Microsoft Makes Skype Easier To Monitor
In a follow-up to a story earlier this week, derekmead writes "Skype has gone under a number of updates and upgrades since it was bought by Microsoft last year, mostly in a bid to improve reliability. But according to a report by the Washington Post, Skype has also changed its system to make chat transcripts, as well as users' addresses and credit card numbers, more easily shared with authorities. As we've already seen with Facebook and Twitter, big Internet firms aren't digging their heels in against government requests, which shouldn't come as a shock; angering the authorities is bad business. The lesson then is that, while the Internet will always retain a vestige of its Wild West days, as companies get bigger and bigger, they're either going to play ball with governments or go the way of Kim Dotcom."
sorry, not going to do it.
Time to switch to something where we actually know what the software is doing.
...will this mean "wiretapping" via traditional warrant methods, or warrantless eavesdropping, either by non-warrant request or by essentially giving them the keys to the castle?
If it's traditional warrant methods then I'm not really any more concerned than I am for regular phone calls on POTS lines. If it's otherwise then I'm glad that I never set up a Skype account.
Do not look into laser with remaining eye.
People up to something will use a smaller, more secure system, perhaps even rolling their own communications (hey, it's not that hard).
So the people they really want to monitor is *us*.
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
The internet doesn't need the damn middlemen. My computer can connect to another's computer and we can exchange encrypted traffic and we don't need anyone in the middle to snoop on us to make that possible.
It's like if I was in the same room as a friend, and some slick "suit" type slides up and says, "Hey, you wanna talk to your friend over there? Instead of going over and talking to him, hows about you tell me what you want to tell him, and I'll go tell him what you said. Then I'll do the same in reverse, so you two can talk."
Umm, how about no thanks? It's time for the programmer community to develop easy to use, robust, strongly encrypted, point to point programs. We shouldn't need Skype, or Facebook, or Yahoo, or Google in order to communicate with each other online. Putting all our eggs in those baskets that are out to "monetize" our communication and snoop on it for governments is going to end badly for us all.
Government is evil.
There's a lot in between specifically designing software to give authorities lots of info, and making money from facilitating other people breaking the law. Kim "Dotcom," however you may feel on the subject in general, did intentionally promote piracy. The Mozilla foundation, as a counter, does not. Nor does the Mozilla Foundation go out of its way to provide this type of info to authorities, and improving the info that can be given. It's an exceptionally false dichotomy.
As we've already seen with Facebook and Twitter, big Internet firms aren't digging their heels in against government requests, which shouldn't come as a shock; angering the authorities is bad business.
So is angering customers. Which can MS Skype live without?
I killed my skype account the day I found out it was a Microsoft property.
This from the TFA:
Skype has gone under a number of updates and upgrades since it was bought by Microsoft last year, mostly in a bid to improve reliability. But according to a killer report by the Washington Post, Skype has also changed its system to make chat transcripts, as well as users’ addresses and credit card numbers, more easily shared with authorities.
The " to make chat transcripts, as well as users’ addresses and credit card numbers, more easily shared with authorities" is pure speculation.
And the alleged updates "since it was bought by Microsoft last year" (supernodes hosted in central data centers) were actually started in 2010, well before the Microsoft acquisition:
http://www.zdnet.com/skype-talks-back-to-critics-on-security-and-privacy-7000001682/
But this is slashdot. Why let facts get in the way of a good rumor-fueled speculation when it promises for a good Microsoft bashing?
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Will Jitsi let me call home to my old wired phone?
Yes: ...BUT...
Jitsi supports the SIP standard and there are plenty of SIP-to-POTS providers around (for example, I use Switzernet which is based in Switzerland and free to/from several European countries. Works with both my SIP softwares - Ekiga and Twinkle).
For obvious reasons there's no easy way to guarantee end-to-end encryption. So you *CAN* call home, but you won't get guaranteed privacy.
For full end-to-end encryption you need:
- a digital link from the source to the other end (which is not the case when bridging to POTS)
- the possibility to audit the software used at both ends that there are no bugs or implementation problems which could leak critical data. (So you need an opensource front-end and an opensource encryption layer, preferably using known and well tested and documented protocols (like ZRTP). And you need enough independent eyeballs looking at said code) (Jitsi is opensource so one can check that everything is properly implemented to avoid leaks).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
But if said friends have a Google account, they can already log into a XMPP/Jingle server using any compatible client (like Jitsi) and as long as both ends support ZRTP encryption, the communication will be secure.
Has someone tried whether Jingle works between people connected on Facebook's XMPP gateway?
In both cases, you don't need to drag your whole network into a newer system, you only have to convince users to install a software supporting the necessary standard, you already have a network to leverage.
Now if someone could write a Skype wrapper for Jitsi (like there is one for Pidgin/Adium's Purple), or if someone could implement ZRTP in Pidgin, you could even have Skype and SIP or XMPP contacts in the same application.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Architecture that facilitates a man in the middle attack (which is essentially what this does) is just asking for trouble. Skype used to have a pretty impressive peer to peer encryption design. No longer, I guess.
This is bad if law enforcement uses it illicitly. It's worse if some Skype/Microsoft employees go rogue, or if a hacker breaks into the infrastructure. I mean, you're baking insecurity right into the design of the frickin' product. What could go wrong?
I wonder sometimes if big brother is going to knock on the door tomorrow and stick a monitoring device right up my backside.
My comments are my own, and do not represent the views of my employer, my spouse, my children, or my cats.
I'm posting anonymously because I don't need attention. Here's the chronology and you can find the sources of these claims on your own.
- NSA issues a billion dollar RFP asking for a solution to wiretapping Skype
- as years pass, NSA's concerns about Skype keep on growing, they keep on lobbying lawmakers and industry officials
- out of the blue, MS buys Skype and pays an astronomical price
- buying Skype at that price makes no sense for MS since it poisons their relationships with carriers and pundits are confused
- first thing MS does is it kills supernodes and installs THOUSANDS of Linux servers running grsecurity http://grsecurity.net/news.php#Skype
- that means that ALL Skype traffic now passes through MS servers and can be easily wiretapped since MS holds all the keys and can easily perform a MITM attack
- NSA starts jumping from joy because their biggest black hole has been plugged.
- MS is happy because they are now getting regular large checks from NSA
tl;dr: Skype's a botnet and NSA paid MS to buy Skype
You mean they're going to be vindicated in the face of illegal state action?
(OK, hasn't quite happened yet, but that's the way it's going.)
Illegal search and seizure - just routine business
I know corporations will do anything for a buck, but doesn't it make you worried that all the authorities, government and corporate, find it perfectly OK to break the law and aren't the least bit bothered by the increasingly fascist state, as long as they make a profit this quarter?
mostly in a bid to improve reliability
Is this one of those far too numerous grassroots /. articles that try to put a positive spin on a negative situation?
Microsoft can kiss business use goodbye. They have been pushing an API for Skype that I have been casually looking into for awhile.
When Microsoft says it is going to make it easier for the authorities to tap into conversations all I really hear is, "We are going to implement a backdoor and pray like fucking crazy hackers don't find it to pwn us".
I can't in good conscience recommend using Skype to any business for communications, which can often be sensitive, as long as Microsoft is putting in backdoors. Need to find another platform.
That also precludes communications platforms from integrating with Skype like Asterisk. Sure, a POTS connection is not nearly as secure as Skype would be, but it is far more difficult to tap a POTS line from thousands of miles away.
What is interesting is if Microsoft's enterprise communications platform Lync suffers from the same vulnerabilities. They might just be fucking themselves out of the business sector for communications entirely.
...where the NSA et al would mod "up" and not necessarily only all the Microsoft Trolls.
Society use your Sciences
Wow! Was this a surprise!!!!! What is next?
Sorry slashdot dittoheads, you and much of the tech press have your pants down. As a Skyper, I'm here to let ya know, you have this story entirely wrong. Who is dishing out the FUD here? Who is indulging in fact-free, doctrinaire dittoheadishness? /. Of course.
Read Skype's official response to all this BS here: What Does Skype's Architecture Do? http://blogs.skype.com/en/2012/07/what_does_skypes_architecture_do.html
Then read my lips: the changes made to our network are as described above. Really. Mark nails it.
When you find actual evidence of intercepted Skype calls, or any actual evidence of Skype intercepts, yell, shout, and scream. It's been done before to good effect. It's a necessary vigilance. If you have weak minded submissions debating EULA arcana, or lucky 8 ball reasoning that MS patent + MS acquisition == sellout, or even close observations about our evolving network topology, take a deep breath and look at what's real. This story is not.
For text chats you don't even have to have much in the way of technical skill to ensure your chats are still safe from the gubbiment. Install both the Skype and OTR plugins for pidgin, and away you go.
I am a grandfather, you insensitive clod! And I'd be happy to drop my POTS for something less 'controlled'.
New mod option wanted: -1 DrunkenRambling
Yes, it's all a coincidence.
Anyone who says anything else is just a complete insane nutjob with yet another conspiracy theory and you should ignore them.
Nothing more.
Move along now.
Citizen.
I find it quite amusing, that the software that comes from creators of Kazaa, which uses the same P2P methodology that was developed to help people bypass government- and law-restrictions is now being used to spy on people.
Two words:
Retroactive immunity.
So, what you're saying is, you've created a giant lollipop for crackers everywhere, where they need only compromise your giant database to get millions and millions of credit cards, passwords, addresses, and more. Were I Lloyd's, I would not even offer a probability on this happening at some point in the near future.
*facepalms* It's like they've all been taught anti-security. MS -> "Let's ditch our push to safer, garbage collected, safe strings, randomized memory location languages, and bring back C++ with its insanity; let's design an entire OS that our customers don't want and our developer base is rebelling over; let's put giant, gaping backdoors in previously secure software because despite the NSA's insistence that they hire the best and the brightest, they are apparently incapable of discovering the security flaws that already exist, while high-school students in Eastern European countries find them for free during their lunch hours." USA -> "Let's have a cyber-war with people we've totally provoked (at this point), and which we are totally unprepared for. We will train Marines, who are taught to obey orders, to have the mindset of 31337 h@x0r$, who have a completely different, and exclusive mindset. And f*ck fixing the economy, as everything we do makes it worse (and don't use the word 'depression', use the word 'recession'). And it hasn't dawned on us that every time we engage in nation building / swapping out other countries' governments, we end up making a new enemy. And criticizing our government's actions is a sign of disloyalty, which gets your name on the No-Fly List." Wat. I can't tell if I should be working, or getting fitted for a super-villain costume.
I am John Hurt.
Are all my friends already on Jitsi
As Jitsi just uses plain standards, the correct question isn't that, but:
"Are all my friends already on SIP or XMPP/Jingle?"
(The software component itself isn't important. As long as the software supports SIP or XMPP you can communicate with them.
As long as both software ends support ZRTP/SRTP, you can secure the communication. As long as both software ends support OTR, you can secure the text chat. Whichever software is used isn't relevant.
Jitsi is just cited because a Tor developer did recommend it and thus brought some publicity to it. But any compliant software could be used as an example:
Jitsi (SIP, XMPP/Jabber, ZRTP/SRTP, OTR), Twinkle (phone only, so SIP, ZRTP/SRTP, but obviously no OTR), Purple-based like Pidgin and Adium (SIP/SIMPLE, XMPP/Jabber, multiple others including a wrapper for Skype, OTR for text but lacks ZRTP for now), Ekiga (SIP but no ZRTP nor OTR, XMPP planned in the future), and countless others...)
Now back to the question:
"Are all my friends already on SIP or XMPP/Jingle?"
Surprisingly: Yes, they might.
As said, Jitsi (and countless other software) use standards like SIP and XMPP.
XMPP is very popular and several systems use it under the hood (including high profile ones like Google Talk), or provide a XMPP gateway to their own chat system (several social networks, even Facebook).
Also a full XMPP implementation can route messages between different XMPP networks. So you don't even need to be on the same XMPP network as long as both your servers accept to exchange messages (most do, Facebook is a notorious exception).
Google's GTalk runs on plain XMPP/Jingle (they even played a part in creating the Jingle part of the standard). So any of your friends already having a Google account can use it to log into Jitsi and will see all their Google contacts in it, and start communicating with any other GTalk user, even those using the web interface (although the web interface's video/audio plugin only works on Windows, and for very obvious security reasons doesn't support encryption).
(Note: Google's own FAQ isn't up to date, for example Pidgin also supports audio/video call since version 2.6.x)
As Google implements the full XMPP protocol you can even communicate with people on other XMPP-powered networks. (You can chat using your Google Talk @gmail.com account with people having a Jabber account @jabber.org).
Another possible candidate is Facebook. Facebook also comes with a huge network of contacts. And Facebook does provide a XMPP gateway to interface their own proprietary chat. Users can log in with their Facebook credentials into any XMPP compliant client and they will see all their Facebook contacts (although due to Facebook's TAG-like approach to lists, the group-mode view can be messy) and can chat with them. Now for Video/Audio, the situation is slightly less bright:
- Facebook's audio/video chat web applet only works with other users of the web applet.
- Skype audio/video calls to other Facebook users only work with Skype (it uses only FB for chat and friend discovery, the video/audio is still handled by Skype).
Now it might be possible that friends connected through the XMPP gateway may attempt to Jingle-call each other. I haven't tested it yet. But if it works, their calls will be segregated, as it's already the situation between Skype and Webapp users. (Currently Facebook doesn't convert and route audio/video streams between Skype and webapp users, and is very unlikely to introduce it for their XMPP gateway either).
As it is only a XMPP gateway and not a full XMPP implementation, they don't provide "server federation" and you can't chat with users on other XMPP networks (a @facebook.com account can't chat with a @gmail.com account. It's limited to other Facebook users only).
do I need to
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
So... Freedoms and forced openness of user information for marketing. Censorship of user freedom. Hypocritical selfish bigwig system. I hate it