

Project Chess: How U.S. Snoops On Your Skype - ArabGeek
http://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/

======
gbin
Am I the only one seeing the background check of URLs on IMs as a good thing?
Those fake https phishing sites spread by a Skype worm could really harm
people. Granted that they could do it like in Chrome's safe browsing feature
without sending the actual URL but a hash of it.

~~~
jdp23
It's a positive thing from an anti-phishing and anti-spam perspective.

It's a negative thing from a surveillance perspective. Any government with at
least some jurisdiction over Microsoft can request this information under
their legal processes.

As you point out, there are ways to get the positive aspects while diminishing
the negative. Hopefully MS will evolve the implementation.

------
tlrobinson
I must have missed the "how" part.

And how is the HTTPS link crawling even related?

~~~
hga
The how is replacing ... volunteered ^_^ 3rd party supernodes with company
provided ones. There were indeed good business reasons to do this as the Skype
item Forbes linked to says, but it also obviously gives Skype complete
control.

~~~
wmf
The supernodes are an orthogonal issue. If Skype is end-to-end secure then the
location of the supernodes doesn't matter. And if Skype is not end-to-end
secure (e.g. imagine if their CA issues MITM certs) then having supernodes in
US university dorm rooms doesn't help you either.

BTW, if anybody wants a refresher, here's what Skype _says_ their architecture
is:
[http://www.skype.com/en/security/#encryption](http://www.skype.com/en/security/#encryption)
[http://download.skype.com/share/security/2005-031%20security...](http://download.skype.com/share/security/2005-031%20security%20evaluation.pdf)
It could have changed since 2005, although I've heard that really old versions
of Skype can still connect to the network.

~~~
ajross
You're confusing "provable security" with "effective privacy", and they aren't
the same thing.

Having uncontrolled supernodes certainly does "help you", as it means Skype
can't see the traffic without some other exploit to get it. Verbal
communication is normally "insecure" and subject to eavesdropping, but if I
have the conversation on a boat in the ocean I can be relatively certain that
no one else is going to hear it.

~~~
moheeb
I considered verbal communication as the most secure! I'm curious what would
be considered more secure. The only method more secure that I can think of is
sign language, but that doesn't translate electronically.

------
shmerl
Use XMPP/Jingle with ZRTP. Why would anyone trust Skype to begin with?

~~~
mtgx
Or Jitsi:

[https://jitsi.org](https://jitsi.org)

I figure P2P encrypted WebRTC calls should work soon, too.

~~~
shmerl
Jitsi does use Jingle with ZRTP :)

------
DennisP
It was a sad day when Skype was bought by eBay. Prior to that, the CEO was
asked what he was going to do about the new U.S. law requiring provision for
wiretapping. He said "we're not a U.S. company, why would I care?"

------
joering2
Skype under Microsoft really infused itself with MS spirit.

- you cannot turn off Skype updates. Please try. For longer than 2 weeks,
Skype will update itself anyway and will keep telling you "would you like to
update". Totally deceiving. Turning Skype updates off doesn't help. They are done
through Windows 7 updates. Turning those off does not help either LOL.

- on top of those forced updates, each time (at least on Windows 7), you
have to re-do the following: delete "echo / test account", re-do your
notifications, re-do sound settings, re-do all confirmations (delete contact,
close Skype, accept file, etc).

- I beg someone to give me a genuine, smoothly working alternative with an iOS
app. Honestly at this point, security comes second as long as I can avoid
Microsoft.

~~~
kamjam
[http://portableapps.com/apps/internet/skype_portable](http://portableapps.com/apps/internet/skype_portable)

There you go, no need to mess around with auto updates :)

~~~
MrDOS
Do they have an archive of previous versions? Due to annoying
incompatibilities between recent versions (6.0+) of Skype and skype4pidgin[1],
I've been considering switching back to 5.0.

[1]
[http://code.google.com/p/skype4pidgin/](http://code.google.com/p/skype4pidgin/)

~~~
kamjam
I think with portable it still connects to the Skype site to download the
required files at initial setup.

You could install from:
[http://www.oldversion.com/windows/skype/](http://www.oldversion.com/windows/skype/)

~~~
MrDOS
Ah, alright. I'm familiar with OldVersion and that was how I was originally
anticipating installing it, so I guess that's what I'll do.

------
embolism
Suddenly FaceTime voice seems like a killer product.

~~~
Noppix
Apple are signed up for PRISM.

~~~
embolism
But they have stated that FaceTime uses end-to-end encryption and they can't
decrypt the content. PRISM can only access data that the companies actually
have.

This is why Google and Facebook are so dangerous - they are deliberately
creating detailed profiles of each person's behavior.

~~~
iamshs
The truth: Nobody knows [1] [2] [3].

[1] -
[https://www.schneier.com/blog/archives/2013/04/apples_imessa...](https://www.schneier.com/blog/archives/2013/04/apples_imessage.html)

[2] -
[https://www.techdirt.com/articles/20130405/01485922590/dea-a...](https://www.techdirt.com/articles/20130405/01485922590/dea-accused-leaking-misleading-info-falsely-implying-that-it-cant-read-apple-imessages.shtml)

[3] -
[http://www.zdnet.com/u-s-government-cant-intercept-imessage-...](http://www.zdnet.com/u-s-government-cant-intercept-imessage-but-it-can-still-serve-apple-a-search-warrant-7000013533/)

~~~
embolism
The truth is, Apple has made a clear statement that they _can't_ intercept
the contents.

That's more than anyone else has said about their products. Saying 'nobody
knows' is pure FUD. It's equivalent to saying nobody knows whether Google
pipes all their data direct to the NSA even though they've denied it.

