All your skypes belong to Microsoft

All Your Skype Are Belong To Us

Microsoft is reading everything you write

Skype used to be the most secure instant messaging system, and I have frequently recommended it on that basis. Microsoft, under Bill Gates, used to be the big company most willing to protect users’ privacy. Skype was recently purchased by Microsoft.

Heise Security then reproduced the events by sending two test HTTPS URLs, one containing login information and one pointing to a private cloud-based file-sharing service. A few hours after their Skype messages, they observed the following in the server log:

65.52.100.214 – – [30/Apr/2013:19:28:32 +0200]
“HEAD /…/login.html?user=tbtest&password=geheim HTTP/1.1”

… In visiting these pages, Microsoft made use of both the login information and the specially created URL for a private cloud-based file-sharing service.

By “specially created URL” they mean a secret URL that looks like random gibberish. When one accesses a web site over HTTPS, other people can see which site you are connecting to, but they cannot see the URL path or query string, so secret URLs are regularly used like passwords over HTTPS to access secret files.
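The Heise test is a canary: a random secret URL that only the chat recipient should ever fetch, so any other visitor in the web server log shows the message was read in transit. As an added example (not from the original post or from Heise), this Python scans access-log lines for hits on such a canary and reports the source address, the delay since the link was sent, and whether credentials sat in the query string; the log lines, addresses and token are constructed.

```python
import re
from datetime import datetime, timezone, timedelta

# Common/combined log format prefix: ip ident user [time] "METHOD path proto"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+"'
)

def find_canary_hits(log_lines, canary_tokens, sent_at):
    """Return every request whose path contains a canary token, with the
    delay (hours) since the secret link was sent over the messenger."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line, skip it
        path = m.group("path")
        token = next((t for t in canary_tokens if t in path), None)
        if token is None:
            continue
        ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "token": token,
            "delay_hours": round((ts - sent_at).total_seconds() / 3600, 2),
            # credentials in the query string are exposed to whoever fetched it
            "has_credentials": "password=" in path.lower(),
        })
    return hits

def third_party_hits(hits, recipient_ips):
    """Hits from anyone other than the intended recipient: evidence that
    the message was read somewhere between sender and recipient."""
    return [h for h in hits if h["ip"] not in recipient_ips]

# Constructed sample log (RFC 5737 documentation addresses, made-up token).
CANARY = ["k7Qz9pLm2x"]  # random path segment, sent exactly once via chat
SENT_AT = datetime(2013, 4, 30, 14, 0, 0, tzinfo=timezone(timedelta(hours=2)))
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Apr/2013:14:02:10 +0200] "GET /share/k7Qz9pLm2x/file.pdf HTTP/1.1" 200 51234',
    '192.0.2.44 - - [30/Apr/2013:15:10:00 +0200] "GET /index.html HTTP/1.1" 200 1024',
    'not a log line',
    '198.51.100.7 - - [30/Apr/2013:19:28:32 +0200] "HEAD /share/k7Qz9pLm2x/login.html?user=tbtest&password=geheim HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    hits = find_canary_hits(SAMPLE_LOG, CANARY, SENT_AT)
    for h in third_party_hits(hits, {"203.0.113.5"}):
        print(f"{h['ip']} fetched canary {h['token']} via {h['method']} "
              f"{h['delay_hours']}h after sending; credentials exposed: {h['has_credentials']}")
```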

I am putting this in the category of party politics as well as politics, because these days Microsoft is, like all big software companies, Democrat aligned. Likely if a Republican candidate says something interesting, or sends an interesting link to a fellow Republican, his Democratic party opponent will get wind of it.

Adam Back replicated this experiment.

The delay of several hours suggests that there is a human in the loop, keeping an eye out for anything good, though Adam Back finds this hard to believe.

I recommend using OTR over Pidgin. For one’s Skype contacts, Adam Back recommends using OTR over adium4skype.

After purchasing Skype, Microsoft replaced its peer-to-peer architecture with a central server architecture. There is no good reason for doing this other than to spy on everyone. It is obviously much more efficient to send messages as directly as possible, rather than through Redmond.

14 Responses to “All your skypes belong to Microsoft”

  1. […] After purchasing Skype, Microsoft replaced its peer to peer architecture with a central server architecture.   There is no good reason for doing this other than to spy on everyone – Jim’s Blog […]

  2. spandrell says:

    So wait a second,
    OTR encrypts all you do, and isn’t crackable, right? Then it shouldn’t matter that a protocol isn’t p2p, if the chats going through the server aren’t readable.

    So, say, you can use adium doing OTR over ICQ, or OTR over gtalk. Is Google able to read gtalk chats with OTR?

    • Mike says:

      It boils down to key exchange. If Google or Skype or whoever sees your private and/or public keys, they can read your messages.

      So do they see your keys? That requires monitoring the behaviour of chat clients: do they have secret back channels that connect to Google/Skype/whoever servers to secretly deposit your encryption keys, messages, or other such data?

      Open-source clients with large, savvy userbases are the safe option in this scenario.

      • Mike says:

        “private and/or public keys”

        That should say private (as in, the private half of a keypair) and/or symmetric keys.

  3. Interesting. I was going to have Skype, but this post has made me think that it’s a bad idea and a no, no. Talk about dodging a bullet.

  4. […] All your skypes belong to Microsoft « Jim’s Blog […]

  5. spandrell says:

    So Gtalk is out.
    Skype is out.

    What’s out there?
    I hear Russians still use ICQ. Should we go back there?

  6. Red says:

    Thanks Jim. Gtalk just informed me that it’s no longer going to allow me to chat without a history log. I’m not as much worried about the government as employers digging up stuff that I IM to friends.

    A friend of mine just watched a couple of white male nurses get fired over posting pictures of some bar hopping they did on Facebook. HR just called them up and out the door they went. Time to get everything possible away from the official and unofficial watchdogs.
