All Your Skype Are Belong To Us
Microsoft is reading everything you write
Skype used to be the most secure instant messaging system and I have frequently recommended it on this basis. Microsoft, under Bill Gates, used to be the big company most willing to protect user’s privacy. Skype was recently purchased by Microsoft.
Heise Security then reproduced the events by sending two test HTTPS URLs, one containing login information and one pointing to a private cloud-based file-sharing service. A few hours after their Skype messages, they observed the following in the server log:
65.52.100.214 – – [30/Apr/2013:19:28:32 +0200]
“HEAD /…/login.html?user=tbtest&password=geheim HTTP/1.1”…
… In visiting these pages, Microsoft made use of both the login information and the specially created URL for a private cloud-based file-sharing service.
By “specially created URL†they mean a secret URL that looks like random gibberish. When one accesses a web site over https, other people can see what website you are accessing, but they cannot see the url, thus secret urls are regularly used like passwords over https to access secret files.
I am putting this in the category party politics as well as politics, because these days Microsoft is, like all big software companies, Democrat aligned. Likely if a republican candidate says something interesting, or sends an interesting link to a fellow republican, his Democratic party opponent will get wind of it.
Adam Back replicated this experiment.
The delay of several hours suggests that there is a human in the loop, keeping an eye out for anything good, though Adam Back finds this hard to believe.
I recommend using OTR over pidgin. For one’s Skype contacts, Adam Back recommends using OTR over adium4skype.
After purchasing Skype, Microsoft replaced its peer to peer architecture with a central server architecture.  There is no good reason for doing this other than to spy on everyone.  It is obviously much more efficient to send messages as directly as possible, rather than through Redmond.
Thanks Jim. Gtalk just informed me that it’s no longer going to allow me to chat without a history log. I’m not as much worried about the government as employers digging up stuff that I IM to friends.
A friend of mine just watched a couple of white male nurses get fired over posting pictures of some bar hopping they did on face book. HR just called them up and out the door they went. Time to get everything possible away from the official and unofficial watch dogs.
So Gtalk is out.
Skype is out.
What’s out there?
I hear Russians still use ICQ. Should we go back there?
ICQ has no central server, but is in the clear, and can be logged by lots of people.
ICQ is undoubtedly logged by the Russian secret service, but the Russian secret service is not going to get anyone except Russians fired or persecuted.
Optimal solution would be OTR over ICQ.
OTR?
Probably this:
http://en.wikipedia.org/wiki/Off-the-Record_Messaging
Jitsi.
I use it and can recommend it.
https://jitsi.org/
https://jitsi.org/index.php/Documentation/ZrtpFAQ
and
Ԥ Are my chat session protected and if so, how?
Jitsi supports the OTR encryption protocol. OTR stands for Off-the-Record Messaging and once you’ve set it up (i.e. clicked on that padlock icon in a chat window and verified the identity of your contact) it allows you to make sure that no one other than you two can read your messages, not even your service provider. You can find more on the OTR mechanisms here:
http://en.wikipedia.org/wiki/Off-the-Record_Messaging‘
“There is no good reason for doing this other than to spy on everyone.”
‘NSA offering ‘billions’ for Skype eavesdrop solution’
http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/
Problem solved.
[…] All your skypes belong to Microsoft « Jim’s Blog […]
Interesting. I was going to have Skype, but this post has made me think that it’s a bad idea and a no, no. Talk about dodging a bullet.
So wait a second,
OTR encrypts all you do, and isn’t crackable, right? Then it shouldn’t matter that a protocol isn’t p2p, if the chats going through the server isn’t readable.
So, say, you can use adium doing OTR over ICQ, or OTR over gtalk. Is Google able to read gtalk chats with OTR?
It boils down to key exchange. If Google or Skype or whoever sees your private and/or public keys, they can read your messages.
So do they see your keys? That requires monitoring the behaviour of chat clients: do they have secret back channels that connect to Google/Skype/whoever servers to secretly deposit your encryption keys, messages, or other such data?
Open-source clients with large, savvy userbases are the safe option in this scenario.
“private and/or public keys”
That should say private (as in, the private half of a keypair) and/or symmetric keys.
[…] After purchasing Skype, Microsoft replaced its peer to peer architecture with a central server architecture.  There is no good reason for doing this other than to spy on everyone – Jim’s Blog […]