Why Skype is Evil™
June 19, 2007...4:12 pmhttp://ultraparanoid.wordpress.com/2007/06/19/why-skype-is-evil/
So, you’re a security-minded individual who uses a HW firewall, a client firewall, antivirus SW and anti-spyware SW to protect yourself, your computer and your privacy. Great! Now you’ve found a great way to communicate with your friends and family in a secure fashion: Skype! Well, let’s take a deep breath and have a closer look at Skype. Here’s a conversation between me and you:
You: I’ve found a way to communicate with my friends and my family in a secure fashion!
Me: Wow, that’s great. Tell me more about it.
You: It’s a voice-over-IP program with chat functionality.
Me: Sounds nice, but how exactly is it “secure”?
You: It encrypts everything with a 256-bit EAS algorithm – it’s unbreakable!
Me: Yes, 256-bit AES is a strong algorithm. Did you make sure to choose a long and complex passphrase when generating the master key to keep the implementation of the encryption as strong as the algorithm lets you?
You: Huh? Skype fixed all that stuff for me.
Me: So Skype decided what encryption master key you use?
Me: Doesn’t that mean that Skype can decrypt your communication and eavesdrop on your conversations whenever they want?
You: I guess… But they probably don’t have the resources to eavesdrop on me or anyone else; Skype is a small, Swedish company. Besides, what interest would they have in eavesdropping on me or anyone else?
Me: That’s not entirely true, but let’s get back to that later, and answer this: what if Skype gave the encryption key to someone who DOES have the resources and the incentive?
You: Like who?
Me: Like for example the National Security Agency?
You: Why would the NSA want to eavesdrop on my conversations and chat sessions?
Me: Most likely, they couldn’t care less when you’re talking to your mom about her doing your laundry next Saturday, but the NSA are responsible for the collection and analysis of all foreign communications. That includes your calls and your chat sessions 1).
You: But Skype is a European company, governed by European rules and regulations which prohibits them from releasing sensitive information to any foreign intelligence agency; they wouldn’t do that.
Me: Na-uh. Skype was recently bought by eBay and all the Skype servers 2) are now located in the US, which makes eavesdropping by NSA not only possible, but in fact probable. The NSA already has free access to phone calls and internet traffic routed through “normal” telephone companies /ISPs. It is only natural that they would want to do anything possible to get the hugely popular Skype communications platform under their control as well. After all, a wide-spread, easy to use, uncontrolled encrypted communications platform free for all to use is a HUGE threat to the effectiveness of the NSA. Controlling Skype has the added bonus of being able to eavesdrop on communications between foreign targets previously hard or impossible to reach. For example, a person in Germany, talking to a person in Russia using land-line phones would previously have been out of reach for NSA. The same two persons using Skype are now available for eavesdropping. In addition, the average Skype user will most likely treat the program as being trustworthy (just like you do), having bought into the Skype propaganda of the program being impossible to intercept or eavesdrop. So I have no doubt that the NSA have a great interest in getting their hands on a backdoor into the program. And if the NSA can force every telco in the USA to comply, they could certainly have no problem forcing eBay to do the same. Not that it would come to this, eBay is notoriously known for not respecting the privacy of its users.
You: I am shocked, shocked to find out that espionage is going on in here 3)!
Me: Now, let’s take a look at the eBay purchase of Skype in the first place. Why would eBay buy Skype? Granted, there are some potential benefits from a customer viewpoint, such as easy communication between buyer and seller. In addition, eBay might want to keep track of their customers’ online time and habits; something an IM client would be able to provide, but seriously: Skype has no real revenue potential. Skype’s business model has long been questioned by many economists. The software is gratis and the calls are mostly gratis. Although there is a line of hardware as well as services for money, there really aren’t that many ways for Skype to make money. There aren’t even any ads to gain revenue for Skype. So where does Skype get the money from, or rather: why in the flaming red hell would eBay want to haul out $2.6 BILLION for Skype? My guess is: they wouldn’t. There is no short term profit in Skype. There is most likely little or no long term profit in Skype. If Skype ever produced enough dough for eBay to break even on the buy I would be baffled. Did eBay really pay $2.6 billion for something that will never even break even? Perhaps. Or perhaps the executives at eBay are so bold as to stick that amount of cash (and stock) on a long shot? Or perhaps they see some potential that us mere mortals cannot see? Or perhaps there is a second buyer, helping eBay finance the purchase? Do I know that NSA helped fund eBay’s purchase of Skype? No, I certainly do not.
What I DO know is:
* eBay has no obvious reason for buying Skype (granted, this being my weakest point); certainly not for $2.6 billion.
* eBay has a history of handing out extensive user information to government officials without any subpoena or court order at all.
* Skype has done everything in its power to make it impossible (warning: link to big PDF) for anyone to verify the encryption implementation or whether there are any backdoors in the program.
* Skype is known to behave in a suspicious manner, for example collecting BIOS and motherboard information – information that a VoIP/chat program has no legitimate use for. Or imposing artificial limitations based on CPU vendor.
* Skype has time and again refused to discuss Skype security issues, phone records and Skype interactions with law enforcement.
* NSA has a duty to monitor as much foreign communication as possible.
* Skype has been (presumed to be) a huge thorn in the side of NSA.
* NSA has a secret budget. Its size and its uses are unknown.
All these facts would, in a court of law, be called “circumstantial”, but putting two and two together, I wouldn’t use Skype for anything sensitive. At least not for something I wouldn’t want NSA to know, and perhaps not for anything I didn’t want a random competing US company to know either (Warning: PDF document. See point 10.9.2).
You: Well, I’m an American, so it’s illegal for NSA to spy on me!
Me: Yeah.. Dream on.™
You: Well, I’m not a terrorist, so they won’t be interested in me at all!
Me: If you accept sacrificing your privacy, that’s your choice. But just because you haven’t done anything wrong doesn’t mean they won’t watch you.
This transcript of a Skype conversation was brought to you by NSA – your friendly neighborhood Big Brother™.
1) The Foreign Intelligence Surveillance Act (FISA) of 1978 prescribes procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between or among “foreign powers”. Even though the act specifically forbids spying on US citizens without a court order, it can be argued that it is impossible to separate domestic internet traffic from non-domestic internet traffic. Therefore, in order to be able to monitor foreign internet traffic, one must monitor ALL internet traffic. Besides, the U-SAP-AT-RIOT Act of 2001 largely removes the public protection that existed in previous laws. If that wasn’t enough, GWB has shown us that rewriting the law on-the-fly as he sees fit is just as fun.
2) Yes, Skype is a peer-to-peer software, as opposed to a server-client model, but the software is not self-certifying which means it needs to connect and login to a centralized Skype server to certify each user’s public key.
3) My apologies to Julius J. Epstein, Philip G. Epstein and Howard Koch.