Skype Finalizes Its Move To the Cloud; To Kill Older Clients -- Remains Tight Lipped About Privacy (arstechnica.com)
When it was first created, the Skype network was built as a decentralized peer-to-peer system. PCs that had enough processing muscle and bandwidth acted as "supernodes," and coordinated connections between other machines on the network. This p2p system was generally perceived as being relatively private, a belief that has since been debunked. There were several technical challenges, which led Microsoft to move most of Skype's operations to the cloud. Ars Technica is reporting that the company has finalized the switch. From the article:
Microsoft has developed a more conventional client-server network, with clients that act as pure clients and dedicated cloud servers. The company is starting to transition to this network exclusively. This transition means that old peer-to-peer Skype clients will cease to work. Clients for the new network will be available for Windows XP and up, OS X Yosemite and up, iOS 8 and up, and Android 4.03 and up. However, certain embedded clients -- in particular, those integrated into smart TVs and available for the PlayStation 3 -- are being deprecated, with no replacement. Microsoft says that since those clients are little used and since almost every user of those platforms has other Skype-capable devices available, it is no longer worth continuing to support them.
The issue, as the report points out, is that Microsoft is strangely not talking about privacy and security concerns. The article adds:
The Ed Snowden leaks raised substantial questions about the privacy of services such as Skype and have caused an increasing interest in platforms that offer end-to-end encryption. The ability to intercept or wiretap Skype came as a shock to many, especially given Skype's traditionally peer-to-peer infrastructure. Accordingly, we've seen similar services such as iMessage, WhatsApp, and even Facebook Messenger, start introducing end-to-end encryption. The abandonment of Skype's peer-to-peer system can only raise suspicions here.
Matthew Green, who teaches cryptography at Johns Hopkins, said: "The surprising thing here is not that Microsoft can intercept Skype calls (duh) but that they won't just admit it."
What can you recommend in FOSS, and can such things work reliably without a heavy backend infrastructure?
Am I the only one who considered the old Peer to Peer mode of Skype suspicious? I was always under the assumption that those who got selected as "supernodes" had some snooping capabilities, and State or commercial interests could easily buy enough servers with lots of bandwidth to snoop on many people, although possibly not precisely targeted. I'm glad that the Peer to Peer switching via SuperNodes is gone, but trustworthy end to end encryption would still be a nice thing.
If peer-to-peer was already wire-tappable, then what's the difference with putting it on a cloud server? With MS holding the reins, you know exactly who to sue if something goes wrong. Theoretically, they are held to account for privacy requirements; not so much P2P nodes. If non-secure P2P were to stick around, I guess the government wouldn't have a one-stop shop for Skype data, but hackers/da gubmint would retain the ability to single out a target and wire-tap them at will. It's a trade-off, but I'm pretty confident that the vast majority of Skype users don't care who holds the data as long as their chats and calls still go through.
It's also not MS's problem if devices are deprecated by the update. Tell your TV manufacturer or Sony to update their client.
Not only do they wiretap your Skype calls, they patented it: http://appft1.uspto.gov/netacg....
From the very beginning, Skype's protocol was undocumented. (That's one of the reasons there weren't competing compatible implementations.)
And since it was undocumented, everyone assumed it had to be fundamentally insecure.
And then there was the fact that it was banned in various countries on the explicit and publicly-known condition that the ban wouldn't be lifted until the governments in question were given access to the keys. This confirmed the insecurity, to openly known fact. That it's insecure isn't a nerdy or tinfoil hat thing; it's mainstream knowledge that you can see by googling news stories where governments were granted decryption keys. This isn't shady or a secret or something that nobody likes to talk about. It's been common knowledge for several years. So..
..WTF? Why did you say that? It isn't merely wrong that it's insecure; it's a borderline lie when you suggest that people think it is secure. I bet you can't find a person who says "I thought it was secure" even for purposes of making fun of, or educating, that person.
(Again, we're talking about perception, not the insecurity itself. And I'm saying you're misrepresenting the perception.)
The ones that deny wiretapping are liars. There is only one way: Open Source. Spare us the walking on egg shells.
Preferably with some JEDEC earthquake-proof LEDs?
...Clients for the new network will be available for Windows XP ...
But... but... but... Microsoft has stated that XP is dead and unsupported, haven't they?
The Skype protocol is proprietary. No one has any idea if it is secure or not. Therefore it isn't secure. Support open standards and protocols.
The interesting problem is that for POTS, they need warrants to wiretap. For new internet technologies the laws are not in place, so the NSA and FBI pretty much have said "It's available, it's not required to warrant by law, so let's Hoover up everything". And that's what they are doing. Microsoft already has an "NSAKEY" in its Windows encryption, and since taking over Skype they've "re-architected" everything. I'd be highly surprised if they DIDN'T have it all piped straight to the TLA government agencies.
They left out Linux in the list... so that means they are beta testing a dead product?
What gives? Microsoft never does things like that.
Do not look at laser with remaining good eye.
This was obvious to anyone who watched the initial purchase of Skype by Microsoft. It made absolutely no business sense. It was nice of the NSA to twist their arm or float them some cash to get it inside the country.
However, certain embedded clients -- in particular, those integrated into smart TVs and available for the PlayStation 3 -- are being deprecated, with no replacement. Microsoft says that since those clients are little used and since almost every user of those platforms has other Skype-capable devices available, it is no longer worth continuing to support them.
Another reason for segregating features from key components such as displays and vehicles. If Microsoft said those things it would be kind of a low blow considering developers would likely say the same about some of their past (Zune, WinRT) and current (Win Phone) devices.
That is all.
systemd is Roko's Basilisk.
The fact is Skype is not for spy level data and 99% of you aren't that important anyway. Your best bet is a system that has an efficient and easy to maintain model so you get features and decent out facing security at least.
If you operate in any government borders, you don't really have privacy unless you can ensure end to end encryption and a reliable anonymity network. All current anonymity networks are questionable. I would argue most ppl using them are just idiots drawing more attention to their actions. The upside is they hide the 1% of content on there that may legitimately need to be anonymous.
Even if your government guarantees privacy, that's a law that is open to interpretation and can be changed at any point. Unless you're a solid dictator with a dynasty of loyalists under you, don't expect government proof internet privacy.
Nobody has a right to being government proof, that would mean you had found a way to be above the law. Even if you're the best coder in the world, you don't have a right to be above the law. Using technology to outsmart law is a futile and fleeting proposition. It's not sustainable. A justice system has to be able to demand data and if everyone can lock that data up we will be screwing ourselves.
Skype has recently been approved for US Gov employees to use at work. This happened almost as soon as MS bought the company; took a few years, but by now it is approved pretty much govt wide. Somehow that seems like relevant information here.
Other than Skype for Bidness (which I'm forced to use at work) I've moved to Discord with a whole slew of other people
BUH-BYE
What's so strange and surprising about this? They need to spy on people. Really all they did is remove what little value Skype had left. I already quit using it. Not that WhatsApp is any better...
“He’s not deformed, he’s just drunk!”
As I recall it, the very first thing Microsoft did after they acquired Skype was to make it wiretappable.
I have been noticing that the web client has a lot crappier quality for audio and video, closer to the google hangout quality. So those of you using it for podcasts to get better audio of guests..... expect to look for something else...
Sadly the free and easy solutions for high quality audio conferencing are going away.
It seems kind of strange nobody ever reverse engineered the protocol. Maybe it's too hard to do or too well encrypted, but it seems like a lot harder things have been reversed or cracked.
Anyone's house can be burgled. Anyone who uses a checking account can have it drained.
Therefore, nearly all users need secure communications. If you're going to throw numbers like 99% around, then to translate to your way of looking at things: Skype is too insecure for 99% of users. There is a lucky(?) 1% (homeless people? death row inmates?) for whom it might be sufficient.
But everybody has a right to be criminal-proof. (And similarly, everyone has a right to be government-proof up to the point where due process has decided that one person, on this one occasion, will have that right revoked.) And technology is totally agnostic when it comes to whose attacks you're defending against.
Thus, there is a conflict: all people need the ability to communicate to a degree of security, which just happens to be far, far above what a government can tap. And governments need to force insecurity, to a degree far, far below what is needed to stop a common, everyday mundane criminal.
Something has to give. So let's characterize both sides, to both extremes. You (and I) (and everyone else) are on one of these two sides, each of which sounds both smart and stupid:
And there isn't a third position. Nobody gets to say "My side doesn't have a disadvantage." Yes, it does. Because we're just talking about power in isolation, since software doesn't give a fuck who is using it for what purpose.
One of the traditional advantages of P2P is that it is possible to send with no preset limit for the size of messages, including attachments. IIRC, Skype has had that ability in the past. The thing is that I don't know of any centralized client-server system, even cloud based, that has not implemented some limit on the size of messages you can send. In addition to being silent about privacy, this article (at least) does not say anything one way or the other about introducing size limits.
all successful, quality, conferencing apps use a client server approach with muxing of streams taking place on the server itself allowing you to reserve maximum bandwidth for voice quality
the architecture of the platform isn't the privacy concern, the tos are
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
All US-based Skype traffic traverses the NSA's new Utah datacenter. Keep this in mind before you decide to use it.
Does "works well" include handling group calls (or whatever Skype calls them)?
Yes but not in the Web version - currently only the Linux desktop version (with caveats). See https://support.skype.com/en/f... (Calling and call troubleshooting):
Does this fix the incoming group call issue I have on Skype for Linux today?
Yes, the problem with receiving incoming group calls is fixed in Skype for Linux Alpha. Make sure the people you're calling or receiving calls from are using the latest version of Skype.
You've got to be kidding if you think switching on WhatsApp and Facebook Messenger gives you more privacy. All it does is change who is doing the spying. Skype is Microsoft which seems to be cozy with the government. Facebook doesn't seem as cozy with the government in public, but I think that is probably all show anyways.
However, Facebook's apps are designed to be spyware, while Skype isn't last I checked. How is installing Spyware more private than non-spyware?
With Windows 10 and patches to earlier operating systems, Microsoft entered the spyware business big time. Maybe the Skype app is spyware now too, I haven't seen anything posted on that? Microsoft has always been cozy with the government like the daily scans for NSA provided keywords on all Microsoft OSes, but this move to being more like Facebook and Google has been more recent.
Skype's privacy policy:
https://privacy.microsoft.com/...
"However, we do not use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files to target ads to you."
Facebook messenger policy:
https://www.facebook.com/polic...
"We collect the content and other information you provide when you use our Services, including when you sign up for an account, create or share, and message or communicate with others."
"We use the information we have to improve our advertising and measurement systems so we can show you relevant ads on and off our Services and measure the effectiveness and reach of ads and services."
So Skype = NSA spying.
WhatsApp/Facebook Messenger = Facebook spying and almost certainly the NSA even though Facebook tries to imply otherwise.
What we need are more options like Signal Private Messenger that actually seem to care about privacy.
iMessage probably is one of the more privacy oriented messengers (with the exception of Signal). Apple hasn't seemed to be big on spyware other than the stint in Yosemite.
This message is encrypted with Quad ROT-13 to protect the author's copyright under the DMCA.
But which Asterisk manager is the least PITA?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Assuming you have the knowledge to set up your own LAMP/LEMP stack, then it is very easy to set up your own server that allows anyone using a WebRTC compatible web-browser to have voice chat calls.
In particular, I use NGINX + Owncloud + spreed.me (webrtc). For folks with an owncloud account, then I can initiate a video chat if we are both connected to owncloud. Otherwise, for other folks, I can create a temporary session and specify when the session expires, then send an https URL that contains the session key.
I've tested with chrome on android, and it works very well for video chat and I don't see any reason to use proprietary software or servers anymore.
WhatsApp supports Signal now.
So does Facebook Messenger.
End of Line.
In addition to the aforementioned Pidgin, there is also Jitsi.
It, too, can connect to XMPP (e.g.: Google Mail. Or a private server) and SIP.
It, too, uses OTR to guarantee end-to-end encryption over the chat channel.
It is multi platform, available on Linux, Windows, Mac and Android (as far as I know, either Pidgin itself, or other software using its libpurple library are also available on nearly any platform you would want).
Jitsi can in addition place encrypted calls, using ZRTP (as far as I know, Pidgin currently only supports clear calls).
On the other hand Pidgin has many more plugins (e.g.: the JSON and XML interfaces used by Facebook messaging App, by web skype, by Steam Mobile, etc.)
And yup, that means that you can overlay end-to-end encryption over skype, as long as both end points support it (e.g.: Pidgin + OTR + WebSkype plugin)
(does anyone know if there are browser plugins a la Mailvelope that work to add OTR to web chats?)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
As another example:
Google Talk is available over XMPP.
And if both endpoints use OTR, you can get end-to-end encryption (e.g.: Jitsi on one side, and Adium - Mac OS X's Pidgin cousin - on the other)
Note that some of the more advanced features that are only available in Google Hangout are not available on the Google Talk interface (offline messages and "who has read what" status).
---
Sadly Facebook's XMPP gateway has been shut down (you need to use a plugin compatible with FB Messenger, which is not available on all chat clients, only in Pidgin)
Sadly WhatsApp is in a holy crusade against 3rd party clients so you're completely out of luck.
TFA's web skype has also a plugin for pidgin.
If you read the fine print in the EULA, Microsoft is willing to help law enforcement wherever it is required by local laws.
And if you believe the log of the AppArmor jail your Linux client is running in, it's a really badly designed, badly behaving application.
On the other hand, the mix of JSON and XML used by Web Skype has been reverse engineered, plug-ins are available for libpurple (thus for Pidgin, Adium, Telepathy, etc.) so you can set up your own end-to-end encryption layer over skype (e.g.: OTR) if both end points support it.
And unlike the case with WhatsApp, Microsoft doesn't seem interested in fighting such 3rd party clients.
(Even their own latest linux beta client uses the web skype interface, apparently).
Here's one for you all:
Microsoft's purchase of Skype was underwritten by the US Government on the basis that Microsoft provides a mechanism where the FBI and NSA can access conversations.
It would probably have been a cheaper way to do this than have another Government Contract let to do it :-)
Having secure transport doesn't help if the client end is spyware.
Skype is video spying of anything you do or that goes on behind you when you use it. Naked kids run by, bam. Leaked. This includes all jacking off stuff they notice.
Microsoft is total spyware for the US government, no secret or tight lipped about that.
Never bring up Ed Snowden in a pitch for Microsoft shit.
There is no such thing as a computer cloud mother fuckers it is their COMPANY SERVERS. It is GOVERNMENT DATABASES because they have immediate access to it.
http://ring.cx/ is looking good... Decentralized using DHT, and e2e encrypted. It doesn't live inside Chrome browser, either, which I think is a big handicap for Signal.