Open comment to Internet Activists, Journalists and Academics: You're not going to get what you want by piggy-backing on Microsoft's proprietary platform. Specifically, if you're an Internet Activist you shouldn't be relying on some company's proprietary tool for disguising your communications.
There are plenty of open and secure VoIP clients which, coupled with open encryption standards, VPNs etc., will suit your purposes. Use those things, not Skype.
For those specifically yes. If you're an activist or journalist talking to your sources, you shouldn't be using Skype, period.
However, the letter also tries to make Skype a safer platform for everyone else. For example they are asking for a regular transparency report, the way Google has with Gmail and Google searches. Is that really too much to ask from Microsoft? And don't you think it would benefit a lot of those 600 million people if they found out just how much Skype is being monitored? While (most) people here can be sure Skype is unsafe, do you really get the same impression from "regular" people? Or are they completely unaware of it? I think transparency would help raise awareness about it.
As the person behind the Open Letter to Skype, I have also written copiously about how dangerous Silent Circle is to cryptography software development.
Silent Circle has repeatedly told untruths in the media regarding the open source nature of their software. Their software remains largely closed and not open for public review (except for Silent Text, which has only released incomplete source code).
All the same, Silent Circle has been consciously targeting activists in life-or-death situations. They have repeatedly told activists and the media that their tools are open source and transparently and publicly reviewed. Silent Circle has been lying to those in life-or-death situations for four months. Their software, except for portions of Silent Text, is closed-source software that is not publicly reviewed. Furthermore, they claim to have servers based in Canada whereas most of their network is in the U.S., subject to U.S. surveillance laws.
I couldn't comment on that, as I hadn't heard about these concerns before. My personal opinion is the opposite of yours; I think you're reading too much bad intention into a startup having its hands full with development. I guess the issue will be put to rest when the code is released, so there's no point in arguing about it too much.
I would appreciate it if Silent Circle did not repeatedly claim to the media that the code has already been openly released and reviewed when it hasn't been.
Perhaps this is a good time and place to do so (just because you hear something for the first time doesn't mean that you can't comment).
(I think both Silent Circle and the Skype open letter initiative are great and I'm not affiliated with any of them. Just wanted to point out that not being able to comment on something because it's the first time one hears it sounds weird.)
I meant I can't comment with prior knowledge, because I haven't discussed these issues, not having heard them before. I did comment with my personal opinion in the next sentence.
The rest of the client's code is probably being cleaned up, but I guess we're trying to build more functionality and are very busy with other stuff, and publishing the code has fallen behind a bit. That's just my guess, as, as I said, I don't work on that.
From what I've seen in my time there, though, everyone is extremely capable (I have yet to see a single thing that wasn't done correctly) and very focused on security (again, I have yet to find fault with something, and I'm really paranoid).
From what I've seen (and this probably comes off a bit too PR-y, but it's true), I have absolutely no problem trusting SC with my communications, everyone takes every precaution to safeguard users' data (even in the web part, we don't want to use third-party services, our analytics are hosted by us) to avoid compromising users' data.
Anyway, I've raved too long about this. I'll just say I'm very happy to work there.
Has there been any confirmation of the very juicy rumor about Skype and the NSA? Briefly it is this:
The NSA put out a $1 billion RFP to crack the encryption of Skype; their inability to listen in on this huge communication channel was really a bummer for the NSA. Microsoft says "Hmm" and buys Skype for $8 billion, re-engineers the architecture of Skype so that it is centralized rather than P2P and easily decrypted by Law Enforcement.
Or is this only another juicy rumor? Is there any citation for this RFP from the NSA, for example?
Skype has always relied on a central authentication server, which means that anyone with control of that server would be able to MITM any conversation. The recent changes of ownership and centralization of the service have nothing to do with this. Presumably the US government has been able to tap into any Skype conversation they want for a long time.
Sure, in theory. In practice, eavesdropping on two Skype users required presence on a network route between the callers, which might have been entirely in some random country's Internet segment.
Not really -- the directory server can just direct a user to connect to a MITM server. There's no need to control the entire network, you only need access to Skype's servers.
Skype's architecture is changing to match the changes in user base. As more and more tablets, phones, televisions and other devices which can't act as a supernode are added - and will be added in future - Skype needs to run more servers to pick up the slack. The notion that this is for eavesdropping purposes at the behest of the NSA is best left to the tinfoil hat brigade.
That said, you'd be ill advised to depend on Skype being more secure than a regular phone call. As a commercial service it is subject to all the kinds of pressures telcos face.
Not quite - CALEA legally requires telcos to cooperate with law enforcement and implement infrastructure for wiretapping. As far as I'm aware, no such law applies to Microsoft as they aren't a carrier under said law.
So any eavesdropping Microsoft lets law enforcement do is voluntary, whereas telcos have a legal requirement in this regard.
Metadata (call logs and such) is another story and is equally unprotected in practice.
I have searched and searched for an alternative to Skype, but so far have mostly failed.
My situation:
- I use Linux on all my desktops/laptops.
- I have an Android phone.
- My mobile phone bill is usually in excess of £100 per month.
- I am usually located in the UK, sometimes elsewhere but almost never in the US.
My use cases:
- I want to make cheap calls to mobile phone numbers in Ireland, Austria and Australia
- I want to make landline calls to the same countries.
- I want to send SMS messages to the same countries.
- I want to make free person to person VOIP calls.
- I want to make video calls.
- Security and privacy is a factor.
Currently, I have Skype working reasonably well on my 64-bit Debian based Linux machines. However, call quality can be very patchy when calling mobile phone numbers. Video quality is often poor and the call drops out when communicating with others in Australia.
I have tried Ekiga, Jitsi, SflPhone and a few others. I have a Diamondcard.us account for making chargeable calls. Almost always the call-out quality of these services is poor. I've been told it sounds like "I'm talking through a pillow."
I have been using Google Voice recently. It does work from my UK registered Google Account for making calls to mobile phones and landlines. The call quality is very good. The mobile phone pricing is generally a little more expensive than Skype. Unfortunately, landline calls are significantly more expensive than Skype and the full Google Voice experience (SMS messages, registering a number and thus using it on my Android device) isn't available outside the US.
Is there any other single unified service worth considering, which does meet at least the majority of my use cases?
For the past 6 years, I've been using VOIPDiscount [1].
Their rate is "unlimited" for 10EUR a month (you can set up auto payment).
The nice feature is that they give you about 200 so called "free days", which means that landlines to most countries will be totally free of charge (mobiles have a low rate but you have to pay) up to 200 days from the moment of your purchase. I can confirm this works as I have called my home country in Europe every weekend for a couple of hours a day talking with family on a multitude of occasions. They have Android and iPhone apps as well. If your folks overseas have landlines, this is clearly the best choice (I do not work for them, just been happy with their service).
The first 3 of your requirements would possibly be better served with just a good International calling package on your mobile.
Lebara charge £39 a month for "unlimited" calls to 39 countries, including Ireland, and Australia, and cheap(ish) calls to Austria (and other places). Their call charges are pretty comparable to most VOIP services.
It's certainly worth considering if you're spending >£100 a month on calls.
Worth considering for sure and a good idea to investigate similar services more thoroughly.
Unfortunately for Austria mobiles (all rates include VAT):
Lebara: 19p/min
Skype: 11.2p/min (in the £38.99/month for 400 minutes package)
Google Voice: 8.4p/min
Out of the three countries I listed, Austria is the only one I call daily, usually for a minimum of 10 minutes, up to about 20 minutes. Ireland I call infrequently, but SMS up to 10 times per day. Australia I usually call once or twice per week, up to about 45 minutes.
What is the best Linux-compatible open source alternative with encryption at the moment? The wiki page shows that many haven't been updated in quite some time (Twinkle). Does anybody have experience with Blink?
I personally like SFLPhone [1]. It's developed by the fine folks from Savoir-faire Linux [2] and supports encryption. Here is a guide on how to configure it to encrypt traffic between the client and an Asterisk server [3].
The governments in many countries are monitoring everything that you are doing. It is no longer a fictitious idea about what could be done. They collect and correlate sets of data and they use it for monitoring for abnormal behaviour and finding potential threats.
There is nothing that you can do about it. Your only safety is that you are completely irrelevant for them and they keep their mouth shut unless they have a very good reason not to do so.
That doesn't sound very convincing. You can't just have some icons tell you that you're secure, how do they know if someone's MITMing you?
You can use the already-available ZRTP, that requires each user to speak a phrase to the other, so you can verify by hearing the other person's voice. Discretio doesn't do any of that, so how does it know you're not talking to some random attacker?
I saw that, but I didn't see any explanation on how it works, and I'm pretty sure it's impossible to have security without verification. I can't read the code to verify that, sadly.
Curious to hear from someone working in a company who says things but does not show they're true.
In fact, if I say I am rich, tall, blond with a famous sense of humour, you are ready to believe me, but if I don't say anything but I prove it, you refuse to believe me... strange.
Discretio doesn't say anything of this kind but shows the entire client software source code. Do the same please.
Basically the client connects to the SIP server using an SSL connection authenticated on both sides.
When placing calls the clients A and B negotiate the SRTP session key using a DH key exchange. It is done over SIP (and not over the RTP channel as in ZRTP).
Each client upon registration generates a public/private key pair and submits a CSR to the registration service which signs it and stores the public key (which is later used to authenticate the above mentioned SSL connections) in the SIP server's DB...
The server has no access to the client's private key nor to the SRTP session key.
Yes, with cooperation from the CA the MITM is still possible. We however will provide server code to especially paranoid clients so they can build and run the software on their own machines... This way they can have guarantees against certificate tampering.
And we're working on an alternative solution where even a cooperating CA will not allow MITM...
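The exchange described in the Discretio comments above (DH key agreement carried in SIP signalling, a server that cannot derive the session key, and a relaying server that can still sit in the middle) together with the ZRTP-style spoken verification raised earlier in the thread, simulated end to end. This is an added example, not Discretio's code or anything posted in the thread; the INVITE / 200 OK message shape, the choice of RFC 3526 group 14, the toy SHA-256 key derivation and the 4-character SAS rendering are all assumptions made for illustration.

```python
"""Added example: DH over SIP signalling with a ZRTP-style short
authentication string (SAS).  Assumed protocol shape, not Discretio's code."""
import hashlib
import secrets

# RFC 3526 group 14: a standard, publicly vetted 2048-bit MODP group.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def keypair():
    """Fresh per-call DH key pair with a 256-bit private exponent."""
    priv = secrets.randbelow((1 << 256) - 2) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """DH secret; degenerate public values (1, P-1, out of range) are rejected."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P)


def srtp_key(secret):
    """SRTP session key derived from the DH secret (toy KDF: plain SHA-256)."""
    return hashlib.sha256(secret.to_bytes(256, "big")).hexdigest()


def short_auth_string(secret, caller_pub_seen, callee_pub_seen):
    """20-bit SAS over the secret and the public values THIS side saw,
    rendered as 4 z-base-32 characters like ZRTP's B32 SAS type."""
    material = b"".join(x.to_bytes(256, "big")
                        for x in (secret, caller_pub_seen, callee_pub_seen))
    bits = int.from_bytes(hashlib.sha256(material).digest()[:3], "big") >> 4
    alphabet = "ybndrfg8ejkmcpqxot1uwisza345h769"
    return "".join(alphabet[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def run_call(server_tampers=False):
    """Relay INVITE / 200 OK through the SIP server and report what each party
    and the server end up knowing.  Set server_tampers to model a server (or a
    cooperating CA, which lets a server impersonate a client) swapping in its
    own DH values on both legs."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # Substitute key pairs exist only when the server interposes itself.
    to_bob_priv, to_bob_pub = keypair() if server_tampers else (None, None)
    to_alice_priv, to_alice_pub = keypair() if server_tampers else (None, None)

    # Alice -> server -> Bob: INVITE carrying Alice's DH public value.
    invite = {"method": "INVITE", "from": "alice", "to": "bob", "dh_pub": a_pub}
    invite_delivered = dict(invite, dh_pub=to_bob_pub) if server_tampers else invite
    b_secret = shared_secret(b_priv, invite_delivered["dh_pub"])

    # Bob -> server -> Alice: 200 OK carrying Bob's DH public value.
    ok = {"method": "200 OK", "dh_pub": b_pub}
    ok_delivered = dict(ok, dh_pub=to_alice_pub) if server_tampers else ok
    a_secret = shared_secret(a_priv, ok_delivered["dh_pub"])

    # Keys the server can compute from what passed through it: none from the
    # public values alone, one per leg if it substituted its own.
    server_keys = set()
    if server_tampers:
        server_keys = {srtp_key(shared_secret(to_alice_priv, a_pub)),
                       srtp_key(shared_secret(to_bob_priv, b_pub))}

    alice_key, bob_key = srtp_key(a_secret), srtp_key(b_secret)
    return {
        "alice_key": alice_key,
        "bob_key": bob_key,
        "alice_sas": short_auth_string(a_secret, a_pub, ok_delivered["dh_pub"]),
        "bob_sas": short_auth_string(b_secret, invite_delivered["dh_pub"], b_pub),
        "server_knows_key": alice_key in server_keys or bob_key in server_keys,
    }


if __name__ == "__main__":
    for tamper in (False, True):
        r = run_call(server_tampers=tamper)
        print(f"tamper={tamper}: keys match={r['alice_key'] == r['bob_key']}, "
              f"SAS {r['alice_sas']} vs {r['bob_sas']}, "
              f"server knows key={r['server_knows_key']}")
```

In the honest run both endpoints derive the same SRTP key and read the same four-character string, while the server, having seen only public values, holds no key. In the tampering run the server holds a key for each leg, but the two strings differ, which is exactly what reading them aloud over the call catches and what an on-screen padlock cannot. Two caveats for anyone building on this idea: real ZRTP also commits to the initiator's DH value with a hash before the values are exchanged, so an interposed party cannot grind its own values until the two strings happen to agree, and that commitment is omitted here; and the 20-bit string only helps if users actually compare it, which is the usability trade-off the thread's client-side security analysts were weighing.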
Well, this tech is derived from the project which was designed to meet specs of one of our clients.
We did propose ZRTP to the client during the design phase, but their security analysts decided against it. They affirm that given the current state of the art in speech recognition and synthesis, ZRTP can be vulnerable to impersonation during the short code validation phase for an attacker with sufficient resources.
I'm personally doubtful, but one thing I'm sure about is that this client's security experts have access to info and resources which are not available to me.
The problem with complaining to Microsoft about this is that they are locked into some of these things by deals Skype set up before they were bought out. Microsoft is contractually obligated to only supply Skype TOM in China; this is the reason why they won't shut down MSN in China, because they are unable to control the Skype network within China. You can't expect Microsoft to reveal all these things while they are trying to clean house and get Skype in order. Don't hold your breath on Microsoft revealing anything.
Skype is popular because it just worked, even through funky firewalls. The replacement would need to be better than Skype to gain traction with non-technical users.
Skype's overall quality has been on a very steady decline recently. From call quality, to call drops, to offline contacts showing as online and vice versa, to privacy concerns, Skype's position has never been weaker. It still has obvious momentum, but it is actively pissing off a lot of its users.
How did the internet get so dumbed down? Cloud this and web app that and now nobody knows how to research or install any normal software. Or do anything that isn't shiny packaged at $10+ a month?
It's a bit smarter than just using an http tunnel.
Skype is capable of direct client-to-client connections, despite intervening NAT. It's pretty clever -- with the server's help as coordinator, the clients both initiate the connection, causing their own NAT routers to accept the inbound packets from the other side.
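A toy model of the coordinated connect described above, added here as an example; it is not Skype's code, and the NAT behaviour, the port numbers and the RFC 5737 documentation addresses are constructed for illustration. It goes slightly beyond the comment by also modelling a symmetric NAT, the case in which this trick fails and a client has to fall back to a relay.

```python
"""Added example: why two clients behind NATs can reach each other directly
when a coordinator tells both to connect at once.  Constructed model, not
Skype's implementation."""

COORDINATOR = ("198.51.100.10", 3478)   # constructed address (RFC 5737 TEST-NET-2)


class Nat:
    """Port-restricted cone NAT by default: one public port per inside socket,
    and an inbound packet is admitted only from a remote (ip, port) that the
    inside socket has already sent to.  With symmetric=True a new public port
    is allocated per (inside socket, remote) pair, as symmetric NATs do."""

    def __init__(self, public_ip, symmetric=False):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.mapping = {}      # mapping key -> public port
        self.allowed = {}      # public port -> set of remotes contacted from it
        self.next_port = 40000

    def _key(self, inside, remote):
        return (inside, remote) if self.symmetric else inside

    def translate_out(self, inside, remote):
        """Inside socket sends to remote; returns the packet's public source."""
        key = self._key(inside, remote)
        if key not in self.mapping:
            self.mapping[key] = self.next_port
            self.allowed[self.next_port] = set()
            self.next_port += 1
        port = self.mapping[key]
        self.allowed[port].add(remote)
        return (self.public_ip, port)

    def deliver_in(self, remote, public_port):
        """Packet from remote to one of our public ports.  Returns the inside
        socket it is delivered to, or None if the NAT filters it."""
        if remote not in self.allowed.get(public_port, ()):
            return None
        for key, port in self.mapping.items():
            if port == public_port:
                return key[0] if self.symmetric else key
        return None


def simulate(symmetric=False):
    """Run the three steps and return what got delivered at each one."""
    nat_a = Nat("203.0.113.1", symmetric)
    nat_b = Nat("203.0.113.2", symmetric)
    alice = ("10.0.0.5", 5060)        # constructed private addresses
    bob = ("192.168.1.7", 5060)

    # 1. Both clients register with the coordinator, which records the public
    #    (ip, port) each NAT assigned to them.
    alice_public = nat_a.translate_out(alice, COORDINATOR)
    bob_public = nat_b.translate_out(bob, COORDINATOR)

    # 2. Naive attempt: only Alice sends.  Bob's NAT has never seen Bob send to
    #    Alice's public address, so the packet is dropped.
    src = nat_a.translate_out(alice, bob_public)
    naive = nat_b.deliver_in(src, bob_public[1])

    # 3. Hole punch: the coordinator hands each side the other's public address
    #    and both send.  Each outbound packet opens its own NAT for the peer,
    #    so the peer's packet is admitted when it arrives.
    src_b = nat_b.translate_out(bob, alice_public)
    b_to_a = nat_a.deliver_in(src_b, alice_public[1])
    src_a = nat_a.translate_out(alice, bob_public)
    a_to_b = nat_b.deliver_in(src_a, bob_public[1])

    return {"naive": naive, "b_to_a": b_to_a, "a_to_b": a_to_b}


if __name__ == "__main__":
    for sym in (False, True):
        print("symmetric NAT" if sym else "cone NAT", simulate(symmetric=sym))
```

With cone NATs the naive connect fails and the coordinated one succeeds in both directions, which is the behaviour the comment describes. With a symmetric NAT the public port the coordinator learned is not the one the NAT uses towards the peer, so every step fails; a client in that position can only talk through a relay, which is one reason a service of this kind ends up running servers that carry media and not just signalling.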
I'm not keen on some of the recent changes to Skype but I don't really consider "Skype for Linux" to actually be Skype. Skype is actually the only reason beyond dev testing that I keep MS Windows.
Skype for Linux is the only software I've installed in at least 8 years, AFAIR, that has crashed my desktop session.
I wish all it did would be to crash my session. Mine would go into an endless loop or something, consuming 100% CPU. Everything would still appear to be working fine, only I couldn't make any calls, my chats wouldn't be delivered, etc. This happens around once every five minutes, and I have missed important meetings because Skype had hung and I was wondering why the person I was waiting for hadn't logged in yet, only to be asked where I was later.
It's the worst sort of bug, because it leads you to believe it's working fine, when it isn't. Skype for Linux is the reason I don't use Skype any more.
Recurring transparency report? Have you ever asked Google for such things when it reads your emails to sell you ads? Have you ever asked Target or Walmart for this when they track your credit card purchases and sell the ACTUAL data to other parties?
Stories like this are driven mostly by unverified rumors and sensationalist journalism that is JUST as rampant in the tech industry as it is in politics, economics, or any other topic covered in mass media today.