Microsoft Reads Your Skype Chat Messages
An anonymous reader writes "A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs."
"New Skype malware spreading at 2,000 clicks per hour to mine Bitcoins"
http://thenextweb.com/insider/2013/04/05/new-skype-malware-spreading-at-2000-clicks-per-hour-makes-money-by-using-victims-machines-to-mine-bitcoins/
And they try to prevent it by detecting malware and we get headlines like this. Looks like people are on a witch hunt here.
Alternate headline: Microsoft protects hundreds of millions of Skype users by going to the effort of checking even https URLs in chat for malware and spam
This space for rent.
AOL reads your messages. Google reads your messages. Facebook reads your messages. Apple reads your messages. Microsoft reads your messages.
How is this news? The price for free IM is that they read your messages and sell the info they gather to advertisers.
It's one thing to run links through spam filters, it's quite another to access those links directly.
"Hey Joe, we'll be running up the new turbine tomorrow. It's a new system so we've put in a kill switch. Access http://system.aviationco.com/automation/stop?user=joe&pass=uhoh But don't use it unless you have to, it drops a rod in the turbine and that's 50,000 bucks a pop."
"Don't get Scroogled^H^H^H^H^H^H^H^H^HMicrosofted!"
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
This is the problem with closed source. You don't know what your software is doing, and it's difficult to figure out.
Just in case you weren't already certain that they were monitoring your communications through Skype, they are.
Skype is not a secure communications channel. If this bothers you, use irc over i2p.
Is anybody else suddenly feeling a sense of curiosity about what sorts of vulnerabilities, if any, the program that Microsoft probes URLs sent over skype with may possess?
If TFA is accurate, you can make whatever software this is visit a URL just by skype-chatting it to somebody. What sort of security measures would they have in place for systems whose job it is to poke every last probably-malware link that goes across skype?
So, as I fully expected, this whole campaign about users being "Scroogled" that Microsoft has been involved in is misdirection, and they do the same thing.
Wanna bet they also scrape your hotmail and everything else in the same way they accuse Google of doing?
Lost at C:>. Found at C.
Both Facebook and Google's chats use bog standard XMPP (aka Jabber). Normal, clueless people use Facebook to chat. The few that don't use Facebook use the chat inside Gmail, or the one installed on their smartphone. Encryption over XMPP is very common; you'd need to use a non-standard client (say, Pidgin), but it's feasible.
The major problem is that encryption requires support at both ends:
Even a totally proprietary chat network (if it's been cracked open far enough that 3rd party clients exist, or 3rd-party wrappers around the first party client or libraries exist) can be used to send encrypted payloads; but only if both users are set up for that (Pidgin with OTR, say, works just fine over AOL's 'Oscar' protocol; but only if both ends are using it). This is the real killer. If you don't have control over what your clueless compatriot is using, none of the client-side encryption options are going to help you much. Not supported in Google's gmail web app window thing? No deal. Not supported by cellphone's default chat client? No deal.
You'll still probably get SSL, from all but the shittiest chat services; but that only protects you from people watching the wire, not from the service provider (who is the man in the middle, with one SSL-protected connection to you and a second to your chat compatriot).
Same with email: it's less common than it used to be for email to go between the client and the mailserver in the clear; but it's still damn rare for messages to be encrypted at the client end and thus safe from the mailserver operator.
.....is that they are Scroogling Skype users?
https://www.eff.org/who-has-your-back-2013
Microsoft is extremely hypocritical in their claims of privacy protection, and their attacks on Google.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Hopefully MS does some dupe checking on their end, otherwise this could amount to a DoS attack. Imagine spamming out the victim's URL to hundreds of thousands of Skype users and then MS flooding that URL with requests.
How would you even propose they filter spam links without a basic request? Do they blacklist all URL shorteners, or do you just let all spam that uses URL shorteners to go through?
Wait... Who were we talking about?
Two of my imaginary friends reproduced once
I do not like to defend Microsoft, but I can see this as being the case. Skype's got quite a bit of problems with Messenger Spam, this may be a mechanism to review them.
By the way, if privacy is your problem, you're not fixing it by using someone else's infrastructure. You should expect, by default, that they're going through your information. Build your own server or forever hold your peace.
*sigh* it's the principle of the thing, not the specific implementation. Guess what, I made the whole "Aviation Co" thing up. Joe doesn't even exist. Shock, horror, there *is no* turbine.
It's simply an example to illustrate the point that links sent in private emails should remain unmolested. You can't assume that accessing them is safe. And yes, people should not be sending unsafe links through IM but let me re-iterate, as a service provider, You can't assume that accessing them is safe.
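An added illustration, not part of any comment in this thread: from the receiving site's side, the kind of access the summary describes shows up in the web server's access log, and a short script can flag it. The log lines, the query parameter names treated as secrets, and the "expected" client network below are all constructed assumptions (addresses come from documentation ranges).

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; paths and addresses are
# made up for this example and do not come from the article.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2013:10:02:11 +0000] "GET /files/report.pdf?user=joe&pass=uhoh HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2013:10:05:37 +0000] "HEAD /files/report.pdf?user=joe&pass=uhoh HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [01/Jan/2013:10:06:02 +0000] "GET /index.html HTTP/1.1" 200 811 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2013:10:07:19 +0000] "HEAD /share/abc?token=s3cr3t HTTP/1.1" 302 0 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SECRET_PARAMS = {"pass", "password", "token", "key", "sig"}  # assumed names
EXPECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]    # assumed: our own users


def find_third_party_fetches(log_text, expected_nets=EXPECTED_NETS):
    """Return (ip, method, path, secret_param_names) for every request that
    carries a secret in its query string and comes from an unexpected network."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log line we understand
        ip, method, target, _status = m.groups()
        parts = urlsplit(target)
        params = parse_qs(parts.query, keep_blank_values=True)
        secrets = sorted(SECRET_PARAMS & set(params))
        if not secrets:
            continue  # nothing sensitive in this URL
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in expected_nets):
            continue  # the intended recipient's network
        hits.append((ip, method, parts.path, secrets))
    return hits


if __name__ == "__main__":
    for ip, method, path, secrets in find_third_party_fetches(SAMPLE_LOG):
        print(f"{ip} {method} {path} exposed={','.join(secrets)}: rotate it")
```

Any hit means the secret has left the two parties it was meant for, so the credential or share link should be rotated; keeping secrets out of query strings and refusing state changes on GET/HEAD avoids the problem at the source.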
If they are claiming that the reason to read/inspect the contents of the Skype messages is to protect users from spam and phishing URLs, can they be held legally responsible if they fail in that? It's no longer a "common carrier" if you are taking such actions, is it?
http://www.scroogled.com/
This campaign of lies funded by MS is now a double lie because MS unlike Google isn't open about it. Everyone knows gmail scans your messages. Nobody knew Skype does the same.
THAT is why it is news and deserves to be repeated over and over to shut up all the MS trolls who were so happy to spout the scroogled fud.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
First rule: if you're routing your traffic through someone else's infrastructure (in this case MS's Skype servers), they are monitoring it. The only way around this is client-based encryption where the infrastructure in between doesn't have access to the encryption keys.
Second rule: if the encryption setup requires someone else's servers to be involved, they do have access to the encryption keys. The only way around this is to either have the clients communicating directly or to use a key exchange protocol that's resistant to eavesdropping.
Third rule: if you're truly concerned about confidential information, you shouldn't be depending on someone else's infrastructure in the first place. It's something you don't and can't control, which means using it's an inherent risk that should be avoided if possible. Get hosting or set up a server in your data center and run your own servers.
That Skype chat's monitored should come as no surprise. MS will monitor Skype and MSN's IM service (whatever they're calling it this week). Google monitors Google Voice and Chat. Facebook monitors Facebook Chat. Your e-mail provider monitors your e-mail. If you're worried about security or confidentiality, acknowledge this and take appropriate measures.
HTTP HEAD request to check for a response code of 200 vs. 301 or 302.
Which, from the article, is exactly what they're doing.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Great, what popular IM and VoIP client that everyone and their grandmother uses do you suggest instead?
Google Talk. Works out of the browser.
Once WebRTC hits mainline version of browser (soonish), it will work out of the browser without even a plugin.
Or you can install Jitsi and use that to log into your Google chat instead of the webclient. And if the other end too has encryption (Off-The-Record on the message channel or ZRTP on the audio/video channels) (for example if the other end is using Adium to chat) the transmission is completely encrypted end-to-end with no way for Google to intercept anything.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Yeah, coz Google would *never* read your private data...
Doesn't matter. Just on the next line I suggested using end-to-end encryption.
You can log in with any XMPP software that supports Off-The-Record to have end-to-end encryption on chat (for example Jitsi, Pidgin, Adium, maybe Trillian too, but I'm not sure). You can log in with any XMPP software that supports ZRTP to have end-to-end encryption on audio/video (Jitsi again).
Both OTR and ZRTP are standards, so as long as software at both ends supports it you get encryption, you don't need to use the same software, only any software that does support it (for obvious technical reasons, Google's own web app client doesn't implement it so you're still transmitting with the same level of security as a post card if one of the peers is using this).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]