
Skype backdoor confirmation - austengary
http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html
======
UnoriginalGuy
This is totally nit-picky, but strange use of the word "backdoor." When I read
"backdoor" I was expecting to read about some malware-like functionality
within the Skype client itself, but instead this is just telling us that
Microsoft can read content after it is sent to them via the client and
decrypted.

I would prefer Microsoft stopped scanning/reading my conversations, and I
agree that what they're doing (e.g. accessing URLs) is a problem (and arguably
illegal, given the recent case about someone accessing insecured AT&T URLs and
going to jail).

Just think the original title could have been more clear.

~~~
austengary
A backdoor in their encryption protocol. They claim it is secure.

"The Skype Security Policy is: ... 4\. Messages transmitted through a Skype
session are encrypted from Skype-end to Skype-end. No intermediary node, if
any exist, has access to the meaning of these messages. [1]"

[1]:
[http://download.skype.com/share/security/2005-031%20security...](http://download.skype.com/share/security/2005-031%20security%20evaluation.pdf)

Aforementioned referenced on + additonal security overview/facade:
<http://www.skype.com/en/security/#encryption>

Their hybrid peer-to-peer/client–server implementation allows for
eavesdropping. This is now confirmed to be in practice.

~~~
lucb1e
Oh, that quote from the security policy finally explains why this is so big
news. MSN still doesn't use SSL and that's not big news in anyway. But MSN
never promised to use end-to-end encryption...

------
downandout
I'm not sure how this or the original article are "discoveries". Per the skype
privacy policy, they are receiving and storing just about everything:

(from
[http://www.skype.com/en/legal/privacy/#retentionOfPersonalDa...](http://www.skype.com/en/legal/privacy/#retentionOfPersonalData))

 _Retention of Instant Messages, Voicemail Messages, and Video Messages (Skype
internet communications software application only)

Your instant messaging (IM), voicemail, and video message content
(collectively “messages”) may be stored by Skype (a) to convey and synchronize
your messages and (b) to enable you to retrieve the messages and history where
possible. Depending on the message type, messages are generally stored by
Skype for a maximum of between 30 and 90 days unless otherwise permitted or
required by law. This storage facilitates delivery of messages when a user is
offline and to help sync messages between user devices..._

From Section 8 of that same document:

 _Skype may use automated scanning within Instant Messages and SMS to (a)
identify suspected spam and/or (b) identify URLs that have been previously
flagged as spam, fraud, or phishing links. In limited instances, Skype may
capture and manually review instant messages or SMS in connection with Spam
prevention efforts._

~~~
ballard
The article is fear-mongering with a drip of reality, too much like commercial
news.

If someone didn't think all of their personal electronic interactions: SMS,
gmail (if you still have one), banking info weren't being cursorily evaluated
by echelon or other tinfoil hat system ... blackball the moron.

I'm interested in by-invite-only HN alternatives w/ lower noise and higher
signal. (I'm no longer using HN as a primary news source and refuse to
disclose which I do use.)

~~~
sinnerswing
How about a GMAIL backdoor? oh no!! NOT GOOGLE!

Anyone remember this?

"A US government-mandated backdoor allowed China to hack into Gmail"

"In order to comply with government search warrants on user data, Google
created a backdoor access system into Gmail accounts. This feature is what the
Chinese hackers exploited to gain access."

[http://www.cnn.com/2010/OPINION/01/23/schneier.google.hackin...](http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html)

------
nr0mx
This is the company currently running ads positioning itself as a company that
holds privacy dear.

"At Microsoft, we take our responsibilities for protecting your privacy very
seriously. It’s a priority across all our businesses, and an area where we
continue to work closely with others throughout academia, government and
industry."

[http://blogs.windows.com/ie/b/ie/archive/2013/04/22/consumer...](http://blogs.windows.com/ie/b/ie/archive/2013/04/22/consumer-
survey-85-of-americans-are-concerned-about-their-online-privacy-far-fewer-
take-action.aspx)

"Your Privacy is Our Priority" "The lines between public and private may never
be perfect, but at Microsoft we are going to keep on trying, because your
privacy is our priority." <https://www.youtube.com/watch?v=bt51MWll1oY>

~~~
mtgx
That's the most annoying thing about Microsoft's campaigns. Sure they may be
_slightly_ better in _some_ areas than Google, but overall they are just as
bad, or _worse_ than Google when it comes to privacy.

Maybe I'd get it if those campaigns came from Mozilla or DuckDuckGo (even
though they are still done in poor taste, and resemble too much negative
political campaigns), but Microsoft? I just can't take them seriously in
regards to that. Microsoft is throwing stones from a glass house, and they
should stop.

~~~
jlgreco
> _resemble too much negative political campaigns_

Seriously, outside of politics they are the most negative ads I've ever seen.
Even rival dishsoap or gym ads never get that extreme; nothing else compares.
Did they _actually_ hire a political advertising team or something?

~~~
pyre
IIRC, the Scroogled campaign was put forward by an ex-political campaign guy.

~~~
jlgreco
Oh wow, you're right:
<http://en.wikipedia.org/wiki/Mark_Penn#Microsoft_Corporation>

------
OldSchool
Nothing else explains why Microsoft would pay US $8 Billion for Skype. Profit
margins are either exactly zero or near-zero for every call; this is not 1995
when telco call termination was 20x more expensive.

The simplest explanation is that reliable incumbent Microsoft was hired in
some way to conveniently consolidate Skype. With as many channels through
which Microsoft does business with the US government, favorable contract terms
here and elsewhere could easily make the whole package worthwhile.

~~~
mtgx
NSA was already ready to pay billions of dollars for a Skype eavesdropping
solution [1]. One could wonder if that's one way Microsoft wanted to recover
some of the cost of their investment, and why they were so willing to pay
_twice_ as much as Google wanted to pay. I mean what company outbids another
by 2x/$4 billion for a company with not that much revenue and profit?

[1] -
[http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_...](http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/)

~~~
pyre

      | One could wonder if that's one way Microsoft
      | wanted to recover some of the cost of their
      | investment
    

You _could_ wonder, but it would seem difficult to hide $1 billion in revenue
for a publicly traded company.

~~~
OldSchool
No need to hide anything. An extra billion or two per year going forward would
provide a respectable ROI on $8 billion. Surely there are countless wholly
open ways to accomplish that with a customer the size of the US gov't.

------
buster
Very strange article. It only re-does what all other news sources already
stated.. plus, i think that commonly a backdoor is understood as something in
the software itself that let's someone get access from the outside, which
doesn't appear to be the case.

Plus, to think that skype would be exempt from the governments claim to get
access to all communications and messaging data is very simple-minded. The guy
does realize that today governments can access all his mails, right? SSL/TLS
or not.

~~~
claudius
I have reason to believe that the government cannot access all my mails. But
if it could, I’d be even happier, as it would either prove a fault in GPG
(unlikely) or a working quantum computer implementing e.g. Shor’s algorithm.
And who wouldn’t want to hear of the latter?

~~~
buster
I have reason to believe that you're wrong, because if you're under
surveillance by the FBI or whatever, they will be able to read your mail.
Unless you're the ultra-paranoid guy there are ways to get to your password
physically :(

(so, since you're coming up with GPG which i obviously was not referring to i
can also come up with some unlikely scenario, ok?)

~~~
aurelianito
Obligatory xkcd comic. <http://xkcd.com/538/>

~~~
claudius
If they use this method, I at the very least know that they’re using it and
that my data is compromised.

~~~
buster
If you wouldn't be drugged :(

~~~
jlgreco
Enough alcohol will leave me unable to recall several of my longer passwords.
I find it hard to believe that they have a drug that will 1) not trigger that,
2) not leave a hangover of any sorts, 3) render me entirely unable to remember
the incident, 4) make me inclined to tell them the password.

That would basically be a wonder drug, the ultimate truth serum.

~~~
chalst
There are drugs for some of those things...

1) Barbiturates induce a hypnotic state that has widely been reported to
improve subjects ability to recall details. Published work on human subjects
more or less dried up in the early 70s for ethical grounds (cf. <http://ist-
socrates.berkeley.edu/~kihlstrm/exhumed.htm> "There is, unfortunately, a
virtual lack of controlled clinical studies on the accuracy of hypnotically
refreshed memories."), but I bet the military have classified knowledge. Also,
there's been quite a bit of published work on recall under barbiturates in
dogs and rats.

2) So, you wake up with a hangover, a blackout, some bruises, and an
attractive stranger in your bed. What do you assume?

3) There are drugs to suppress memories. Barbiturates, again, make it hard to
recall details of the trance. Also, see
<http://mbldownloads.com/0205CNS_Pitman.pdf>

4) Barbiturates, yet again, are well-documented to improve compliance, though
at the expense of an apparent willingness to cause you to believe what you
think will please the interrogator rather than what you would normally believe
to be true.

~~~
jlgreco
> _So, you wake up with a hangover, a blackout, some bruises, and an
> attractive stranger in your bed. What do you assume?_

Unless I was out clubbing, taking drugs without knowing what they were, (I am
not in the habit of doing this...), I would get myself to a hospital and
probably call the police. I'm fairly familiar with what truly excessive
amounts of alcohol will do to me and that list of symptoms does not include
truly blacking out without the presence of some other pretty extreme symptoms.
Of course I have not gotten this drunk in years because I am an adult who
knows how to moderate my own drink intake, so I would assume I was drugged
regardless (if nothing else, had my drinks spiked)...

Regardless, any drug-induced blackouts that leave you coherent enough to
participate in complex tasks (including recall) are unreliable at best; there
is a strong chance that the victim will remember that _something_ bad
happened. Honestly it would be better to just give up on the "black out" part,
drug the guy conventionally, then beat the password out of him. You will
undoubtedly have better results by giving yourself fewer restrictions.

------
maaaats
This is misleading, it's not a backdoor. At least not my definition of
backdoor. Anyways, if you need secrecy, don't use a service like this.

I have read people speculating if it's for spam/malware protection. They
screen the urls to see if it's a redirect to known malware.

~~~
burgreblast
Agreed. This is one of those "improve the service things".

GOOG would do the same, but then sell ads against the data and everyone would
say the ads are ok, because they're also operating a free, and very useful
service.

------
rossjudson
Checking URLs passed in messages isn't incompatible with secure communication.
It's easy enough to look at a text message that's going to be sent and break
it into parts (URL and non-URL). Encrypt point-to-point the non-URL parts, and
encrypt the URL parts such that the central servers can read them (and verify
that they're not pointing to bad stuff, which is a _very_ valuable service to
provide to the vast number of readers).

We might find somewhere in Skype's ToS a reference to URL checking, for any
URLs you send through the service.

The URL checks could also be anonymized.

~~~
betterunix
"Checking URLs passed in messages isn't incompatible with secure
communication"

I guess that depends on your definition of "security," and perhaps of
"practicality." Where I'm from (i.e. a grad student whose research is on
practical secure multiparty computation), a practical system for checking URLs
in a privacy-preserving fashion is still very much a research topic.

"It's easy enough to look at a text message that's going to be sent and break
it into parts (URL and non-URL). Encrypt point-to-point the non-URL parts, and
encrypt the URL parts such that the central servers can read them"

How is that secure? Now the third party knows what URLs you are sending in
your messages.

"The URL checks could also be anonymized."

Sure, but that is not what you are seeing here. You would need a mix-net of
some kind, one in which the users themselves are participating (to ensure that
there is at least one honest party). It is technically possible...but you're
not going to see it happen, not any time soon. With the FBI talking about
building back doors into everything, what incentive is there for a company
like Microsoft to actually make such a secure system?

When it comes down to it, most Skype users are too uninformed to even know how
their software might betray them. On the other hand, the Justice Department
could create plenty of difficulty for Microsoft if they failed to cooperate.
Whose side do you think Microsoft will choose?

~~~
rossjudson
I'm not arguing that the communications stay theoretically secure. If there's
any processing going on, they clearly don't. What I'm saying is that you break
the message up into risk and non-risky parts, and the risky parts (URLs) can
be treated differently. That different treatment is very valuable to the vast
majority of users that don't care about complete security, but do care about
having their systems compromised.

Which "betrayal" is worse -- Skype being able to look at messages, or
compromised systems?

In terms of implementation, it's interesting to think about the design space.

------
oelmekki
I wouldn't be surprised it this was intended to help bing discover deep web.
If it's the case, combine that with the ability on bing to do "ip:<ip>"
searches, and you have a formidable tool for forensics.

~~~
quackerhacker
I agree with this. I know that when I've done webdev and when I check out a
unique sandbox url (like jumbled letters with no backlinks) for a page I'll
design, I use to see GoogleBot crawl that page eventually in the logs. (guess
what browser I was using...Chrome)

~~~
cskau
Chrome has all kinds of services like "resolve navigation error", "URL
prediction" and "usage statistics". That Chrome sends your URLs out there on
the Internet isn't exactly a secret. If it bothers you, you can disable some
of the features under 'Privacy' on:

chrome://settings/

The difference here is that Chrome doesn't pretend to be a secure
communication channel like Microsoft claims Skype is.

------
ksk
Have people checked if the client itself sends the URLs separately via some
webservice (as opposed to MS being able to decrypt the IM) ?

~~~
sp332
I have this question too. While still not good, this is the new best-case
scenario.

------
GigabyteCoin
Why is everybody so worried that Skype is visiting URLs you posted in their
chat box?

They're probably just checking them for Malware was my first thought and is
still my only.

~~~
DannyBee
Because they are sending urls you type in back to MS and MS is storing them?

They also claim it's a secure communciations platform. If it was actually
secure, why would microsoft be able to see it?

------
X4

        * Can you please recommend a cross-platform alternative?
    

I only know of Gnome-Empathy/KDE-Telepathy and Pidgin that utilize XMPP's
voice and video features.

I've found this: <http://octro.com/octrotalk.php> which lacks a linux client,
but appears to be solid and has a web-client too.

~~~
sparkie
<https://jitsi.org/>

~~~
X4
I've tried jitsi for some time, but it crashes from time to time. It stores
your passwords in cleartext just like pidgin does.

------
quackerhacker
Don't be surprised. While I can see 2 sides to this argument (it was discussed
earlier here on HN, link below), we shouldn't be too surprised by what some
companies do to "optimize," their products. Microsoft autocrawling http(s)
links could be either for obtaining new bing search results (and it could make
that result relative to your conversation), or it could be for security to
screen links.

I don't know, but I agree that if you have a secret conversation, take steps
like PGP to keep it secret. Big Brother is ALWAYS listening :: usually a good
preventative security motivation ;)

<https://news.ycombinator.com/item?id=5721006>

------
tete
Hey, there is an amazing alternative without setup time, P2P, open, standards
compliant, ...

And best of all it's a shameless ad for a story submitted by myself. ;)

<https://news.ycombinator.com/item?id=5729606>

------
ancarda
The main problem is most of my friends (even those who are programmers) cannot
be bothered to spend the 20 minutes picking up alternative software so I'm
stuck with Skype and Facebook as my primary means of talking to people.

~~~
yarou
Convenience for privacy. :)

------
freewizard
Not surprising at all. Skype has been saving chat logs for its China expansion
since a few years ago. It's an existing function of their network and probably
just a simple switch on their server.

~~~
anonymfus
No, it was reported that Chinese version of Skype spies on client site. If
somebody would get international version of Skype in China, it would not spy.

------
werter03886
I tried testing sending a private link to my server to one of my friends over
Skype after reading the first Heise article. To get a response from Skype, I
contacted them. I think you might find the following very interesting:

"You are correct, Skype chats and conversations are encrypted. Your chat can
only be read when you sign in using your Skype name and password. Not even
Skype or Microsoft has access to your chat history. "

You can see the full transcript here: <http://pastebin.com/bbiSWtrz>

------
rbanffy
What if someone passes an internal (poorly designed) Microsoft REST API that
damages something when HEAD is called?

------
bede
Has anyone developed a user friendly encryption layer that works on top of
Skype? PGP or otherwise. Skype is useful, and it would be nice to have the
option to use it for private conversations.

------
Havoc
Could someone help me understand why the password changed from "bar" to
"yeahright"? Or is that just a mistake on the authors side?

~~~
claudius
He probably typed out the string in the paragraph and copy-pasted the logs, so
likely it is just a mistake on the author’s side.

------
westoque
I guess it's time for Google Hangouts to shine.

~~~
alfaomega
Why? I don't think it's encrypted in such a way that Google can't read it.
References?

I don't think you can trust Google with your chat and docs as well.

From:<http://www.wired.com/threatlevel/2010/09/google-spy/>

>Google acknowledged Wednesday that two employees have been terminated after
being caught in separate incidents allegedly spying on user e-mails and chats.

>David Barksdale, 27, was fired in July after he reportedly accessed the
communications of at least four minors with Google accounts, spying on Google
Voice call logs, chat transcripts and contact lists, according to Gawker,
which broke the story Wednesday.

[http://gawker.com/5637234/gcreep-google-engineer-stalked-
tee...](http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-
on-chats)

~~~
Karunamon
Shocking! You mean that nearly 3 years ago, a hosted service had employees
that may have access to the databases of the services you're using?

The difference being that Google doesn't play at being encrypted end-to-end.

------
Nux
Like their latest ad on British TV says: "At Microsoft, your privacy is our
priority!" :-D

------
Bjoern
This is yet another reason on my list why I welcome WebRTC so that we can get
rid of problems like this.

------
RandallBrown
That article was nonsensical. English probably isn't their first language, but
I have no idea what they're saying.

~~~
wfn
The slang is very common in crypto* newsgroups of these sorts, I didn't find
anything unusual or un-parseable in the message.

~~~
vacri
The best I ever saw was when I had a subtle weird issue with a windows
graphics driver. The only place I could find on google that looked like it had
the answer was a Filipino gamer board... but the only problem was that the
thread was a mix of English, Tagalog, and l33tspeak. I could tell that the
answer was probably there, but I couldn't interpret it...

