
Open Letter to Skype from Internet Activists, Journalists and Academics - magikarp
http://skypeopenletter.com
======
avar
Open comment to Internet Activists, Journalists and Academics: You're not
going to get what you want by piggy-backing on Microsoft's proprietary
platform. Specifically, if you're an Internet activist, you shouldn't be
relying on some company's proprietary tool for disguising your communications.

There are plenty of open and secure VoIP clients which, coupled with open
encryption standards, VPNs, etc., will suit your purposes. Use those things,
not Skype.

~~~
polymatter
I only know about Tor (<https://www.torproject.org>) which could help. I hope
someone else can recommend any others.

~~~
StavrosK
<https://silentcircle.com/> aims to do just that, secure communications.

Disclosure: I work there.

~~~
magikarp
As the person behind the Open Letter to Skype, I have also written copiously
about how dangerous Silent Circle is to cryptography software development.

Silent Circle has repeatedly told untruths in the media regarding the open
source nature of their software. Their software remains largely closed and not
open for public review (except for Silent Text, which has only released
incomplete source code.)

All the same, Silent Circle has been consciously targeting activists in
life-or-death situations. They have repeatedly told activists and the media
that their tools are open source and transparently and publicly reviewed.
Silent Circle has been lying to those in life-and-death situations for four
months. Their software, except for portions of Silent Text, is not publicly
reviewed and is closed source. Furthermore, they claim to have servers based in
Canada, whereas most of their network is in the U.S., subject to U.S.
surveillance laws.

I have written about this here:

<http://log.nadim.cc/?p=89> <http://log.nadim.cc/?p=102>

~~~
StavrosK
I couldn't comment on that, as I hadn't heard about these concerns before. My
personal opinion is the opposite of yours; I think you're reading too much
of a bad intention into a startup having its hands full with development. I
guess the issue will be put to rest when the code is released, so there's no
point in arguing about it too much.

~~~
magikarp
I would appreciate it if Silent Circle did not repeatedly claim to the media
that the code has already been openly released and reviewed when it hasn't
been.

~~~
StavrosK
I'm not aware of that. The Silent Text repo is here:

<https://github.com/SilentCircle/silent-text>

Do you have any references of anyone saying the code of the other clients has
been released? I'm curious.

~~~
magikarp
Silent Text is only one (and the smallest) component of the Silent Circle
suite; this source code release is an incomplete excuse.

Here's one article out of many where Silent Circle makes claims of complete
open source:
<http://www.lemonde.fr/sciences/article/2012/12/13/le-cryptage-a-la-portee-de-tous_1806219_1650684.html>

------
nakedrobot2
Has there been any confirmation of the very juicy rumor about Skype and the
NSA? Briefly it is this:

The NSA put out a $1 billion RFP to crack the encryption of Skype; their
inability to listen in on this huge communication channel was really a bummer
for the NSA. Microsoft says "Hmm" and buys Skype for $8 billion, re-engineers
the architecture of Skype so that it is centralized rather than P2P and easily
decrypted by law enforcement.

Or is this only another juicy rumor? Is there any citation for this RFP from
the NSA, for example?

~~~
pieter
Skype has always relied on a central authentication server, which means that
anyone with control of that server would be able to MITM any conversation. The
recent changes of ownership and centralization of the service have nothing to
do with this. Presumably the US government has been able to tap into any Skype
conversation they want for a long time.

~~~
eps
> _would be able to MITM any conversation_

Sure, in theory. In practice, eavesdropping on two Skype users required
presence on a network route between the callers, which might have been
entirely in some random country's Internet segment.

~~~
pieter
Not really -- the directory server can just direct a user to connect to a MITM
server. There's no need to control the entire network, you only need access to
Skype's servers.

------
phillc73
I have searched and searched for an alternative to Skype, but so far have
mostly failed.

My situation:

- I use Linux on all my desktops/laptops.

- I have an Android phone.

- My mobile phone bill is usually in excess of £100 per month.

- I am usually located in the UK, sometimes elsewhere but almost never in the
US.

My use cases:

- I want to make cheap calls to mobile phone numbers in Ireland, Austria and
Australia.

- I want to make landline calls to the same countries.

- I want to send SMS messages to the same countries.

- I want to make free person-to-person VOIP calls.

- I want to make video calls.

- Security and privacy is a factor.

Currently, I have Skype working reasonably well on my 64-bit Debian based
Linux machines. However, call quality can be very patchy when calling mobile
phone numbers. Video quality is often poor and the call drops out when
communicating with others in Australia.

I have tried Ekiga, Jitsi, SflPhone and a few others. I have a Diamondcard.us
account for making chargeable calls. Almost always the call-out quality of
these services is poor. I've been told it sounds like "I'm talking through a
pillow."

I have been using Google Voice recently. It does work from my UK-registered
Google Account for making calls to mobile phones and landlines. The call
quality is very good. The mobile phone pricing is generally a little more
expensive than Skype. Unfortunately, landline calls are significantly more
expensive than Skype, and the full Google Voice experience (SMS messages,
registering a number and thus using it on my Android device) isn't available
outside the US.

Is there any other single unified service worth considering, which does meet
at least the majority of my use cases?

~~~
EwanToo
The first 3 of your requirements would possibly be better served with just a
good International calling package on your mobile.

Lebara charge £39 a month for "unlimited" calls to 39 countries, including
Ireland and Australia, and cheap(ish) calls to Austria (and other places).
Their call charges are pretty comparable to most VOIP services.

It's certainly worth considering if you're spending >£100 a month on calls.

~~~
phillc73
Worth considering for sure and a good idea to investigate similar services
more thoroughly.

Unfortunately for Austria mobiles (all rates include VAT):

Lebara: 19p/min

Skype: 11.2p/min (in the £38.99/month for 400 minutes package)

Google Voice: 8.4p/min

Out of the three countries I listed, Austria is the only one I call daily,
usually for a minimum of 10 minutes, up to about 20 minutes. Ireland I call
infrequently, but SMS up to 10 times per day. Australia I usually call once or
twice per week, up to about 45 minutes.

------
dhimes
What is the best Linux-compatible open source alternative with encryption at
the moment? The wiki page shows that many haven't been updated in quite some
time (Twinkle). Does anybody have experience with Blink?

~~~
zorlem
I personally like SFLPhone [1]. It's developed by the fine folks from
Savoir-faire Linux [2] and supports encryption. Here is a guide on how to
configure it to encrypt traffic between the client and an Asterisk server [3].

[1] <http://sflphone.org/>
[2] <http://www.savoirfairelinux.com/en/>
[3] <https://projects.savoirfairelinux.com/projects/sflphone/wiki/Security>

------
jjoergensen
The governments in many countries are monitoring everything that you are
doing. It is no longer a fictitious idea about what could be done. They
collect and correlate sets of data and they use it for monitoring for abnormal
behaviour and find potential threats.

There is nothing that you can do about it. Your only safety is that you are
completely irrelevant to them and they keep their mouths shut unless they have
a very good reason not to do so.

~~~
Karunamon
>There is nothing that you can do about it.

Such irrational defeatism.

------
vadiml
Folks, please try Discretio for Android
(<https://play.google.com/store/apps/details?id=com.discretio.android>).
Open source (GPLv3) secure VOIP solution. For the moment only the Android
version is available, but iOS and desktop versions are in the queue...

~~~
StavrosK
That doesn't sound very convincing. You can't just have some icons tell you
that you're secure, how do they know if someone's MITMing you?

You can use the already-available ZRTP, which requires each user to speak a
phrase to the other, so you can verify by hearing the other person's voice.
Discretio doesn't do any of that, so how does it know you're not talking to
some random attacker?

~~~
vadiml
The client side source code is available:
<https://bitbucket.org/repo/all?name=discretio>

~~~
StavrosK
I saw that, but I didn't see any explanation on how it works, and I'm pretty
sure it's impossible to have security without verification. I can't read the
code to verify that, sadly.

~~~
Discretio
Curious to hear this from someone working at a company that says things but
doesn't show they're true. In fact, if I say I am rich, tall, blond with a
famous sense of humour, you are ready to believe me, but if I don't say
anything and instead prove it, you refuse to believe me... strange. Discretio
doesn't say anything of this kind but shows the entire client software source
code. Do the same please.

~~~
StavrosK
So how do you protect against MITMs?

~~~
vadiml
Basically, the client connects to the SIP server using an SSL connection
authenticated on both sides. When placing calls, clients A and B negotiate the
SRTP session key using a DH key exchange. It is done over SIP (and not over the
RTP channel as in ZRTP). Each client upon registration generates a
public/private key pair and submits a CSR to the registration service, which
signs it and stores the public key (which is later used to authenticate the
above-mentioned SSL connections) in the SIP server's DB... The server has no
access to the client's private key nor to the SRTP session key.

~~~
StavrosK
Hmm, it sounds resistant to random MITM but the server can still listen in on
the calls if it wants, by MITMing the clients itself...

~~~
vadiml
Yes, with cooperation from the CA the MITM is still possible. We however will
provide server code to especially paranoid clients so they can build and run
the software on their own machines... This way they can have guarantees against
certificate tampering. And we're working on an alternative solution where even
a cooperating CA will not allow MITM...
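
The call setup vadiml describes above (a CA-signed client key authenticating a DH exchange that the SIP server only relays) and the concession that a server whose CA signs a key for it can still sit in the middle, as an added example that is not Discretio's code and not from anyone in the thread. It also shows the check the ZRTP discussion refers to: a short authentication string both callers derive from the agreed key and read to each other, which a substituted key cannot reproduce. The HMAC stand-in for a certificate, the tiny DH group, and all names are assumptions made for this example.

```python
"""Toy model of a CA-authenticated DH call setup relayed by a SIP server,
with a ZRTP-style short authentication string (SAS) as the out-of-band check.
Added example; not Discretio's code. Group, names and the HMAC "certificate"
are assumptions for illustration only."""
import hashlib
import hmac
import secrets

# Toy DH group: a Mersenne prime and a small generator, large enough to make
# the arithmetic visible but NOT a safe choice. Real clients use a standard
# group (RFC 3526) or an elliptic-curve exchange.
P = 2**127 - 1
G = 5


class CA:
    """Stand-in for the registration service that signs client CSRs.

    Simplification: it signs the per-call DH public value directly instead of
    a long-term key that in turn signs the call, so one HMAC stands for the
    whole chain."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def sign(self, identity: str, dh_pub: int) -> bytes:
        msg = f"{identity}:{dh_pub}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify(self, identity: str, dh_pub: int, cert: bytes) -> bool:
        return hmac.compare_digest(self.sign(identity, dh_pub), cert)


class Client:
    def __init__(self, name: str, ca: CA) -> None:
        self.name, self.ca = name, ca
        self.priv = secrets.randbelow(P - 2) + 1   # private exponent; never leaves the client
        self.pub = pow(G, self.priv, P)
        self.cert = ca.sign(name, self.pub)        # the signed CSR, in miniature

    def offer(self) -> dict:
        return {"id": self.name, "pub": self.pub, "cert": self.cert}

    def accept(self, peer: dict) -> bytes:
        """Verify the peer's certificate, then derive the SRTP master key."""
        if not self.ca.verify(peer["id"], peer["pub"], peer["cert"]):
            raise ValueError("peer certificate does not verify")
        shared = pow(peer["pub"], self.priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def sas(key: bytes) -> str:
    """Short authentication string both callers read to each other."""
    return hashlib.sha256(b"sas" + key).hexdigest()[:8]


def honest_relay(ca: CA):
    """The SIP server as described: forwards offers unchanged and, holding
    only public values, cannot compute the SRTP key."""
    return lambda offer: offer


def colluding_relay(ca: CA):
    """A server that, with the CA's cooperation, substitutes its own DH value
    and obtains a valid certificate for it (the case vadiml concedes)."""
    priv = secrets.randbelow(P - 2) + 1
    pub = pow(G, priv, P)
    return lambda offer: {"id": offer["id"], "pub": pub,
                          "cert": ca.sign(offer["id"], pub)}


def run_call(make_relay) -> dict:
    """Set up one call between two registered clients through the given relay."""
    ca = CA()
    alice, bob = Client("alice", ca), Client("bob", ca)
    relay = make_relay(ca)
    key_bob = bob.accept(relay(alice.offer()))     # certificate checks pass either way
    key_alice = alice.accept(relay(bob.offer()))
    return {"alice_key": key_alice, "bob_key": key_bob,
            "alice_sas": sas(key_alice), "bob_sas": sas(key_bob)}


def keys_agree(result: dict) -> bool:
    return result["alice_key"] == result["bob_key"]


def sas_matches(result: dict) -> bool:
    """The out-of-band check: trust the call only if both callers hear the same code."""
    return result["alice_sas"] == result["bob_sas"]


if __name__ == "__main__":
    for label, relay in (("honest relay", honest_relay),
                         ("relay with CA cooperation", colluding_relay)):
        r = run_call(relay)
        print(f"{label}: alice={r['alice_sas']} bob={r['bob_sas']} match={sas_matches(r)}")
```

With the honest relay both callers derive the same key and the same SAS; with the colluding relay every certificate still verifies, yet the two callers end up with different keys, and the SAS they read to each other no longer matches. That mismatch is the detection that certificate checking alone cannot provide, which is why a verification step independent of the server and its CA matters.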

~~~
StavrosK
That sounds very good, good luck! Why not use ZRTP, though?

~~~
vadiml
Well, this tech is derived from the project which was designed to meet the
specs of one of our clients. We did propose ZRTP to the client during the
design phase, but their security analysts decided against it. They affirm that
given the current state of the art in speech recognition and synthesis, ZRTP
can be vulnerable to impersonation during the short code validation phase for
an attacker with sufficient resources. I'm personally doubtful, but one thing
I'm sure about is that this client's security experts have access to info and
resources which are not available to me.

~~~
StavrosK
That sounds reasonable, thanks for the explanation.

------
marme
The problem with complaining to Microsoft about this is that they are locked
into some of these things with deals Skype set up before they were bought out.
Microsoft is contractually obligated to only supply Skype TOM in China; this is
the reason why they won't shut down MSN in China, because they are unable to
control the Skype network within China. You can't expect Microsoft to reveal
all these things while they are trying to clean house and get Skype in order.
Don't hold your breath on Microsoft revealing anything.

------
verdverm
What's the deal with Google Voice and Google Talk on this issue?

~~~
josteink
Not available in most countries in the world, perhaps?

~~~
verdverm
I read somewhere that their video chat can run on 380kbs connections; I would
assume it's in the works. They did buy drones for Africa.

Personally I stopped using Skype because I had issues on Linux recently.
Google Talk worked out of the box for me, and much, much better.

------
lampe
There are alternatives to Skype that are open source, and you can look up what
security features they have:
<http://en.wikipedia.org/wiki/Comparison_of_VoIP_software>

~~~
nodata
Skype is popular because it just worked, even through funky firewalls. The
replacement would need to be better than Skype to gain traction with non-
technical users.

~~~
lampe
Skype just uses an HTTP tunnel because port 80 is mostly open, so no magic
here (it does some more tricks, but this is one).

I don't think Skype is easy, just look at the UI... I don't like Skype for
Linux; it never works on my laptop...

~~~
ef4
It's a bit smarter than just using an http tunnel.

Skype is capable of direct client-to-client connections, despite intervening
NAT. It's pretty clever -- with the server's help as coordinator, the clients
_both_ initiate the connection, causing their own NAT routers to accept the
inbound packets from the other side.
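
The hole-punching ef4 describes, as an added example that is not Skype's code and not from anyone in the thread: a toy NAT that creates an outbound mapping when an inside host sends and admits an inbound packet only from an address that mapping has already been used to reach. With a coordinator reporting each client's public endpoint, one side sending alone is dropped, while both sides sending open each other's NAT. The addresses, port numbers and the coordinator are all constructed for this example; the NAT modelled is an address-restricted cone NAT.

```python
"""Toy model of NAT hole punching with a coordinating server.
Added example, not Skype's code; all endpoints are constructed (documentation
address ranges), and the NAT behaviour is the address-restricted cone case."""

Endpoint = tuple  # (ip, port)

# Constructed: the rendezvous/coordinator server both clients can reach.
COORDINATOR: Endpoint = ("203.0.113.10", 3478)


class Nat:
    """A NAT with endpoint-independent mapping and address-restricted filtering."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.mapping: dict = {}    # inside endpoint -> allocated public port
        self.permitted: dict = {}  # public port -> remote IPs that port has sent to
        self._next_port = 40000

    def send(self, inside: Endpoint, dst: Endpoint) -> Endpoint:
        """An inside host sends a packet to dst; returns the public source endpoint.

        Sending records dst's IP as allowed to reply to this mapping, which is
        the state that later lets the peer's packets in."""
        if inside not in self.mapping:
            self.mapping[inside] = self._next_port
            self._next_port += 1
        port = self.mapping[inside]
        self.permitted.setdefault(port, set()).add(dst[0])
        return (self.public_ip, port)

    def receive(self, src: Endpoint, dst_port: int) -> bool:
        """A packet arrives from the Internet; True if the NAT forwards it inside."""
        return src[0] in self.permitted.get(dst_port, set())


def punch(both_initiate: bool) -> dict:
    """Run the exchange once and report which direction gets through."""
    nat_a, nat_b = Nat("198.51.100.7"), Nat("192.0.2.33")
    inside_a, inside_b = ("10.0.0.5", 5060), ("192.168.1.9", 5060)

    # 1. Each client contacts the coordinator; it records the public endpoint it sees.
    pub_a = nat_a.send(inside_a, COORDINATOR)
    pub_b = nat_b.send(inside_b, COORDINATOR)

    # 2. The coordinator tells each client the other's public endpoint (the
    #    signalling message itself is omitted; only pub_a/pub_b matter).

    # 3. Hole punch: A always sends first; B sends too only if both initiate.
    src_a = nat_a.send(inside_a, pub_b)
    src_b = nat_b.send(inside_b, pub_a) if both_initiate else None

    # 4. Delivery: does each NAT admit the packet arriving from the other side?
    return {
        "a_to_b": nat_b.receive(src_a, pub_b[1]),
        "b_to_a": nat_a.receive(src_b, pub_a[1]) if src_b else False,
    }


if __name__ == "__main__":
    print("one side initiates:", punch(both_initiate=False))
    print("both sides initiate:", punch(both_initiate=True))
```

When only A sends, B's NAT has so far only permitted the coordinator's address on B's mapping, so A's packet is dropped; once B has also sent toward A's public endpoint, each NAT already lists the other's public IP and both directions pass. In real networks the first packet in each direction may still be lost if it arrives before the far side has sent, which is why clients retry, and a symmetric NAT (a fresh mapping per destination) defeats this approach and needs a relay instead.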

~~~
0x0
That's also called STUN, I believe <http://en.wikipedia.org/wiki/STUN> (or
probably a variant)

------
nathan_long
Apparently they weren't briefed on the business model:
<http://www.youtube.com/watch?v=w8c_m6U1f9o>

------
Nordichacker
You just need to assume that everything you do on skype can be intercepted. If
you want secure communications, choose something else.

------
shaaaaawn
Would love to see something similar to what Google does for transparency. Even
better, a common standard for transparency.

~~~
decourl
Pretty sure Google will remain the oddball in the bunch. Nobody wants to
reveal all that.

------
gesman
Open reply from Ballmer to *ists: "My way or highway"

------
LatvjuAvs
Human creativity sees no walls. Tor this, tor that, onions on the rise!

For small chat yes, Skype works, but when selling weapons and weed, no no.

------
arindone
Recurring transparency report? Have you ever asked Google for such things when
it reads your emails to sell you ads? Have you ever asked Target or Walmart
for this when they track your credit card purchases and sell the ACTUAL data
to other parties?

Stories like this are driven mostly by unverified rumors and sensationalist
journalism that is JUST as rampant in the tech industry as it is in politics,
economics, or any other topic covered in mass media today.

