NSA offering 'billions' for Skype eavesdrop solution - CaptainMorgan
http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/

======
asciilifeform
This can only mean that they have already broken the Skype encryption - and
want their opponents to use it.

~~~
cdr
They don't need to break it, Skype already offers backdoor access for
governments.

~~~
MikeCapone
Has this really been established, or is it just presumed?

I vaguely remember reading something about the Skype team saying they would
"cooperate" with law enforcement officials, but I'm not sure if that meant
actually listening in on encrypted conversations or just sharing the IPs and
time of connections to servers.

~~~
MikeCapone
I guess what I meant in short is: Please cite your sources.

~~~
jrockway
The article has this problem too. "An anonymous source says a friend of a
friend said he knows someone that thinks..."

This reads as FUD they made up to sell ad views.

------
sdfx
Heise reported last year that the Austrian police are able to listen in on
Skype connections. Neither Austria nor Skype confirmed or denied the story
back then.

<http://www.heise.de/english/newsticker/news/113353>

------
bluishgreen
Related: <http://zfoneproject.com/faq.html> (from the creator of PGP software)

~~~
emilis_info
Thanks for the link.

The Zfone FAQ page mentions that Skype uses a VBR codec for audio, which is
insecure:

"Johns Hopkins University researchers have observed that when voice is
compressed with a variable bit-rate (VBR) codec, the packet lengths vary
depending on the types of sounds being compressed. This leaks a lot of
information about the content even if the packets are encrypted, regardless of
what encryption protocol is used. We strongly recommend that you avoid using
VBR codecs if you want to make a secure phone call.

<...>

...This means that Skype is vulnerable to VBR leakage regardless of the
quality of Skype's built-in crypto."
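
The VBR leak quoted above can be demonstrated in a few lines. This is an added example, not code from the thread or the Zfone project; the frame-size sequence is constructed to stand in for a real codec's output. It shows that a length-preserving cipher leaves packet sizes (and the information they carry) unchanged, and that padding frames to a constant size before encryption is what removes the leak.

```python
import math
import secrets
from collections import Counter

# Constructed stand-in for VBR codec output: one byte string per audio frame.
# The sizes are invented for illustration; the leak the FAQ describes is that
# a real VBR codec emits small frames for silence and larger ones for speech.
VBR_FRAMES = [
    bytes([0xAA]) * 6,   # silence
    bytes([0xAA]) * 6,   # silence
    bytes([0xBB]) * 31,  # vowel
    bytes([0xCC]) * 24,  # consonant
    bytes([0xBB]) * 31,  # vowel
    bytes([0xAA]) * 6,   # silence
    bytes([0xDD]) * 19,  # fricative
]
MAX_FRAME = 31  # largest frame the constructed codec can emit


def encrypt_frames(frames):
    """Length-preserving encryption stand-in: XOR each frame with a fresh
    random keystream of its own length, as a stream cipher or CTR mode would.
    The bytes become unpredictable; the lengths do not change at all."""
    out = []
    for frame in frames:
        keystream = secrets.token_bytes(len(frame))
        out.append(bytes(p ^ k for p, k in zip(frame, keystream)))
    return out


def length_entropy(frames):
    """Shannon entropy (bits) of the packet-length distribution: how much an
    observer who sees only sizes learns per packet. 0.0 means sizes reveal
    nothing, which is the constant-bit-rate property the FAQ recommends."""
    counts = Counter(len(f) for f in frames)
    total = len(frames)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def pad_to_constant(frames, size=MAX_FRAME):
    """Mitigation: pad every frame to a fixed size before encryption so the
    observable length is constant (the price is bandwidth). A one-byte length
    prefix lets the receiver strip the padding after decryption."""
    padded = []
    for frame in frames:
        assert len(frame) <= size < 256
        padded.append(bytes([len(frame)]) + frame + b"\x00" * (size - len(frame)))
    return padded


def unpad(frame):
    return frame[1:1 + frame[0]]
```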

------
Caligula
I don't think the encryption issue is the big problem. I am sure Skype's codec
has been hacked already. The p2p issue could be addressed by just placing
giant routers in ISPs like the US did at the telcos. The bigger problem would
be transcribing a million streams at once. Also, transcribing Arabic words.
That's probably what they are mostly interested in.

There are good acoustic models for English but I doubt there are for Arabic.
Even if there were, the processing power requirement would be insane. I doubt
Amazon EC could handle a million streams at once even if they used smaller
grammars focusing on suspicious words.

~~~
pageman
More Pashto (<http://www.ethnologue.com/show_language.asp?code=pbt>) than
Arabic (<http://www.ethnologue.com/show_language.asp?code=arb>). There are
fewer than 10 million Pashto speakers in the world (about 8M are in
Afghanistan) vs. 250M++ for Arabic.

------
slater
That's bizarre, considering Skype already has built-in hooks for the police
force to use.

------
bprater
Offering "billions" sounds a bit ridiculous. Wouldn't you start with a couple
million and see if there are any contenders before you break out the big blank
check? Something's fishy...

~~~
Andys
Isn't it enough money to just pay for the phone calls?

See the headlines now - NSA offers free VOIP service - no payment necessary,
no advertising, just the fact that you have to be OK with them listening in on
your calls.

------
braindead_in
By its very nature, eavesdropping on P2P is tough. How do you monitor all
the packets that are routed through different paths? The only way would be
Deep Packet Inspection. But again, the packets are encrypted with a 128-bit
key. So even if you get the packets, you'll have a tough time decrypting them.

The Skype binary is also heavily obfuscated. It won't even run if a ring 0
debugger is on your system.

It definitely deserves a billion dollar bounty.

~~~
tptacek
Um, the best antireversing/antidebugging people in the world still don't have
casual game crackers beat. For "a billion dollars", I might substitute "free
xbox".

~~~
brl
I hear that 'Tom Clancy's Splinter Cell' is kind of annoying to break the
protection on :)

~~~
tptacek
Hey, I totally went out and bought that title. I just never got around to it.
If you wanted to call me out on it, you might be doing me a favor.

[edit]

Context:

<http://rdist.root.org/2007/04/19/anti-debugger-techniques-are-overrated/>

------
chaosmachine
In other news, Google is launching a free phone service called Google Voice.
Perhaps this is their monetization strategy.

~~~
g__g
Adding to the urban legend I've heard so many times: "Google is the NSA" :)

~~~
yters
And so is Facebook too, donchaknow? Given that HN attracts all the smartest
people who would probably figure this stuff out, I'd wager that pg is really a
CIA operative. In fact, I suspect Microsoft is as well. I mean, if you are the
NSA, what better way is there of looking at everyone's personal electronic
data?

~~~
nir
Hey, and Digg is run by the government!

------
omfut
I am not sure if the NSA is serious about the money. However, I am sure the
NSA can force Skype to provide them with the encryption algorithm for
wiretapping. So instead of spending billions on a third-party vendor, they
might as well work with Skype. My 2 cents.

~~~
CaptainMorgan
How are you sure? It's not a U.S.-based company; it doesn't appear the NSA
would have any hold over it.

"The company won't disclose details of its encryption, either, and isn't
required to as it is Europe based."

Hence, their alleged offering of "billions".

~~~
whatusername
Didn't they get bought by eBay? Isn't eBay US-based?

~~~
CaptainMorgan
You could definitely be correct. But the article isn't that old, unless they
got bought in the last thirty or so days. Quoting the article this time shows
an interesting choice of words:

"But corporate parent eBay, having had to write down $1.4bn already following
its $2.6bn purchase of Skype back in the bubble-2.0 days of 2005, might see an
opportunity here. A billion or two from the NSA for a backdoor into Skype
might make the acquisition seem like a sensible idea."

By "parent": if they get into trouble with an agency like the NSA and eBay is
U.S.-based (for the sake of argument), even though Skype was acquired, couldn't
they 'break free', so to speak, and head back to Europe with their main
operations? Correct me if I'm wrong, but Europe appears to still be their main
base of operations while eBay is like a corporate funding "parent"... that's
how I view it from the article, but I could no doubt be mistaken.

------
alecco
The Register on Cryptography and Security is always a good laugh.

~~~
tptacek
Actually, Dan Goodin at The Reg is a really credible industry reporter, who
really does do actual reporting. This runs under someone else's byline,
though.

There's no actual publication (outside of academia) that is good on crypto.

~~~
mixmax
What about Bruce Schneier's blog? I'm not into crypto so asking out of
curiosity.

~~~
tptacek
Without getting into drama, let me suggest that Schneier's personality and
notoriety may not match his nuts-and-bolts contributions to the field. I
wonder what cperciva thinks about that, but he's also far more polite than me.

~~~
alecco
I second that. And also rise to very questionable policies, in particular
patenting things not clearly his. Also, personal experience with his people
not playing ball in standards committees.

------
tptacek
Does anyone here actually believe that the NSA would pay billions to crack the
protocol for an app that runs primarily on Windows machines?

~~~
CaptainMorgan
I run Linux and use Skype, and it's available for Macs too... why the
assumption that Windows is the main player?

<http://www.skype.com/download/skype/linux/choose/?cm_sp=sv|download-_-site|sidebar-_-download_lnk|en_us>

But I like brl's interpretation...

~~~
g__g
I use it on Linux too and know way too many people who use it on Macs. I
agree, it's not quite right to limit it to Windows.

------
tdonia
This sounds like a diversion. It doesn't address what would seem to be a much
larger problem: knowing which conversations are worth listening to. It also
wouldn't help establish the context of the conversation or decode its actual
meaning.

------
globalrev
Doesn't Skype make money (as in profit, not just revenue)?

------
ftse
You only need to read a few books on the history of spying to know GCHQ, NSA
et al have repeatedly made major technological breakthroughs and kept them
hushed up to exploit a new edge over their adversaries. You wouldn't expect
them to say Skype was easily compromised, would you? They would say the
opposite.

