Index: [thread] [date] [subject] [author]
  From: <djg2120@columbia.edu>
  To  : <CPC@emoglen.law.columbia.edu>
  Date: Fri, 03 Mar 2006 03:27:36 -0500

Net telephony could trip up wiretaps

I thought this article was a nice follow-up to the discussion in
class today regarding net telephony and encrypted signals.
Dan
     
Net telephony could trip up wiretaps
By Peter Svensson, Associated Press

NEW YORK — Even as the U.S. government is embroiled in a debate over
the legality of wiretapping, the fastest-growing technology for
Internet calls appears to have the potential to make eavesdropping
a thing of the past.

Skype, the Internet calling service recently acquired by eBay Inc.,
provides free voice calls and instant messaging between users.
Unlike other Internet voice services, Skype calls are encrypted —
encoded using complex mathematical operations. That apparently
makes them impossible to snoop on, though the company leaves the
issue somewhat open to question.

Skype is certainly not the first application for encrypted
communications on the Internet. Secure e-mail and instant messaging
programs have been available for years at little or no cost.

But to a large extent, Internet users haven't felt a need for
privacy that outweighed the extra effort needed to use encryption.
In particular, e-mail programs such as Pretty Good Privacy have
been considered too cumbersome by many.And because such
applications have had limited popularity, their mere use can draw
attention. With Skype, however, criminals, terrorists and other
people who really want to keep their communications private are
indistinguishable from those who just want to call their mothers.

"Skype became popular not because it was secure, but because it was
easy to use," said Bruce Schneier, chief technology officer at
Counterpane Internet Security Inc.

Luxembourg-based Skype was founded by the Swedish and Estonian
entrepreneurs who created the Kazaa file-sharing network, which has
been the subject of several court actions by the music industry.

Skype's software for personal computers is distributed for free.
Members pay nothing to talk to each other over PCs but pay fees to
connect to people who are using telephones. Skype software is also
being built into cell-phone-like portable devices that will work
within range of wireless Internet "hot spots."

While still somewhat marginal in the United States, Skype had 75
million registered users worldwide at the end of 2005. Typically, 3
million to 4 million users are online at the same time.

Skype calls whip around the Internet encrypted with "keys," which
essentially are very long numbers. Skype keys are 256 bits long —
twice as long as the 128-bit keys used to send credit card numbers
over the Internet. The security is much more than doubled — in
theory, Skype's 256-bit keys would take trillions of times longer
to crack than 128-bit keys, which are themselves regarded as
practically impossible to break by current means.

"It is a pretty secure form of communication, which if you're
talking to your mistress you really appreciate, but if Al Qaida is
talking over Skype you have probably a different view," said Monty
Bannerman, chief executive of Verso Technologies Inc. His company
makes equipment for Internet service providers, including software
that can identify and block Skype calls.

Security experts are not completely convinced that Skype is as
secure as it seems, because the company hasn't made its technology
open to review. In the cryptographic community, opening software
blueprints to outsiders who can point out errors is considered to
be the safest way to go. Because of the complex mathematics
involved, a properly designed cryptographic system can be
unbreakable even if its method is known to outsiders.

But according to Schneier, if Skype's encryption is weaker than
believed, it still would stymie the kind of broad eavesdropping
that the National Security Agency is reputed to be performing, in
which it scans thousands or millions of calls at a time for certain
phrases. Even a weakly encrypted call would force an eavesdropper to
spend time cracking it.

Kurt Sauer, Skype's chief security officer, said there are no "back
doors" that could let a government bypass the encryption on a call.
At the same time, he said Skype "cooperates fully with all lawful
requests from relevant authorities." He would not give particulars
on the type of support provided.

The U.S. Justice Department did not respond to questions about its
views on Skype's encryption.

Verso's Bannerman notes that Skype calls are decrypted if they enter
the traditional telephone network to communicate with regular
phones, so a conversation could be intercepted there.

Skype does not reveal how many of its calls run on the phone
network.

"There are other ways of getting at the conversation than
brute-force decryption of the hacking," Bannerman said.

Schneier believes that eavesdropping on the content of calls is not
as important to the NSA as tracking the calls, which is still
possible with Skype. For instance, if a particular account were
associated with a terrorist or criminal, it would be possible to
identify his conversation partners.

"What you and I are saying is much less important than the fact that
you and I are talking," Schneier says. "Against traffic analysis,
encryption is irrelevant."

Steve Bannerman, vice president of marketing at Narus Inc. (he is
unrelated to Verso's Bannerman), said his company's systems enable
wiretapping of voice calls routed over the Internet, but not those
from Skype.

The most that Narus' technology, which is used by telecommunications
carriers, can do is identify what type of Skype traffic — voice
call, text chat or video conference — is being used, and record the
scrambled data for law enforcement officials. From there, he said,
"who knows what those guys can do?"
http://www.insidebayarea.com/businessnews/ci 3531310
         
Daniel Grimm
djg2120@columbia.edu

-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list



Index: [thread] [date] [subject] [author]