
Microsoft changes skype supernodes architecture to support wiretapping - smartial_arts
http://skype-open-source.blogspot.ch/2012/05/microsoft-wiretapping-on-skype-now.html
======
jjguy
Even if the sensational headline is accurate, it's not worth the conspiracy
theories:

(1) Microsoft is a US Corporation

(2) With the Skype acquisition, Microsoft (arguably) becomes a
telecommunications carrier.

(3) CALEA passed in 1994, "requiring telecommunications carriers and
manufacturers of telecommunications equipment modify and design their
equipment, facilities, and services to ensure they have built-in surveillance
capabilities, allowing federal agencies to monitor all telephone, broadband
internet, and VoIP traffic in real-time." [a]

My (unfounded, optimistic) speculation is the skype acquisition was strategic
positioning in the mobile market: seamless cutover to skype when your phone
has WiFi.

a -
<http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act>

~~~
charonn0
Why, then, wasn't Skype required to implement CALEA-compliant functionality
before Microsoft bought them?

~~~
msbarnett
After CALEA was extended to online services in 2006, Skype was legally
required to implement wiretapping. They didn't, and stated they had no
intention of complying with CALEA publicly, but never seemed to have been
targeted by the DOJ over their non-compliance.

But they were still legally required to have done so, and the DOJ could have
sent them up shit creek if doing so ever became a priority.

What's changed now? Probably just that Microsoft's legal division wasn't
comfortable having that kind of regulatory non-compliance under their watch.
Microsoft gets a lot of scrutiny from the DOJ and probably aren't particularly
keen on being hauled up on new charges over this issue.

------
omh
Contrary to the article, Skype didn't previously use supernodes for traffic
between NATed clients. They were just used for NAT hole punching and then the
traffic was direct between the clients.

It is possible that after receiving a wiretap request Skype will route your
calls differently. But they could have rolled this out by just upgrading the
supernode code and keeping supernodes distributed.

It seems far more likely that they made this change for stability/reliability.
Particularly after the Skype network crashes that have happened in the past.

~~~
lgeek
Well, you need a 3rd machine to route traffic between two machines if both are
behind NAT^. It was my understanding that supernodes were (also) used for
this.

^Unless you can predict the translated source port

~~~
sharjeel
<http://en.wikipedia.org/wiki/Hole_punching>

~~~
viraptor
Doesn't contradict the parent post. For hole punching you need to know the
source (host+port) your peer sends traffic from. If the source port is
randomised (or already used by someone for udp if nat prevents sharing), hole
punching will fail.

~~~
cma
That's where the third party supernode comes in; the sending peer tells the
supernode which source port it is using to send to the non-supernode.

~~~
viraptor
If you're natted, the source port seen by supernode doesn't have to be the
same as the one seen by others. Someone on your network may be talking to the
same supernode already, so the conflict has to be resolved by some remapping
in the nat.

~~~
cma
You then retry with an alternate supernode.

~~~
viraptor
Unless your NAT is randomising ports by default. Then you will always get the
wrong answer.

~~~
drivebyacct2
No. I don't know why you're not listening to what he's saying. I can tell you,
from currently writing code that does STUN negotiation, unless you have two
peers behind full-cone NAT (which is rather rare actually), you do _not_ need
to know what the port mapping/translation is.

I have a sideband connection to a server, and I tell it to route my
negotiation packets to my peer's sideband connection. I literally never even
touch a UDP port or connection, and the library I use establishes a
connection using STUN(-light). And from having read the source, it doesn't
explicitly determine or set the mapping (using UPnP) either.

~~~
viraptor
In my work with VoIP that situation was pretty much the default assumption. I
agree that it's only the double NATed situation that's hard to handle, but
stay by my opinion that sometimes it's just impossible to resolve without a
middle man. But it depends on many things - clients, routes, number of people
in local network using the same application, etc. Sometimes you just have to
fall back to proxying everything.

~~~
drivebyacct2
> stay by my opinion that sometimes it's just impossible to resolve without a
> middle man

Right, that's why TURN is part of ICE.
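
The case argued in the subthread above, as an added example that is not part of any comment: a toy model of two NATs and a rendezvous server, showing when the port the server observes is the port the peer will actually see, and when the call has to fall back to a relay. The `Nat` class, the addresses, and the port-restricted filtering model are assumptions made for the example.

```python
import itertools

class Nat:
    """Toy NAT with one public IP and port-restricted filtering (assumed model)."""
    def __init__(self, public_ip, symmetric):
        self.public_ip = public_ip
        self.symmetric = symmetric        # True: new public port per destination
        self._ports = itertools.count(40000)
        self.mappings = {}                # mapping key -> public port
        self.allowed = {}                 # public port -> remotes we have sent to

    def send(self, src, dst):
        """Translate an outbound packet and return its public source endpoint."""
        key = (src, dst) if self.symmetric else src
        if key not in self.mappings:
            self.mappings[key] = next(self._ports)
        port = self.mappings[key]
        self.allowed.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def accepts(self, public_port, remote):
        """An inbound packet passes only if we already sent to that exact remote."""
        return remote in self.allowed.get(public_port, set())


def connect(nat_a, nat_b):
    """Return 'direct' if UDP hole punching works, else 'relay' (TURN-style)."""
    server = ("198.51.100.1", 3478)       # constructed rendezvous address
    a_in, b_in = ("10.0.0.2", 5000), ("192.168.1.2", 5000)
    # 1. Each peer registers; the server records the mapping it observes.
    a_seen = nat_a.send(a_in, server)
    b_seen = nat_b.send(b_in, server)
    # 2. The server swaps the observed endpoints and both peers send a probe.
    a_src = nat_a.send(a_in, b_seen)
    b_src = nat_b.send(b_in, a_seen)
    # 3. A probe lands only on a live mapping that permits its source endpoint.
    a_to_b = nat_b.accepts(b_seen[1], a_src)
    b_to_a = nat_a.accepts(a_seen[1], b_src)
    return "direct" if (a_to_b and b_to_a) else "relay"


if __name__ == "__main__":
    for sym_a, sym_b in [(False, False), (False, True), (True, True)]:
        a, b = Nat("192.0.2.10", sym_a), Nat("203.0.113.20", sym_b)
        print(f"symmetric A={sym_a} B={sym_b}: {connect(a, b)}")
```

With a symmetric NAT on either side, the probe leaves from a port the server never observed and targets a mapping that only admits the server, so both directions are dropped and the media path must go through a third machine.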

------
EwanToo
The change is interesting (though not that new it seems), but Microsoft flatly
state that calls do not go over supernodes [1]:

"This has not changed the underlying nature of Skype’s peer-to-peer (P2P)
architecture, in which supernodes simply allow users to find one another
(calls do not pass through supernodes)."

Now obviously this could be a lie, but it should be fairly simple to prove one
way or another - simply force a call between 2 NAT'd clients, and trace where
the voice packets go, it'll either be to one of these newly centralised
supernodes, or somewhere else?

1 - <http://arstechnica.com/business/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/>

~~~
sspiff
Calls don't go over supernodes: I frequently call people on Skype for a
conference, with my brother participating on the same network, and when the
call drops, my brother and I can still talk. Might be that this is an
exception for extremely local connections, but I've had similar experiences in
other situations as well.

~~~
0x0
That doesn't prove anything at all.

------
yread
wow a 2 month old blog post with a HN comment as a single source?

To keep OT: Perhaps they will be soon required to be able to wiretap
<http://www.pcadvisor.co.uk/news/security/111150/eu-seeks-to-change-skype-wiretapping-laws/>

It will also bring benefits to end users if the client's machines won't become
supernodes. And perhaps avoid the problems from last December
<http://www.disruptivetelephony.com/2010/12/understanding-todays-skype-outage-explaining-supernodes.html>

------
scrrr
Recently I have found <https://jitsi.org/> which seems to be a possible
alternative for Skype.

------
crazygringo
The title is clearly a completely unsupported hypothesis.

Why do HN mods change perfectly good titles seemingly at a whim, and then when
there's a linkbait title screaming to be changed, then don't touch it?

------
qq66
Or, you know, centralizing their architecture so they can own all your
communications and sell you ads like every other Tom Dick and Harry.

~~~
einhverfr
I don't think so. They wouldn't be able to target the ads without a lot of
effort.... That's a LOT of voice recognition going on in a setting where
people are not trying to dictate.

~~~
qq66
Most companies these days are hoarding data with no current abilities to
analyze it for profit. They're rightly predicting that analytical capabilities
will improve and they don't want to be the ones living in that world without
massive amounts of customer data.

~~~
einhverfr
Right. That way I can send you the ads I would have targeted to you if you
were still in college! That you are now 40 and have 3 kids is no matter. You
still want all the cool college stuff, right?

~~~
eli
Data storage is stupidly cheap. You might as well save all the data your users
provide to you.

~~~
einhverfr
I am curious. Regarding voice communications, where does the Stored
Communications Act come into this? What can they legally store?

------
s_henry_paulson
Just thinking out loud, but wouldn't it be possible to build a simple skype-
addon that would look at your network traffic and be able to tell if your
voice conversations were going through a supernode and not p2p.

This way you would get a quick indicator of whether or not you were likely
being monitored.

------
mrb
_"Microsoft has replaced P2P Skype supernodes with thousands of Linux boxes"_
from <http://arstechnica.com/business/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/>

Wow. Does it make it the first, large scale, internal(¹) deployment of non-
Windows infrastructure by Microsoft? The question is: why? Did their engineers
manage to convince the company that Windows is ill-suited to the task? I am
quite stupefied.

(¹) "Internal" as opposed to situations where Microsoft inherited non-Windows
infrastructure from external acquisitions, such as when they acquired Hotmail
in 1997 and their 5000 FreeBSD servers (eventually migrated to Windows.)

~~~
Tyrannosaurs
I was under the impression that they've used Linux in the past effectively as
a firewall for their internet sites. Whether this was a temporary response to
a specific situation or a semi-permanent thing I don't know but I recall
reading that there was a period where Microsoft.com was returning non-Windows
header information.

While they obviously don't publicise it I think they've probably used Linux
where it's appropriate for some time now.

~~~
ch0wn
If I remember correctly this was done by Akamai and not directly by
themselves, while this time the nodes are effectively under Microsoft's
control.

------
ck2
It's amazing how citizens' rights to privacy have completely eroded while their
governments now get to operate in near complete secrecy against them.

------
aerique
The implication with wiretapping (and the NSA acronym) is that it is about
security and safety against criminals and terrorists. I've always wondered how
much of a business advantage it is to be able to tap into the world's biggest
VoIP network?

I've seen Skype being used a lot in businesses both centralized and
decentralized.

------
tunnuz
I admit I don't know much about the internals of this, but maybe it's because,
by serving as a node to forward other transmissions, the former Skype client
drained people's mobile broadband data budgets. In this way they avoid this.

------
Someone
I think it is more likely because they want to build a social network for
collaboration around Office 365, Yammer and Skype, and maybe, be able to give
some uptime/quality guarantees to customers (things would not necessarily be
better, but more under control of Microsoft)

If you have a distributed system but want to wiretap some calls, I think it
would be easier to have some back door for instructing clients "whenever you
make a call/get a call from one of these numbers, CC us".

------
smsm42
The evidence on this one is rather thin. It takes a speculation in a comment
on HN about what Microsoft _could_ be doing - without any proof that they are
actually doing it, adds some code that proves something Microsoft claims they
do not do could be done if they wanted to do it - and the conclusion is
Microsoft definitely has sold everybody to the Man. I think a jump from "they
could be doing it" to "they did it" requires more proof than that.

~~~
Scene_Cast2
This is for anyone who was assuming that Skype wasn't wire-tappable. But then
again, I don't know why anyone would assume that in the first place.

------
guelo
This is the kind of thing that makes it annoying that just about all
interesting internet companies are in the US. Why can't Europe step up with
some competition?

~~~
qznc
Skype was originally a Swedish company until it was acquired by eBay.

~~~
rocky1138
Estonian, I thought.

~~~
sdfjkl
Luxembourg actually, with Swedish founders and Estonian coders.

------
runjake
The National Security Agency put out an RFP for Skype decrypting/intercepting
a while back and this was the first thing that popped back into my mind when
Microsoft bought Skype. Then, when M announced they were replacing the
supernodes, it only re-confirmed what was going on, in my mind.

------
wslh
This means new opportunities in the VoIP market. Thank you, Microsoft

~~~
mtgx
In the short term, I'm hoping Google Hangouts will be a viable alternative for
both normal users and enterprise users.

In the long term, I hope the WebRTC protocol will disrupt both of them.

~~~
kevindication
Why are Google Hangouts a viable alternative for people who care about
privacy? (Ostensibly the point of this article.)

~~~
alttab
I agree. Distributed and P2P with encryption is the only way to guarantee
privacy.

------
mmariani
Any privacy we could have had using Skype was dead the same day MSFT bought them.
It was just a matter of time to make it official.

What's gonna be from now on? Stay put, and watch it.

------
jaytaylor
SKYPE GOES OPEN SOURCE......FLAWLESS VICTORY:
<https://joindiaspora.com/posts/1799228>

------
xSwag
What are some good open source alternatives for skype?

~~~
sdfjkl
VSee (<http://vsee.com/>) doesn't look bad, but it's also closed sourced.
Something built on open standards (SIP/XMPP) like Jitsi is likely to be more
transparent because you won't have to guess what some mysterious supernode
does and doesn't do with your data.

Good luck getting your non-techie friends to use that though. Skype became
popular because it just worked, which at that point had not reliably been
achieved even for plain voice calls, much less video.

------
briandear
Remember Microsoft has major contracts and relationships with the Chinese and
Korean government, among others. This stuff is the dark underside of a
Microsoft acquisition. Of course, they have relationships with the US govt as
well, but Americans are ostensibly protected by the Constitution -- those
protections (as well as due process) don't exist in many countries with
whom Microsoft does business.

------
alttab
Did we really think we could trust Microsoft with such an acquisition?

~~~
toyg
You used to trust a shady Europe-based private corporation; now you have to
trust a shady US-based private corporation. Regardless of their specific track
records, there is nothing intrinsically different between the two.

~~~
alttab
Except executive management and leadership

------
maked00
Duh, never heard of hostile take-over. Microsoft has a long history of simply
buying out technologies and then deep sixing them.

------
tinfoilhat
omg, I've just only now realized, my phone company can wiretap all my calls

------
hastur
Wiretapping sounds so innocent. Of course, all US comms must be available for
lawful wiretaps in fight against crime.

No, what we're dealing with here is a dragnet cast upon the comms of users
around the world, who aren't protected by US Constitution and thus can be
tapped at will by US agencies and even private corporations without any
warrants or oversight.

For instance, if Microsoft wanted to learn about technical or trade secrets of
competitors communicating through Skype (say, a couple of start-up founders),
now they're free to do it.

Also, if a US agency wanted to put on a no-fly list some people who casually
converse about what morons those TSA people are or how all US administrations
support the Israeli regime that commits war crimes against Palestinians, now
it's very easy to do.

~~~
HarshaThota
_For instance, if Microsoft wanted to learn about technical or trade secrets
of competitors communicating through Skype (say, a couple of start-up
founders), now they're free to do it._

Is that any different from using, say, Gmail or Google Apps? Not saying that
Google is looking at that data but this is a problem with essentially every
web-based communication tool. People shouldn't have an expectation of privacy
or security just because it's a company they know/like or it's a popular tool.

~~~
pfraze
It's a risky situation, if you ask me. Consider the data that tools collect on
us:

- location and contact history (cell phones)

- message history and address book (email, social network)

- interests/activities (calendars, event tools, feed subscriptions)

- browsing history

As an engineer, think about the evil fun you could have with that data. You
could really mess somebody up if you didn't like them.

~~~
untog
While technology makes this easier, it isn't new. You could hire a PI to
follow the CEO of a competitor. You could break in and bug their offices.

None of this is legal, and if discovered there would be a legal case to
answer.

------
cooldeal
Sad to see a two and a half month old blog article with a flame bait headline
and no references or proof being lapped up by HN.

~~~
robert_nsu
Yeah. Personally, I take all articles with a grain of salt when the author
bandies about terms like M$.

------
mtgx
I think these 2 older articles support that conclusion as well:

<http://www.conceivablytech.com/8108/products/microsoft-may-add-eavesdropping-to-skype>

<http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/>

All of a sudden the outrageous $8.5 billion price Microsoft paid for Skype
(and twice as much as any other competing bid) starts to make sense.

------
maked00
It's called a hostile takeover. MS has a long history of buying tech companies
out and then deep-sixing the tech forever.

