56 Comments
- Harrison88, on 10/02/2008, -4/+64
"Trust" and "privacy" are words that don't exist in China.
- Adamande, on 10/03/2008, -3/+30
Your profile says you live in England. The number one country in the world when it comes to public surveillance. That makes your comment kind of funny...and kind of sad.
http://news.bbc.co.uk/1/hi/uk/6108496.stm
- artfuldodga, on 10/02/2008, -2/+28
well, I just uninstalled skype, NEXT.
- inactive, on 10/02/2008, -2/+26
I know I sound like a broken spam machine, but there is no reason for people to chat on crap like skype, aim, msn, icq and such. All of those are easy to monitor. It is part of my job to monitor it. The protocols are designed for ease of recording, sorting and classifying.
Anyone could easily set up irc and an encrypted web front end to it for themselves and run it at home on an encrypted server. I set mine up in about 10 minutes.
Google for unreal ircd, cgi:irc, anope services. It is easy to set up and you can have encrypted anonymous conversations with as many people as you want at the same time, or private channels, etc... You would be able to send them a URL to chat. You could even send the URL to a few thousand people if they use a native IRC client such as XChat that supports SSL. IRC scales to thousands of users on a small machine (P3 700 in my case) and the web front end you could easily handle a few hundred people on your server.
- inactive, on 10/03/2008, -0/+15
The NSA has been there, done that.
It's a bit late for "uninstalling skype" now.
- sputza, on 10/03/2008, -6/+19
***** China!
- Adamande, on 10/03/2008, -0/+11
What's that world of difference if I may ask?
And please keep in mind the telecom-scandal of the Bush administration.
http://www.networkworld.com/community/node/32875
As well as the massive telecom-surveillance plan the EU is trying to force through in most of Europe in the name of terror-protection.
http://news.bbc.co.uk/1/hi/uk/6108496.stm
I find it interesting, that while we are being subjected to government spying on a massive scale, we keep vilifying China like this is exclusively their type of problem. If you look at this map, based on research done by the US-based Electronic Privacy Information Center and the UK-based Privacy International, you will perhaps moderate your view of the surveillance-issue:
http://www.privacyinternational.org/article.shtml? ...
- Atomic1fire, on 10/03/2008, -0/+10
And don't forget jabber,
not only is there compatibility with gtalk, but you can use existing security methods for IM
- pbryan, on 10/02/2008, -2/+12
Skype client already acts *exactly* like a polymorphic virus; now Skype servers are found to be vulnerable. How will you ensure your client is secure? The lack of transparency throughout Skype's software and service is reason enough to distrust it with any sensitive information, on any sensitive platform (i.e. your computer). If you do insist on using it, at least Sandbox it in a virtual machine to keep it away from your private and sensitive data.
- Kimberlyyan, on 10/02/2008, -1/+10
I'm not at all surprised.
- inactive, on 10/03/2008, -0/+9
Skype's central directory servers store public keys which are linked directly to Skype accounts. That means the company may provide access to anyone with a warrant to intercept any conversation.
In addition to this, the data is not encrypted when it reaches the application servers at Skype. The payload itself is not encrypted, but rather the transport only. This means that they may log and record all conversations, as all free public chat providers do (for "maintenance purposes only" of course).
If you run your own chat server, you generate the keys. Nobody else has the private keys except you.
- Me0wmix, on 10/03/2008, -1/+10
If they monitor, they should at least get rid of the bots. "Hi , i am lonely. U can c my pics here: "
Anyways, BAM skype uninstalled.
- inactive, on 10/03/2008, -0/+7
I forgot to reply to your MITM attack vector. The way that is done is with an appliance that has the keys necessary to allow internal DNS and multicast to route the clients to your proxy appliance. Some people refer to these as chat gateways. In my own personal opinion, I believe companies should enable the banners on their gateways that tell people their conversations are being monitored and recorded, but legally they are not required to do so as these types of communications are not protected under wiretap laws. An ISP could do this on an individual case basis (per home user) but they will never admit to doing this as it will scare away customers. A tech-savvy person could see this happening however.
A similar thing may be done with HTTPS traffic, though that requires installing certs on the clients and rarely happens outside of corporate builds or corporate facilitated monitoring. Bluecoat is one such product for this.
MITM attacks against individually created certs are much harder to perform but are not impossible. They are just really improbable to do on a large scale.
- telepheedian, on 10/03/2008, -0/+7
I never did trust skype, what with the blackboxing and supernodes and whatnot...
- lucy22, on 10/02/2008, -3/+10
Well I am not going to use skype now.
- m4csrgh3yk3v, on 10/03/2008, -0/+7
So how much do you trust that little padlock in Skype now?
- palehorse864, on 10/03/2008, -0/+7
"That makes your comment kind of funny...and kind of sad." ~Adamande
The comments in which he's dying are the best he's ever had?
- bit4man, on 10/03/2008, -0/+7
WOW - another reason for using open source.
- blankoboy, on 10/03/2008, -0/+5
What do you mean by "***** China"? It's the US company eBay that is allowing this....so shouldn't you be saying "***** USA!"? They are definitely doing the same to you. Don't dream for a second that they aren't.
- fattehboi, on 10/03/2008, -0/+5
they better not be saving my videos and viewing them...
*****.
- Dotcommer, on 10/03/2008, -0/+5
But most people don't know how to do that kind of thing, and use it blindly.
- inactive, on 10/03/2008, -0/+5
"Fundamentally, the private keys shouldn't be on the Skype servers in the first place".
But unfortunately they are.
Yes the proxy exchanges the keys with the endpoints. That is why the appliances are not end user serviceable. Yes some packets go directly to the end user. I am not saying that it is easy to monitor everyone all the time. Skype was actually designed with a different approach than the other chat clients in that it can use multicast and cache supernodes so that people entering a NATed environment can bypass security in some cases. The application could easily follow instructions from HQ however, though I am not aware of this being done. Either way it is not by any means a guaranteed anonymous or private form of communication. Unless people run and control their own servers, there is no way to assure privacy. Of course not every circle of people have someone that can throw together a chat server quickly, even though in my opinion it is easy. A lack of privacy and anonymity is a trade-off for the convenience as is the case with many things.
In reference to warrants/governments getting private keys, I think you and I both know how well they keep such things secured. That means key revocation becomes quite important along with recognition that keys have been compromised. All it takes is one "accidental" leak of data through a "stolen laptop" and whatever agencies we want to share those keys with will have them. "Ooops, did we give those keys to (insert country here)?" :-)
To be in the middle is easy for any ISP in the routed path. It only takes one weak link to comply. (e.g. AT&T, Verizon are the ones people know about officially)
To your point though, I agree that it is not one that can be monitored all the time unless additional instructions were given to the client. People have seen weird behavior like that in skype, but nobody has officially confirmed what it was.
/removes tinfoil hat
- SpudDuffer, on 10/03/2008, -1/+6
EVERYONE has something to hide, the Pope, the President, even Aunt Martha, given enough time, incriminating evidence can be gathered on anyone anywhere. If we rely on having, "Nothing to hide,..", as a basis for giving up our freedoms, we will never be free again, you never get rights back, when they're gone they are GONE!
- Ninnux, on 10/03/2008, -0/+4
It's not a basis for giving up her freedom and you missed the point...she's first generation. The Chinese have lived like this since the Cultural Revolution. They live their lives, talk to their parents, email their friends, and so on. The difference is that they know people are listening.
- stealthc, on 10/03/2008, -0/+4
Is it "tin foil hat" if it's true?
- colonelbuckshot, on 10/03/2008, -0/+4
neither does "freedom", "individuality", "animal rights", and many other western concepts
- GothAlice, on 10/03/2008, -0/+4
Uh, let's not mention the previous news of the encryption scheme being broken… by Chinese researchers. Mmm, let's have trivially weak encryption and security through obscurity. And because it's a peer-to-peer protocol (call packets routed through an unknown number of intermediate skype users vs. a central server) each host along the way can log traffic and decode at their leisure.
Brilliant.
- heystoopid, on 10/03/2008, -0/+4
But since the writers of "Skippy" are the same ones involved in Kazaa spy on me, the software responsible for tens of thousands of music downloaders seeking the odd 0.015% of the only decent music in town issued by the big four labels in any given month being convicted by the RIAA.
And the latest spyware from this blackhearted mob of crooks and thieves surprises anyone not?
- Cannon49, on 10/03/2008, -1/+5
Too bad they already own America.
- ChayesFSS, on 10/03/2008, -1/+4
good ***** for just business calls though. Hard to beat 3 bucks a month for local/long distance, great integration with Google's GrandCentral service
- Joab, on 10/03/2008, -0/+3
Who owns Skype again??? On three everyone 1... 2... 3...
- inactive, on 10/03/2008, -0/+3
skype use high level of encryption
only skype can read it
or someone given access to it
but you can't even trust yourself
- hoogie, on 10/03/2008, -0/+3
Try QuteCom (formerly Wengophone). Everyone has their own preferences, but for me it was less hassle to set up and is much less CPU intensive, and it has all the features I used in Skype. I still keep Skype around because it's hard to convince all your friends to switch to a new service, but if I have the option I use QuteCom.
http://www.qutecom.org/
- PatrickBrown, on 10/03/2008, -0/+3
The difference between the "telecom-scandal" of the Bush administration and the spying that China is doing is that in the US the spying is a scandal, as so noted by yourself, while in China it is passed off as "that is just how it is in China."
There is a huge difference. While people are disgusted by both actions, there is even more disappointment among people towards China because of the lack of disgust by people in China of their own government... and the lack of media that it gets for such action.
In the US it is considered a scandal. In China it is considered "business as usual". That is the difference.
- GothAlice, on 10/03/2008, -0/+3
Jabber+SSL+OTR
- hauntedchippy, on 10/03/2008, -1/+4
The vast majority of CCTV systems in the UK are unmanned. There are simply too many and they're almost all in city centres or industrial estates. They are used when a crime has been reported in an area in which case some lucky PC has to trawl through the footage to find evidence. This has led to an increase in prosecutions for assaults and rapes. Recording what people say is much more intrusive than even (hypothetically) seeing them walk down the street. Hundreds of people see you walk down the street, it's a public place. A chatroom is not a public place and governments have no right being there.
- JonForTheWin, on 10/03/2008, -0/+3
Don't use proprietary software for communication.
- Tenoq, on 10/03/2008, -0/+2
Nor in Skype headquarters, it seems.
- blankoboy, on 10/03/2008, -0/+2
A lot of web stroking going on I assume?
- colonelbuckshot, on 10/03/2008, -1/+3
If there was an open source equivalent to Skype that was just as good, I would have left Skype already.
- m4csrgh3yk3v, on 10/03/2008, -2/+4
Sorry did I miss something? The Skype transfer is supposed to be encrypted.
Are you claiming that you can set up a man-in-the-middle attack on Skype? I can believe government having that kind of access because of the closed source, but unless you work in government, I tentatively call BS.
- eliteblast, on 10/03/2008, -0/+2
It isn't just china spying on skype, the secret service can monitor skype calls as well, how do I know this? I know someone who is in the secret service, and monitors skype calls.
- beamster, on 10/03/2008, -1/+3
What is the significance of ebay owning skype?
- pwr4, on 10/03/2008, -0/+2
Use zfone with your favorite chat like google talk, yahoo, jabber, IM and have all of the encryption controlled between the users. Convenience and Security
http://zfoneproject.com/
- hauntedchippy, on 10/03/2008, -3/+5
There is a world of difference between CCTV and logging conversations in secret.
- motters, on 10/03/2008, -0/+2
Skype is not a secure method of communication, and if you think this only happens in China think again. Using proprietary (i.e. closed/secret source) programs is never secure, since you can't verify that the government or other shadowy agencies haven't placed backdoors into the software.
- qbp54321, on 10/03/2008, -0/+1
Who else thinks it might be fun to make up crap to scare the people reading the conversations?
- m4csrgh3yk3v, on 10/03/2008, -2/+3
@microchip
A proxy based attack on SSL is based on installing certificates on client machines which expressly trust the proxy. Are you saying there is no such authentication mechanism in Skype for endpoints? You mean I would exchange symmetric keys with the proxy and the proxy would exchange keys with my counterpart?
As for payload being in the clear, but transport not: who said that the packets are ever reaching Skype HQ? When it isn't a relayed connection to help with NAT, the packets go directly to my counterpart.
It seems to me that any snoop needs:
(1) Private keys
(2) To be in the middle
Only government/warrants can get the private keys.
Fundamentally, the private keys shouldn't be on the Skype servers in the first place.
- Ninnux, on 10/03/2008, -4/+5
My wife uses Skype to talk to her parents in Shanghai every week. They already assume this is going on and continue on with their life. Nothing to hide.
- kirado4, on 10/03/2008, -1/+2
ooh china.. don't spy on people outside your country.. if you're not prepared to face the consequences.. not a clever idea that