skype backdoor confirmation


Bryan Bishop

May 16, 2013, 4:13:51 PM
to diybio, Bryan Bishop
I thought some of our more privacy-focused biohackers would find this important and relevant.

From: Adam Back <ad...@cypherspace.org>
Date: Thu, May 16, 2013 at 2:52 PM
Subject: [cryptography] skype backdoor confirmation
To: Crypto List <crypto...@randombit.net>


So when I saw this article
http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html

I was disappointed the rumoured skype backdoor is claimed to be real, and
that they have evidence.  The method by which they confirmed is kind of odd
- not only is skype eavesdropping but it's doing HEAD requests on SSL sites
that have URLs pasted in the skype chat!

Now I've worked with a few of the German security outfits before, though not
Heise, and they are usually top-notch, so if they say it's confirmed, you
generally are advised to believe them.  And the date on the article is a
couple of days old, but I tried it anyway.  Set up a non-indexed
/dev/urandom generated long filename, and saved it as php with a
meta-refresh to a known malware site in case that's a trigger, and a passive
html with no refresh and no args.  Passed a username password via
?user=foo&password=bar to the php one and sent the links to Ian Grigg who I
saw was online over skype with strict instructions not to click.

To my surprise I see these two entries in the apache SSL log:

65.52.100.214 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -
65.52.100.214 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -

I was using skype on ubuntu, my Ian on the other end was using Mac OS X.  It
took about 45 mins until the hit came so they must be batched.  (The gap
between the two requests is because I did some work on the web server as the
SSL cert was expired and I didn't want that to prevent it working, nor
something more script like with cgi arguments as in the article).


Now are they just hoovering up the skype IMs via the new microsoft central
server architecture having back doored skype client to no longer have
end2end encryption (and feeding them through echelon or whatever) or is this
the client that is reading your IMs and sending selected things to the
mothership?

btw their HEAD request was completely ineffective per the weak excuse
microsoft offered in the article at top: my php contained a meta-refresh
which the HEAD won't see as it's in the html body.  (Yes I confirmed via my
own localhost HTTP get as web dev environments are automatic in various
ways).


So there is adium4skype which allows you to use OTR with your skype contacts
and using skype as the transport.  Or one might be more inclined to drop
skype in protest.

I think the spooks have been watching "Person of Interest" too much to think
such things are cricket.  How far does this go?  Do people need to worry
about microsoft IIS web servers with SSL, exchange servers?

You do have to wonder if apple backdoored their IM client, below the OTR, or
silent circle, or the OS - I mean how far does this go?  Jon Callas said not
apple, that wouldn't be cool, and apple aims for coolness for users; maybe he
should dig a little more.  It seems to be getting to you can't trust anything
without compiling it from source, and having a good PGP WoT network with
developers.  A distro binary possibly isn't enough in such an environment.

Adam
_______________________________________________
cryptography mailing list
crypto...@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography



--
- Bryan
http://heybryan.org/
1 512 203 0507
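
The log check described in the forwarded message, as an added example that is not part of the original post: it scans an Apache access log for requests to the two unguessable canary paths, ignores the tester's own addresses, and records which query parameter names reached the third party and whether the response body was fetched at all. The function names, the localhost exclusion list and the first two sample log lines are assumptions constructed for illustration; the two `65.52.100.214` lines are the ones quoted in the message.

```python
import re
from datetime import datetime

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The two unguessable paths from the message. They were never linked or
# indexed, so a third-party request for them means the chat text was read.
CANARY_PATHS = {
    "/CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html",
    "/CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php",
}

# Addresses the tester controls (assumption: self-checks came from localhost).
OWN_ADDRESSES = {"127.0.0.1", "::1"}

# First two lines are constructed noise; last two are quoted in the message.
SAMPLE_LOG = """\
127.0.0.1 - - [16/May/2013:12:20:11 -0400] "GET /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php HTTP/1.1" 200 312
203.0.113.9 - - [16/May/2013:12:41:37 -0400] "GET /robots.txt HTTP/1.1" 404 208
65.52.100.214 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -
65.52.100.214 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    path, _, query = m["target"].partition("?")
    # Keep parameter names only: the values are the secrets that leaked.
    params = [pair.split("=", 1)[0] for pair in query.split("&") if pair]
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "leaked_params": params,
        "status": int(m["status"]),
        # A HEAD response carries no body, so markup such as a
        # meta-refresh in the HTML is never seen by the requester.
        "body_fetched": m["method"] != "HEAD",
    }


def canary_hits(log_text, canary_paths=CANARY_PATHS, own_addresses=OWN_ADDRESSES):
    """Return parsed records for canary requests not made by the tester."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in canary_paths and rec["ip"] not in own_addresses:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Group hits by source address: count, time window, methods, leaked names."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {
            "count": 0,
            "first_seen": h["time"],
            "last_seen": h["time"],
            "methods": set(),
            "leaked_params": set(),
        })
        s["count"] += 1
        s["first_seen"] = min(s["first_seen"], h["time"])
        s["last_seen"] = max(s["last_seen"], h["time"])
        s["methods"].add(h["method"])
        s["leaked_params"].update(h["leaked_params"])
    return summary


if __name__ == "__main__":
    for ip, s in summarize_by_source(canary_hits(SAMPLE_LOG)).items():
        print(ip, s["count"], sorted(s["methods"]), sorted(s["leaked_params"]),
              s["first_seen"].isoformat(), s["last_seen"].isoformat())
```
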

Nathan McCorkle

May 16, 2013, 4:36:04 PM
to diybio
dang, what about the video feed?
> --
> -- You received this message because you are subscribed to the Google Groups
> DIYbio group. To post to this group, send email to diy...@googlegroups.com.
> To unsubscribe from this group, send email to
> diybio+un...@googlegroups.com. For more options, visit this group at
> https://groups.google.com/d/forum/diybio?hl=en
> Learn more at www.diybio.org
> ---
> You received this message because you are subscribed to the Google Groups
> "DIYbio" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to diybio+un...@googlegroups.com.
> To post to this group, send email to diy...@googlegroups.com.
> Visit this group at http://groups.google.com/group/diybio?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>



--
-Nathan

Cathal Garvey

May 16, 2013, 4:45:30 PM
to diy...@googlegroups.com
Frankly, anyone who trusts a closed-source application with their
privacy deserves what they get; a breach of trust, discovered too late.

On Thu, 16 May 2013 15:13:51 -0500
Bryan Bishop <kan...@gmail.com> wrote:

> I thought some of our more privacy-focused biohackers would find this
> important and relevant.
>
> From: Adam Back <ad...@cypherspace.org>
> Date: Thu, May 16, 2013 at 2:52 PM
> Subject: [cryptography] skype backdoor confirmation
> To: Crypto List <crypto...@randombit.net>
>
>
> So when I saw this article
> http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html
>
> I was disappointed the rumoured skype backdoor is claimed to be real,
> and that they have evidence. The method by which they confirmed is
> kind of odd
> - not only is skype eavesdropping but it's doing HEAD requests on SSL
> sites that have URLs pasted in the skype chat!
>
> Now I've worked with a few of the German security outfits before,
> though not Heise, and they are usually top-notch, so if they say it's
> confirmed, you generally are advised to believe them. And the date
> on the article is a couple of days old, but I tried it anyway. Set up
> a non-indexed /dev/urandom generated long filename, and saved it as
> php with a meta-refresh to a known malware site in case that's a
> trigger, and a passive html with no refresh and no args. Passed a
> username password via ?user=foo&password=bar to the php one and sent
> the links to Ian Grigg who I saw was online over skype with strict
> instructions not to click.
>
> To my surprise I see these two entries in the apache SSL log:
>
> 65.52.100.214 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -
> 65.52.100.214 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright
> _______________________________________________
> cryptography mailing list
> crypto...@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
>
>

Eugen Leitl

May 16, 2013, 4:47:06 PM
to diy...@googlegroups.com
On Thu, May 16, 2013 at 03:13:51PM -0500, Bryan Bishop wrote:
> I thought some of our more privacy-focused biohackers would find this
> important and relevant.

If it's not open source, it can't be trusted. Use Jitsi instead.

In related news: http://www.reddit.com/r/privacy/comments/1efdh1/google_removes_feature_to_chat_off_the_record_by/

Eugen Leitl

May 16, 2013, 4:50:41 PM
to diy...@googlegroups.com
On Thu, May 16, 2013 at 01:36:04PM -0700, Nathan McCorkle wrote:
> dang, what about the video feed?

You can assume that any relevant traffic (perhaps not
video, but audio stripped from it) goes to facilities
like http://en.wikipedia.org/wiki/Utah_Data_Center
for permanent or semipermanent storage (that much
has been admitted in public, so no need to assume).

Cathal Garvey

May 16, 2013, 4:52:21 PM
to diy...@googlegroups.com
There is no way to know, because it's closed source and there are no
callbacks with the video feed. It is unlikely that an URL displayed or
spoken would be automatically called like this, unless someone took a
specific interest in your video.

The only way to provoke evidence of voice/video interception (which is
*certainly* taking place, don't worry) would be to have a chat feed
that contains something terrorism-ish and mention an url in the
voice-feed; see then if someone visits the URL. Of course, given the
nature of this mass-interception police-state bollox, expect to be
convicted of an ill-defined blanket charge like "terrorism" regardless
of whether or not it's true.

So.. don't do that. Just expect, because really now let's not be silly,
that of *course* they are intercepting the voice and video. They own
the crypto keys, they can do whatever they like.

leaking pen

May 16, 2013, 5:11:40 PM
to diy...@googlegroups.com
be easy enough, just have it be video that's part of a "movie" you're making.

Bryan Bishop

May 16, 2013, 6:05:27 PM
to diy...@googlegroups.com, Bryan Bishop, Cathal Garvey
On Thu, May 16, 2013 at 3:45 PM, Cathal Garvey <cathal...@cathalgarvey.me> wrote:
> Frankly, anyone who trusts a closed-source application with their
> privacy deserves what they get; a breach of trust, discovered too late.

I thought the other opinions expressed were correct or valid, but not this one. Nobody "deserves" a breach of privacy in this context. That's called victim blaming. I was letting people know of some public discovery efforts that reveal url snooping, which is worth knowing about, especially if users are on skype.

But if you are arguing that it's a non-issue because we can't possibly report all cases of existing privacy infringing technologies, then yeah I guess it's a bit much to mention skype. But I can think of at least 200 biohackers that have skype accounts.

Jonathan Cline

May 17, 2013, 2:59:05 AM
to diy...@googlegroups.com, Bryan Bishop, jcline
Thanks for the info Bryan
Alternatives?



On Thursday, May 16, 2013 1:13:51 PM UTC-7, Bryan Bishop wrote:
> I thought some of our more privacy-focused biohackers would find this important and relevant.
 

## Jonathan Cline
## jcl...@ieee.org
## Mobile: +1-805-617-0223
########################

 

Bryan Bishop

May 17, 2013, 3:19:38 AM
to Jonathan Cline, Bryan Bishop, diy...@googlegroups.com, jcline
On Fri, May 17, 2013 at 1:59 AM, Jonathan Cline <jnc...@gmail.com> wrote:
> Alternatives?

jitsi? xmpp things. Mostly xmpp things..

Eugen Leitl

May 17, 2013, 5:30:52 AM
to diy...@googlegroups.com
On Thu, May 16, 2013 at 05:05:27PM -0500, Bryan Bishop wrote:

> I thought the other opinions expressed were correct or valid, but not this
> one. Nobody "deserves" a breach of privacy in this context. That's called

It is unreasonable to expect privacy in a proprietary package, operated
by a corporation. There are laws against that kind of thing, and documented
instances where laws don't matter at all.

So if you're designing that MDR pathogen library for coordinated
global delivery, you shouldn't perhaps coordinate your activities
on Skype. Or Gmail. Or your mobile, or landline. (Professionals
do it with one-time pads and number stations).

> victim blaming. I was letting people know of some public discovery efforts
> that reveal url snooping, which is worth knowing about, especially if users
> are on skype.
>
> But if you are arguing that it's a non-issue because we can't possibly
> report all cases of existing privacy infringing technologies, then yeah I
> guess it's a bit much to mention skype. But I can think of at least 200
> biohackers that have skype accounts.

Anyone who could possibly work with GM organisms is on a watchlist, so
do expect your entire cleartext to be screened in realtime and forwarded
for storage, and (your entire) cyphertext stored for later analysis.
Higher-value targets should expect their infrastructure to be compromised,
and highest-value by physical layer bugs planted in their absence.

Assuming anything else would not be conservative.

Ashley Heath

May 17, 2013, 3:54:46 PM
to diy...@googlegroups.com
A really dumb question but why are the open source options safer exactly?

Nathan McCorkle

May 17, 2013, 4:14:55 PM
to diybio
Because presumably some kind-hearted (but possibly non-existent)
hacker has reviewed and continues to review the code for devious code.
Presumably if there was something bad happening in the code, this
kind-hearted hacker would fix the code and make public their findings
and how they fixed it.

I'm not sure that actually happens, there's also the issue of trusting
said person (or persons) in general.

Cathal Garvey

May 17, 2013, 4:22:38 PM
to diy...@googlegroups.com
Primarily because you can search the source code for malign activities
yourself, and either compile the application directly from your
sanity-checked code, or verify (somehow) that the
provided-for-convenience binaries match a compiled version of the
non-malicious source code.

More generally, because open source projects are often community
managed without a clear monetary incentive to invade privacy.

However, for some projects this isn't necessarily useful. Large enough
projects are often divided across many very large files, and parsing
these can be all but impossible for anyone but the developer. If it
weren't for its track record, I'd be suspicious of Truecrypt, for
example, as it's been accused of being giant and largely
incomprehensible despite having the whole source code available for
review or manual compilation.

Really, you don't check the source code yourself. For a large enough
open source project, you simply accept that other people out there
*do*, and you'd have heard about malicious code by now if it existed in
the code-base. As the old saying goes, with enough eyes, all bugs are
shallow. Put that in the context of a surveillance bug and the
principle remains valid.

Jonathan Cline

May 17, 2013, 7:38:48 PM
to diy...@googlegroups.com
Because the open source clients are peer-to-peer: therefore are safer (more private and secure).  They don't go through a central server (like Microsoft-Skype does now).  Originally, skype was peer-to-peer, specifically by design (including to ensure privacy, specifically), but as part of the Microsoft acquisition, Skype apps now route traffic through Microsoft central server(s).   Skype was originally written to behave like a torrent client (in fact, by the same hackers; see Kazaa) where traffic patterns/routes are indeterminate and encrypted, i.e. conversations would be inherently untraceable and secure (private) between only the parties involved.  Too bad that Microsoft has twisted the technology into unusability (history repeats itself!).
 



On Fri, May 17, 2013 at 12:54 PM, Ashley Heath <ovici...@gmail.com> wrote:

Nathan McCorkle

May 17, 2013, 7:53:52 PM
to diybio
jitsi seems to offer h.264, which sounds great, but I can't tell what
encryption method it uses, if it's acting on each video frame or
stream packet? Also there's no android app in the Google Play store



--
-Nathan

Eugen Leitl

May 18, 2013, 2:52:10 AM
to diy...@googlegroups.com
On Fri, May 17, 2013 at 04:38:48PM -0700, Jonathan Cline wrote:
> Because the open source clients are peer-to-peer: therefore are safer (more
> private and secure). They don't go through a central server (like
> Microsoft-Skype does now). Originally, skype was peer-to-peer,
> specifically by design (including to ensure privacy, specifically), but as
> part of the Microsoft acquisition, Skype apps now route traffic through
> Microsoft central server(s). Skype was originally written to behave like
> a torrent client (in fact, by the same hackers; see Kazaa) where traffic
> patterns/routes are indeterminate and encrypted, i.e. conversations would
> be inherently untraceable and secure (private) between only the parties
> involved. Too bad that Microsoft has twisted the technology into
> unusability (history repeats itself!).

As a company you're required to comply with all kinds of regulations
and off-the-record pressure and will be shut down or fined if you
don't comply.

An open source project with many contributors all over the world
is immune to such pressure. It is not immune to subtle backdoors
being planted by contributors, which would be very hard to detect
during a code review, if done competently.

However, this is a whole different ballgame than just intercept
and forward cleartext traffic from the supernodes you control.

Bryan Bishop

May 18, 2013, 4:25:59 AM
to danboarder, Bryan Bishop, diy...@googlegroups.com, jcline
On Sat, May 18, 2013 at 3:10 AM, danboarder <tro...@gmail.com> wrote:
> It is free and has replaced skype for most video calls and has better screen/app level sharing. It's cross-platform and secure. It's marketed for medical use but it works as good as skype for anyone, I think.

I think you completely failed to read the other messages in the thread. There's no way that you can guarantee to me that it's secure (and even if you did, I wouldn't trust you), because you (in all likelihood) do not have access to the source code of this software. You could potentially reverse engineer it to read what it's doing, but that would take some amount of effort that, again, I am skeptical you have put in.

It's a shame that security products are being marketed to doctors like that.

John Griessen

May 18, 2013, 6:24:00 PM
to diy...@googlegroups.com
On 05/16/13 15:47, Eugen Leitl wrote:
> If it's not open source, it can't be trusted. Use Jitsi instead.
>
> In related news: http://www.reddit.com/r/privacy/comments/1efdh1/google_removes_feature_to_chat_off_the_record_by/

Reading about the Utah data center recorder at $2B + $40m/yr is scary, and then google going evil...
What next? jitsi and bitcoin for ordinary, non-drug-dealer folks? Aaa-aaaaaa-aaargh..

Eugen Leitl

May 20, 2013, 3:32:27 AM
to cyphe...@al-qaeda.net, in...@postbiota.org, diy...@googlegroups.com, zs-...@googlegroups.com
----- Forwarded message from Jacob Appelbaum <ja...@appelbaum.net> -----

Date: Sun, 19 May 2013 19:41:43 +0000
From: Jacob Appelbaum <ja...@appelbaum.net>
To: crypto...@randombit.net
Cc: Citizenship at Microsoft <mcit...@microsoft.com>
Subject: Re: [cryptography] skype backdoor confirmation

Krassimir Tzvetanov:
> To the best of my knowledge in Russia (no, I'm not Russian nor have lived
> there so I'm not 100% sure) you need to submit a copy of the private key if
> you are operating a website providing encryption on their territory to
> allow for legal intercept.
>
> They also have other provisions about wiretapping and monitoring which
> would mean that Skype really has no options if they want to _legally_
> operate there... It's just the way the local legislation is rather than a
> function of how Skype is. They are just following the law. Now if somebody
> does not like the law there are other ways to approach this but
> breaking/violating it is usually one that is not effective.
>
> I think this discussion is focusing too much into the technical details and
> forgets a simple detail - doing some of those things to increase privacy
> may itself be _illegal_ in certain jurisdictions which make this even more
> fun.
>
> It's not impossible but it is usually very difficult to provide technical
> solutions to political/politics problems. That's of course just my
> experience :)
>
> Cheers,
> Krassimir

Hi,

I'm late to the party on this list but I've been worried about these
kinds of backdoors in Skype for quite some time. My worry partially
comes from the common rumors, of which there are many, though it is
largely the existential proof, the economic, the political and the
social contextual issues that raise the largest concerns in my mind.

As we've seen with Cisco, we know how some of these so-called lawful
interception systems are implemented:

http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html

This patent by Microsoft may be of interest to those looking into Skype,
automated interception and probably many other kinds of interception -
note that this is not just a matter of recording, it in fact *tampers*
with the data:

"Aspects of the subject matter described herein relate to silently
recording communications. In aspects, data associated with a request to
establish a communication is modified to cause the communication to be
established via a path that includes a recording agent. Modification may
include, for example, adding, changing, and/or deleting data within the
data. The data as modified is then passed to a protocol entity that uses
the data to establish a communication session. Because of the way in
which the data has been modified, the protocol entity selects a path
that includes the recording agent. The recording agent is then able to
silently record the communication."


http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=1&f=G&l=50&d=PG01&p=1&S1=20110153809&OS=20110153809&RS=20110153809

Note that this is from 2009 and the Skype purchase was not finalized
until 2011.

Perhaps the authors (Ghanem; George; (Redmond, WA) ; Bizga; Lawrence
Felix; (Monroe, WA) ; Khanchandani; Niraj K.; (Redmond, WA)) of that
patent are open to discussing how they might improve on their patent for
a peer to peer system as deployed today? :)

Skype is clearly inspecting the entire message and right now, we have an
existential proof that they extract at least HTTP and HTTPS urls and
process them in some fashion. I suspect that it would be a useful idea
to insert many different kinds of protocols to see the depth of the
rabbit hole probing, so to speak.

http://user@password:www.example.com/secret-area
magnet://[hash]
ftp://ftp.example.com
https://user@password:www.example.com/secret-area
telnet//user@password:telnet.example.com

I would also suggest that we might try a few hacks to determine where
the parsing, inspection and extraction of interesting data is or isn't
taking place. As an example - run Skype in a virtual machine, type a
message - delay the message sending to the network, freeze the virtual
machine and flip a single bit in the url already in the outbound message
queue. This isn't trivial to do with Skype by any means but it most
certainly isn't impossible for someone with the inclination.

We know that Skype clients sync up the social graph of a given user;
they call this a buddy list. This suggests that information in the
directory of clients and the linked list for relationships is stored on
their servers - is it encrypted in a way that may not be recovered by
anyone other than the user? Skype dynamically routes calls to devices,
does this imply that the location of the user is disclosed to the
network or stored in some kind of time series data structure? Chat
message history is in sync across clients, how is this data stored?
Messages may be queued for a given user - how are these messages
encrypted, authenticated and retained to ensure integrity during the
queuing? We also know that Skype is able to call out with the feature
SkypeOut - so we know that someone has to comply with CALEA - even if it
isn't Microsoft, the calls/sms hit a VoIP gateway or the SS7 network
somewhere. Who peers with them? Have any telecom switch operators
attempted to trace these calls and openly published the metadata that is
normally not available to end user telephone systems? This is among many
other "features" that deserve a discussion and by no means an exhaustive
list.

We see that there is a great deal of pressure around the world to allow
for interception:


http://www.rudebaguette.com/2013/03/12/skype-may-face-criminal-charges-if-it-doesnt-let-french-police-listen-in-on-skype-calls/

We also see that there are variants of Skype that *do* inspect text that
is on censorship lists:


http://www.businessweek.com/articles/2013-03-08/skypes-been-hijacked-in-china-and-microsoft-is-o-dot-k-dot-with-it

http://cs.unm.edu/~jeffk/tom-skype/

The above of course says nothing of the Tom Skype fiasco that included
untold numbers of unencrypted chat messages being logged on open
web-servers as exposed by Citizen Lab as well as others.

We see that location privacy is clearly not a priority and if it is,
they've failed at the goal:


http://community.skype.com/t5/Security-Privacy-Trust-and/Easy-way-to-lookup-IP-address-of-a-skype-username/td-p/689903


http://bits.blogs.nytimes.com/2011/11/29/skype-can-expose-your-location-researchers-say/

To distinguish how this failure happens, I propose a simple experiment.
It should be possible to give a Skype client a public IP and then
transparently route all of its traffic over Tor - if the Skype client
reports on its IP to the network, it will give the public IP bound to
the interface, if it does it through some network activity or if the
network service discovers the IP, the Tor exit node IP will be
disclosed. I suspect there are a few other variants and different
internal Skype systems likely have access to different IP addressing
information.

Chat syncing supposedly happens between clients that are online, though
one wonders how this connection is internally authenticated, as well as
if anyone may simply remotely pull the chat logs from a given client:


http://community.skype.com/t5/Windows-desktop-client/Chat-History-on-Multiple-Computers-Retaining-one-deleting-other/td-p/159190


http://community.skype.com/t5/Security-Privacy-Trust-and/Is-chat-history-stored-on-Skype-servers/td-p/472379

Note that Skype claims that they do store this for ~30 days:

http://www.skype.com/en/legal/privacy/#12

Really though, I don't know how clear cut their backdoor needs to be
disclaimed than the following text from the above link:

"Skype will retain your information for as long as is necessary to: (1)
fulfill any of the Purposes (as defined in article 2 of this Privacy
Policy) or (2) comply with applicable legislation, regulatory requests
and relevant orders from competent courts.

"Retention of Instant Messages, Voicemail Messages, and Video Messages
(Skype internet communications software application only)

"Your instant messaging (IM), voicemail, and video message content
(collectively “messages”) may be stored by Skype (a) to convey and
synchronize your messages and (b) to enable you to retrieve the messages
and history where possible. Depending on the message type, messages are
generally stored by Skype for a maximum of between 30 and 90 days unless
otherwise permitted or required by law. This storage facilitates
delivery of messages when a user is offline and to help sync messages
between user devices. For IM, if you have linked your Skype and
Microsoft accounts, you may have the option to choose to store your full
IM history for a longer period. In that case, your IMs may be stored in
your Outlook.com Messaging folder until you manually delete them. For
Video messages, you may also choose to store messages for an extended
period if the sender is a Premium Member.

"Skype will take appropriate technical and security measures to protect
your information. By using this product, you consent to the storage of
your IM, voicemail, and video message communications as described above."

Yowza!

There are specific properties that many desire from a communication
system. It seems that we have seen reports of some of these things
working in a way that suggests most of it is done in the simplest manner
possible: without strong cryptography, if any cryptography, and without
strong technical privacy of any sort. Often technically illiterate
journalists, especially Microsoft apologists, will suggest that Skype is
encrypted - this is of course hand waving bordering on masturbation - of
course there is encryption of sorts. The questions are about what data
is stored, who has access to that data and how that data is protected -
these issues are absolutely not disclosed in any meaningful sense - not
the least of which is with the source code of an end user client that we
are welcome to analyze openly.

I might add that some tactical hacking shops have a collection of 0day
for Skype that is used to break into "suspects" computers for insertion
of malware. My guess is that this is so common that it is commercially
supported by backdoors. This likely includes Remote Control System's
Hacking Team tools, a.k.a. DaVinci and FinFisher, which we know uses
Skype's API directly:

https://twitter.com/botherder/status/334775398904758273

I should also add that I had the chance to meet one of the founders of
Skype last week. I encourage people to reach out to the founders and to
directly and politely ask about interception capabilities, legal
requirements as well as architectural designs; most of this is
pre-Microsoft, of course. Still we'll begin to understand the historical
context for the current behaviors, we may even find historical behaviors
that match present behaviors.

I would also suggest looking at the court dockets and cases filed in
Luxembourg. I suspect that the number of lawful orders is not zero and
that the number of times data has been returned is also not zero.

So to summarize, we have strong evidence or admission from Skype and/or
Microsoft for the following:

Skype logs chat, buddy list, audio, video, email address and more.
Data is stored/disclosed to third parties in various circumstances.
Data is unencrypted and data-mined by machines.
Data is used by Skype/Microsoft for various reasons.
Skype API is used by malware used by thug pigs in dictatorships.
Skype API is used by malware used by Honest Cops in the Free World.
Skype's binary is obfuscated to prevent analysis by reverse engineers.
SkypeOut touches networks that must be CALEA compliant.

I wouldn't use this for activism anywhere in the world. I can't imagine
that it would be reasonable for victims of domestic violence, amongst
other likely users, to use it either.

Perhaps Microsoft will fix all of these things? And if they're not
interested in fixing it, perhaps they might comment on it and line by
line confirm, deny or explain these issues?

The Microsoft Law Enforcement Requests Report seems to suggest that
they're open to hearing from the wider community:


http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency

I've cc'ed the email mentioned on their transparency report - I did this
previously and never received a substantial reply; perhaps this time?

All the best,
Jacob
_______________________________________________
cryptography mailing list
crypto...@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5

Jonathan Cline

May 27, 2013, 12:41:30 AM5/27/13
to diy...@googlegroups.com, jcline


On Friday, May 17, 2013 11:52:10 PM UTC-7, eleitl wrote:
> On Fri, May 17, 2013 at 04:38:48PM -0700, Jonathan Cline wrote:
> > Because the open source clients are peer-to-peer: therefore are safer (more
> > private and secure).  They don't go through a central server (like
> > Microsoft-Skype does now).  Originally, skype was peer-to-peer,
> > specifically by design (including to ensure privacy, specifically), but as
> > part of the Microsoft acquisition, Skype apps now route traffic through
> > Microsoft central server(s).   Skype was originally written to behave like
> > a torrent client (in fact, by the same hackers; see Kazaa) where traffic
> > patterns/routes are indeterminate and encrypted, i.e. conversations would
> > be inherently untraceable and secure (private) between only the parties
> > involved.  Too bad that Microsoft has twisted the technology into
> > unusability (history repeats itself!).
>
> As a company you're required to comply with all kinds of regulations
> and off-the-record pressure and will be shut down or fined if you
> don't comply.


The above is not really true in the real world.  Corporations only need to appear to follow the law -- they don't need to actually follow it.  If corporations really followed the law, then youtube would not exist.  Youtube's original founders (Napster) apparently revelled in the idea of it being used for video piracy and music piracy.  In the early days of youtube the site was primarily stolen music videos and stolen music tracks for fan-made videos.  Youtube apparently ignored copyright law and only said it was complying with the law, when it was obvious that it was not.  After the acquisition by Google, there were more promises of compliance, and some apparently random enforcement, yet still today nearly the entire site is an example of music piracy.  Other video sites which did strictly comply with the law (vimeo, blip, ..) were not as successful as youtube for obvious reasons (copyright violations resulted in instant video takedowns and account removal, so they weren't as popular), and as a result these companies were not acquired by Google.  Google has apparently been able to avoid the off-the-record pressure you refer to, and basically keep up its illegal practices.  Copyright law is law.  Good law or bad law, it is law.  Perfect example of a corporation internally ignoring the law while publicly claiming compliance.

So there is no reason to believe that, if Microsoft really wanted to, they couldn't somehow maintain that Skype needs to remain completely encrypted, anonymously-routed, peer-to-peer technology, and as a result, ensure privacy to the end users, or only for internet chats & calls which don't terminate to the FCC-regulated PSTN.  Obviously this privacy is not important to Microsoft.  In fact, Microsoft probably wants to spy on chat links and chat conversations and voice conversations, much like Google wanted to spy on all available wifi networks while roaming around the streets of Europe with their mapping cars.  It's data, for the big data machines to use. 

Cathal Garvey (Android)

May 27, 2013, 4:22:35 AM5/27/13
to diy...@googlegroups.com
I'm no Google fan, but under the DMCA Youtube is perfectly compliant. More than necessary, in fact, evidenced by the existence of privileged Takedown-bots built by RIAA/MPAA and given backdoor access by Google.

Under the DMCA, you are compliant if you remove infringing content *when asked to by the supposed 'owner'*. YouTube does.

In any case, it's a bit of a diversion away from the core message: if ye want to chat about biohacking or whatever with friends, use Jitsi, not Skype or Google Whatever. Don't trust companies to protect you; even if they wanted to, they can be forced to betray you easily enough.
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.