But this. This baffles me.
Skype worked as a p2p network, where some peers were marked as super peers and would help with peers behind firewalls (UDP-holepunching), and routing through the super peer. If your phone became a super peer, you could expect to essentially work like a server, with the "benefits" of increased bandwidth usage and power usage. Not exactly what you want as a mobile user.
So Microsoft had to change the architecture (which wasn't designed with mobile devices in mind) into a more centralised approach that could work with mobile devices.
A simplified explanation: Mobile devices will often ignore almost all incoming network traffic to reduce battery usage. The only way to reliably communicate with the device is through a centralized push notification service (e.g. APN and GCM).
There’s fsync() but it only syncs when you launch the app - what I think you meant is “there’s no continuously syncing iOS SyncThing app”.
I am using CSipSimple to my own server, battery usage is the same. Yes this is anecdotal evidence, but one can always check.
Unfortunate result is hundreds of apps waking up the phone every 20 seconds and transmitting data nonstop. Sigh.
You use a central server to do the discovery and bootstrap the connection between two devices. For each device it looks like they are connecting out. This works for UDP and this works for TCP. It works both for NAT'ed and LAN peers. For the latter it works 100% of time. This is a 10 year old tech. It worked back then and it works now.
We ban accounts that are uncivil like this, and you've done it a lot in the past, though happily not in the recent past, so please just don't do it at all.
If I read you correctly, you seem to have significantly lowered the plank for what you ban people for. What the OP said was a complete factual garbage showing an utter lack of understanding of the subject he is so confidently commenting on. So this was, by any conventional definition of the term, a bullshit. How can this conceivably be a cause for a ban?
It's easy to point out that a statement is wrong without being disrespectful, if you want to, and so neither damage the community nor discredit the truth with personal bad behavior. That way we all can learn something.
Perceptions of what's uncivil can vary for legitimate reasons, e.g. differing cultural standards—HN is a highly international community. But for that very reason, we need people to err on the side of being respectful. The alternative leads to wars and ultimately the death of the forum.
> differing cultural standards
Well, that's exactly the problem, isn't it?
What passes for normal "civil" behavior in countries like States and Canada looks like a completely fake way to express sentiments in other parts of the world. If someone asks "how are you?", they, more often than not, actually want to know how you are, not soliciting the "I'm fine" response.
What I said in the comment you killed I would absolutely not hesitate to say in person. I did not want to point out that his statement was wrong. I had an issue with the fact that he was commenting on things he doesn't appear to understand well in the first place. This was a personal remark, but I'm not sure which format you expect it to be distilled in to be acceptable as "civil".
If we are to reverse the situation, i.e. if it was me who blurted out something equally majestic, I would expect and prefer to be told just that instead of a wishy-washy pretense polite way. To me, coming from one of them "different cultural standards", the latter is a strange and alien way to communicate with others... which brings us right back to your remark about being respectful. Sometimes I'd be blunt when responding to comments I find particularly inane, but I also expect others to be blunt to me if the situation warrants it. Being blunt is not the same as being disrespectful, leave alone "uncivil".
> Then we all can learn something, which is the intended use of the site.
I've always viewed HN as a place for discussion with people of similar interests. Some may indeed learn a thing or two here, just like on any other forum, but stating that it's the intended use of the site is really quite strange.
How Skype works, is how msn messenger worked, office messenger, then office communicator worked, then Lync, now skype.
They moved Skype to their existing infrastructure
This might be one reason why. Fuck software patents.
Edit: There's https://tox.chat but I have never used it/always forget it exists. Antidote/Antox as clients for iOS/Android.
"Hey guys, I've got a patent for talking from one machine to another over a connection." (Don't give SCO any ideas.)
The purpose of patents was to foster innovation, not squander it.
What if Isaac Newton and Leibniz had a "foundation" that owned the rights to every mathematical construct they discovered? How would the world function if we had to pay that foundation fees every time we used Newton's method, or Calculus? It'd be complete bureaucratic hell.
And further, coming from another angle, I bet you money there are prior implementations of P2P chat long before... 2005.
I was working on an app that had graph-like data so we decided to use a graph database...nothing super innovative. My coworker, who apparently had a couple patents, said that we could probably patent this algorithm. I looked at him and said, how can you patent traversing nodes and vertices... that's graph theory 101?!
Big companies try to patent everything because it's a metric they can use to show how amazing they are, and acts as blackmail (or cold war). If you sue me, I'll sue you.
Other explanations that seem plausible:
* IBM patent, as other poster pointed out.
* ability to monitor/censor users more directly (to stay in government's good graces)
* problems with peers invading privacy or taking other malicious actions
As an engineer and software developer, I find this to be extremely unlikely.
If "super-peers" can already route traffic for others, it seems very likely they could simply route all traffic for Mobile users through some "super-duper peer", instead of routing all traffic for all users through some "super-duper peer".
Or to put it another way: If I accept the choice is between routing mobile traffic to Microsoft, or no mobile-Skype support, I don't understand how it follows that all traffic needs to move through Microsoft, or no mobile-Skype support.
I'm sure there were other reasons involved in the decision, I don't pretend to know them, but from a business perspective alone, you choose one connection methodology and you stick with it. Anything more is wasteful of resources.
They already had a protocol that essentially did both.
Once you have forwarding/routing i.e. what Skype called "super-nodes", P2P is a clear superset of "centralised".
Anyone who says different doesn't know what they're talking about.
> I'm sure there were other reasons involved in the decision, I don't pretend to know them, but from a business perspective alone, you choose one connection methodology and you stick with it. Anything more is wasteful of resources.
I'm not speculating.
I've seen engineers do stupid things that don't make sense; I'm not arguing that there are stupid reasons for it, and I'm not going to argue that there's non-technical reasons for it.
But technical reasons? I don't buy it. I need some convincing: If one protocol (the P2P one) does both use cases, then you don't need another protocol just to handle one use case. That's just not how protocols work.
In fairness, it was eBay that first bought Skype in 2005 centralizing the data. eBay then sold it to a private investor group which Microsoft then bought Skype from in 2011.
Following the Snowden leaks as well as the information from Bill Binney, NSA scoops up the data regardless..
That seems like pretty unreasonable tinfoil. There is no reason for Microsoft to want to give information to governments. I assume they don't pay, and the cost is consumer trust. Makes a lot of sense to rearchitect such that you can't give in to government demands.
No? I don't think you are being fair.
First of all Microsoft is not one mind. There are lots of motivations bouncing around inside that entity, and not all of those motivations are 'reasonable' like you purport to be.
Second, secret court orders get issued to these big companies all the time. You don't know what kind of affordances Microsoft has provided for US and foreign government and intelligence services.
> I assume they don't pay ...
Oh let's not be pollyannaish, any contract work done for governments would be paid work. Cha-CHING! I see dolla signs. $$$
It's infinitely reasonable to distrust large internet companies that gather interesting user data. paule89 just came right out and says what a lot of us reasonable folk are thinking.
Maybe someone at Microsoft's decided it would be more profitable to salvage the Skype name and introduce some real end-to-end encryption just like the competition has. Or, maybe Microsoft is helping the Five Eyes to use Skype + Signal as a big real-world test bed for cracking or weakening Signal's encryption. I mean, it's just impossible to know what's really going on here.
Doesn't seem so to me.
>I assume they don't pay
You're dead wrong, my friend. They do pay. A lot. Think of all those juicy government contracts.
Though, some companies are handed a court order to "share" their data (quarterly, about 80 companies so far). And NSA has standard rates for this.
Apple might actually be making consumers care in an odd way by making it such a public issue.
Backdoors require quite a few MSFT people with--way more than--FU money agreeing to it. I would bet that something like this would leak. All it takes is one to annon leak a screenshot or a memo
Signal (the organization) has worked with other companies, like Facebook and WhatsApp (owned by FaceBook, I know), to implement the Signal protocol on their respective messaging services. It appears that's precisely what they're doing with Skype in this case. It's not like Microsoft is buying out Signal.
Signal is also the basis for the protocols for Wire (Proteus) and Matrix (Olm).
Wire is attempting to pursue decentralization, but federation is not (yet) in their roadmap.
Matrix is looking good, but again not P2P only federated. This is why we are trying to do fully P2P end-to-end encryption like with https://hackernoon.com/so-you-want-to-build-a-p2p-twitter-wi... .
Notably, things we don’t have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with.
All message contents are end to end encrypted, so we don’t have that information either.
I installed Signal a few days ago for the first time and there was definitely a prompt, with an easy way to skip it, before it did the find my friends thing.
The wording also seemed to indicate that only the hashes of the numbers would be uploaded but not sure if that's actually true.
Signal periodically sends truncated cryptographically hashed phone numbers for contact discovery. Names are never transmitted, and the information is not stored on the servers. The server responds with the contacts that are Signal users and then immediately discards this information. Your phone now knows which of your contacts is a Signal user and notifies you if your contact just started using Signal.
I suspect security will remain a privilege of the technical elite or those that can pay the technical elite. I guess maybe that's OK, but a bit concerning at a consumer level where it could be another factor increasing the class gap.
On the other hand, this sort of integration is a symbolic baby step of little practical impact or increase in security. Not only are these features not enabled by default, they're so deeply buried in the UI they're hard to find even when you know they're there. It's easier to accidentally send someone an animated gif of tapirs playing poker and smoking cigars on FB Messenger than it is to deliberately start an encrypted conversation. Skype and Allo are not much better.
Seems like most of the critiqued stuff has changed. By the time I got to EFF recommendations Signal was the winner and use of telegram and cryptocat was discouraged.
What were the grades for apps/protocols that run on closed, proprietary basebands with, in some cases, DMA? Or on devices with embedded, parallel computers that can run arbitrary java programs uploaded, at any time, by the carrier, without the users' knowledge?
All fails, right? Straight "F"s?
 These are called "SIM chips"
- Open the app to the "Messages" tab.
- Tap the compose button in the top right corner
- Tap the "Secret" button in the top right corner.
I prefer for Signal to be attacked and to matter than to be unattacked and to be irrelevant.
Regardless, the exposure ship sailed long ago anyway when WhatsApp with their billions of users, including plenty of terrorist groups in the middle east and africa, decided to adopt the platform.
Additionally, breaking crypto systems like this in practice, if possible, pretty much always means targeted attacks. Which is a significant difference from the type of mass surveillance which Skype et al currently allow.
Even Blackberry bragged about building a system for the NSA/CSEC to provide real-time data access to every BBM being sent in the Toronto area during G20. It's very likely that Skype has a similar system and this change (should) make that fundamentally infeasible.
They believed that everyone should be able to have an easy way to communicate with everyone, with a nice UI/UX, AND have an app secure and respectful of your privacy. And this led to the Signal protocol and the Signal app.
The Signal protocol may be sound, but as we've seen with today's WhatsApp news, there are still implementation-specific compromises being made. Not to mention that many of those companies ship a closed source product. They could publish a spec of what should be going over the wire to make it auditable without needing to go all open source, but they don't do that either. Things are really kept closed. I am not sure whether it's a net positive or a net negative when another user joins WhatsApp or a similar service, versus Telegram where encryption is opt-in but at least it's open source and not leaking metadata to BigCorps whose profit model is knowing you.
And I would definitely not say Telegram is the best tool here. If you want something really secure, I would recommend the Signal app.
In the end, it is always who you decide to put your trust in.
Would it be possible to use the same open source proto and crypto that Signal chose, but in a way that does not rely on third parties to run servers, such as OWS, WhatsApp, Facebook, Google, Microsoft, etc.?
Moxie has said repeatedly that they're working to do better on this front, but it's not without its technological challenges. He's written repeatedly about this and has also called for anyone willing to try to make it happen and offered to help them. Just one example springs to mind:
And federation is possible over XMPP with Signal:
That article does not say this. In fact, it more or less has the opposite meaning.
NAT, Firewall, etc all make it very difficult to do true P2P as well.
The only systems that have had even tiny problems with were Gmail and Microsoft. With Gmail it took a while to build reputation as a non-offender. With Microsoft the first time I sent mail to their way, I got an automated bounce with instructions to forward to a certain address for human verification. That check round took maybe 12 hours and I haven't had any problems since.
I find that pretty reasonable.
But how do you know that when you send mail to a new Gmail contact it won't be silently flagged as spam? And how many times will the recipient have to "un-flag" before the behaviour changes?
> The only systems that have had even tiny problems with were Gmail and Microsoft
The "only" big provider missing from that list is apple (in the West anyway).
I've never meant to claim that smaller providers that know what they're doing aren't capable of sending proper bounces, setting proper smtp error codes on reception or of handling email to postmaster@.
It's just that with Gmail and outlook not being good net citizens - it becomes unreasonably hard to send legitimate email to a large percentage of Internet users. One possible "fix" is to send mail to Gmail users via a Gmail account and Gmail authenticated smtp servers - and so on for outlook.com - but as the number of "silos" one needs to send data to grows, that solution becomes cumbersome. Not to mention if you publish an mx record for your domain, you should be accepting email... That's the whole point...
It's not like "today, you feel white-ish enough to not be silently dropped at gw, black-ish enough to go in the spam folder without warning" is the only valid policy to fight spam.
Even simply rejecting with an error (spam suspected) would be better than the silent treatment.
And I don't see anything wrong with telling people how you set up a firewall. We even write books about that.
The extension I built was a POC just showing how it could be done easily with Keybase.
Or Outlook(Office365), Ymail, Zoho, GMX, iCloud, Yandex, Proton.
We built our video calling app, Daily.co, on top of WebRTC and so we could relatively easily include end-to-end encryption from the day we launched.
A few things make e2e harder as you scale up. One is that metadata gets more and more important, for a lot of reasons, as you add features and try to grow a business. As has been pointed out here, Skype was end-to-end encrypted in the pre-Microsoft days.
Another challenge is that it's a lot easier to build e2e encryption for mesh network topologies than if you're routing things through central servers. For video calling, mesh networking breaks down as you add more users to a call. For us, that means we're e2e encrypted up to 4 people in a call. After that, we're forwarding video streams through our servers in the cloud, and we don't do e2e encryption anymore. (Not that we wouldn't like to, it's just a much heavier development lift.)
If possible, just put the old Skype interface back. The new design with all its jazz-matazz and sparkles have made the product unusable. It is not a first-world unusable I am talking about. The product is not usable, as in I am moving away from Skype after being a customer who has given thousands of dollars in business over the years.
How did the new Skype design pass user feedback reviews? Honestly asking to learn.
the only workaround i found was the pidgin skype-web plugin, which can be a little buggy, but it's far preferable if all you use skype for is IM.
I used to work on a virtualised Windows machine (work mandated) and the only usable accessibility option was a high DPI setting. The old Lync client worked perfectly with this, obviously dating back to an age where they cared about accessibility. Skype for business completely ignored system DPI settings, made certain things huge with other things being tiny.
The spacing was the biggest issue - literally 30-40% of my 43" monitor would often be taken up by spacing around icons etc on the app.
It really felt as though they just stopped putting as much effort into UX, accessibility, usability. Lync felt like a professional IM client, Skype for Business felt like a half baked bodge.
Or better, support dual account logins.
Put another way, if I have a group with 10 users and it's encrypted and then another person joins and can see the old messages, was it actually securely encrypted in the first place?
Sure, why not? Assume, just because it's the first thing that came to mind, that message history is encrypted using GPG and every message is encrypted with everyone's individual public keys. When a new user joins, one user just encrypts the message history with the new user's public key.
Or am I missing something? Do the existing users in the group not have access to their own message history?
That said, encrypting every message with everyone’s public key doesn’t scale, so instead you’d likely want to generate a symmetric key for the group and as new users are invited the inviter would encrypt the group key with the invitee’s public key. That makes it trivial for new users to view history, and as new chats are posted they only need to be encrypted with one key.
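The group-key scheme described in the comment above, as an added example that is not part of the original thread or of any product's code: one symmetric key per group epoch, wrapped to each invitee's public key, with a key rotation when a member is removed. The names (`invite`, `rotate`, epochs, Alice/Bob/Carol) are hypothetical, and the primitives are stdlib stand-ins chosen so the block runs offline; a real client would use X25519 and an AEAD from a vetted library.

```python
import hashlib
import hmac
import secrets

# Stand-in primitives (assumptions, stdlib only, NOT production crypto):
# finite-field Diffie-Hellman replaces X25519; an HMAC-SHA256 keystream with
# encrypt-then-MAC replaces an AEAD.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Return nonce || ciphertext || tag under a 32-byte symmetric key."""
    nonce = secrets.token_bytes(16)
    ek, mk = (hashlib.sha256(t + key).digest() for t in (b"enc", b"mac"))
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    ek, mk = (hashlib.sha256(t + key).digest() for t in (b"enc", b"mac"))
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

def wrap_for(invitee_pub, secret):
    """Encrypt `secret` to a public key using a fresh ephemeral DH key."""
    eph_priv, eph_pub = keypair()
    shared = pow(invitee_pub, eph_priv, P)
    kek = hashlib.sha256(b"wrap" + shared.to_bytes(32, "big")).digest()
    return eph_pub, seal(kek, secret)

def unwrap(priv, wrapped):
    eph_pub, blob = wrapped
    shared = pow(eph_pub, priv, P)
    kek = hashlib.sha256(b"wrap" + shared.to_bytes(32, "big")).digest()
    return unseal(kek, blob)

# A member's keyring maps epoch number -> 32-byte group key.
def post(history, keyring, text):
    """Encrypt once with the newest group key; the server stores ciphertext only."""
    epoch = max(keyring)
    history.append((epoch, seal(keyring[epoch], text.encode())))

def invite(keyring, invitee_pub):
    """The inviter wraps every epoch key it holds to the invitee's public key."""
    return {epoch: wrap_for(invitee_pub, key) for epoch, key in keyring.items()}

def accept(priv, invitation):
    return {epoch: unwrap(priv, w) for epoch, w in invitation.items()}

def rotate(keyring):
    """Start a new epoch, for example after a member is removed."""
    keyring[max(keyring) + 1] = secrets.token_bytes(32)

def readable(history, keyring):
    """Decrypt every stored message whose epoch key is in the keyring."""
    return [unseal(keyring[e], blob).decode() for e, blob in history if e in keyring]

def demo():
    history = []                                    # what the server stores
    alice = {0: secrets.token_bytes(32)}            # Alice creates the group key
    post(history, alice, "hello")
    post(history, alice, "meeting at 10")
    bob_priv, bob_pub = keypair()
    bob = accept(bob_priv, invite(alice, bob_pub))  # Bob joins and gets history
    bob_on_join = readable(history, bob)
    rotate(alice)                                   # Bob is removed: new epoch
    post(history, alice, "bob has left")
    carol_priv, carol_pub = keypair()
    carol = accept(carol_priv, invite(alice, carol_pub))
    return {
        "bob_on_join": bob_on_join,
        "bob_after_removal": readable(history, bob),  # old epoch still readable
        "carol": readable(history, carol),
        "alice": readable(history, alice),
    }

if __name__ == "__main__":
    for who, msgs in demo().items():
        print(who, msgs)
```

Rotation only protects messages sent after the removal: anything sealed under an earlier epoch key stays readable to everyone who ever held that key, which is the history-versus-forward-secrecy trade-off raised in this thread.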
E2E encryption is useless here. Unless you setup some kind of dedicated channel for secretive group chats.
But incidentally the same people selling hacked spotify and netflix accounts also provide "support" over skype, so opsec, meet window I guess
Right now only Signal and WhatsApp enable the end-to-end encryption by default.
Microsoft should remember that they can't use the excuse that "they can't provide law enforcement with the messages" unless the users were also using the E2E mode/Private Conversations.
It would also help if Microsoft stopped supporting voice calls in its main client, too, as that automatically qualifies it as a "telecom provider" in many countries, which means it automatically falls under the same lawful intercept laws that affect telecom providers.
Unless these changes are made, then this news hardly changes anything in regards to Skype messages being intercepted.
The thing about E2E encryption is that you still need to have reasonable trust in each E.
It's interesting that so many people who claim they understand what the software is doing don't appear to understand that proprietary software is always untrustworthy. Users have no real control over proprietary software, no matter how technical and willing they are to change their copy of the software.
Therefore it doesn't matter which apps are installed on a proprietary OS. The proprietary OS (or possibly some hardware beneath it) is untrustworthy. Every keystroke, drag/gesture, location change, camera/mic input, and more pass through proprietary software before they get to the ostensibly trustworthy app.
Some users want peer-to-peer networks that are controlled by users, not third parties such as Microsoft, Facebook, etc. It seems that corporations are also interested in such networks. But they just want the users, not the ability to exclude third parties (they are a third party).
What is important for these interested users is that Skype changed and how it changed, not why it changed.
No explanation, rationale or excuse is a substitute for a peer-to-peer network that is controlled by its users, not third parties.
We know why these user-controlled networks get acquired (or copied) by companies: because they work and they attract many users.
Then I realised it wasn't "Microsoft Skype", but rather, "before Microsoft, Skype had..."
Let them focus on a problem that actually needs solving.
To add a little bit, avoiding forward secrecy was a design decision. We wanted to support adding and removing devices from your account (including removing all of your original devices, if you want), and we wanted new devices to be able to read your message history. I think those two things put together are in conflict with forward secrecy.
That said, we'd like to allow you to turn off history for some messages, and it would be nice if you got forward secrecy for those messages when you did that. We're currently in the middle of figuring out how that's going to work. One of the open problems is this sort of situation: If I have 5 devices, and one of them is a laptop that's been in the closet for 3 years and won't ever rotate its keys again, how do we avoid making that laptop a giant hole in my forward secrecy guarantees?
Remember this is closed source and you're using a central infrastructure.
I'd still rather see Skype eaten by the untainted parts of the competition, but I suppose at least for people who will keep using Skype no matter what, this should be an improvement.
Also, I don't think they ever encrypt their chat. I remember a while ago where somebody showed that when you send a private web address to the person you are chatting to, that URL is visited by a machine with an IP belonging to Microsoft. That was a few years ago though and I think the explanation was that Microsoft was looking for malware.
This way the few users of the feature will be visible like a Christmas tree in a dark forest and the general userbase will think it's their laziness not to use encrypted Skype.
That's also how Facebook implemented it in messenger.
I like everything else about Signal, but won't use it as long as they mandate that you tie your account to a verified, non-throwaway phone number. That's asking for more trust than I'm willing to give.
To block spammers in a social network, you either need messages to be expensive to send (ala the old e-stamps concept) or you need 1. identities to be expensive to acquire, plus 2. the ability to ban identities. The simplest way to make identities expensive is to require that each account be tied to some sort of real-world scarce token that you can prove possession of, like a phone number.
If, when you ban a user, you also ban their token from being used to create new accounts, most casual users are stymied from "re-making", and professional spammers have their potential volume (and therefore potential ROI) lowered by an order of magnitude because they need to pay for phone numbers (at e.g. $1 a pop on Twilio) in order to register the spam-accounts, and each of those spam-accounts (and therefore phone numbers) will be banned quickly enough that they won't have made $1 back by the time it happens.
The fact that account-deduplicating like this helps them get more accurate active-subscriber statistics is a nice bonus.
What this probably isn't, is a KYC measure. They don't care who you are; they just care that—whoever you might be—you only have one active account. (If you can think of a better way to achieve that without asking for potentially-identifying information, I'm all ears! Something something proof-of-stake? Make registration require you to burn an hour/day/week mining a token?)
And it’s not only design but the ux is horrible too, when you switch between conversation - it does not focus on the chat box field so you can start typing right away, instead you have to click it first. This is a basic stuff for a chatting app and whoever missed that is apparently clueless about ux
Edit: also if any of Skype iOS app developers is reading this - on iPhone X when you accidentally click top left corner of the phone where the clock is - for some inexplicable reason the whole conversation scrolls all the way to the top, which is incredibly annoying!
That's by design and standard iOS behaviour (it has been there for years). Tapping anywhere on the system toolbar (i.e. where the clock, wifi, signal strength indicators are) brings the main scrollable view to its "topmost" position.
I really dislike behavior like this that is useful to a few people but is far more likely to be encountered accidentally and feel buggy.
I thought this was one of Apple's "protected" features that everyone used/loved - guess not!
The only disadvantage is that many users do not know about this feature (because there is no indication that the status bar tap is supposed to do something like that) which is the reason many users think an app is buggy after they have tapped on it accidentally.
Precisely why this behavior should be considered unfriendly. It's not intuitive and is prone to accidents by the vast majority of the target market.
Even just making it a double-tap would make it drastically better, and double-taps are closer to convention as well. Double-click the left or right arrows in an overloaded tab bar in Firefox on desktop, for instance, for it to scroll a full row over.
I've noticed that most people find the feature accidentally, but then once they realize it's an option, use it extensively.
WhatsApp shows a small button in the lower-right corner once you scroll up a few messages for this purpose. iMessage scrolls back to the bottom as soon as you focus the input field. I don't know about the others.
But yeah, it highly depends on how the developers decide to implement it, which is suboptimal :(
Seriously, try to e.g. delete an email from the system's mail app, then vigorously shake your phone in anger. A popup asking you to "Undo delete" should appear on the screen (Many applications hook into this seemingly standard undo mechanism on iOS).
Some things in iOS are objectively weird and unintuitive but I miss them so much whenever I use an Android phone.
"You appear to be shaking your phone in frustration. Would you like to un-delete that?" :)
What's two flicks got that this doesn't? Or maybe if a shortcut was desired for extremely long views, why not make it a double tap?
Try 4-5 (or more) flicks and you also have to wait for the scrolling to happen (at the speed of your flick) .... contrast that with one "press" on iOS - it's not even close - I use the feature daily.
It loses messages at random. Sometimes it fails to send (I was really angry when I had an important call, and my "Hey, I'm here, let's start" got stuck in "Sending..." forever - thankfully, web.skype.com worked. That message made it through only the next day.) Sometimes it fails to receive - someone asks me why I'm not responding and I check the messages and don't see anything.
And those "sometimes" are not once in a blue moon, but every other month (if not worse).
Unfortunately, suggestions to use something else are not really working so I've stopped trying. Everyone seems to hate Skype, everyone I've asked had recognized it barely works and is frequently unreliable, but almost everyone I know still sticks to it. :(
I used to really like skype but it has now become one of the worst, and I'm still forced to use it due to several of my contacts being on it. Imho network effect is the only reason they aren't being mass dumped by users.
Installed it to try, and it starts by asking sms and contacts permissions, which seems innocent enough to integrate with your contact list, only to realize "upload all your contacts to microsoft periodically" is on without asking.
Microsoft, you're really terrible at this.
(bonus point that I can't fully uninstall regular Skype because it's a "native app" on my samsung s7 edge, so at best I can disable it and remove all permissions from it, awesome)
We’ve been using it for years, but the video chat UI is so bad people struggle with it every single meeting. Even I forget from time to time.
Good news for you, SFB is most likely going away soon; Microsoft is seemingly hell bent on rolling all of the things into Teams.
IMHO the last update killed it, awful interface and less features
- the "favourites" list (useful) now it's a global directory (useless)
- cannot screen-share a window, only the whole screen (you start hearing the fan very soon on a 5k desktop)
- text chat is now 3 centimeters wide, regardless of screen size (=> useless, in particular if you are in an audio+text call)
However, I also completely lack the curiosity to figure it out. I just try to minimize using Skype as much as possible.
It's a vicious circle of wanting to flee and thereby not getting accustomed to it.
- If you click on a link in a conversation, it switches the focus to that link. If you start typing again, nothing will happen until you hit the spacebar, at which point the link will activate again.
- If you use the search function, there's no apparent way to get back to the most recent messages in that conversation. The only solution I've found is to quit the app and relaunch it.
Per-UX, I've found Skype very difficult to use since the last major redesign a few(?) years ago. I'm not sure if the update made it worse. I feel generally confused just the same.