Are you sure that the best way to hide the fact that you have found an attack against Skype is to advertise a contest with a billion dollar reward to anybody who can find the same attack (or any other one)?
I'm absolutely positive, no doubts whatsoever, totally sure that it means that they can't but by saying that they can't they're trying to get you to think that they can and want their opponents to use something else.
Heise reported last year that the Austrian police is able to listen in on Skype connections. Neither Austria nor Skype confirmed or denied the story back then.
The Zfone FAQ page mentions, that Skype uses VBR codec for audio which is insecure:
"Johns Hopkins University researchers have observed that when voice is compressed with a variable bit-rate (VBR) codec, the packet lengths vary depending on the types of sounds being compressed. This leaks a lot of information about the content even if the packets are encrypted, regardless of what encryption protocol is used. We strongly recommend that you avoid using VBR codecs if you want to make a secure phone call.
<...>
...This means that Skype is vulnerable to VBR leakage regardless of the quality of Skype's built-in crypto."
I don't think the encryption issue is the big problem. I am sure skype's codec has been hacked already. The p2p issue could be addressed by just placing giant routers in isp's like the US did at the telcos. The bigger problem would be transcribing a million streams at once. Also, transcribing arabic words. Thats probably what they are mostly interested in.
There are good acoustic models for english but I doubt there are for arabic. Even if there were, the processing power requirement would be insane. I doubt amazon EC could handle a million streams at once even if they used smaller grammars focusing on suspicious words.
Offering "billions" sounds a bit ridiculous. Wouldn't you start with a couple million and see if there are any contenders before you break out the big blank check? Something's fishy...
Isn't it enough money to just pay for the phone calls?
See the headlines now - NSA offers free VOIP service - no payment necessary, no advertising, just the fact that you have to be OK with them listening in on your calls.
By its very nature, eavesdropping on P2P is a tough. How do you monitor all the packets that are routed through different paths? The only way would be Deep Packet Inspection. But again the packets are encrypted with 128 bit key. So even if you get the packets, you'll have a tough time decrypting it.
The Skype binary also is heavily obfuscated. It wont even run if a ring 0 debugger is on your system.
Skype is pretty much based on the Kazaa p2p stack. Which was cracked by quite a few people. It was quite an impressive reasonably secure system, but not rocket science.
Um, the best antireversing/antidebugging people in the world still don't have casual game crackers beat. For "a billion dollars", I might substitute "free xbox".
Iam not sure if NSA is serious about the money. However, iam sure NSA can force skype to provide them with the encryption algorithm for wiretapping. So instead of spending billions of money on third-party vendor, they might as well can work with skype. My 2 cents
Actually, Dan Goodin at The Reg is a really credible industry reporter, who really does do actual reporting. This runs under someone else's byline, though.
There's no actual publication (outside of academia) that is good on crypto.
The NSA is hoovering up packets at AT&T switching stations and now they want to listen to some encrypted phone calls.
Here's my interpretation of the offer. They have no intention of paying for an attack. If somebody attempts to claim the reward they will say "Oh, no thanks, we don't really want your attack" and then rediscover the attack themselves.
Not billions, but I could certainly imagine them paying millions if someone provided them with a passive break.
Much easier to tap a few fibre optic cables (either with or without the cooperation of telcos) than to crack individual systems -- and the risk of discovery is much less, too.
this sounds like a diversion - it doesn't address what would seem to be a much larger problem of knowing which conversations are worth listening to. also wouldn't help establish the context of the conversation/decode its actual meaning.
You only need to read a few books on the history of spying to know GCHQ, NSA et al have repeatedly made major technological breakthroughs and kept them hushed up to exploit a new edge over their adversaries. You wouldn't expect them to say Skype was easily compromised, would you? They would say the opposite.
[+] [-] asciilifeform|17 years ago|reply
[+] [-] brl|17 years ago|reply
Are you sure that the best way to hide the fact that you have found an attack against Skype is to advertise a contest with a billion dollar reward to anybody who can find the same attack (or any other one)?
[+] [-] cdr|17 years ago|reply
[+] [-] maw|17 years ago|reply
I'm absolutely positive, no doubts whatsoever, totally sure that it means that they can't but by saying that they can't they're trying to get you to think that they can and want their opponents to use something else.
My reasoning is iron-clad.
[+] [-] sdfx|17 years ago|reply
http://www.heise.de/english/newsticker/news/113353
[+] [-] bluishgreen|17 years ago|reply
[+] [-] emilis_info|17 years ago|reply
The Zfone FAQ page mentions, that Skype uses VBR codec for audio which is insecure:
"Johns Hopkins University researchers have observed that when voice is compressed with a variable bit-rate (VBR) codec, the packet lengths vary depending on the types of sounds being compressed. This leaks a lot of information about the content even if the packets are encrypted, regardless of what encryption protocol is used. We strongly recommend that you avoid using VBR codecs if you want to make a secure phone call.
<...>
...This means that Skype is vulnerable to VBR leakage regardless of the quality of Skype's built-in crypto."
[+] [-] Caligula|17 years ago|reply
There are good acoustic models for english but I doubt there are for arabic. Even if there were, the processing power requirement would be insane. I doubt amazon EC could handle a million streams at once even if they used smaller grammars focusing on suspicious words.
[+] [-] pageman|17 years ago|reply
[+] [-] slater|17 years ago|reply
[+] [-] bprater|17 years ago|reply
[+] [-] Andys|17 years ago|reply
See the headlines now - NSA offers free VOIP service - no payment necessary, no advertising, just the fact that you have to be OK with them listening in on your calls.
[+] [-] braindead_in|17 years ago|reply
The Skype binary also is heavily obfuscated. It wont even run if a ring 0 debugger is on your system.
It definitely deserves a billion dollar bounty.
[+] [-] axod|17 years ago|reply
[+] [-] tptacek|17 years ago|reply
[+] [-] chaosmachine|17 years ago|reply
[+] [-] g__g|17 years ago|reply
[+] [-] omfut|17 years ago|reply
[+] [-] CaptainMorgan|17 years ago|reply
"The company won't disclose details of its encryption, either, and isn't required to as it is Europe based."
Hence, their alleged offering of "billions".
[+] [-] alecco|17 years ago|reply
[+] [-] tptacek|17 years ago|reply
There's no actual publication (outside of academia) that is good on crypto.
[+] [-] tptacek|17 years ago|reply
[+] [-] brl|17 years ago|reply
The NSA is hoovering up packets at AT&T switching stations and now they want to listen to some encrypted phone calls.
Here's my interpretation of the offer. They have no intention of paying for an attack. If somebody attempts to claim the reward they will say "Oh, no thanks, we don't really want your attack" and then rediscover the attack themselves.
[+] [-] edfrghjk|17 years ago|reply
The P2P nature of Skype makes it difficult to identify links of bad guys (or innocent guys that happen to be in the wrong place wrong time).
Listening in on calls isn't that useful - unless you know that "the goose flies south for winter" means we attack at dawn.
[+] [-] CaptainMorgan|17 years ago|reply
http://www.skype.com/download/skype/linux/choose/?cm_sp=sv|d...
But I like brl's interpretation...
[+] [-] cperciva|17 years ago|reply
Much easier to tap a few fibre optic cables (either with or without the cooperation of telcos) than to crack individual systems -- and the risk of discovery is much less, too.
[+] [-] whughes|17 years ago|reply
[+] [-] tdonia|17 years ago|reply
[+] [-] globalrev|17 years ago|reply
[+] [-] ftse|17 years ago|reply