever built billions of years.

My purpose was not so much to defend Skype Technologies (a privately-held company in which I have no material interest), but rather to question the basis of your criticism, which I believe was completely unfounded.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: compscigeek on Nov 02, 2004, 04:13 AM
in theory there would be a way in which you could decrypt this as fast as the target, whether it takes additional installation of software on the target's computer or not...which was physically placed there..coupled with the software or magically positioned...etc.  it would take you a billion years to decrypt it if you were using the nazi's enigma machine and trying to stumble on the key.  the key would be stealing the key, or having access to the key maker....haha ok ok, this is starting to sound like something familiar  
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: George W. Maschke on Nov 02, 2004, 04:31 AM
Certainly, Skype communications might be compromised by the surreptitious installation of software or a physical eavesdropping device in (or near) a target's computer. But such a scheme requires a potentially risky and expensive covert operation.

If your argument is now simply that nothing is absolutely secure, then all you are doing is stating a truism that is of little practical value to persons looking for meaningful ways of protecting their privacy.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: Marty on Nov 02, 2004, 07:38 PM
Quote from: compscigeek on Nov 02, 2004, 03:40 AM
i can not provide proof that this can be done other than the common computer knowledge that anything done by a computer can be undone by a computer..anything..if there is a side that is meant to decrypt this, then there is someone other than the person meant to receive it who can find out what you are saying as well...i don't claim to do it...and i don't care to try...the only experience i have with this area is writing programs that encrypt/decrypt information...

compscigeek,

While this may sound reasonable, it is really quite hard. So much so that even the simple problem of finding any two 17 byte sequences that produce identical 16 byte MD5 digests has never been solved and it can be easily shown there are zillions of them.

AES and >1500 bit RSA for key exchange are believed to be far harder than this.

Any program may have a backdoor or, even more likely, bugs and that is where the risks are. To learn more about cryptography, a free book on the web "Handbook of Applied Cryptography" will provide you plenty of info and references.

You say you have written programs encrypting/decrypting packets. Was this a school or work project? What algorithms did you use?

-Marty
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: Mangle on Nov 03, 2004, 04:07 PM
With project Echelon and all the terror alerts and such I'd be hesitant to use any third party encryption techniques if I were really paranoid that someone (including the U.S. Government) was listening. It's been suggested that NSA harvests nearly 95% of all internet traffic and filters it through complex algorithms that trigger bells and whistles should certain "keywords/phrases" pop up. I'd guess encrypted voice would be more likely to gather attention than not. And if you think they can't crack your little vendor provided encryption, with the billions of tax dollars we pump into those gargantuan databases and complex computer systems of theirs, I'd bet you're sadly mistaken.

My two cents is that there's no reason to bother with encryption unless you're doing it so that Joe Blo l337 hacker extraordinaire can't hear you discuss which websites you download your porn from, or whatever.

Certainly don't expect that big brother isn't listening...the devil's greatest trick is deceiving you into believing he doesn't exist. Big brother's greatest trick is convincing you that he's not listening...
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: Jeffery on Nov 03, 2004, 10:44 PM
According to www.skype.com they have "served" over 2 billion minutes of conversation.

If you believe the info at the bottom of this page:
http://www.skype.com/help/faq/#1billion
Quote
What is the "minutes served" counter on skype.com front page?
The counter indicates that in its first year of operation, Skype has served more than 1 billion minutes of free Skype-to-Skype calls to its users. The counter is frequently updated based on the actual current number of minutes.

How do you know how many minutes Skype users have called to each other if all calls are encrypted?

Skype has built-in facilities to automatically gather anonymous usage statistics from its network and users, including the number of minutes spent on calls. We cannot track those minutes back to individual users and calls - your Skype calls are and continue to be secure.

Then I think the likelihood of "Big Brother" listening in is pretty low. Think about it. 2 billion minutes of encrypted voice calls, all routed through multiple points on the Internet. No magic vacuum machine computer can suck down all that data then decrypt it, then convert it, despite what Hollywood and Tom Clancy make you think.

I doubt "Big Brother" cares to listen in to your calls in the first place.  But I wouldn't have any reservations about using Skype.  It is no more dangerous than any other program you didn't personally write.

Believing that Big Brother has these capabilities is the same belief system that makes the polygraph successful.  Big Brother's use of the polygraph is the system that keeps smart engineers that can actually build good surveillance systems in private industry making programs like Skype instead of on the government payroll protecting us from bad guys.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: compscigeek on Nov 07, 2004, 04:47 AM
thank you mangle, i couldnt have said it better.  

I can only imagine a few reasons why anyone would defend this program (because I could really care less about the prog. itself)...one is that they're affiliated with the company somehow, two is that the possibility of someone actually receiving or filtering their calls is stirring fear within them, and three is that they just like to argue for status, or credibility. This is a free program, where are they getting the funding to make it crack proof from the gov.? I'm sure the gov. knows about it, and if you have something to hide, to the extent that you're going to encrypt your phone calls, then I guarantee that some entity in the gov. is curious to know what those calls are about, especially these days. I doubt most of the calls people make are about their follies at the bar last weekend.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: George W. Maschke on Nov 07, 2004, 02:41 PM
compscigeek,

Mangle's remarks don't support your original assertion, either. The Echelon (http://www.fas.org/irp/program/process/echelon.htm) network to which he refers has the ability to search unencrypted communications for keywords of interest, and by all accounts, it scours a significant portion of the world's telecommunications. Echelon casts a very wide net, and the communications of ordinary individuals like you and me are likely to pass through its filters. (This alone, in my opinion, is reason enough for persons who value their privacy to use strong encryption to protect it.)

While Echelon may be able to flag e-mail and voice messages including various words and phrases of interest, there is no indication that it can scan the contents of communications protected by strong encryption, such as the following text, which is encrypted with PGP (http://www.pgpi.org):

Quote
-----BEGIN PGP MESSAGE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

qANQR1DDDQQJAwJguIt7K7k8T2DScwFY6LsWu8nAZnlreeS8pvh5JeIwAg4jxRqa
wGWg0Z23ZcPbKtWtX/hN9UU6W325LEpwatbxy79xDidH9nYmzKqIh1iFDHZUoB0c
t9wU4T9Yf0CsPUeo/Xpc+3+rLwo+XnDPvqSBVpin+RDInAYAgDh432Y=
=owHM
-----END PGP MESSAGE-----

Mangle's argument that, because of the size of its budget, the NSA somehow must be able to crack strong encryption such as 256-bit AES (which he disparagingly characterizes as "little vendor provided encryption") will only be convincing to the simplest of minds.

You go on to question the motives of "anyone would defend this program" (Skype).  I would point out that you continue to confuse the questioning of your assertions (which, again, you have failed to support) with defending Skype. Your questioning the motives of those who ask you to support your assertion(s) -- a form of ad hominem argument (http://www.intrepidsoftware.com/fallacy/attack.php) -- is a poor substitute for facts and reason.

You ask:

Quote
This is a free program, where are they getting the funding to make it crack proof from the gov.?

Again, Skype Technologies didn't have to create their own cipher. They use 256-bit AES (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard) (which is also approved by the U.S. Government for transmission of top secret information).

As for where Skype gets its funding from, see the following page, which gives bios of the founders and links to corporate investors:

http://www.skype.com/company/founders.html

Note that while the Skype software is given away for free, the company offers a paid service called Skype Out (http://www.skype.com/products/skypeout/) that allows users to place calls to regular telephones for modest rates, for example, about 2 cents per minute to anywhere in the US. (These calls are necessarily not encrypted.) This is Skype's main source of revenue.

Note also that computer-to-computer calls, which are free, don't cost Skype anything, either.

While some entities in  the U.S. Government might be curious about what Skype users are discussing, it would be a fool's errand to try to investigate all of the rapidly growing millions of Skype users around the world. Especially since most people aren't using Skype primarily because it uses encryption, but rather because it offers free calls with sound quality that is generally superior to that provided by regular telephones. In all likelihood, the great majority of Skype calls are indeed about such personal things as "follies at the bar last weekend."
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: compscigeek on Nov 10, 2004, 11:08 AM
i hope they paid you to say that, because that was excessive. it's naive to think that the government's capabilities with computing stretch as far as you and i would like to think. why would the government make it public that their top secret information is 256 bit encrypted....sounds like fairy dust to me. it would be like declassifying the paint used on a stealth fighter. i wouldn't expect them to decrypt your calls unless they had good reason to. i certainly wouldn't expect them to listen in on everyone. it doesn't take much though, you seem to be, after all, a big part of antipolygraph.org..which is working against the gov.'s intentions in some ways isn't it?
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: George W. Maschke on Nov 10, 2004, 11:32 AM
Quote from: compscigeek on Nov 10, 2004, 11:08 AM
i hope they paid you to say that, because that was excessive. it's naive to think that the government's capabilities with computing stretch as far as you and i would like to think.

What are you talking about?

Quote
why would the government make it public that their top secret information is 256 bit encrypted....sounds like fairy dust to me. it would be like declassifying the paint used on a stealth fighter.

See, CNSS Policy No. 15, Fact Sheet No. 1 ("National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information"):

http://www.nstissc.gov/Assets/pdf/fact%20sheet.pdf

Quote
i wouldn't expect them to decrypt your calls unless they had good reason to. i certainly wouldn't expect them to listen in on everyone. it doesn't take much though, you seem to be, after all, a big part of antipolygraph.org..which is working against the gov.'s intentions in some ways isn't it?

Again, you have offered no evidence whatsoever that would suggest that the U.S. Government (or anyone else) has any ability to crack 256-bit AES in general or Skype's implementation of it in particular.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: compscigeek on Nov 10, 2004, 10:40 PM
if i had that evidence i probably wouldn't be able to give it to you, because it wouldn't be public knowledge...and who cares what that sheet said, they can print anything they want to keep our security safe.  anything that the general public knows in the states, is known in the world. wouldn't you rather let everyone think you have a pea shooter, when you really have a cannon?
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: George W. Maschke on Nov 11, 2004, 04:36 AM
compscigeek,

So the CNSS fact sheet on AES -- which flatly contradicts one of your previous arguments -- is now part of a grand deception by the U.S. Government? Yeah, sure.

I think that by now it is more than clear that you have been talking through your hat from the very beginning. In view of your continued failure to back up your assertions, your resort to ad hominem attacks, and your unwillingness to acknowledge any error, even when it is so clearly pointed out for all to see, I see no point in discussing this matter with you any further.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: compscigeek on Nov 11, 2004, 05:35 AM
you can't accept the fact that i've made some good points, and maybe i'm eating your credibility to sell your anal puckering techniques to pothead-would be government employees. hey, "i've got some jargon that no one will understand and make me sound credible". common sense and good logic isn't enough. great marketing with the cnss policy. skype, this wonderful free program that you love so dearly, is as good as the best technology our country has to provide for our national security. tools...
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: Jeffery on Nov 11, 2004, 09:14 AM
Compscigeek-

Can you document the good points you supposedly have made in this thread?  I've read and re-read these posts and can't really see the good points to which you refer.

To summarize:

Skype can't possibly be secure because two guys couldn't possibly implement industry standard encryption that would defeat the full might and power of the billions of dollars of US government computer technology?  And if the government had the capability to easily crack encryption, they couldn't tell us about it because they want to keep it secret and keep us thinking they can't crack encryption?

Is this the gist of the good points which you claim to have made? How does George's dispute of some of your points and asking you for evidence hurt his credibility?

I would agree that the fact packets seem to be encrypted in the first place would draw more attention to those packets. But big deal. The fact that skype has excellent audio and works through most firewalls is reason enough to use it. The fact that your communications would be hidden in billions of other minutes of skype audio, and dispersed through multiple P2P relays would make intercepting it and cracking it difficult even for the most expensive of mythical government systems.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: dave3582 on Dec 18, 2004, 11:16 PM
What an interesting discussion I found while I googled for some info on evaluation of Skype's security.

For those searching for some kind of evaluation as I was, better overviews can be found at:

http://www.security-forums.com/forum/viewtopic.php?t=24098&postdays=0&postorder=asc&start=8

(in particular see Justin's reply)

and

http://www.securiteam.com/securityreviews/6K00M2ABFM.html


As for this discussion:

Actually, I think the troll may have made some good points, whether intentionally or unintentionally, and of course in a very oblique and sometimes offensive manner.

The first issue is whether AES itself is vulnerable. The fact that it appears to be so widely trusted and used, by a variety of different "users", technical, corporate and government, is surely a sign that it works, at least for most purposes. There is no point in evaluating in detail the maths behind it, unless you are willing to put in real effort at becoming proficient (which I for one am not). The fact that it is "open source", and that it has been put forward and scrutinised in academic journals as well as on the internet, without any weaknesses being found, does add to credibility (but I am going off vague and half-remembered second hand reports that no weaknesses have been found). But, by analogy with the Enigma saga (which I think the troll did hint at), it would seem to be possible that there could be a solution to these mathematical encryption schemes, that is held by a few intellectual elites (which all the rest of the mathematicians, even though they are very good, don't know about). Still for practical purposes, it makes sense to assume we have an unbreakable encryption. (The problem of casual snoops and criminals decrypting AES would seem to be almost impossible, even if at the very highest level the government is playing the double bluff game).


The second, more important issue for Skype specifically, is whether Skype's implementation of AES is robust. Here, we would be able definitely to turn the troll's "point" regarding open source against him. The fact that third parties (such as Justin at the security forum), that we can trust to greater or lesser degrees, cannot look at the implementation because it is poorly documented and not open source, greatly reduces the trust in the product.

But here also, the senior member George has misled slightly, and in some sense has been complicit with the marketing spin of Skype, because he did not point out clearly enough this key weakness of Skype, even though he introduced it as using "strong encryption". Indeed, he only referred to the benefits of open source with regard to AES itself, and missed the opportunity to criticise Skype for not being open source (although he did, albeit briefly, mention the possibility that their implementation might be inadequate). We only have Skype's word for its efficiency (and they may even have put a deliberate backdoor into the implementation, although points about why they would want to do this and how it would be hard for them to harvest traffic on a large scale are valid). There are a lot of users of Skype, but they seem to be mainly "users" in the consumer sense of the word, and it hasn't been subject to much scrutiny from the corporates or open source community. Given how many users it has got, and given how it hypes the "strong encryption", AES standard, maybe it is time some public spirited techie reverse engineered it and documented the results.

There has been a recent bug fix to fix a buffer overflow in Skype, which in fairness was posted on their site (this does not link to encryption implementation directly, but if an app allows another to take complete control of your pc, then any encryption is potentially rendered ineffective even if it is a good implementation, aside from all the other problems you will have).

For me, I think I will go ahead and use skype anyway. I don't particularly want random people to be able to hear my conversations, and I am not convinced that Skype will prevent it, but free, reasonable quality phone calls sound too good to ignore. Maybe even a poorish encryption implementation will provide a similar level of security to POTS, because it would still require some effort and skill to eavesdrop, unlike with entirely unencrypted traffic.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: dave3582 on Dec 18, 2004, 11:22 PM
Oh - I forgot to mention - we might also judge an app's credibility by who has released it, and what apps they have released before. Unfortunately, the authors worked on Kazaa before, which is good if we are looking at how popular the app might be, but bad if we judge security. They are not Zimmermann.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: Algol on Sep 18, 2005, 04:20 AM
Hey Compscigeek,

You can easily prove George wrong...

Just factor his public key and post the two prime numbers that created it.

Course I expect to die of old age first.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: Skeptic on Sep 18, 2005, 05:20 AM
Quote from: Algol on Sep 18, 2005, 04:20 AM
Hey Compscigeek,

You can easily prove George wrong...

Just factor his public key and post the two prime numbers that created it.

Course I expect to die of old age first.

Wow.  Talk about digging up an old thread :)

George is right, though.  AES has received NSA's seal of approval for the protection of Top Secret data.  This isn't a determination made lightly, and if you look at their other criteria and guidelines for dealing with top secret information, it's pretty clear that when it comes to the protection of top secret stuff, NSA doesn't take chances.

It's always possible that someone, somewhere can crack AES.  But color me a skeptic that anyone actually can, and yes, that does include the guys at Fort Meade.

At any rate, Skype looks very promising.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: George W. Maschke on Sep 18, 2005, 07:02 AM
With Skype's acquisition by eBay, it may be less secure. Presumably, as a U.S.-owned company, Skype will become subject to the provisions of the USA Patriot Act (http://en.wikipedia.org/wiki/PATRIOT_Act), under which the FBI, by issuing a "National Security Letter" (http://www.aclu.org/nsl/) (no court order required), may demand customer information from telephone companies, Internet service providers, bookstores, and even public libraries. The recipient of a National Security Letter is prohibited from informing the customer that his information has been provided to the government.

PGP developer Philip Zimmermann (http://www.philzimmermann.com), whom the U.S. Government once sought to criminally prosecute (http://www.philzimmermann.com/text/PRZ_case_dropped.txt) for making strong encryption publicly available, is working on a secure VoIP application that is presently called zFone (http://www.philzimmermann.com/EN/zfone/index.html). Unlike Skype, zFone's source code will be made public for peer review.
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: Skeptic on Sep 18, 2005, 05:19 PM
Quote from: George W. Maschke on Sep 18, 2005, 07:02 AM
With Skype's acquisition by eBay, it may be less secure. Presumably, as a U.S.-owned company, Skype will become subject to the provisions of the USA Patriot Act (http://en.wikipedia.org/wiki/PATRIOT_Act), under which the FBI, by issuing a "National Security Letter" (http://www.aclu.org/nsl/) (no court order required), may demand customer information from telephone companies, Internet service providers, bookstores, and even public libraries. The recipient of a National Security Letter is prohibited from informing the customer that his information has been provided to the government.

PGP developer Philip Zimmermann (http://www.philzimmermann.com), whom the U.S. Government once sought to criminally prosecute (http://www.philzimmermann.com/text/PRZ_case_dropped.txt) for making strong encryption publicly available, is working on a secure VoIP application that is presently called zFone (http://www.philzimmermann.com/EN/zfone/index.html). Unlike Skype, zFone's source code will be made public for peer review.

The question would be whether or not Skype could build a backdoor into the telephone.  I'm not familiar with the protocol, but a backdoor into the software itself would enable tapping.

I don't see any other method by which the telephone call could be tapped, given the level of encryption.

Here's another possible application (one I've not used, myself).  It's called SIPfone:

http://www.stud.uni-hannover.de/~twoaday/winpt.html
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: George W. Maschke on May 16, 2006, 08:34 AM
You can now use Skype to make free calls within the US and Canada through the end of 2006:

http://news.com.com/2100-7352_3-6072256.html
Title: Re: Skype - Free Secure Internet Phone Calls
Post by: Irishgeek on May 16, 2006, 09:34 PM
Skype is a great application..!!!

Cheapest way for doing long distance calls (Ireland). I have not used the encrypted features yet...will have to give it a try.
Title: Remember: Never use Skype
Post by: George W. Maschke on Dec 18, 2014, 04:39 AM
Ten years ago, I suggested using Skype for "free secure Internet phone calls." I'd like to make clear that I no longer suggest doing that and would advise against it. Documents disclosed last year by NSA whistleblower Edward Snowden reveal that Skype (now owned by Microsoft) has been an NSA PRISM (https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29)-partner, facilitating the surveillance of its customers, since 6 February 2011.

Recently, Tor (https://torproject.org) developer Jacob Appelbaum, whose opinion I respect, posted on Twitter: "Remember: Never use Skype":

https://twitter.com/ioerror/status/545078471639461889

In a reply, I mentioned to him that whenever possible, I use Jitsi (https://www.jitsi.org/) instead, but that at times, when Jitsi won't connect, Skype can be useful (bearing in mind that it is monitored).

He replied to me: "Don't even have Skype installed on your systems. Seriously. Just stop."

I asked for any risk mitigation tips for those who for practical reasons must at times use Skype. Appelbaum replied, "Here is how you mitigate Skype risks: stop using it":

https://twitter.com/georgemaschke/status/545085536646737921