
Who Does Skype Let Spy? - mikegerwitz
http://www.schneier.com/blog/archives/2013/01/who_does_skype.html
======
gesman
Do not expect any privacy by using any commercial communication platform or
solution.

Consider yourself entering a full-body see-through scanner every time you
conveniently send email, chat or do a video call with Skype.

For total privacy use Tor-based communications channels, such as tormail.org
(instead of any other email provider) and similar Tor-based solutions. The
price for better privacy is usually less convenience and slower speeds.

~~~
biomechanica
I completely agree with you except for one thing. Tor isn't necessarily for
privacy. It has more to do with anonymity by taking steps so people can't see
who you are. By using Tormail there is still a chance that you can leak
information about yourself and your contacts. Same goes for logging in to
sites that carry your personal information.

If someone wants privacy then I would suggest using gpg/openpgp encryption for
email/documents/etc., make sure https everywhere plugin is installed on your
browser, noscript, adblock, etc. I suppose you get the same type of protection
using the Tor Browser, also.

The problem is encryption. For the average user it's a bit of a pain to
understand and use. Then again, I'm sure if people want it enough they will
learn.

~~~
jiggy2011
Encryption is hard enough for developers and IT people to understand.

You have, for example, websites that say "your data is protected by 256 bit
encryption!". What does that even mean? Is it just encrypted in transit? Is it
only stored in an encrypted form on the other end? What is the key and who has
to know it?

There is also a pretty big disadvantage to using good crypto, mainly if you
lose/forget the key (or password used to derive it) you are completely fucked.

~~~
xradionut
It's not that you have to understand the details of the math of encryption or
write your own library, you need to understand the processes required to use
it. It's easier to figure out how to use GPG/PGP than use Mercurial or git.

And almost all users, and most IT folks and developers are too lazy to follow
processes. Plus management and shareholders don't want to invest the time and
money for training or implementation.

~~~
biomechanica
I guess what we're seeing is basically, when it comes straight down to it: We
are all pretty damn lazy.

------
nicholasjarnold
Please encrypt your communications whenever it's possible. Not because you
have something to hide, but because there are many entities handling our
private data that do not necessarily have their interests aligned with our
personal privacy (probably an understatement).

For text messaging (Android only) I use the excellent 'TextSecure' app, which
is an open source drop-in replacement for the standard messaging app on your
phone. You can read more about it at <http://www.whispersystems.org/>

The aforementioned Whisper Systems also has an app called 'RedPhone' for
secure voice, but I have yet to try it. If anyone uses it, I would be very
glad to hear your opinion.

~~~
hexonexxon
I use Redphone almost every day. They now have global coverage except for most
of the Middle East and some parts of Eastern Europe. The Egyptian server
apparently doesn't relay so well either last I heard on the mailing list.

Works as advertised in China which is a great success for businesses worried
about their BlackBerries or iPhones being exploited by industrial espionage.

Another bonus is Moxie is considering moving everything over to VoIP so you
won't even need a cell contract (since Google Voice numbers don't work
worldwide). Move around the city like a ninja using Wi-Fi.

------
munin
It's also possible for Skype to run arbitrary stuff on your system at any
time, by design, from Skype HQ: <http://www.kyrus-tech.com/go-skype-go/>

During that incident it was excellent, because Skype admins told complaining
users that they were infected with malware.

~~~
nextparadigms
They've also been very happy to give data away even without warrants, about
some Wikileaks supporters:

[http://www.slate.com/blogs/future_tense/2012/11/09/skype_gav...](http://www.slate.com/blogs/future_tense/2012/11/09/skype_gave_data_on_a_teen_wikileaks_supporter_to_a_private_company_without.html)

------
Macsenour
Several game publishers I have worked for have banned Skype and made it a
fireable offense to use it. And that's just games...

~~~
cookiecaper
Heh, several of my clients, most of whom have more sensitive data than a game
company would have, mandate the use of Skype for IM. It really is a good IM
platform, with the ability to edit/remove last message sent, easily build
chats/conferences, the "send file" functionality actually works, and of
course, it's simple to launch into a voice or video call right from the
client. It's a shame that no other IM protocol even comes close to that.

On the other hand, Skype does keep logs of all your conversations on their
servers, seemingly indefinitely. There's no easy crypto drop-in like OTR that
I know of, and there's no easily evident way to delete those logs. I refuse to
use it for non-mandated chats for these reasons.

------
brudgers
Google, Facebook, Apple and Amazon are all US companies. Who do they let spy?

Concerns about Microsoft are not unique to Microsoft. They are just a popular
vessel for the internet's unease.

~~~
deelowe
In their defense, Google does try to be as transparent about these legal
obligations as possible:
<http://www.google.com/transparencyreport/userdatarequests/>

~~~
UnoriginalGuy
Google do in the context of law enforcement.

Very little information on the security services (e.g. NSA).

------
Too
Microsoft doesn't exactly have a good reputation to begin with in this field.

Some years ago it was common that your messages through Live Messenger (and
Windows Messenger when it was still called so) got censored in real time. In
one case any message containing the string "download.php" never reached the
receiver and another time the same was true if your message contained a link
to the piratebay or simply the phrase "live messenger". I can't remember any
more concrete examples but there were many times you could easily figure out
the pattern.

~~~
sukuriant
Citation desired? I'm curious.

------
hexis
I hate to be "that guy" and I hope this isn't unbearably naive, but why
doesn't free software seem to even be mentioned in this discussion?

~~~
npsimons
It is, although you have to read between the lines (and perhaps know a bit of
Schneier's previous writings): when Schneier talks about locked down devices,
it's helpful to know that previously he has talked about open source as
necessary for good security (<http://www.schneier.com/crypto-gram-9909.html>),
therefore locked down systems where you can't get the source (or run your own
software) cannot be fully vetted for trustworthiness. This applies on two
counts: if you cannot get source, you have to have faith in the competence of
those providing the software, as well as trust that the motives of those
offering it are in your best interest. With open source software, you don't
have to make either one of these (dangerous) assumptions.

------
webwanderings
I do not understand where was this noise over security when Skype was under
another American company, the Ebay?

~~~
zimbatm
It's because Microsoft has centralised Skype's network. Previously node
discovery and other services were essentially peer-to-peer and thus more
difficult to monitor.

See: [http://arstechnica.com/business/2012/05/skype-replaces-p2p-s...](http://arstechnica.com/business/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/)

~~~
harshreality
They've also recently declared Skype to be the replacement for Messenger.

[http://www.theregister.co.uk/2013/01/09/windows_live_messeng...](http://www.theregister.co.uk/2013/01/09/windows_live_messenger_skype/)

------
wamatt
FTA: _"That's security in today's world. We have no choice but to trust
Microsoft. Microsoft has reasons to be trustworthy, but they also have reasons
to betray our trust in favor of other interests. And all we can do is ask them
nicely to tell us first."_

Schneier's opinion on security is generally held in high regard, however, in
this instance, his fallacious reasoning is somewhat surprising.

IOW, it's highly unlikely that _'trusting Microsoft'_ is the only option we
have.

------
jstalin
Are there any encrypted alternatives to Skype?

~~~
picklefish
Would it be possible to dll inject skype and automatically encrypt all text /
video between you and another person running the same injected dll?

I imagine that's against TOS or something though. I've just always wondered if
it was possible.

~~~
UnoriginalGuy
I'm sure it is possible, but keeping it from breaking with every release is
going to be tricky.

Plus one of Skype's benefits is that it works on "everything" (Windows, Linux,
Mac, Android, iOS, etc); so your solution is only as good as the platforms you
can tag.

------
mikegerwitz
I put together a more detailed comment on this:

[http://mikegerwitz.com/thoughts/2013/01/Re-Who-Does-Skype-Le...](http://mikegerwitz.com/thoughts/2013/01/Re-Who-Does-Skype-Let-Spy.html)

------
samstave
The NSA, of course.

------
junto
The sound of silence is really an admission of guilt.

------
mbrownnyc
Don't forget ZRTP, and solutions like zfone.

------
andyzweb
"You can't stop the signal" -- Mr. Universe

------
OGinparadise
_We have no choice but to trust Microsoft. Microsoft has reasons to be
trustworthy, but they also have reasons to betray our trust in favor of other
interests._

Interests are US Federal laws not to mention other countries. When the FBI
knocks with a warrant or whatever is needed, Microsoft (Google, or Apple, or
FB, or Twitter, or AT&T...) can't do much. Do not trust them for super-
sensitive info: if you're gossiping about your in-laws, maybe it's safe...drug
dealing, assassinations and Al Qaeda stuff probably not so much.

~~~
nathan_long
>> if you're gossiping about your in-laws, maybe it's safe...drug dealing,
assassinations and Al Qaeda stuff probably not so much.

There are more kinds of private conversations than frivolous and evil.

>> Do not trust them for super-sensitive info

Yes, that's the takeaway. We need an easier end-to-end encrypted VOIP method,
so you don't have to trust the pipes you're using.

------
camus
So let's say I want to drop Skype, what soft can I use which has instant
messaging and video communication?

