Skype under investigation for NSA links

According to today’s Guardian, Skype is being tackled by the data protection commissioner in Luxembourg over concerns it has secret links with the US National Security Agency and its Prism communications intercept programme. Like many “interesting” companies such as eBay, Amazon and even Starbucks, Skype chose to be based in Luxembourg in the hope it would be left alone. However, the infamous tax haven’s constitutionally enshrined right to privacy might turn around and bite Skype.

Microsoft bought Skype a couple of years ago; it had once been owned by eBay and, as a separate division, Microsoft has presumably decided to keep it in Luxembourg for the tax advantages. However, while Microsoft was allegedly one of the first large technology groups to be pulled in to Prism, Skype has been widely thought of as a secure communications channel. If Luxembourg-based Skype has been passing intercepts to the NSA, its users and the local authorities will not be pleased.

I understand that the local law does allow this kind of thing, and for it to remain secret, if it’s specially negotiated by the government. And as such the data commissioner may not have been in the loop.

But, you may wonder, how does an encrypted peer-to-peer system like Skype get intercepted anyway? The protocol was designed to pirate media files in such a way that lawful authorities were unable to track or disrupt it (which is why no network administrators would ever want it on their LANs). If it has weaknesses, they must have been there from the start. And I believe they were.

A few years back I was talking to someone from Facetime, a manufacturer of firewalls. They’ve since found that flogging their domain to Apple for an iPhone product is also lucrative, and now they’re called Actiance. But I digress.

Facetime had struck a deal with eBay to get details of the secret protocol so that they could manage Skype on local networks. As it’s obfuscated and designed to avoid firewalls, this is a neat trick, and they were the only people able to do it at the time. As an example, they were able to determine which versions of Skype were in use and block those that didn’t fit with company policy. In other words, they could positively recognise the obfuscated protocol and make sense of it.

According to the files the Guardian claims to have seen, Skype was ordered to cooperate with the NSA in February 2011, and it only took them a few months to have call intercepts in place. I’m not that surprised; given the Facetime firewall’s abilities I suspected that payload decryption was going to be possible if you asked the right questions whilst brandishing a big enough stick.

Making this information public, as is now the case, is simply going to push the people that should be intercepted on to systems not under the influence of the USA. How about a Chinese Skype-alike instead? Perhaps not, as it’s widely believed that the Chinese version has a back-door for the local authorities to plunder. But there are plenty of anarchist outfits out there with the ability to write a VoIP system that isn’t compromised by big business’s need to cooperate with governments if they want to make a profit.

Meanwhile, let’s see how Luxembourg’s data protection commissioner gets on.


Logitech pulls plug on Vid HD and suggests users dismantle firewalls

One of the best things about Logitech USB web cameras was their video conferencing system called Vid HD. Unlike Skype, it’s secure (or can be). This was a great reason to use it, and why network administrators the world over would choose it over things like MSN Messenger and Skype.

If you want to know what’s wrong with Skype see my chapter on VoIP in the Handbook of Electronic Security and Digital Forensics. Basically it’s a “stealth” protocol based on illegal file sharing technology (Kazaa) and is almost completely unmanageable at firewall level. Apart from its use as a conduit for malware through a firewall, its anarchic super-node structure is a menace. It was designed, of course, to make it impossible for the authorities to shut down peer-to-peer media sharing operations after Napster’s servers were clobbered, so the directory server (super-node) can pop up anywhere you get a luser running Skype. In summary, no one who knows about security would be happy about Skype running on their corporate network, and home users can go to hell in a handcart.

So, it’s come as something of a shock to discover that Logitech, the supplier of reason, plans to do the dirty on all those who bought their kit and signed up to the service. According to Joerg Tewes (their VP of digital home business group) on his blog, Logitech is going to withdraw the service on 1st July.

According to Tewes, “We launched Logitech Vid to make video calling easier and more approachable for our customers. We recognize that video calling has come a long way since then and there are now more widely used video calling solutions available, such as Skype.”

He continues by suggesting that users switch to Skype instead, as though this is some kind of decision made in the best interests of their hapless customers. There’s no hint of an apology.

Unless there is a change of heart from Logitech it’s going to leave a lot of people in the lurch. These will be people who understand about communications and security, not the home users that think Skype is cool. It’s going to hit the kind of people who specify product, and they’ll be loath to trust Logitech again as a result. I, for one, am certainly sorry I recommended them.

Deploying a replacement is going to be awkward and expensive, and there’s no obvious sensible replacement available. Vid HD was simple, reliable and a good product. Logitech’s management may be simple, but they’re neither reliable nor good.

I have asked Logitech, through Joerg Tewes, for their comments on the above, but they have so far declined to comment.


VoIP socket pinout on newer Draytek routers (2820Vn etc)

I’ve just spent over a day trying to get this piece of information out of Draytek, so appreciate it!

On the newer Draytek routers with VoIP capabilities (Vigor 2820 and some of the later ones) you no longer connect the handset (or PABX) to a standard RJ11. Instead both analogue lines come out on a single RJ11/RJ12, and you get an adapter so you can plug two standard BT handsets in to it. I assume this only applies to UK models. Anyway, if you’re wiring to a PABX, BT jacks are a complete pain in the rear, so if you want to connect an RJ11 to a twin-pair cable and go directly to a krone block the pin-out is (officially):

  • Line 1 – pins 2 and 5 (centre two)
  • Line 2 – pins 3 and 4 (one out from centre, or outer on RJ11)

That is to say the middle two pins and the two straddling – and numbering as if it was an RJ12 with six positions, even though the contacts may be missing from an RJ11. Heck, if you don’t know how to number an RJ12 you’re probably better off with the BT jacks.

This is logical and probably most telecoms people’s first guess, but it’s nice not to have to go for trial and error or smash their adapter apart (assuming you can’t conveniently connect an AVO into a BT-style socket).

For what it’s worth, I’ve been using Draytek VoIP kit for about eight years now – some of the best going in the market it serves, and I’ve got rather a lot to compare with. It’s a pity the company is so hard to get hold of for technical support, as they won’t answer a general question straddling the product range – only questions about individual serial-numbered units. Therefore I can’t get a list of kit to which this applies – I need to ask them one at a time, giving the serial number of an extant unit. I suspect they don’t want too many dumb questions swamping them, but it’s not so brilliant for professional users – if it’s not in their FAQ you’re left to trial and error.