Microsoft changes skype supernodes architecture to support wiretapping (skype-open-source.blogspot.ch)
253 points by smartial_arts on July 17, 2012 | 102 comments

Even if the sensational headline is accurate, it's not worth the conspiracy theories:

(1) Microsoft is a US Corporation

(2) With the Skype acquisition, Microsoft (arguably) becomes a telecommunications carrier.

(3) CALEA passed in 1994, "requiring telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time." [a]

My (unfounded, optimistic) speculation is the skype acquisition was strategic positioning in the mobile market: seamless cutover to skype when your phone has WiFi.

a - http://en.wikipedia.org/wiki/Communications_Assistance_for_L...

Your comment seems to be built on the assumption that if the government has passed laws to make what it does legal, then we shouldn't worry— nothing conspiratorial or against our interests is occurring.

He's just saying it's not conspiratorial, it's blatantly part of the U.S. Code. Microsoft isn't colluding with the government behind closed doors, they're complying with the laws necessary to move into a slightly different market.

Whether it's for or against our interest was never addressed.

So what happens when you're not a US citizen, the wiretapping option is turned off then you think?

As a fine upstanding non-US citizen you are simply not considered by that law, and so can't be considered as much as you might like by the companies implementing systems that have to comply with that law. Microsoft's options are move to another country (not going to happen), ignore the law (not going to happen as it could cost them dear), or implement the law even though it might cause problems in markets outside the US.

For services hosted in other countries the law in those countries might well have something it can say/do, but even if they do successfully put their feet down MS could just pull the services out (costing the country if the investment in equipment/services/employees is significant) and move them elsewhere. They might be able to add the protection needed under those non-US laws to the nodes in the affected areas, it depends on the exact wording and enforcement of the law, but even if they did you lose that protection as soon as you hit a node elsewhere anyway.

Practically speaking if this is a concern for you (and it might legitimately be: contrary to what governments seem to think people and companies that are not criminal, not just the criminals/terrorists, have good reasons to want some privacy generally and more specifically those in competition with MS (amongst others) would not want to trust them as the gate-keepers) then your only option is to find an alternative to Skype. That isn't going to be easy though: any commercial provider is going to comply with the same regulations otherwise they'll find it difficult to operate in the US market (or the Chinese market which is growing much faster and is even more spy-y than the US) and even if you find something you then need to convince others to use it too.

"For services hosted in other countries the law in those countries might well have something it can say/do"

The actual hosting country does not always matter. In the Netherlands for instance (I can't speak for other countries) -where- a service is hosted is irrelevant. If you market your service to Dutch citizens (you have a Dutch language version of the site, or a Dutch contact number for instance) you are assumed to abide by Dutch law and can be prosecuted in a Dutch court if you don't.

Why, then, wasn't Skype required to implement CALEA-compliant functionality before Microsoft bought them?

After CALEA was extended to online services in 2006, Skype was legally required to implement wiretapping. They didn't, and stated they had no intention of complying with CALEA publicly, but never seemed to have been targeted by the DOJ over their non-compliance.

But they were still legally required to have done so, and the DOJ could have sent them up shit creek if doing so ever became a priority.

What's changed now? Probably just that Microsoft's legal division wasn't comfortable having that kind of regulatory non-compliance under their watch. Microsoft gets a lot of scrutiny from the DOJ and probably aren't particularly keen on being hauled up on new charges over this issue.

Previously Skype was registered in Luxembourg, maybe it is because they are now under US ownership.

Contrary to the article, Skype didn't previously use supernodes for traffic between NATed clients. They were just used for NAT hole punching and then the traffic was direct between the clients.

It is possible that after receiving a wiretap request Skype will route your calls differently. But they could have rolled this out by just upgrading the supernode code and keeping supernodes distributed.

It seems far more likely that they made this change for stability/reliability. Particularly after the Skype network crashes that have happened in the past.

The following research seems to suggest voice can and does go through super nodes under certain conditions:


Would it be too much of a stretch to assume the clients can be directed to use one of the new Linux super nodes at will?

Well, you need a 3rd machine to route traffic between two machines if both are behind NAT^. It was my understanding that supernodes were (also) used for this.

^Unless you can predict the translated source port

No hole punching method will work for all combinations of firewall at each end of the intended communications channel. If connecting the clients directly in either direction after the initial negotiation fails then Skype (and tools like it) will instead send the data via a 3rd host (which sits in the middle and acts as a bridge between the two TCP streams).

If they get a wiretap order and your client can normally achieve a direct connection with a particular user, they could just emulate connection failure and the clients would revert to using the proxy without informing the user (after all, they are designed to do that for the sake of resilience of the user experience). You can probably see where the traffic is going, the client may even tell you without you having to dig far, but you won't know if you are going via the middle-man server(s) because of a general network issue that is stopping a direct connection being possible or if it is because of a wire-tap.

Doesn't contradict the parent post. For hole punching you need to know the source (host+port) your peer sends traffic from. If the source port is randomised (or already used by someone for udp if nat prevents sharing), hole punching will fail.

That's where the third party supernode comes in; the sending peer tells the supernode which source port it is using to send to the non-supernode.

If you're natted, the source port seen by supernode doesn't have to be the same as the one seen by others. Someone on your network may be talking to the same supernode already, so the conflict has to be resolved by some remapping in the nat.

You then retry with an alternate supernode.

Unless your NAT is randomising ports by default. Then you will always get the wrong answer.

No. I don't know why you're not listening to what he's saying. I can tell you, from currently writing code that does STUN negotiation, unless you have two peers behind full-cone NAT (which is rather rare actually), you do not need to know what the port mapping/translation is.

I have a sideband connection to a server, and I tell it to route my negotiation packets to my peer's sideband connection. I literally never even touch a UDP port or connection, and the library I use establishes a connection using STUN(-light). And from having read the source, it doesn't explicitly determine or set the mapping (using UPnP) either.

In my work with VoIP that situation was pretty much the default assumption. I agree that it's only the double NATed situation that's hard to handle, but stay by my opinion that sometimes it's just impossible to resolve without a middle man. But it depends on many things - clients, routes, number of people in local network using the same application, etc. Sometimes you just have to fall back to proxying everything.

>stay by my opinion that sometimes it's just impossible to resolve without a middle man

Right, that's why TURN is part of ICE.
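
The fallback discussed in the comments above (direct hole punching when the NATs allow it, a third-host relay when they do not) can be reproduced with a small model. This is an added example, not code from the thread or from Skype; the `Nat` class, the `punch` function, and all addresses and ports are constructed for illustration, with mapping and filtering terms taken from RFC 4787.

```python
"""Toy model of UDP hole punching between two NATed peers (constructed example)."""
from dataclasses import dataclass, field
from itertools import count

SERVER = ("203.0.113.10", 3478)  # constructed rendezvous server both peers can reach

KINDS = {  # NAT kind -> (mapping behaviour, filtering behaviour), RFC 4787 terms
    "full-cone": ("endpoint-independent", "endpoint-independent"),
    "port-restricted": ("endpoint-independent", "address-and-port-dependent"),
    "symmetric": ("address-and-port-dependent", "address-and-port-dependent"),
}


@dataclass
class Nat:
    public_ip: str
    kind: str
    ports: count = field(default_factory=lambda: count(40000))  # sequential only for determinism
    mappings: dict = field(default_factory=dict)  # mapping key -> public port
    allowed: dict = field(default_factory=dict)   # public port -> remotes we have sent to

    def outbound(self, src, dst):
        """Translate an outgoing packet; return the public (ip, port) it leaves from."""
        mapping, _ = KINDS[self.kind]
        # A symmetric NAT allocates a new public port for every new destination.
        key = src if mapping == "endpoint-independent" else (src, dst)
        if key not in self.mappings:
            self.mappings[key] = next(self.ports)
        port = self.mappings[key]
        self.allowed.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Return True if a packet from `remote` to `public_port` is forwarded inside."""
        _, filtering = KINDS[self.kind]
        if public_port not in self.allowed:
            return False
        return filtering == "endpoint-independent" or remote in self.allowed[public_port]


def punch(kind_a, kind_b, rounds=3):
    """Return "direct" if both peers end up receiving each other's packets, else "relay"."""
    nat_a, nat_b = Nat("198.51.100.1", kind_a), Nat("198.51.100.2", kind_b)
    a_priv, b_priv = ("10.0.0.2", 5000), ("192.168.1.2", 5000)
    # Each peer registers with the server, which reports the address it saw to the other.
    a_target = nat_b.outbound(b_priv, SERVER)  # where A will try to reach B
    b_target = nat_a.outbound(a_priv, SERVER)  # where B will try to reach A
    a_heard = b_heard = False
    for _ in range(rounds):
        src = nat_a.outbound(a_priv, a_target)      # A -> B
        if nat_b.inbound(src, a_target[1]):
            b_heard, b_target = True, src           # B replies to the source it actually saw
        src = nat_b.outbound(b_priv, b_target)      # B -> A
        if nat_a.inbound(src, b_target[1]):
            a_heard, a_target = True, src
        if a_heard and b_heard:
            return "direct"
    return "relay"  # no usable pair: media has to cross a third host (TURN-style)


if __name__ == "__main__":
    for a in KINDS:
        for b in KINDS:
            print(f"{a:16} <-> {b:16} {punch(a, b)}")
```

In this model only the pairs that include a symmetric NAT facing an address-and-port-dependent filter fall back to the relay; every other pair connects directly within two rounds.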

The change is interesting (though not that new it seems), but Microsoft flatly state that calls do not go over supernodes [1]:

"This has not changed the underlying nature of Skype’s peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes)."

Now obviously this could be a lie, but it should be fairly simple to prove one way or another - simply force a call between 2 NAT'd clients, and trace where the voice packets go, it'll either be to one of these newly centralised supernodes, or somewhere else?

1 - http://arstechnica.com/business/2012/05/skype-replaces-p2p-s...

Calls don't go over supernodes: I frequently call people on Skype for a conference, with my brother participating on the same network, and when the call drops, my brother and me can still talk. Might be that this is an exception for extremely local connections, but I've had similar experiences in other situations as well.

That doesn't prove anything at all.

Read the blog post. Calls still don't go over supernodes by default, it was just changed so that specific calls can be routed over them if desired.

wow a 2 month old blog post with a HN comment as a single source?

To keep OT: Perhaps they will be soon required to be able to wiretap http://www.pcadvisor.co.uk/news/security/111150/eu-seeks-to-...

It will also bring benefits to end users if the client's machines won't become supernodes. And perhaps avoid the problems from last December http://www.disruptivetelephony.com/2010/12/understanding-tod...

Recently I have found https://jitsi.org/ which seems to be a possible alternative for Skype.

The title is clearly a completely unsupported hypothesis.

Why do HN mods change perfectly good titles seemingly at a whim, and then when there's a linkbait title screaming to be changed, then don't touch it?

Or, you know, centralizing their architecture so they can own all your communications and sell you ads like every other Tom Dick and Harry.

I don't think so. They wouldn't be able to target the ads without a lot of effort.... That's a LOT of voice recognition going on in a setting where people are not trying to dictate.

Most companies these days are hoarding data with no current abilities to analyze it for profit. They're rightly predicting that analytical capabilities will improve and they don't want to be the ones living in that world without massive amounts of customer data.

Right. That way I can send you the ads I would have targeted to you if you were still in college! That you are now 40 and have 3 kids is no matter. You still want all the cool college stuff, right?

They're not necessarily storing the data now to analyze later. They're building the capacity to acquire that data so that when the time comes all they have to do is flip a switch.

I'm not saying it'll ever pan out, I'm saying it's a much more likely explanation for Microsoft centralizing certain types of Skype communication than some shady back-alley deal with the NSA.

Data storage is stupidly cheap. You might as well save all the data your users provide to you.

I am curious. Regarding voice communications, where does the Stored Communications Act come into this? What can they legally store?

Just thinking out loud, but wouldn't it be possible to build a simple skype-addon that would look at your network traffic and be able to tell if your voice conversations were going through a supernode and not p2p.

This way you would get a quick indicator of whether or not you were likely being monitored.

"Microsoft has replaced P2P Skype supernodes with thousands of Linux boxes" from http://arstechnica.com/business/2012/05/skype-replaces-p2p-s...

Wow. Does it make it the first, large scale, internal(¹) deployment of non-Windows infrastructure by Microsoft? The question is: why? Did their engineers manage to convince the company that Windows is ill-suited to the task? I am quite stupefied.

(¹) "Internal" as opposed to situations where Microsoft inherited non-Windows infrastructure from external acquisitions, such as when they acquired Hotmail in 1997 and their 5000 FreeBSD servers (eventually migrated to Windows.)

Did their engineers manage to convince the company that Windows is ill-suited to the task?

They acquired skype. So the question would be, Is it worth rewriting a ton of working code just so we can say it runs on our platform.

I'm pretty sure Hotmail ran Linux or BSD for quite a while after Microsoft bought them (though probably not any more)

But no code needed to be rewritten. Skype supernodes were working on Windows before (on Windows machines in the P2P network.) Microsoft effectively stopped supporting Windows!

IIRC, there was a failed attempt to move it to Windows NT 4.

Hotmail ran on Linux for a very long time.

Skype may yet transition to Windows servers, but MS are hardly going to insist they make it their first and only priority. That would be insane.

I think you mean FreeBSD.

Hotmail never ran on Linux, it was all FreeBSD.

I think rdl made that point well when he posted 4 hours before you did. You are both correct- my memory was faulty. But the main point about Hotmail running on a non-MS OS still stands.

Windows Server powers Messenger and the upcoming notification service, which do exactly the same thing as Skype: messaging and video.

Moving an entire service to a different OS isn't quite that simple, so the simplest thing was to just add capacity using whatever was running at the moment.

I was under the impression that they've used Linux in the past effectively as a firewall for their internet sites. Whether this was a temporary response to a specific situation or a semi-permanent thing I don't know but I recall reading that there was a period where Microsoft.com was returning non-Windows header information.

While they obviously don't publicise it I think they've probably used Linux where it's appropriate for some time now.

If I remember correctly this was done by Akamai and not directly by themselves, while this time the nodes are effectively under Microsoft's control.

MSFT used Linux for DNS servers for a while, it's unclear why they did that since they had so many other FreeBSD acquisitions anyways. Some load balancers returned BSD/Linux fingerprints when scanned, but it's unlikely that MSFT actually used Linux in the direct path anywhere.

Heck, MS contributed to the Linux kernel so it could be virtualised well.

It's amazing how citizens' rights to privacy have completely eroded while their governments now get to operate in near complete secrecy against them.

The implication with wiretapping (and the NSA acronym) is that it is about security and safety against criminals and terrorists. I've always wondered how much of a business advantage it is to be able to tap into the world's biggest VoIP network?

I've seen Skype being used a lot in businesses both centralized and decentralized.

I admit I don't know much about the internals of this, but maybe it's because, by serving as a node to forward other transmissions, the former Skype client drained people's mobile broadband data budgets. In this way they avoid this.

I think it is more likely because they want to build a social network for collaboration around Office 365, Yammer and Skype, and maybe, be able to give some uptime/quality guarantees to customers (things would not necessarily be better, but more under control of Microsoft)

If you have a distributed system but want to wiretap some calls, I think it would be easier to have some back door for instructing clients "whenever you make a call/get a call from one of these numbers, CC us".

The evidence on this one is rather thin. It takes a speculation in a comment on HN about what Microsoft could be doing - without any proof that they are actually doing it, adds some code that proves something Microsoft claims they do not do could be done if they wanted to do it - and the conclusion is Microsoft definitely has sold everybody to the Man. I think a jump from "they could be doing it" to "they did it" requires more proof than that.

This is for anyone who was assuming that Skype wasn't wire-tappable. But then again, I don't know why anyone would assume that in the first place.

This is the kind of thing that makes it annoying that just about all interesting internet companies are in the US. Why can't Europe step up with some competition?

Entrepreneurship is far more difficult in much of Europe. It's much more difficult to set up a corporation, access capital, especially speculative capital (i.e. VC money) as well as some fairly strict taxation and regulatory schemes. This article: http://buswk.co/Hltv5F explains a few of those factors.

Skype was originally a Swedish company until it was acquired by eBay.

Estonian, I thought.

Luxembourg actually, with Swedish founders and Estonian coders.

The National Security Agency put out an RFP for Skype decrypting/intercepting awhile back and this was the first thing that popped back into my mind when Microsoft bought Skype. Then, when M announced they were replacing the supernodes, it only re-confirmed what was going on, in my mind.

This means new opportunities in the VoIP market. Thank you Microsoft

In the short term, I'm hoping Google Hangouts will be a viable alternative for both normal users and enterprise users.

In the long term, I hope the WebRTC protocol will disrupt both of them.

Why are Google Hangouts a viable alternative for people who care about privacy? (Ostensibly the point of this article.)

I agree. Distributed and P2P with encryption is the only way to guarantee privacy.

First, make yourself familiar with WebRTC. It will require server-side signaling. Demo by Google: http://www.webrtc.org/running-the-demos#TOC-Demos Sending SRTP session keys over that signaling server sounds interesting.

Any privacy we could have had using Skype was dead the same day MSFT bought them. It was just a matter of time to make it official.

What's gonna be from now on? Stay put, and watch it.

SKYPE GOES OPEN SOURCE......FLAWLESS VICTORY: https://joindiaspora.com/posts/1799228

What are some good open source alternatives for Skype?

VSee (http://vsee.com/) doesn't look bad, but it's also closed source. Something built on open standards (SIP/XMPP) like Jitsi is likely to be more transparent because you won't have to guess what some mysterious supernode does and doesn't do with your data.

Good luck getting your non-techie friends to use that though. Skype became popular because it just worked, which at that point had not reliably been achieved even for plain voice calls, much less video.

Remember Microsoft has major contracts and relationships with the Chinese and Korean government, among others. This stuff is the dark underside of a Microsoft acquisition. Of course, they have relationships with the US govt as well, but Americans are ostensibly protected by the Constitution -- those protections (as well as due process) don't exist in many countries with whom Microsoft does business.

Did we really think we could trust Microsoft with such an acquisition?

You used to trust a shady Europe-based private corporation; now you have to trust a shady US-based private corporation. Regardless of their specific track records, there is nothing intrinsically different between the two.

Except executive management and leadership

Duh, never heard of hostile take-over. Microsoft has a long history of simply buying out technologies and then deep sixing them.

omg, I've just only now realized, my phone company can wiretap all my calls

Wiretapping sounds so innocent. Of course, all US comms must be available for lawful wiretaps in fight against crime.

No, what we're dealing with here is a dragnet cast upon the comms of users around the world, who aren't protected by US Constitution and thus can be tapped at will by US agencies and even private corporations without any warrants or oversight.

For instance, if Microsoft wanted to learn about technical or trade secrets of competitors communicating through Skype (say, a couple of start-up founders), now they're free to do it.

Also, if a US agency wanted to put on a no-fly list some people who casually converse about what morons those TSA people are or how all US administrations support the Israeli regime that commits war crimes against Palestinians, now it's very easy to do.

For instance, if Microsoft wanted to learn about technical or trade secrets of competitors communicating through Skype (say, a couple of start-up founders), now they're free to do it.

Is that any different from using, say, Gmail or Google Apps? Not saying that Google is looking at that data but this is a problem with essentially every web-based communication tool. People shouldn't have an expectation of privacy or security just because it's a company they know/like or it's a popular tool.

It's a risky situation, if you ask me. Consider the data that tools collect on us:

- location and contact history (cell phones)

- message history and address book (email, social network)

- interests/activities (calendars, event tools, feed subscriptions)

- browsing history

As an engineer, think about the evil fun you could have with that data. You could really mess somebody up if you didn't like them.

While technology makes this easier, it isn't new. You could hire a PI to follow the CEO of a competitor. You could break in and bug their offices.

None of this is legal, and if discovered there would be a legal case to answer.

I've long thought that Google's ability to track searches from Microsoft IP addresses was one of the reasons for the development of Bing - i.e. Bing's value is, in part, that it plugs an information leak and siphons other leaks into Microsoft's data mine.

For instance, if Microsoft wanted to learn about technical or trade secrets of competitors communicating through Skype (say, a couple of start-up founders), now they're free to do it.

What? No they're not.

It does sound outlandish but... what specifically is stopping them?

Do you seriously think trade secrets aren't enforceable outside US borders? That there's no such thing as a transnational tort claim? Do you also think that because the "Constitution doesn't protect" stuff that Microsoft can randomly steal from people? Can they murder people too?

You knew this was a batshit claim when you saw someone trying to map the Constitution to Microsoft in the first place, since the Constitution doesn't regulate private businesses at all.

Come on. We're smarter than this.

Come on. Pseudonaïvité.


(To your first question: ask Robert Metcalfe (3com), Charles H. Ferguson etc. To your second question: drones. -- Welcome to the real world)

But true, this has little to do with skype.

What do ECHELON and military drones have to do with civil liability?

The root comment in this thread suggests that Microsoft might be centralizing Skype so that it can scrape trade secrets out of phone calls. That sentiment is based on a preposterous misapprehension about how international law works.

We were talking about kites (if you know what I mean), and off-the book killings.

There isn't really anything that is called "international law", as such. There are agreements between nations, and those agreements are what they are.

The sheeple love to feel important and free, no amount of argument and reason would make them see the reality ;)

How would they get caught stealing trade secrets through Skype? Whistleblowers? Have there been any instances of a transnational tort claim in tech?

I really wonder how much espionage is going on. Does MS have a mole at Google, and vice versa?

(I'm pretty sure you are directing all of your "you"s mostly to others in the thread so I will ignore the impatient and condescending tone)

You aren't very specific though. I'm not familiar with transnational tort claim and I doubt it is as popular to others here in HN either. Is it as solid as you seem to make it? Google has little (easily accessible material) on it. It doesn't sound like something that is illegal by itself; only that they could be sued by those startups if/when they find out (and decide to saddle up for an international case against a huge company... yeah that probably isn't very likely).

Good luck finding a lawyer who has the skills to perform an international tort offense who charges less than six figures for it. Only a company like Microsoft has the cash to pull that off.

Federal law.

Sad to see a two and a half month old blog article with a flame bait headline and no references or proof being lapped up by HN.

Yeah. Personally, I take all articles with a grain of salt when the author bandies about terms like M$.

I think these 2 older articles support that conclusion as well:



All of a sudden the outrageous $8.5 billion price Microsoft paid for Skype (and twice as much as any other competing bid) starts to make sense.

It's called a hostile takeover. MS has a long history of buying tech companies out and then deep-sixing the tech forever.
