News of a possible viable business model for P2P VoIP network Skype emerged today, at the Counter Terror Expo in London. An industry source disclosed that America's supersecret National Security Agency (NSA) is offering "billions" to any firm which can offer reliable eavesdropping on Skype IM and voice traffic. The spybiz exec, …
Grab your tinfoil hat, lads...
Who would put money on this being smoke and mirrors?
1. Get a backdoor to a program people trust.
2. Pretend you don't, offer ludicrous amounts of cash for said backdoor.
3. Never get "official" backdoor, never pay out money.
4. Monitor with impunity or oversight
Old skool roolz!
Of course, in the bad old days, yer spooks had to get out of their comfy chairs and airconditioned offices and go and stick little mics on phones so they could hear what was being said. I'll bet you can stick a little mic on a Skype handset and it'll work just as well. Immune to any software update encryption shenanigans too.
KA-CHING! (That'll be 1 billion US to a numbered Swiss bank account please - just mail me the number.)
Of course, this is a bit obvious as it requires a proper "op" to do it and is a tad more difficult to get away with without all that pesky paperwork in place (court order for wiretap and such).
I guess what they *really* want is a way of listening in to Skype conversations that preserves "plausible deniability" for the top spooks when their underlings are caught listening to things that they're not really allowed to.
The cynic in me thinks that Skype has found a foolproof way to monetise their business stream. The sloth in me wants to go and have a little lie down.
NSA Already does Skype
The Times have already reported that the NSA gave decoded skype calls to the Indian authorities regarding the Mumbai bombings. This sounds like FUD.
eBay will figure out a way to charge the NSA per call, and someone else will set up a site (lin-baden.com) giving a percentage of that to the callers, and a new industry will be born. Half of Asia will be calling each other with robo-dial software for the 0.4 cents per contact.
Then the questions to really ask are:
If they ARE having trouble accessing Skype, as they and several other "super-secret" agencies that never talk about what they are doing claim, why are they advertising that fact? To draw subversive elements into Skype so that a year down the line they can go... well, actually, we could monitor it - thanks for the info?
If Skype is *really* that good (I doubt it, it's probably nothing more than a nice AES with some custom tweaks or other encryption layered over the top), how do they expect anybody to find a solution?
If the encryption *is* that damn good, then you have a copy of the encrypter/decrypter code inside every Skype executable. You might not be able to get people's private keys but the protocol is basically published inside every executable, which are available in a variety of platforms and languages. Ever heard of a disassembler, guys?
I suspect it's more the P2P element that flummoxes them because there is nowhere sensible that they can intercept random calls. The fact is that if they suspect anyone, they can easily target them specifically (keyboard-capture, screen-capture, virus infection, social engineering, etc.) and it's a lot easier than trying to monitor the whole world. But for some reason, governments always want complete control of such things - probably because that is the best way to subvert and hinder your citizens (ala China).
The problem they have is that Skype is pretty much a distributed system so they can't do their mass analysis and come up with "X is a terrorist" just by watching random traffic from everybody in the world (that is, of course, if they ever could).
It seems to me that this and the GCHQ affair are aimed at a political change, not an actual valid call for research. They want the power to monitor everyone for everything so they can pick up on the same trends that they used to be able to. If they say they "can't" do it, maybe the government will ban it, or enforce an alternative, or force backdoors, etc. With P2P, point-to-point encryption with well-known and tested algorithms, it is virtually impossible to break even a simple message and they have to go back to old-fashioned policing - work out who the terrorists are by watching known terrorists and following what they do.
Personally, if this is the case and they have no way to watch it - good. It provides a bit of anonymity and security to the network again. I don't see any reason that any modern protocol should NOT include encryption nowadays, it's so cheap to implement and can apparently stop even these "big guys" in their tracks even when they know the entire protocol and have access to public keys.
This is what happens when you try to control things that don't want to be controlled - they find a way around it. Each time you control something else, the ways around get smarter and more powerful. And before you know what's happening, the entire IPv4/IPv6 infrastructure is nothing more than a carrier for complete encryption for everything that everyone does online.
People already KNOW that wireless has to be encrypted and that secure websites are required if they pay by credit card. Soon, the whole internet will be nothing but a huge P2P VPN. And then where will the overbearing legislation get you? You won't be able to stamp on Joe Bloggs because he has encryption technology you can't beat (ala the PGP etc. problems of the early days) and to use ANYTHING online (which is what every government is pushing towards), you'll have to be part of the same network that the government hates because it can't break it, censor it or monitor it.
The Internet has leapfrogged these sorts of organisations and "Big Brother" ideas and they can't handle it. Unfortunately, it was caused (at least in part) by their overbearing manner in the first place - chasing kiddies for downloading songs, etc. They can't break it? Good. Let 'em whinge. While we're at it, let's see how much more terrorism happens without them.
make you very rich
Well just demand it off you for national security reasons and leave you penniless
prolly whack you to keep it quiet we can snoop
"simply buying a way into Skype"
At which point, those of us who think that they should no more be allowed to eavesdrop on VoIP than they should be allowed to wiretap without authorisation will simply find a different VoIP client and leave the NSA to listen to the sound of one PC clapping.
The Trillion Dollar Hole
Isn't it about time populations worldwide started to question what happens to all these billions that seem to get lavished on these surveillance organisations? I can understand the secrecy, but it really gets me worried when they start indiscriminately harvesting of whole populations. Maybe it is difficult to distinguish between the communications of foreigners & the domestic population, but when they do it seems that security services regard US (their paymasters) as the enemy. I think some estimates suggest the NSA costs the US taxpayer over $40 billion a year! Is it money well-spent? What annoys me most is that there have been repeated admissions that the NSA were up to very dubious things & the scale of the spying would be the envy of the Stasi, yet the mainstream American media & Obama seem to be avoiding the issue. Worldwide governments seem to be moving towards a situation where total surveillance of people's movements & behaviour is the norm. And it doesn't seem all that benign (judging by some of the people the NSA were spying on).
I thought I had read an El Reg article about a China-based Skype service which was providing the Party with decrypted transcripts.
Spooks can already intercept Skype. They can just tap into the ISP's network or break the wireless key. The IP address of the target is known (or knowable)....
ISPs and telcos have been obliged to provide easy access for law enforcement for years.
So the NSA have cracked the 'encryption' offered by Skype and can listen readily to real-time traffic. But they still want the opponents in the War On Terrier to use Skype. So they make out that they can't listen in to Skype traffic by "secretly" (publicly) offering major league money to the company that can get them in.
Ingenious. Even M would have struggled to come up with this.
So much for the constitution.
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
@Grab your tinfoil hat, lads...
Get backdoor into something. Offer large cash for backdoor in competing product, suggest you can already do it but at great expense. Drive everyone to other product which you *actually* have a back door into.
A piece of FUD
I mean seriously, Skype is a blob of encrypted binary code. There surely is not only code inside to monitor in- and outgoing calls, but also to activate the microphone and camera or take screenshots. I mean even if Skype would be an honest company, if I was a programmer there, I don't know if I could resist putting such code inside. The risk of detection is near zero.
Besides, the NSA could probably just order such "features" to be implemented.
Simple way to know if they have a backdoor
Which other agencies use it?
The reason we know AES is secure is that the CIA wouldn't use it - if the NSA had broken it, and vice-versa.
A humble suggestion
Broadcast the invitation to tender out into space. Wait a couple of hundred years. With luck some Alien Greys, Greens, and Browns will do the necessary back-of-the-envelope calculations and decide it's worth their while.
Like all encryption products, unless you have access to the source code, a degree in Mathematics to understand the encryption implementation, compile it yourself, have unrestricted access to your machine, KNOW nobody else has access to your machine, AND have the same level of trust at the other end, it's not secure.
I don't trust Skype encryption in the same way I don't trust the lock on my front door to keep out the cops, should I do anything illegal. You can bet that anybody who REALLY has something to hide isn't sending raw audio over Skype, isn't saying things like "OMG LOL LETZ BOM DE EMBAZEE!!1" into the microphone, and isn't going to do it where the World Police expect them to call from.
This is Weird - Not Sure About Validity
Narus already does this for several foreign governments and they've sold their equipment to every single carrier in the U.S.
They can record, track, and throttle VOIP and P2P however they want. Why would they be offering a "reward" for something that already exists?
This is so wrong
NSA can't even stop the mossad from operating in USA with drug sales and now they want to do this?
AIPAC will close down NSA one day soon.
It's an amateurish 'Honey Pot' .......
..... as already suggested by a number of ACs. "The spybiz exec, who preferred to remain anonymous ........"
Does anyone, in their right mind, believe for an instant that the NSA, MI6, SMERSH or Mossad would allow somebody to go public on such a thing and see their next birthday?
To the guys and gals at No Such Agency :-). Come on this isn't even a half assed attempt at a honey pot. I mean really seriously an unnamed source who is supposedly a "spybiz exec", that's the best you could come up with? You guys are slipping, you need to go back about thirty years and brush up on your old fashioned espionage skills. Too much time sitting and watching CNN is making you rusty.
False sense of security
I suspect they are only saying this to lull the bad guys into a false sense of security.
Skype is European based?
Perhaps I'm missing something, but doesn't E-Bay now own Skype?
Even as a wholly owned subsidiary, do you think that the US government can't put the screws to E-Bay?
As to breaking the P2P... There are some things that they can do ... probably are doing to reduce the amount of data that they have to sift through...
You have two issues...
First identifying the PCs involved in the communication traffic that you want to monitor.
Second decrypting the encrypted message/conversation.
There are things that the NSA can do to identify PCs that they might want to monitor traffic to and from.
It's breaking the encryption in a timely enough manner that is an issue.
If they knew what/how Skype is encrypting the data and which type of encryption, it makes it easier. (But still rocket science)
I think that this is a bit of FUD and I have more faith in the NSA and their billion(s) dollar budget and IT equipment. I wonder how fast you can break AES with a data center filled with PS3s running Linux in a cluster... ;-)
On dodgy ground
So NSA are offering to pay a company for technology designed to decode information encrypted by a legitimate application?
I understand that the NSA can do whatever they bloody well like, but wouldn't the company offering these "services" break a whole raft of DRM-protection-related laws?
Would it be so different if the company was offering to decrypt DRM-laden media streams?
Of course the NSA already has the source code, via the usual rubber hose / bribery / black mail technique. So does the FSB and the BND and .... probably only cost them a few minutes of the yearly budget. Why pay the CEO when the underpaid programmer will happily sell out for a fraction of a CEO?
The real problem (as mentioned) is finding the P2P call itself in the internet data stream. This is where a bit more skullduggery is needed and assistance [probably past tense] from at least a small group of the development programming staff, to embed a recognizable symbol string that can be picked off by one of the servers in the path (and ideally also weakening the encryption [also of course past tense] in non-obvious ways if the encryption is any good to start with).
the NSA can suck it.
it's privacy invasion.
National Security ?
I cannot understand why US nationals harp on about National Security when they talk about things like this.
Skype are NOT a US based company.
YOUR security is irrelevant to a company that is based in Europe.
NSA can bitch and moan all they want about backdoors and keys to listen into peoples calls, but Skype should extend the middle finger and shove it straight in the face of the NSA.
Now get out into the yard boy, themma hogs are a needin feedin
>>isn't saying things like "OMG LOL LETZ BOM DE EMBAZEE!!1"
I don't understand a word of that, but I will get the boys on it right away!
Hey, Mr NSA- give me
6 months and 2 or 3 of those billions of dollars (or pounds, since I'm British) and I'll find you a backdoor into Skype.
Give me another billion and a year and I'll have a good go at getting into every other VOIP system.
Of course, I find it reprehensible. But hey, a few billion is a few billion...
Of course it's bloody privacy invasion! You are not exactly going to invite the NSA to every phone call you make if you're Osama Bloody Bin Laden are you?
If I was a rich text man/Texan ...... Oliver North type
"We asked the NSA for comment, particularly on the idea of simply buying a way into Skype, but hadn't yet received a response as of publication."
The simplest, quickest and most effective way of purchasing/leveraging of what you want .....from the Intellectual Property owner/head honcho, of course. And money well spent too.
And with regard to " but hadn't yet received a response as of publication." . what would one expect from No Such Agency [practising Stealthy Intelligent Steganographics]
Invariably whatever you think to be true is false, and therefore Skype is well hacked and thus a convenient spooky tracker for Uncle Sam.
Security Through Obfuscation
(in other words, no 'clear text').
Didn't I hear something about our wonderful Government having ordered all ISPs and TSPs to record a years-worth of data for the whole of the UK, at an exorbitant cost to the taxpayer to cover the extra costs of storing all that crap?
Are we now to see a return to the 'bad old days' where the Bad Guys talk in code and the security services hassle "innocent" civvies for inadvertently using "code" words?
Can see that one going down a bomb when I next meet up with the guys to smoke a few Embassy cigarettes... oops. Did I just trigger a keyword filter? ;-) (Or will it just be the Health Naz-1-s coming to get me for mentioning smoking?)
Time to clean up in the monkey house, just like T'Pau suggested back in the 80's - or not. That's racist, isn't it? I mean, we're the Human Race, and they're Apes? (The monkeys, not Carol Decker and co. Or is that Specist, and racism only applies to the things that are all pink and squidgy inside, regardless of the color of the wrapper?).
Ooh, looks like my ride is here - strange, I thought I'd ordered a cab not chartered a helicopt*&^*%(*&(
I'm amazed to read that you could do real-time AES encryption using just 20% CPU time on a 5-year old computer... something you wanna tell us that we don't know, Lee ?
1. Login needs to be authenticated, this will show ip of clients connecting.
2. Use IP intercept gateways to snoop on data between client IP addresses.
3. Use brute force decryption or back door keys to decipher encryption.
I would say this is many many times easier than intercepting normal fixed/mobile network calls.
@Ian Michael Gumby
"I wonder how fast you can break AES with a data center filled with PS3s running Linux in a cluster... ;-)"
Probably not as fast as a few Tesla machines in a cluster.
Ho. Ly. Sh<carrier lost>
The article mentions that Skype updates encryption algorithms regularly. In the UK the network operator 3 is selling mobile (cellular) phones with Skype built in. Does anyone know if the encryption on those phones is updated? If not, would Skype calls to those phones be less secure than those between PCs?
Thought NSA Watched Everything
I am amazed the NSA can't crack and listen in to Skype calls.
How can we accept people having the possibility of a private call, Skype should be banned now.
End of Skype
Well, let's face it. It would mean the end of Skype for that reason. If they go that way & I truly hope they don't it's over. I won't love them anymore.
Skype, stay true & move to Linux only. Unreasonable I know but I am.
Shouldn't the NSA be known as the Nonsense Shite Arsewipes & its undercovers perhaps Nincom-Spook Arseholes
WTF is the reg playing at?
I mean you're basically making suggestions to the various government security agencies about buying skype to introduce a backdoor! Let those bastards do their own job!
We have enough trouble with them and privacy as it is!
I don't use skype but I might now I know they can't easily eavesdrop! not that I'll ever be of any interest to them.....
With the Democrats back in power, they can complete the plans started under CALEA.
They'll just buy Skype under the guise of saving the economy, have the source code, and game over. What's a couple billion in a Porkulus Bill anyway?
I'm with Lionel...
I'm with Lionel Baden on this one...
a) The US gov't is crooked as hell. The NSA will just claim "state secrets" or something and not pay a cent.
b) They should not be performing wide-scale eavesdropping anyway... and for targetted eavesdropping they can just slap in a microphone.
In conclusion if I DID figure a way to crack Skype I sure as hell wouldn't share it with the NSA.
@FUD "They can just tap into the ISP's network or break the wireless key. The IP address of the target is known (or knowable)....
ISPs and telcos have been obliged to provide easy access for law enforcement for years."
Yes, and at that point they get a nice Skype-encrypted data stream. It could still be that they can crack Skype as well and this is "FUD" (more like obfuscation, really... push people "with something to hide" onto a cracked system)... but the fact is, getting the data off the ISP's network won't do a thing.
I had read an article a while ago about how the NSA has been regularly buying new computers that WOULD be nice and high powered.. if they could run them. But they did not spend to upgrade the building electrics and so could not even plug several of them in. That was several years back, but anyway...
MuI7 upgrade to NSA. Hush Hush Works .... for Better and Beta Skunk Working
The Problem ALWAYS in Intelligence sits between the Chair and the Key Board. ...... and in ALL Cases is IT AIMissing Link/LINQ.
And until that Position is suitably Filled/Fixed, will there always be Internal Conflicts which render their Efforts, Self-Destructive and Ineffectual.
I make no apologies for SHOUTING that, as it is a Fundamental which needs to be Addressed for any Chance of a Solution ...... in any and every Agency which would think to Supply Novel Intel/WMU ..... http://cryptome.org/icd/icd-208.zip
Just move from P2P to PGP (Peer Government Peer). Who needs low latency anyway...
Separate Ward For New Skype Users?
Some relative news for last 3 days, like "Italian Mafia Successfully Uses Skype" or "Agency Pays Mlns For Skype Cracks"... so foolish not to use this great opportunity to make calls securely if, as reported, it's passed a field test for penetration -- performed by such successive enterprises!
Some accidental rise in downloads of this sophisticated thing follows. Must be schoolchildren or criminal boneheads warming up engines.
More funds and supercomputers... because she forgot the key.
The problem is, they already let it slip they can break in.
The statements about the way Skype works are dubious at best, and I really can't think of a US COMPANY which would be able to say "no" to the Bush supported NSA - they would have had to close shop already under some trumped up "helping terrorists" charge.
So, fat chance I'll buy that. Sounds more like the mentioned "exec" was seeking to make friends.
re: Using PS3s/Teslas to crack AES
I don't know AES so I may be wrong but I'd wager you couldn't crack it using floating point. Too sodding inaccurate.
That makes the SPEs and Shader Units pretty much useless for this task ...