Author Topic: Why Skype is Evil™  (Read 2126 times)

stvincentferrer

  • Member
  • Posts: 1,816
  • Gender: Male
Why Skype is Evil™
« on: September 06, 2009, 04:32:PM »

Why Skype is Evil™

June 19, 2007...4:12 pm

http://ultraparanoid.wordpress.com/2007/06/19/why-skype-is-evil/

So, you’re a security-minded individual who uses a HW firewall, a client firewall, antivirus SW and anti-spyware SW to protect yourself, your computer and your privacy. Great! Now you’ve found a great way to communicate with your friends and family in a secure fashion: Skype! Well, let’s take a deep breath and have a closer look at Skype. Here’s a conversation between me and you:

You: I’ve found a way to communicate with my friends and my family in a secure fashion!

Me: Wow, that’s great. Tell me more about it.

You: It’s a voice-over-IP program with chat functionality.

Me: Sounds nice, but how exactly is it “secure”?

You: It encrypts everything with a 256-bit EAS algorithm – it’s unbreakable!

Me: Yes, 256-bit AES is a strong algorithm. Did you make sure to choose a long and complex passphrase when generating the master key to keep the implementation of the encryption as strong as the algorithm lets you?

You: Huh? Skype fixed all that stuff for me.

Me: So Skype decided what encryption master key you use?

You: Yes.

Me: Doesn’t that mean that Skype can decrypt your communication and eavesdrop on your conversations whenever they want?

You: I guess… But they probably don’t have the resources to eavesdrop on me or anyone else; Skype is a small, Swedish company. Besides, what interest would they have in eavesdropping on me or anyone else?

Me: That’s not entirely true, but let’s get back to that later, and answer this: what if Skype gave the encryption key to someone who DOES have the resources and the incentive?

You: Like who?

Me: Like for example the National Security Agency?

You: Why would the NSA want to eavesdrop on my conversations and chat sessions?

Me: Most likely, they couldn’t care less when you’re talking to your mom about her doing your laundry next Saturday, but the NSA are responsible for the collection and analysis of all foreign communications. That includes your calls and your chat sessions 1).

You: But Skype is a European company, governed by European rules and regulations which prohibit them from releasing sensitive information to any foreign intelligence agency; they wouldn’t do that.

Me: Na-uh. Skype was recently bought by eBay and all the Skype servers 2) are now located in the US, which makes eavesdropping by NSA not only possible, but in fact probable. The NSA already has free access to phone calls and internet traffic routed through “normal” telephone companies/ISPs. It is only natural that they would want to do anything possible to get the hugely popular Skype communications platform under their control as well. After all, a wide-spread, easy to use, uncontrolled encrypted communications platform free for all to use is a HUGE threat to the effectiveness of the NSA. Controlling Skype has the added bonus of being able to eavesdrop on communications between foreign targets previously hard or impossible to reach. For example, a person in Germany, talking to a person in Russia using land-line phones would previously have been out of reach for NSA. The same two persons using Skype are now available for eavesdropping. In addition, the average Skype user will most likely treat the program as being trustworthy (just like you do), having bought into the Skype propaganda of the program being impossible to intercept or eavesdrop. So I have no doubt that the NSA have a great interest in getting their hands on a backdoor into the program. And if the NSA can force every telco in the USA to comply, they could certainly have no problem forcing eBay to do the same. Not that it would come to this, eBay is notoriously known for not respecting the privacy of its users.

You: I am shocked, shocked to find out that espionage is going on in here 3)!

Me: Now, let’s take a look at the eBay purchase of Skype in the first place. Why would eBay buy Skype? Granted, there are some potential benefits from a customer viewpoint, such as easy communication between buyer and seller. In addition, eBay might want to keep track of their customers’ online time and habits; something an IM client would be able to provide, but seriously: Skype has no real revenue potential. Skype’s business model has long been questioned by many economists. The software is gratis and the calls are mostly gratis. Although there is a line of hardware as well as services for money, there really aren’t that many ways for Skype to make money. There aren’t even any ads to gain revenue for Skype. So where does Skype get the money from, or rather: why in the flaming red hell would eBay want to haul out $2.6 BILLION for Skype? My guess is: they wouldn’t. There is no short term profit in Skype. There is most likely little or no long term profit in Skype. If Skype ever produced enough dough for eBay to break even on the buy I would be baffled. Did eBay really pay $2.6 billion for something that will never even break even? Perhaps. Or perhaps the executives at eBay are so bold as to stick that amount of cash (and stock) on a long shot? Or perhaps they see some potential that us mere mortals cannot see? Or perhaps there is a second buyer, helping eBay finance the purchase? Do I know that NSA helped fund eBay’s purchase of Skype? No, I certainly do not.

What I DO know is:

    * eBay has no obvious reason for buying Skype (granted, this being my weakest point); certainly not for $2.6 billion.
    * eBay has a history of handing out extensive user information to government officials without any subpoena or court order at all.
    * Skype has done everything in its power to make it impossible (warning: link to big PDF) for anyone to verify the encryption implementation or whether there are any backdoors in the program.
    * Skype is known to behave in a suspicious manner, for example collecting BIOS and motherboard information – information that a VoIP/chat program has no legitimate use for. Or imposing artificial limitations based on CPU vendor.
    * Skype has time and again refused to discuss Skype security issues, phone records and Skype interactions with law enforcement.
    * NSA has a duty to monitor as much foreign communication as possible.
    * Skype has been (presumed to be) a huge thorn in the side of NSA.
    * NSA has a secret budget. Its size and its uses are unknown.

All these facts would, in a court of law, be called “circumstantial”, but putting two and two together, I wouldn’t use Skype for anything sensitive. At least not for something I wouldn’t want NSA to know, and perhaps not for anything I didn’t want a random competing US company to know either (Warning: PDF document. See point 10.9.2).

You: Well, I’m an American, so it’s illegal for NSA to spy on me!

Me: Yeah.. Dream on.™

You: Well, I’m not a terrorist, so they won’t be interested in me at all!

Me: If you accept sacrificing your privacy, that’s your choice. But just because you haven’t done anything wrong doesn’t mean they won’t watch you.

This transcript of a Skype conversation was brought to you by NSA – your friendly neighborhood Big Brother™.

1) The Foreign Intelligence Surveillance Act (FISA) of 1978 prescribes procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between or among “foreign powers”. Even though the act specifically forbids spying on US citizens without a court order, it can be argued that it is impossible to separate domestic internet traffic from non-domestic internet traffic. Therefore, in order to be able to monitor foreign internet traffic, one must monitor ALL internet traffic. Besides, the U-SAP-AT-RIOT Act of 2001 largely removes the public protection that existed in previous laws. If that wasn’t enough, GWB has shown us that rewriting the law on-the-fly as he sees fit is just as fun.

2) Yes, Skype is a peer-to-peer software, as opposed to a server-client model, but the software is not self-certifying which means it needs to connect and login to a centralized Skype server to certify each user’s public key.

3) My apologies to Julius J. Epstein, Philip G. Epstein and Howard Koch.


QuisUtDeus

  • Guest
Re: Why Skype is Evil™
« Reply #1 on: September 06, 2009, 05:27:PM »
Nothing on the internet is private.  The NSA would not allow any encryption they cannot already break, though some encryption may take several years to crack.  They have truly unlimited resources and the best cryptographers in the world working for them - thinking PGP or something is going to hide anything from the NSA is naive.  However, some encryption schemes are "good enough" for protecting your credit card number or to avoid blackmail by John Q. Hacker, etc.  So, the level of encryption one needs is directly related to what one is protecting and the threats against it.

One-time-pad is the only type of encryption that is worthy of being called secure, and the average person cannot implement this since they don't have access to hardware that can generate truly random numbers in a synchronized fashion or the acumen to use it.

Mark my words: anything that goes on or through the internet is public and is there forever.

If one uses Skype to talk to a buddy about the Bears game, I think that's fine.  If one uses Skype to talk about things that are more sensitive, it's probably a bad idea, but so would using a phone in general.  A directional mike or laser pointed at your window is a lot easier and more effective than cracking Skype encryption or even getting Skype to turn over the call and the key.

Security is about the weakest link, and often times the weakest link is overlooked.  In the case of Skype, the weakest link is the fact that you're using your voice to communicate probably in a place that could be bugged or monitored in some way.  So, if we're worried that someone will hear us on Skype, we should worry first about that van parked in the street because most likely that is where the conversation will be intercepted, not by decrypting the call.



Rosarium

  • Guest
Re: Why Skype is Evil™
« Reply #2 on: September 06, 2009, 05:39:PM »
> Nothing on the internet is private.

Exactly.

However, a code can work better than any cypher, the human element is the weak part as always.

The time and effort it takes to really break a good encryption is usually not worth it, and social engineering is the easiest and most foolproof (he-he) method of getting private information, for bad guys, government or tricksters.

NonSumDignus

  • Member
  • Posts: 528
Re: Why Skype is Evil™
« Reply #3 on: September 06, 2009, 05:49:PM »
I don't talk about anything worth eavesdropping on skype, so I'm really not too concerned.
Lord, I am not worthy that you should enter under my roof, but only say the word and my soul shall be healed

stvincentferrer

  • Member
  • Posts: 1,816
  • Gender: Male
Re: Why Skype is Evil™
« Reply #4 on: September 06, 2009, 07:06:PM »
> Nothing on the internet is private.  The NSA would not allow any encryption they cannot already break, though some encryption may take several years to crack.  They have truly unlimited resources and the best cryptographers in the world working for them - thinking PGP or something is going to hide anything from the NSA is naive.  However, some encryption schemes are "good enough" for protecting your credit card number or to avoid blackmail by John Q. Hacker, etc.  So, the level of encryption one needs is directly related to what one is protecting and the threats against it.
>
> One-time-pad is the only type of encryption that is worthy of being called secure, and the average person cannot implement this since they don't have access to hardware that can generate truly random numbers in a synchronized fashion or the acumen to use it.
>
> Mark my words: anything that goes on or through the internet is public and is there forever.
>
> If one uses Skype to talk to a buddy about the Bears game, I think that's fine.  If one uses Skype to talk about things that are more sensitive, it's probably a bad idea, but so would using a phone in general.  A directional mike or laser pointed at your window is a lot easier and more effective than cracking Skype encryption or even getting Skype to turn over the call and the key.
>
> Security is about the weakest link, and often times the weakest link is overlooked.  In the case of Skype, the weakest link is the fact that you're using your voice to communicate probably in a place that could be bugged or monitored in some way.  So, if we're worried that someone will hear us on Skype, we should worry first about that van parked in the street because most likely that is where the conversation will be intercepted, not by decrypting the call.

Speaking of online security, I've heard that Google owns the email of people with GMail accounts. Have you heard anything about this? If you delete a gmail account, Google keeps it but just doesn't allow you to any longer access it. There are only a couple webmail companies I know of that explicitly state that they will delete your emails when you close an account. Lavabit is one, and the other one is Gahab [sic?].
Rosarium

  • Guest
Re: Why Skype is Evil™
« Reply #5 on: September 06, 2009, 07:13:PM »
> Speaking of online security, I've heard that Google owns the email of people with GMail accounts. Have you heard anything about this? If you delete a gmail account, Google keeps it but just doesn't allow you to any longer access it. There are only a couple webmail companies I know of that explicitly state that they will delete your emails when you close an account. Lavabit is one, and the other one is Gahab [sic?].

Sure, why not? It is a free Google supplied service using their servers and network. Why wouldn't they keep the information?

Also, they may be required by law to keep it.


devotedknuckles

  • the causes go, true rebels remain
  • Member
  • Posts: 20,677
Re: Why Skype is Evil™
« Reply #6 on: September 06, 2009, 07:38:PM »
what do u guys think of hushmail?
ive been told nsa front. and no i don't believe it.
sip sip
This is the journey
from which, for me there shall be no return
wholly drenched
is the pine tree of  tears
-Yoshida Shoin

stvincentferrer

  • Member
  • Posts: 1,816
  • Gender: Male
Re: Why Skype is Evil™
« Reply #7 on: September 06, 2009, 07:43:PM »
> > Speaking of online security, I've heard that Google owns the email of people with GMail accounts. Have you heard anything about this? If you delete a gmail account, Google keeps it but just doesn't allow you to any longer access it. There are only a couple webmail companies I know of that explicitly state that they will delete your emails when you close an account. Lavabit is one, and the other one is Gahab [sic?].
>
> Sure, why not? It is a free Google supplied service using their servers and network. Why wouldn't they keep the information?
>
> Also, they may be required by law to keep it.

You're so nonchalant. Nothing to see here.  :P Then the question is: how many people would use these webmail services if they realized that they don't own their emails? My guess: not a whole lot. It isn't common knowledge among free webmail customers that their emails don't belong to them. If it were common knowledge, people might still use these free webmail providers, but not to the present degree and not for anything of a delicately personal nature.

stvincentferrer

  • Member
  • Posts: 1,816
  • Gender: Male
Re: Why Skype is Evil™
« Reply #8 on: September 06, 2009, 07:44:PM »
> what do u guys think of hushmail?
> ive been told nsa front. and no i don't believe it.
> sip sip

it's not free, so the email is yours. about being a front, anything's possible. i guess quis is right when he says nothing is safe on the internet.

Rosarium

  • Guest
Re: Why Skype is Evil™
« Reply #9 on: September 06, 2009, 07:52:PM »
> You're so nonchalant. Nothing to see here.  :P Then the question is: how many people would use these webmail services if they realized that they don't own their emails? My guess: not a whole lot. It isn't common knowledge among free webmail customers that their emails don't belong to them. If it were common knowledge, people might still use these free webmail providers, but not to the present degree and not for anything of a delicately personal nature.

If they knew? I do not know. The issue is understanding. Most people do not understand the Internet or computers to make meaningful decisions at all.