
How Skype fixes security vulnerabilities - atomlib
https://hub.zhovner.com/geek/how-skype-fixes-security-vulnerabilities/?1
======
noelwelsh
Most interesting to me was the response from the MS Security Response Centre:
"[T]his is not a valid vulnerability ... [It] relies entirely on social
engineering."

This narrow view of what constitutes the system shows that MS Security is
seriously flawed. If you run hosted software you have to consider the security
aspects of the total system, including support and other human factors. Seems
like MS is stuck in the mindset of shrink-wrapped software.

------
andybak
Mods removed "(They don't)" or similar from the title. Before they did this I
think it more accurately reflected the intent of the original author as this
is the prominent subtitle on the page. Without this it makes the article
sound much less interesting.

~~~
bryanrasmussen
When I read the title without the They don't in it I thought sarcastically to
myself "They don't".

~~~
TeMPOraL
I literally did the same when I read the title. I guess Skype has done a lot
to earn the snark.

------
viraptor
I feel like this could be fixed very quickly if someone wanted to invest the
time and was a bit on the chaotic side. 1) find Skype IDs of Microsoft
managers, known people, big businesses with ties to MS 2) create 20+ fake
accounts 3) start reporting abuse...

It's the same issue as in any big system - people on high enough positions are
isolated from all the crap normal users have to deal with. If you can
interrupt their business call though... I expect the fix will be coming soon.

~~~
therein
This is very true. OP can contact me for some MS employee Skype usernames. :)

------
bad_user
Last week Skype dropped 2/3 of my contacts list.

I contacted their chat support to tell them about it. The person on the other
end was insisting that I might be using another Skype account where my other
contacts are. Which of course I ain't since I'm not that stupid. He then
suggested the stupid bullshit Tier 1 support usually does, like reinstalling
Skype. I did as asked.

Then he asked me for remote control of my PC, which I refused, because I have
sensitive data on my laptop and I'm on macOS anyway. I then asked for my
issue to be upgraded to a higher-level tier, because losing my contacts is
unacceptable. Then he made an accusation that I hadn't reinstalled Skype as
asked and that I'm probably using two accounts, at which point I gave up.

Anyway, Skype sucks, it's been a week since I've lost most of my contacts
which I've been collecting for about 7 years or so and their support is
useless.

If you're relying on Skype for your business, stop doing that ;-)

~~~
setq
I've dumped all of these services due to random crap like this. Phone, SMS,
email or go away. They're not perfect but they are significantly better than
anything else.

However if you want a real turd: Skype for Business. Everything starts with 20
minutes trying to work out if it's working or not which for a random subset of
people the answer is nope.

~~~
antihero
Phone and SMS are fucking useless if you spend any significant period of time
using wifi without having signal (my office, the tube, etc.), and you have to
pay to send images. SMS can go do one, to be honest.

~~~
setq
I read books on the tube :)

------
marksamman
I've been looking for a Skype alternative since the security of Skype was
weakened after it was acquired by Microsoft. I've had my account stolen
multiple times because their support has changed the primary e-mail address of
my account, and I had to use the same method the social engineers used to get my
account back. Since then I've avoided sharing anything slightly sensitive over
Skype, as chat history is synced with anyone who accesses your account.

Finding a replacement isn't easy, but I've used Wire (wire.com) for a year now
and find it good enough feature-wise, and excellent security-wise. It has its
quirks and can be a resource hog at times (the desktop app uses Electron
IIRC), but it's worth switching from the security disaster that is Skype.

~~~
zeratax
You should definitely consider the Matrix protocol
([https://matrix.org](https://matrix.org)) that is used with Riot
([https://riot.im](https://riot.im)). Matrix allows for complete
decentralization and both the protocol and the client are open source.
There are even many other clients, as Matrix also works with, for example,
weechat.

One of its biggest strengths is the support for bridges to other messengers
like Slack, IRC and Gitter. I personally haven't yet tried group calls or
video chat, but considering that those also use end-to-end encryption just as
messages and attachments do, and that this encryption has been fully audited, I
could barely be any less hyped about all this. As the author of this article
pointed out, all of Skype's flaws are more or less inherent to big centralized
messengers and this is exactly what we get around with Matrix. It's really
amazing what a great state it is already in. Sure, there is still lots of work
left, but to me it appears to be the currently most promising project.

~~~
tmikaeld
Both are too difficult for normal people to grasp and have no central id
management so you have to copy it manually

------
klausjensen
Skype makes me sad.

I used it 10 years ago, and it was great - or at least pretty good, compared
to the other options. Video calls, screen sharing, chat.

But it had a number of problems. Mostly surrounding using it on multiple
devices, making it very hard to keep track of what has and has not been read.
Log onto Skype on a device I have not used in a couple of days, and "unread"
messages show up - messages I have already read.

Over the past 10 years, none of the issues that I care about have been
addressed. But we did get some garbage integration with facebook and nice
emoticons. They added features nobody wants and have not addressed the
problems. It is maddening.

It makes me sad. But it is unfortunately still the standard when you deal with
non-technical people, so I keep using it... :(

~~~
toyg
_> making it very hard to keep track of what has and has not been read_

This seems to have finally been addressed, at least on my OSX/iOS combo.

------
illuminated
Sadly, Skype is still used a lot. More than half of the emails I receive with
a next step of communication proposal come suggesting Skype.

The only way to beat it would be to have another communication solution which
can be used as simple as Skype is (for any age, technical literacy, etc.).

~~~
alkonaut
This. People talk about various alternatives, but I haven't seen one. The
requirements are pretty simple

1) Chat and group chat (persistent)

2) Simple file transfer and image posting in chat

3) Good quality voice calls, video calls and group voice calls

4) Apps for android/iOS with shared contact lists

5) Single application for all of the above (to enable a single group set,
switching between group chat and group call with one button)

6) No server setup

7) Free or freemium on all platforms (With all features 1-5 in the free tier)

Are there any good alternatives? Is there even _an_ alternative?

~~~
tluyben2
3) Is not true for me though, it's awful mostly, but that's my pet peeve (all
coders assume everyone else is on a 1000mbit connection as well all the time)
and MS is really bad at making anything work on bad connections. Office 365
isn't even getting past the 'wait while loading' while Google drive/docs is
completely usable when I have a bad connection (which is often). The software
that was written for bad connections, like Whatsapp and Wechat, for me, have
much better quality. But no video (which I personally don't need, but it
violates your 3rd demand).

~~~
pawadu
> 3) Good quality voice calls, video calls and group voice calls

In my experience, voice quality issues are almost always due to the people and
not the technology.

~~~
tluyben2
Well Skype just disconnects _often_ and it takes a while to get back. While
the 'others' don't have that as they assume the connection will break / is too
slow?

------
walrus01
I wonder how many other free services' accounts can be disabled by bombarding
an automated abuse-reporting/blocking system with reports of "abuse" from a
specified username. A lot more than just Skype, I bet. And many of these
services have no method of contacting a human at "customer service" because of
the sheer number of free accounts (tens of millions).

~~~
azernik
There have been a lot of instances of this happening to feminist or LGBT
groups on Facebook and YouTube. These systems are fantastically abusable.

~~~
walrus01
If I were setting up an automated abuse-report-receiving system that could
automatically disable accounts, I would run some sort of filter for "is the
account reporting the abuse itself a newly created account, and/or one with
suspiciously low and non-human looking usage patterns?".

But on the other side, malicious actors can solve that problem by having
clickfarm workers in Bangladesh create 30 fake Facebook accounts, post random
drivel on them for a week to make them look like they're in use, and then use
those to report abuse.

~~~
mschuster91
> If I were setting up an automated abuse-report-receiving system that could
> automatically disable accounts, I would run some sort of filter for "is the
> account reporting the abuse itself a newly created account, and/or one with
> suspiciously low and non-human looking usage patterns?".

That does not help against these kiddy vandals mentioned in the article.

~~~
walrus01
yes, exactly why it's a hard problem to solve.

~~~
mschuster91
The solution is simple: Hire support people - and both train and allow them to
deviate from the usual support flowcharts.

Oh, and check if they actually speak English well enough to communicate with
customers. As a customer, I instantly notice outsourced callcenters.

~~~
walrus01
The solution is _not_ simple, if you're on the business management side and
need to concern yourself with the fully loaded yearly office space, overhead,
payroll/benefits cost of hiring hundreds of well trained, motivated, educated,
English-speaking customer support reps to support your 20+ million "free"
customers...

~~~
mschuster91
It all boils down to classic capitalism: privatizing profits (money not spent
on support teams) and socializing losses (wasted police funds on SWATting,
often needed psychological care for victims, lost productivity due to
hacks)...

Once these losses are factored in, the tide swings towards support staff. But
unfortunately that won't happen any time soon.

------
aleksi
Original in Russian:
[https://habrahabr.ru/post/316912/](https://habrahabr.ru/post/316912/)

Original submission by author:
[https://news.ycombinator.com/item?id=13225939](https://news.ycombinator.com/item?id=13225939)

------
wslh
It is obvious for me that Satya Nadella never uses Skype (or Lync, cough
cough, Skype for Business). If he were using Skype he would write an e-mail
like this Bill Gates rant about Movie Maker:
[http://blog.seattlepi.com/microsoft/2008/06/24/full-text-an-epic-bill-gates-e-mail-rant/](http://blog.seattlepi.com/microsoft/2008/06/24/full-text-an-epic-bill-gates-e-mail-rant/)

------
dirtbox
Last year I discovered a bug that allowed you to call someone's phone and
remotely activate its camera and mic by disconnecting the call while it was
ringing - the target's device would simply call you back as if it were a
dropped call.

They fixed it, but boy that was a doozy.

~~~
dirtbox
Oh god, haha! Someone picked up my original post about it on reddit and wrote
an article including my original drawing.

[http://www.androidpolice.com/2014/12/22/security-hole-skype-allows-users-surreptitiously-connect-users/](http://www.androidpolice.com/2014/12/22/security-hole-skype-allows-users-surreptitiously-connect-users/)

Ed: Oh my word, hundreds of phone, tech and malware blogs picked up on it all
over the world. I didn't have a clue.

~~~
zhovner
Wow! Looks pretty much the same as the remote mic activation on desktop that I
found a few years ago:
[https://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F133555%2F](https://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F133555%2F)

Can Skype for Android receive a call when the Skype app is in the background?

------
sprite
My account on Skype seems to have gotten some sort of shadowban. I don't show
up when people search for me and when I send people a contact request it shows
as sent on my side but the other person never receives it. I can communicate
fine with my existing contacts.

------
120bits
> Skype tech support is vulnerable to social engineering, and Microsoft is
> perfectly OK with that.

This bothers me a lot. My mom got a call from this guy pretending to be an MS
employee a couple of weeks ago. He told her that the PC had been infected by a
virus, that MS had been notified and that he was helping her to resolve the issue.
For a person like my mom, who is not much of a tech-savvy person, the chances are
really high of falling for this. Fortunately, she told that guy to call her back
later, because she didn't know the administrator password.

------
Aissen
From my sources inside of Skype, everyone is leaving, and Microsoft might be
preparing to sell it. No wonder that nothing's changing.

~~~
gst
This would explain why they no longer allow you to link your Skype and your
Microsoft account:
[https://support.skype.com/en/faq/FA12060/can-i-link-or-unlink-my-skype-and-microsoft-accounts](https://support.skype.com/en/faq/FA12060/can-i-link-or-unlink-my-skype-and-microsoft-accounts)

------
anocendi
My first reaction seeing the title was, "Is this for Real!?".

Then, I saw what I was expecting as the very first line in the article.

------
edpichler
I've used Skype for more than 10 years, and I feel it's abandoned. I also have a
Google Voice account, same feeling.

------
jokoon
I recently had an interview on Skype.

I added the interviewer in my contact list, but we were never able to start a
video conference. We did it by phone instead. I did not have the job. Thanks
Skype. Not to mention the interviewer had Skype Pro.

Not to mention the intrusive ads.

------
rasjani
Lync (Skype for business) has been The Worst support that I've ever dealt
with.

------
tomp
> <Skype> > We think that we gave enough information. You are piece of shit,
> live with it.

I've no idea if this is real or not, but if it is, it's pretty damning for
Microsoft. I hope the author goes to court and wins!

~~~
grzm
From the article: "Short recap:" As far as I can tell this recap is a summary
of the original email exchange which is available from a link in the article.

[http://telegra.ph/SRX1365288845ID---Account-blocked-by-mass-abuse-reporting-12-19](http://telegra.ph/SRX1365288845ID---Account-blocked-by-mass-abuse-reporting-12-19)

I haven't read it closely enough to confirm that the gist of each message
corresponds, but I don't see any of the explicit, abusive language from Skype
in the emails that shows up in the recap.

------
wwwigham
I don't think I can fault Skype for this "vulnerability" - the problem itself
isn't really in code, but in people. Yes, within the article there's mention
of a past attack which relied on socially engineering a support specialist to
send verification codes and guess the result, but that seems to have stopped.
I'd actually love to know the key generation algorithm or the probabilities
that go into guessing one of four-ish codes sent in a burst in just a few
tries.

Still, the other exploit mentioned, the one not "patched" - this same kind of
mass-reporting system exploit is usable in all manner of online forums and
services - heck, HN's own flag feature could get pretty close (we just have
some very hands-on moderators and an okay community)!

As for not restoring something when contacting support... I can understand
why. It's _better_ this way, since then no malicious party who is _actually_
spamming with Skype accounts can retrieve an account using only a bit of
social engineering! Instead they need to roll up new emails and new accounts.
(And think of it this way: If a malicious party is abusing the system to get
your account blocked, how will they know your new account to repeat the
procedure? They shouldn't.)

Yes. It's a pity that the abuse reporting system is itself vulnerable to
abuse, but... aren't most? Given Skype's massive userbase, putting the user
reporting function behind a mechanical turk... the rate at which they'd need
to comb through ban requests would seem to make fatigue (and thereby false
positives which would result in the same outcome as now) inevitable. The only
interesting way I've seen this abuse-system abuse handled in recent years was
the League of Legends tribunal system[1], where they effectively handed
penalty decisions to the community at large and let them come to a consensus.
Though I don't know how well it worked and, honestly, that system seems just
as game-able as the automated report button itself. In fact, it feels
analogous to a Sybil attack[2] in the crypto world - get enough aligned
malicious identities in a decentralized system and they effectively control
it. The only "fix" is making identity creation too expensive to make gaining a
controlling share of the identity-space prohibitive (which would entail making
account creation difficult) - I feel that this is _directly at odds_ with
account creation speed and thus user acquisition for a service like this, so I
cannot fault Skype for falling on the middle ground that they have.

[1][http://forums.na.leagueoflegends.com/board/showthread.php?t=...](http://forums.na.leagueoflegends.com/board/showthread.php?t=2068259)
[2][https://en.wikipedia.org/wiki/Sybil_attack](https://en.wikipedia.org/wiki/Sybil_attack)

~~~
ordu
If the support team is vulnerable to abuse, then deal with it. For example, stop
blocking accounts due to abuse reports. Just block the account's ability to
contact the reporter. Make some automatic abuse detection system to deal with
the most popular cases. Invent some type of karma for users, keep it hidden, but
let this karma influence the decision making of the support team or abuse
detection system.

A little courage to face the problem and some creativity to brainstorm a
solution... But the Skype team seems to lack the will to solve any problems.
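The thread above sketches three pieces of a less abusable report pipeline: walrus01's filter on the reporting account (age, activity, "looks human"), wwwigham's point that aged fake accounts still get through (a Sybil attack), and ordu's idea of blocking only the reporter/target contact path and keeping a hidden karma that feeds the decision. The following is an added example that is not from the article, from Skype, or from any commenter; it is a toy trust-weighted triage in Python with constructed sample accounts, and all thresholds (30-day minimum age, 50 messages, 5 contacts, an escalation score of 3.0, a 0.0..2.0 karma range) are assumptions chosen for illustration, not any real service's values. The target is never auto-disabled: the only automatic action is the per-reporter contact block, and a high weighted score sends the case to a human.

```python
"""Trust-weighted abuse-report triage (illustrative, added example).

Every account, report and threshold here is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass
class Account:
    account_id: str
    age_days: int          # days since the account was created
    messages_sent: int     # lifetime outbound messages
    contacts: int          # accepted contacts on the list
    karma: float = 1.0     # hidden reputation; assumed range 0.0..2.0


@dataclass
class Report:
    reporter_id: str
    target_id: str


# Assumed thresholds for this example, not any real service's values.
MIN_AGE_DAYS = 30          # reports from younger accounts carry no weight
FULL_ACTIVITY_MSGS = 50    # messages needed for full activity credit
FULL_SOCIAL_CONTACTS = 5   # contacts needed for full "looks human" credit
ESCALATE_THRESHOLD = 3.0   # weighted score that hands the case to a human


def reporter_weight(acct: Account) -> float:
    """How much one report from this account counts (0.0 to 2.0).

    Brand-new accounts count for nothing; low-activity, contact-less
    accounts count for very little; hidden karma scales the rest.
    """
    if acct.age_days < MIN_AGE_DAYS:
        return 0.0
    activity = min(acct.messages_sent / FULL_ACTIVITY_MSGS, 1.0)
    social = min(acct.contacts / FULL_SOCIAL_CONTACTS, 1.0)
    karma = max(0.0, min(acct.karma, 2.0))
    return activity * social * karma


def triage(target_id: str, reports: Iterable[Report],
           accounts: Dict[str, Account]) -> dict:
    """Score distinct reporters of one target; never auto-ban the target.

    'contact_blocks' lists reporters who should no longer be reachable by
    the target (the only automatic action). 'action' is either 'none' or
    'escalate_to_human'.
    """
    reporters = {r.reporter_id for r in reports if r.target_id == target_id}
    score = sum(reporter_weight(accounts[r]) for r in reporters if r in accounts)
    action = "escalate_to_human" if score >= ESCALATE_THRESHOLD else "none"
    return {"score": round(score, 3), "action": action,
            "contact_blocks": sorted(reporters)}


def penalize_false_reporters(accounts: Dict[str, Account],
                             reporter_ids: Iterable[str],
                             factor: float = 0.5) -> None:
    """Hidden karma decay after a human reviewer rejects a report batch."""
    for rid in reporter_ids:
        if rid in accounts:
            accounts[rid].karma *= factor


def _make(prefix: str, n: int, **kw) -> Dict[str, Account]:
    return {f"{prefix}{i}": Account(f"{prefix}{i}", **kw) for i in range(n)}


def fresh_account_attack() -> dict:
    """25 two-day-old accounts mass-report one victim: weight 0, no action."""
    accounts = _make("fresh", 25, age_days=2, messages_sent=3, contacts=0)
    reports = [Report(rid, "victim") for rid in accounts]
    return triage("victim", reports, accounts)


def organic_reports() -> dict:
    """Four established users report a real spammer: case goes to a human."""
    accounts = {
        "alice": Account("alice", 800, 5000, 60),
        "bob": Account("bob", 400, 300, 12),
        "carol": Account("carol", 1200, 2000, 80),
        "dave": Account("dave", 90, 60, 5),
    }
    reports = [Report(rid, "spammer") for rid in accounts]
    return triage("spammer", reports, accounts)


def aged_farm_attack() -> tuple:
    """30 aged clickfarm accounts (Sybil case): first pass reaches a human;
    after the human rejects it and karma decays, the same batch does not."""
    accounts = _make("farm", 30, age_days=45, messages_sent=40, contacts=1)
    reports = [Report(rid, "victim") for rid in accounts]
    first = triage("victim", reports, accounts)
    penalize_false_reporters(accounts, first["contact_blocks"])
    second = triage("victim", reports, accounts)
    return first, second
```

The aged-farm case is the honest part: 30 accounts that are past the age gate but have almost no contacts still sum to a score above the threshold, so the scheme cannot stop a determined Sybil attacker on its own; it can only make the worst automatic outcome a human review rather than a ban, and make a repeat of the same batch cheaper to ignore once the hidden karma of the reporters has been cut.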

