Financial Cryptography

Skype: the gloss is losing its shine

Skype loses some of its shine. Here's a list I've built up over the last year, others have better lists.

• the Chinese use it for targetting and eavesdropping.
• In other rumours, it has been said (!) that the intel agencies can now break in to Skype. But there is no confirmation of this.
• Recall that Skype is now owned by eBay, which is probably the biggest signal of all.
• More woes reported by Economist.
• The taliban use it, and it is devlish difficult to crack, so say the tommies.
• Meanwhile, a released open source intel document on terrorist tools is strangely discrete about it. Probably distracted by all the other things like twitter terrorist attacks and mobile cameras in missiles...
• Confirming that intelligence ho-humedry, the Mumbai terrorists used a big array of tech tools, some of them completely compromised, and the tools were even intercepted! They still got their job done, allegedly or apparently or by some measures. Maybe the genie is really out of the bottle, and no amount of cracking Skype will slow down the revolution for the committed do-badder? Or maybe the Internet and telecommunications has reached the commoditisation stage where it is just like clothing, and even terrorists are adept at wearing t-shirts and jeans and iPods.
• this very nice resource: http://www1.cs.columbia.edu/~salman/skype/.
• And, hot off the press is today's news: here is evidence that Skype is scanning your other applications for purposes evil and nefarious (also encrypted in French). Who's to blame here? Skype for getting over-eager to sell your identity, or Firefox for not protecting the user from the compromise platform? Actually, the latter looks pretty guilty of naivete here, the platform as attacker has been on the validated threat list for how long now? Again, Skype leads the way by carefully protecting *itself* from other client-attacks (good use of RC4, that!). Which in no way absolves Skype of the crime of reading data from other applications. If true, that's a class-action lawsuit for eBay, and they'd better have some good answers.

Summary?

• Skype is still the single best system out there for your privacy.
• In terms of points, it beats any other system, hands-down.
• But the cracks are showing, the shine is off the new factory paint job.
• Any day now, I expect that confirmation will turn up that they screwed up your privacy in one way or another.
• Still, it also remains the bright shining light of security architecture. For that alone it is worth following.

This is inevitable. All great revolutions start out from perfect motives and morals, which then get trashed. Meet the new boss, same as the old boss. There is no doubt that Skype cannot provide the permanent libertarian wet-dream of defeating governments and crooks forever. Intel agencies will eventually get in, crooks will find a way, its new owner will put pressure on the company to monetarise the investment, and you the user will be screwed as always.

Enjoy the bounty while it lasts.

---

Tossing the phone

Oct 10th 2008
From Economist.com
Though a great alternative, Skype is open to abuse

LATE last year, your correspondent decided he was paying too much for long-distance telephone calls, and vowed to switch to one of the new VOIP (“voice over internet protocol”) services, which offer calls to most places in the world for a few pennies a minute at most. At the time, his land-line carrier (Verizon) was charging him five cents a minute for local calls, 11 cents for long-distance, and around 16 cents for international calls. With lots of contacts in Britain and Japan, over half his monthly phone bill was for international calls.

Many PC users got their first taste of VOIP in the 1990s when a product called VocalTec first hit the market. But because of the technical hassles involved, making calls between two PCs connected to the internet wasn’t for the faint of heart.

Skype changed all that in 2003 with a delightfully simple piece of software that could be downloaded for free and used to talk to other Skype users around the world with no charge whatsoever. Since then, close to 300m copies of the Skype software have been downloaded, and 13m Skypers are jabbering away cheerfully on any given day.
Reuters

You can still use Skype to talk to other users around the world for free. That’s a terrific deal—provided, that is, the person you’re contacting is sat at a computer.

But what if you want to reach someone’s land-line or mobile number? No problem. Either buy Skype credit online and pay around two to three cents a minute, or purchase a monthly subscription for $9.95 and make unlimited calls to other people’s phones anywhere in the world.

Best of all, Skype offers video and text-messaging as well as good old-fashioned talk. Your correspondent first started using Skype’s video-conferencing feature in 2006 when working for several months in Japan. He found it an ideal way to help his nine-year-old with her homework.

With so much going for it, Skype has attracted its share of wannabes. Before deciding to hang up his land-line, your correspondent investigated a number of Skype alternatives—including SightSpeed and Gizmo Project (now Gizmo5) as well as newcomers like Mobivox, iSkoot, TalkPlus, Jajah and Jangl. With a few honourable exceptions, most looked financially fragile and have subsequently had trouble turning their technologies into worthy contenders.

Two things made Skype the obvious choice. One, of course, was its ease of use, especially its video-conferencing facility. Improvements in video quality—along with the capacity for full-screen video plus “picture-in-picture” in the latest versions—have made using Skype only more compelling.

The other clincher was the way the Skype software also runs on dozens of mobile phones as well as game consoles and other internet appliances. Your correspondent currently uses a dedicated Skype phone that automatically logs on to any open Wi-Fi network within hailing distance—like a “smart phone” with a built-in Wi-Fi radio as well as a cellular connection. Open Wi-Fi hotspots are ten-a-penny in coastal California.

Though it has saved him several thousand dollars over the past six months, your correspondent finds Skype to be not without its problems. In particular, the more he uses it, the more he worries about its lack of security.

Sure, Skype relies on some of the best encryption technology around to prevent ordinary eavesdroppers from listening in to conversations. For a start, the user’s login is certified by the widely-trusted RSA algorithm. And the information being transmitted—whether voice, video, text or computer data—is scrambled with the same 256-bit AES encryption method used by the military everywhere.

But because Skype sends and receives calls with a proprietary protocol that is closely guarded as a company secret, there’s no way of knowing how tamper-proof the network really is. There could even be a “backdoor” to the software, of which the people at Skype itself might be unaware. When a network provider says, effectively, “Trust us—everything’s fine,” you would have to be naive not to have at least some reservations.

That’s an even greater concern when you know that anyone can join the network without having to prove his identity. The fact is, users can set up any number of Skype accounts, each under a different fictitious name, and never be challenged. In short, this is not the telephone system that Ma Bell made a model of trustworthiness and reliability. Skypers are out there in the big, bad world at its ugly worst.

You can see why Skype terrifies IT managers particularly. Because it was designed by the same bright sparks in Estonia who created the virtually unstoppable KaZaA file-sharing network—and it uses much the same proprietary form of peer-to-peer architecture—Skype can evade practically every firewall known to man.

With messages bounced from one user’s computer unknowingly to another’s before reaching their final destination, there is no central server directing the traffic flow, logging the calls, and screening them for viruses, Trojan horses and spyware.

In short, it’s a perfect vehicle for delivering malware to the inner sanctum of any organisation, as well as sneaking corporate secrets out. Such features hardly can escape the attention of those criminals who surreptitiously commandeer hordes of innocent users’ computers to launch devastating “botnet” attacks on organisations.

Then there’s a little matter of compliance. Because of its heavy encryption, firms have no way of recording Skype’s voice and video calls to meet their financial and legal obligations under the Sarbanes-Oxley Act. That alone can leave them wide open to criminal penalties.

If that’s not enough for IT managers as well as individual users to worry about, the blogosphere has lately been abuzz about the way Skype tracks every computer’s identity–and quite possibly its whereabouts.

Civil-liberties folks are concerned that this could provide a powerful tool for authoritarian regimes to keep tabs on annoying dissidents. Skype, you may recall, got a black eye for helping the Chinese authorities filter conversations for sensitive words like “democracy”, “independence”, “earthquake” and more recently “melamine”.

Unless you are running the 64-bit version of Windows, you’ll never notice a tiny file called “1.com” that Skype launches when its users log on. This tiny 16-bit program (which Windows 64 can’t read and therefore reports as an error) executes in a flash and unloads itself immediately—but not before reporting back the identity of the computer’s motherboard.

If you were so inclined, correlating a computer’s ID with its internet address would make tracking the movement of anyone using Skype a doddle.

Mischievously, your correspondent has sprinkled empty 1.com files throughout his Windows directory—to see whether denying Skype the chance to interrogate his computer’s identity triggers any disruptions. So far, nothing untoward has happened. He would be amused to hear from readers who have taken similar precautions.

Posted by iang at January 22, 2009 01:41 PM | TrackBack