Re: Skype 安全问题 也许内置了一个后门


wanghx

unread,
Oct 5, 2008, 6:11:10 PM
to Salon Friends, lihlii-g
http://www.ghacks.net/2008/07/24/skype-backdoor-speculations/
Skype Backdoor Speculations

24 Jul

The well respected German website Heise Online has fueled speculation about a backdoor implemented in the Voice over IP software Skype. According to Heise, the Austrian interior minister revealed at a conference with representatives of ISPs and the Austrian regulator on lawful interception of IP-based services that they were able to listen to Skype conversations; this was confirmed to Heise by several attendees of the conference.

Heise was not able to get a statement from eBay about the allegations other than that it would not comment on media speculation. The Austrian broadcaster ORF (German article) published an article last week that already contained the allegation that the Austrian police were able to listen to Skype conversations. Listening to Skype conversations was not trivial but doable.

Summary: According to rumours, the voice communication software Skype may have a built-in backdoor that allows calls to be eavesdropped on. Skype has declined to deny the speculation. At the conference on "lawful interception of IP-based services" held on July 25, a senior official of the Australian Interior Ministry said that eavesdropping on Skype calls was no problem for them. Conference attendees confirmed that these remarks were made. Speculation that Skype has a backdoor goes back a long way; the company has not disclosed the details of its proprietary Skype protocol or how the client works. ...

http://www.ghacks.net/2008/10/02/time-to-look-for-a-skype-alternative/
Time To Look For A Skype Alternative
from gHacks technology news by Martin

The voice over IP client Skype never got off the radar of privacy activists. There were always rumors about backdoors in the voice communication software and that several organizations were able to record calls made by Skype users although Skype claimed otherwise.

Skype messages have been in the focus of privacy groups since the first news about text filtering of messages in China became public. Back then Skype released an official statement that the text filter applied by the Chinese Skype partner Tom Online would not affect Skype's security and encryption mechanisms, that people's privacy would not be compromised, and that calls, chats and other forms of communication on Skype would continue to be encrypted and secure.

Researchers and privacy activists of the University of Toronto discovered files on unprotected Chinese computers that contained filtered Skype messages that were recorded in China.

The filtering system uses a blacklist of words that will not be shown in Skype conversations. If a blacklisted word is sent over Skype, the word is filtered and the conversation is recorded, including personal information about the users taking part in the chat.

Some of the words that cause the filtering and recording are Tibet, Taiwan Independence and Voice of America. There is no way of telling if and how Skype is working with authorities in other countries but who would want to risk that?

The Electronic Frontier Foundation has Skype replacements on their priority list with links to multiple voip clients that can be downloaded freely.

The complete report from the researchers can be downloaded at the Infowar Monitor website. The major findings list:

    * The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
    * These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
    * The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
    * Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.


http://chinagfw.blogspot.com/2008/10/faq-for-conceptdoppler.html
FAQ for ConceptDoppler
from GFW Blog by GFW Blog
 

What is the GFC?

The Great Firewall of China (GFC) is a system set up by the Chinese government for censoring the Internet. It is comprised of many techniques, including IP address blocking, DNS redirection, and keyword filtering. Keyword filtering can be done to prevent the transmission of blacklisted keywords or to flag pages for manual inspection. It can be implemented in specific programs (e.g. QQChat, a popular chat client), blog sites, e-mail, or in Internet routers. All of our results are specific to HTTP keyword filtering by Internet routers. This filtering is applied to World Wide Web traffic. We chose to focus on a specific mechanism and learn as much as possible about that mechanism alone. For more general information on other mechanisms, we will refer you to The Open Net Initiative.

 

What is ConceptDoppler?

ConceptDoppler is a weather tracker for Internet censorship. Using ConceptDoppler we can track the list of keywords that a government uses to censor Internet traffic. For GFC keyword filtering, we can also locate the routers performing filtering and deduce the architecture of this censorship mechanism.

 

Why do you call it ConceptDoppler?

We use Latent Semantic Analysis (LSA) to prioritize the words we check. Just as an understanding of the mixing of gases led to effective weather tracking, understanding the relationship between sensitive concepts and blocked keywords will lead to more effective tracking of Internet censorship. More details are available in the paper.

 

Is the GFC a "fraud?"

We do not consider the GFC to be a "fraud," nor were we the originators of that particular language. The hypothesis set forth in our paper is that the GFC is effective in a very different way, because it acts as a Panopticon and not strictly as a firewall. The Chinese government does not make any specific claims as to the GFC's effectiveness, so we have not debunked any specific claim. We are attempting to clear a misconception: that all information is necessarily filtered strictly at the border of the Chinese Internet without exception.

 

What is really interesting about this work, i.e., what are your suggested soundbites?

  1) That the GFC's keyword filtering mechanism is not a firewall that peremptorily blocks at the border of the Chinese Internet (blocking may occur deeper into the Chinese Internet, may be sporadic during busy Internet periods, and for 28% of the paths we tested did not occur at all);
  2) The keywords that are targeted with censorship are surprising, and include words such as (in Chinese) conversion rate, Mein Kampf, Hitler, Deauville, and many other unexpected results; and
  3) Keyword filtering is a seemingly precise mechanism with imprecise results that have unique implications, meaning that a great deal more content is filtered than what the censors intended. Examples are any web page containing the keyword (in Chinese) massacre; or that contain (in Chinese) North Rhine Westphalia which, when spelled in the Chinese characters used for foreign words, appears to contain the word "falun" that is meant to target content about Falun Gong.

Why is knowing the keyword blacklist important?

A major reason why knowing the blacklist is important is that we can compare a particular government's application of Internet censorship to their stated purposes. For example, consider this page that quotes U.S. Congressman Jim Leach:

Even though the Chinese Constitution requires that restrictions on freedom of speech and press be openly legislated and transparently applied, he said, "In reality, restrictions imposed by officials are often premised upon ill-defined concepts of 'social stability,' 'state security,' and 'sedition' that mask what is in fact mere intolerance of dissent."

Knowing exactly what is on the keyword blacklist can help us to support or refute these kinds of statements. For example, the fact that keywords such as (in Chinese) conversion rate, Mein Kampf, Hitler, and Deauville (where the Asian Film Festival is located) appear on the list lends support to Congressman Leach's statement.

 

Did you call the GFC a "Panopticon" to imply that the Chinese Internet is a prison?

We never intended this sort of political connotation. The target audience of our paper were other technical researchers whose research focus is on privacy and censorship, and we were trying to communicate that censorship mechanisms do not have to be 100% effective to fulfill the goals of the censor. This is important because it means that evading the GFC is a harder problem. While evading a firewall a single time defeats its purpose, it would be necessary to evade a Panopticon almost every time.

 

Are you trying to "topple" the Great Firewall of China?

No. We are trying to understand it, and to help those who care about forming policy concerning Internet censorship (in all countries around the world) to understand it as well. There are many lessons to be learned about keyword filtering and the technical challenges of Internet router filtering, and these lessons have broad implications.

If we choose to do any research about evasion in the future it will be only to aid in understanding.

 

Are your efforts aimed against China and/or against Censorship?

No. Different members of the ConceptDoppler team have different political opinions on various issues, including government Internet censorship. We have tried very hard to not politicize our technical research, but this is very difficult and sometimes particular opinions come out in a choice of wording or in our answers to questions from the media. Also, sometimes media reports offer their own interpretation of the results of a technical study on which they are reporting. We are happy to see this variety of opinions in the discussion of our research, but encourage you to read our paper and the original press release before attributing any particular statements to the ConceptDoppler team.

 

What about censorship in other countries?

We chose to focus on China because the GFC's keyword filtering implementation, where reset packets are sent in both directions, enabled the type of probing we wanted to do, and because the GFC is the most elaborate Internet censorship mechanism. The Open Net Initiative is a good source of general information about Internet censorship in other countries and censorship mechanisms other than keyword filtering.

 

Do your results reflect on the GFC as a whole?

Without similarly testing other components of the GFC (e.g., IP blocking or e-mail keyword filtering), the only definitive conclusions we can reach are specific to HTTP keyword filtering.

 

Why focus on keyword filtering?

One reason is that the GFC's keyword filtering mechanism allows us to probe it from outside of China. This allows us to perform two types of probing: 1) to see where in the Chinese Internet the filtering routers are located, and 2) to test keywords to find out if they are blocked or not. Locating the filtering routers can give us insights into how and why the filtering is implemented, such as our proposition that the GFC is more of a Panopticon than a firewall. Reverse-engineering the blacklist of keywords can tell us what topics the government is targeting, with sometimes surprising results such as Hitler and Mein Kampf (in Chinese) or the Deauville Asian Film Festival.

A more important reason is that keyword filtering is unique compared to other forms of Internet censorship. Filtering a keyword can lead to censorship of many more topics than intended; for example, filtering for Falun Gong (in Chinese) can lead to censorship of articles about North Rhine-Westphalia, a state in western Germany.

 

Why did you choose the term "Panopticon?"

We wanted to capture the idea that the GFC is a mechanism that promotes self-censorship, and a Panopticon was a convenient analogy for doing this. The idea behind a Panopticon is that those being watched modify their behavior precisely because they are not sure if others may be watching them. The fact that the original coinage of the term Panopticon describes a prison design was not an important part of our choice of wording. We are following the more abstract usage of Michel Foucault in his book "Discipline and Punish: The Birth of the Prison."

Many experts had made this observation about the GFC, that it promotes self-censorship, before we did our work, but we chose the term "Panopticon" as an alternative to "firewall," since our results clearly show that the GFC is not a "firewall" in the strict sense of the term. A firewall would block all offending traffic at the border of the country's Internet. Our work adds quantitative measurements to an idea that had already been expressed by many experts about the GFC.

The opinions of Chinese Internet users vary widely, but many that we have talked to feel that keyword filtering is applied not just to block access to web sites but also to log Internet traffic for review by law enforcement. This is (as of September 2007) stated as a fact on the Chinese-language version of Wikipedia: http://zh.wikipedia.org/wiki/GFW. Whether this is rumor or fact, the effect that such a belief has on the Internet usage behavior of those who believe it is real. The fact that some Chinese Internet users regularly use proxies and other evasion techniques to get around the censorship does not change this fact.

 

What assumptions are you making by testing only GET requests from outside of China?

There are six possibilities for keyword filtering of HTTP traffic: both GET requests (when you request a web page from a web server, in other words) and HTML responses (the actual web page that comes back to you) may be filtered; and this might occur for U.S.-to-China traffic, China-to-U.S. traffic, and China-to-China traffic. We believe the keyword filtering is symmetric in two ways: it does not matter to the filtering router which direction the traffic is going, and the blacklist of keywords is the same for GET requests and HTML responses. We also believe that China-to-China connections can be subject to keyword filtering, but due to router placement this is more unlikely than for international connections. We plan to verify these assumptions, and would be interested in any input you might have (conceptREMOVEC...@gmail.com).

 

How does the keyword filtering work?

From our news release: "In 2006, a team at the University of Cambridge, England, discovered that when the Chinese system detects a banned word in data travelling across the network, it sends a series of three 'reset' commands to both the source and the destination. These 'resets' effectively break the connection." For more details see our paper or Clayton et al., "Ignoring the Great Firewall of China," at the 6th Workshop on Privacy Enhancing Technologies, 2006.

Much work is needed before we can answer specific questions, such as whether the filtering routers reconstruct TCP flows or simply scan each packet and ignore the possibility that a keyword is broken up across two packets. Also, we believe that the keyword filtering implementation is heterogeneous, meaning that it works differently in different places even if the keyword list appears to be the same, and both ourselves and the Cambridge researchers have found the implementation to change over time. One example is that their research concluded that no SYN/SYNACK handshake was necessary for keyword filtering to occur, while we found this handshake to be necessary in at least some places. The GFC implementation might have changed between their experiments and ours.
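As an added illustration of the two points above (the three-resets-to-each-side behaviour reported by Clayton et al., and the open question of whether a filtering router reassembles TCP flows or scans each packet on its own), here is a toy model written for this page; it is not ConceptDoppler's code and not a description of the real routers. The blacklist, endpoint names and HTTP segments are constructed sample data, and reassembly assumes in-order, non-overlapping segments.

```python
"""Toy model of a keyword-filtering router as described in the FAQ.

Constructed example: the same HTTP GET request sent once with the blacklisted
word intact in a single TCP segment, and once split across two segments.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample blacklist; real lists are in Chinese and change over time.
BLACKLIST = ("falun", "massacre")


@dataclass(frozen=True)
class Segment:
    src: str        # sending endpoint, e.g. "client" or "server"
    dst: str        # receiving endpoint
    payload: bytes  # TCP payload carried by this segment


@dataclass(frozen=True)
class Reset:
    to: str         # endpoint the forged RST is addressed to


@dataclass
class FilterRouter:
    """Scans payloads for blacklisted words and injects RSTs on a hit."""
    reassemble: bool                      # True: scan the reassembled stream
    blacklist: tuple = BLACKLIST
    streams: dict = field(default_factory=lambda: defaultdict(bytes))
    resets: list = field(default_factory=list)

    def matches(self, data: bytes) -> bool:
        text = data.decode("utf-8", errors="ignore").lower()
        return any(word in text for word in self.blacklist)

    def inspect(self, seg: Segment) -> bool:
        """Process one segment; return True if it triggered injected resets."""
        key = (seg.src, seg.dst)
        if self.reassemble:
            # Assumes in-order, non-overlapping segments; out-of-order and
            # overlapping data are the hard part of real flow reconstruction.
            self.streams[key] += seg.payload
            data = self.streams[key]
        else:
            # Per-packet mode: a keyword split across two segments is invisible.
            data = seg.payload
        if not self.matches(data):
            return False
        # Clayton et al. (2006): three resets towards each side of the connection.
        for _ in range(3):
            self.resets.append(Reset(to=seg.dst))
            self.resets.append(Reset(to=seg.src))
        self.streams.pop(key, None)  # connection is torn down; drop its state
        return True


def run(segments, reassemble: bool):
    """Feed segments through a fresh router; return (per-segment hit flags, resets)."""
    router = FilterRouter(reassemble=reassemble)
    hits = [router.inspect(s) for s in segments]
    return hits, router.resets


def resets_per_endpoint(resets) -> dict:
    """Defender-side summary: how many forged RSTs each endpoint would receive."""
    return dict(Counter(r.to for r in resets))


# Constructed sample traffic: the same request, intact and split mid-keyword.
INTACT = [Segment("client", "server",
                  b"GET /search?q=falun HTTP/1.1\r\nHost: example.test\r\n\r\n")]
SPLIT = [
    Segment("client", "server", b"GET /search?q=fa"),
    Segment("client", "server", b"lun HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for name, segs in (("intact", INTACT), ("split", SPLIT)):
        for mode in (False, True):
            hits, resets = run(segs, reassemble=mode)
            print(f"{name:6} reassemble={mode!s:5} hits={hits} "
                  f"resets={resets_per_endpoint(resets)}")
```

Running it shows the intact request triggering six resets in both modes, while the split request is only caught once the router reassembles the stream; the same distinction decides whether any DPI or IDS engine sees tokens that straddle segment boundaries.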

 

Why not ask the Chinese government for the blacklist and the locations of the filtering routers?

We doubt that the Chinese government would make this information public. We base this on several events that have been published in the media. The first was the release of the QQChat keyword blacklist, where the hackers responsible for extracting this list from the QQChat software chose to remain anonymous. Given the media attention this release received, if the HTTP list were easy to obtain we believe that the media would have done so already. By comparing our first keyword list produced by ConceptDoppler to this list it is apparent that the HTTP list is different or has changed a great deal; for example, Hitler and Mein Kampf were not on the 2005 QQChat list. Also, dissidents' names and other keywords may be added to the list and removed based on current events, making it necessary to track the list over time. Finally, it appears that many companies that are complicit in keyword censorship are unwilling to release the keywords, for example "[No] Skype executive, however, has clarified exactly which regulations are being complied with or which keywords are involved." If the companies are unwilling to release the blacklist of keywords, it is unlikely that the government would be willing to do so.

Furthermore, if the information were made public it would still be necessary to verify it. Also, ConceptDoppler can be applied to any form of keyword-based censorship where an answer is returned as to whether a word was censored or not.

If you know who to contact to get the up-to-date blacklist and the locations of the filtering routers, please e-mail us (conceptREMOVEC...@gmail.com) and let us know.

 

Have you tested every word?

We have not. Rather than testing every word, we test words that are related to concepts that are known to be controversial or blocked. Efficiency in terms of the number of words that we test is critical for several reasons. One reason is that continually testing millions of terms that will probably never be blacklisted hinders our ability to discover a new keyword as soon as possible after it is added to the blacklist. Another important reason is that probing is invasive, since it uses the network resources of others.

 

Can I try it?

If you are curious about just trying out some of our words, you can. The simplest way to test a word is to enter it into www.yahoo.cn. For instance, if you search for 'falun' in www.yahoo.cn you will most likely receive an error message saying that your connection has been reset. Typically, if you do receive a reset, you will remain blocked from yahoo.cn for approximately 90 seconds.

 

What should I do if I find new words that are not on your list?

We would be very interested to hear about new words that you might have stumbled upon or have special insight on. Please email us at conceptREMOVEC...@gmail.com and let us know. We can feed this new word into our Doppler engine to search for a whole new batch of words.

 

How can I contribute?

If you have ideas about topics or concepts that might be blocked please let us know. You can email us at conceptREMOVEC...@gmail.com.

 

What is a Panopticon?

The original Panopticon was a prison design developed by the English philosopher Jeremy Bentham in the 18th century. Bentham proposed that a central observer would be able to watch all the prisoners, while the prisoners would not know when they were being watched.

 

Is ConceptDoppler open source?

Please e-mail us at conceptREMOVEC...@gmail.com with any inquiries about the source code. Also, all packets (with timestamps) from the Internet measurement part of the research were saved in an SQL database. If you want to attempt to duplicate our results or use this for some other research purpose we can make the database available to you.

 

From North America/Europe, it appears that yahoo.cn is subject to keyword filtering and google.cn is not. What does this mean?

We are not sure. If you know, or have tested this from another continent, please e-mail us (conceptREMOVEC...@gmail.com). One possibility is that there is a router between where you are testing from and yahoo.cn where keyword filtering is being applied, but there is no such router between your source location and google.cn. Whether keyword filtering is applied depends on the path that the packets take, and whether that path contains at least one router that performs keyword filtering. For example, we see keyword filtering of GET requests destined for yahoo.cn, but there is apparently no filtering of HTML responses from yahoo.cn, not even for keywords that we know to be filtered in HTML responses coming from other places. Internet routes are often asymmetric, meaning that there may be a filtering router along our route to yahoo.cn but no filtering router along yahoo.cn's route to us. Another possible explanation as to why google.cn does not seem to be subject to keyword filtering:

"Since announcing its intent to comply with Internet censorship laws in the People's Republic of China, Google China has been the focus of controversy over what critics view as capitulation to the 'Golden Shield Project' (also known as the Great Firewall of China). Because of its self-imposed censorship, whenever people search for interdicted Chinese keywords on a blocked list maintained by the PRC government, google.cn will display the following at the bottom of the page (translated): In accordance with local laws, regulations and policies, part of the search result is not shown."

http://www.ithome.com.tw/itadm/article.php?c=51204
TOM-Skype recorded communication logs; Skype responds
By 陳曉莉 (compiled translation) 2008-10-03

Skype said that it is well known that censorship exists in China and that the government has monitored domestic and international communications for years, including the content of e-mail, landline and mobile telephone calls and instant messaging.

After the Citizen Lab at the University of Toronto, Canada, published a report on Wednesday (10/1) titled "Breaching Trust", stating that TOM-Skype was conducting surveillance on its users, Skype executives responded on Thursday (10/2).

The report states that TOM-Skype monitored more than a hundred thousand text messages touching on politically sensitive topics in China and uploaded and stored them on the company's servers in China. Those servers were not only publicly accessible but also contained the encryption key that unlocks the text files.

The lab points out that all text messaging involving TOM-Skype users is monitored, whether both parties use TOM-Skype or one party uses Skype. Any message involving sensitive words is not only blocked but also stored, and the stored information includes usernames and IP addresses.

Citizen Lab found 160,000 messages on the TOM-Skype servers, along with 70,000 IP addresses and 44,000 usernames. Judging by IP address, the messages came from 59 different countries, but China accounted for the overwhelming majority: about 95% of the recorded messages came from Chinese IP addresses. Of the recorded messages, 15.71% contained the words "Communist Party", about 6.99% contained "Falun Gong", and 2.45% related to Taiwan independence.

TOM-Skype is a joint venture founded in China in 2005 by Skype and Tom Online to promote Skype's business in China; Tom holds 51% and Skype 49%.

After the report came out and drew wide coverage, Skype president Josh Silverman published his view on the matter on his blog, noting that, like any other communications company set up in China, it must comply with the Chinese government's regulations, which include a requirement to monitor and block messages containing specific words. Moreover, it is well known that censorship exists in China, and the government has monitored domestic and international communications for years, including the content of e-mail, landline and mobile telephone calls and instant messaging.

However, Silverman admitted that he had not known that TOM-Skype was storing users' communication records. In April 2006 Skype had publicly stated that Tom used a text filtering mechanism to block specific words in messages: if the words were banned in China, the message would simply be discarded or not displayed. But he had not known that Tom would upload and store those messages, and the company is now in talks with Tom about this practice.

Silverman also noted that Tom has patched the server vulnerability to prevent outsiders from accessing the records.

Silverman stressed that the Tom incident does not affect other users of the standard Skype software, and that all Skype-to-Skype communication has always been very secure and private. (Compiled translation by 陳曉莉)

http://www.techspot.com/news/31904-Skype-admits-privacy-breach-in-China.html
Skype admits privacy breach in China
By Jose Vilches, TechSpot.com
Published: October 2, 2008, 5:50 PM EST

It's no secret that businesses who want to enter the Internet market in China have to sometimes do some unsavory things to comply with government regulations. Thus, it doesn’t really come as much of a surprise to learn that a surveillance system is being used to monitor and block Skype conversations. What’s more troubling, though, is that the company claims the practice was changed for a more aggressive one without their knowledge or consent.

Instead of just blocking certain text messages with sensitive words from reaching their destination, it appears that a joint venture between Skype and Chinese wireless carrier Tom Online was allowing authorities to monitor these conversations and store them on a web server. The logs include a treasure-trove of personal information, such as e-mail addresses, passwords, phone numbers, package tracking numbers and bank card numbers.

What’s worst, many of the captured messages contain words that are too common, suggesting that there may be other more specific criteria to determine whether a conversation should be captured by the system. Skype officials said to be “extremely concerned” over this situation and promised a fix soon.

Auldsod
on October 2, 2008
10:56 PM    What a betrayal of trust! Skype has no excuse for this breach of privacy. They KNEW about their pact with the Chinese Government and it was clearly their duty to inform Skype users of this. Possibly, arrests will follow? - Auldsod

craterbaiter
on October 3, 2008
1:13 AM    Skype promotes the text and voice service as encrypted end to end... is that credible?

Pickens writes:
Researchers say their discovery contradicts a public statement made by Skype executives in 2006 that 'full end-to-end security is preserved and there is no compromise of people's privacy.' The Chinese government is not alone in its Internet surveillance efforts. In 2005, The New York Times reported that the National Security Agency was monitoring large volumes of telephone and Internet communications flowing into and out of the United States as part of an eavesdropping program that President Bush approved after the Sept. 11 attacks. 'This is the worst nightmares of the conspiracy theorists around surveillance coming true,' says Ronald J. Deibert, an associate professor of political science at the University of Toronto. 'It's "X-Files" without the aliens.' [ Slashdot Posted by CmdrTaco on Thursday October 02, @12:09PM]

UK, and partners: AUSCANZUKUS, has 'Echelon' running like a raped ape 24/7 recording ALL the communications from anyone to anywhere on anything.

Onyx is a Swiss intelligence gathering system maintained by the Swiss Army to monitor both civil and military communications, such as telephone, fax or Internet traffic, carried by satellite. Onyx uses lists of keywords to filter the intercepted content for information of interest, and monitoring communications between a person in Switzerland and someone in another country is allowed.

Frenchalon: The system allegedly operated by DGSE, whose Direction Technique (Technical Direction) is responsible for signal intelligence, of anyone on anything from or to France or in Europe and 'French territories' and places of influence [ which to the French means: the world. ]

It cannot be a surprise that China might be curious about Internet chatter, more curious is how ****** the users are to assume that Skype is a secure service.

PS Skype is owned by eBay.. itself a huge resource for internal revenue departments worldwide, and not incidentally watched by every sensible police force in the world for stolen goods trafficking, money laundering, fraud etc. Lol

If you want security, encryption, anonymity .. pay for it. Then one has to wonder which state security services would be dull enough not to have infiltrated every secure server and software system in the last twenty years, when hackers do so ad hoc on a daily basis without resources.

Only silence is secure, and free.

BSBD

http://rconversation.blogs.com/rconversation/2008/10/skype-messes-up.html

October 03, 2008

Skype messes up, badly.

The Open Net Initiative's Information Warfare Monitor project has published a stunning report by "Hacktivist" Nart Villeneuve titled: "Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform."  It has been covered by both the New York Times and the Wall Street Journal. The report's key findings are as follows:

Major Findings

• The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.

• These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.

• The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.

• Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

Nart has posted a Q&A to which he will continue to add answers to questions he has been getting. He says he alerted Skype to his findings before the report was made public in order to avoid further compromising the people whose personal information was stored on insecure publicly-accessible web servers.

Skype's initial reaction, reported here by the Wall Street Journal, was dismissive and somewhat flippant in tone, making it seem as if they didn't take the situation too seriously:

...The idea that the Chinese [government] might be monitoring communications in and out of the country shouldn’t surprise anyone, and in fact, it happens regularly with most forms of communication such as emails, traditional phone calls, and chats between people within China and between people communicating to people in China from other countries.

Nevertheless, we were very concerned to hear about the apparent security issue which made it possible for people to view chat information among mainly Tom users, and we are pleased that, once we informed Tom about it, that they were able to fix the flaw.

They later added a statement that is more appropriate if you want your users to think you take their privacy and rights to free expression seriously:

In 2006, Skype publicly disclosed that Tom operated a text filter that blocked certain words on chat messages but that it did not compromise Tom customers’ privacy. Last night, we learned that this practice was changed without our knowledge or consent and we are extremely concerned. We deeply apologize for the breach of privacy on Tom’s servers in China and we are urgently addressing this situation with Tom.

We confirm our strong belief that Skype to Skype communications, enabled by our peer to peer architecture and strong encryption, remain the most secure form of publicly available communications today.

While Skype claims to have fixed the problem, the fact that TOM-Skype was enabling surveillance and privacy breaches in such a shocking manner for a significant period of time demonstrates that eBay/Skype as a company has not placed enough emphasis on protecting users' rights and interests. What else is going on - or has gone on - which users don't know about and which Skype headquarters doesn't know about either? This incident with TOM raises questions about how trustworthy Skype as a company really is. Even if top management did not intend for such a situation to happen, the fact that it did happen shows that management has not made user rights a high enough priority company-wide, and has failed to communicate well with its local partners about what practices are acceptable and what practices are not. This situation could have been avoided if they had really been thinking through the potential challenges and pitfalls of working with a local partner in offering a localized internet communications product in the mainland Chinese market.

Skype is now learning the lesson Yahoo! already learned the hard way: that if you leave your users' privacy and security to your local partner to sort out without paying too much attention to details or thinking through how things might play out, you could burn your users badly and badly damage the credibility of your global brand.

Yahoo! (along with Google, Microsoft, and others) has been part of an ongoing initiative to develop a global industry code of conduct for free expression and privacy. The initiative should (I hope) go public before the end of this year. In August, in response to queries by U.S. Senator Richard Durbin about the status of the initiative, some of the companies issued letters. Here are the pdf's of Yahoo!'s and Microsoft's. They are very similar. Microsoft describes the initiative's substance as follows:

We are pleased to report that representatives of the diverse group of human rights organizations, policy groups, companies, socially responsible investors, and academics working on these principles have reached agreement in principle on the core components of a planned ICT ("Information, Communications, and Technology") Initiative. The agreement in principle is now being reviewed by each participating entity for final approval, and for a decision whether to participate in (or, as may be appropriate for some entities, simply to endorse) the Initiative.

Later this year, once these approvals and participation decisions are made, the Initiative's members, plans, and details will be formally announced. At this time, however, we can provide you with some information about the core components of the Initiative, which are as follows:

Principles on Freedom of Expression and Privacy that provide direction and guidance to the ICT industry and other stakeholders on protecting and advancing rights to freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; and Governance, Accountability & Transparency.

Implementation Guidelines that provide further detail on how participating companies will put the Principles into practice. The Implementation Guidelines describe a set of actions which, when followed by a company, would constitute compliance with the Principles, and thereby provide companies with concrete guidance on how to implement the Principles.

A Governance, Accountability and Learning Framework founded on the notion that an organizational and multi-stakeholder governance structure is required to support the Principles and that participating companies should be held accountable for adhering to the Principles through a system of independent assessment.

Companies participating in the Initiative will put the Principles into practice throughout their operations over time, and there will be milestones in terms of reporting along the way. Additionally, the companies and other participants will be working collectively to consider options for public policy engagement, to strengthen government respect for freedom of expression, and to carry out the independent assessments that are part of the accountability process.

While the principles have not yet been published and these structures are not yet set up, anticipation of them is already starting to impact how some of the participating companies operate around the world. Yahoo! now says it conducts human rights assessments before entering "challenging new markets."

It's unfortunate eBay didn't get involved with this initiative back in 2006 when Nart first discovered that Tom was filtering Skype chat. Perhaps they might have avoided this egregious abuse of user trust.

Posted at 01:27 AM


Listed below are links to weblogs that reference Skype messes up, badly.:

» Lessons from Citizen Lab's China-Skype revelations from Imagethief
If you don't know the story, you can read up on the New York Times or the Wall Street Journal (and again [Read More]

Tracked on October 03, 2008 at 11:04 AM

Comments

While this doesn't excuse the privacy breach, it's important to remember that the issues highlighted in the Information Warfare Monitor / ONI Asia report affect only the TOM-Skype software distributed in China, and not standard versions of Skype. Skype-to-Skype communications are, and always have been, completely secure and private.

Josh Silverman, Skype's President, has blogged about the situation, explaining where we stand and what we're doing to sort things out.

Posted by: Peter Parkes (Skype Blogger) | October 03, 2008 at 09:25 PM

I don't understand why this is news. It should only be surprising if Beijing weren't bugging it. I would think that everyone would have understood Beijing's position on this by now. More predictable tedious outrage from the usual suspects.

Posted by: mtm | October 04, 2008 at 11:17 PM

Are Chinese spies monitoring Fonterra and New Zealanders?
New Zealand Green MP Keith Locke said on the Greens' website: http://www.greens.org.nz/node/20017

“Our Government should make an official complaint about China’s surveillance of Skype communications, which may include business communications from New Zealand firms such as Fonterra, as well as personal conversations,”

“Some family members could get a black security mark if they made candid comments on Skype about democracy, Tibetan rights or the SanLu-Fonterra scandal."

“Now that New Zealand has a free trade and investment agreement with China, we should use what leverage we have to ensure the privacy of business communications."

“Privacy in China is a one-way street. In China, secrecy and state control was used to cover up the milk powder scandal, and at the same time the efforts to bring it to light was being secretly monitored”.

Posted by: Maxwell Smart (Agent 86) | October 05, 2008 at 04:19 PM

eBay appointed a new President of Skype back in March who has been reviewing all of Skype's activities worldwide; he is currently in the process of restructuring and reorganizing Skype. One key difference in this situation is that, for the first time in Skype's five year history, when a crisis situation arose, the President of Skype has personally responded rather than leave a situation to fester amidst speculation. Reviewing the TOM relationship gets added to a list of many business issues they must (and are) addressing over the next few months.

As an FYI, Skype Journal is one blog that is totally blocked by the Great Chinese Firewall.

Posted by: Jim Courtney (Skype Journal) | October 05, 2008 at 07:06 PM

http://twitter.com/zengjinyan/statuses/943151259
http://snurl.com/40og5 Surveillance of Skype Messages Found in China
http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?_r=2&oref=slogin
Surveillance of Skype Messages Found in China
By JOHN MARKOFF Published: October 1, 2008

http://www.reuters.com/article/newsOne/idUSTRE49238X20081003?pageNumber=3&virtualBrandChannel=10341&sp=true
Skype's China spying sparks anger
Fri Oct 3, 2008 8:54am EDT

By John Ruwitch and Emma Graham-Harrison

HONG KONG/BEIJING (Reuters) - Savvy Internet users in China began avoiding the version of Skype offered by its Chinese partner two years ago, but news it filtered and recorded text messages has sparked new worries about the global firm's commitment to privacy.

The U.S.-owned Web communications firm faces a backlash at home and in China for apparently allowing core principles to be compromised in order to meet the demands of Chinese censors, analysts warned.

"We may never know whether some of those people whose conversations were logged have gone to jail or have had their lives ruined in various ways as a result of this," said Rebecca MacKinnon, an Internet expert at Hong Kong University.

"This is a big blow to Skype's credibility, despite the fact that Skype executives are downplaying it as not such a big deal."

Skype, with its promises of total security and privacy, has long been popular with Chinese looking to keep their conversations away from the prying eyes of government censors.

But the eBay-owned firm had to apologize on Thursday after a report revealed that its Chinese service not only monitors text chats with sensitive keywords, which it had earlier admitted, but also stores them along with millions of personal user records on computers that could easily be accessed by anybody.

Skype added however that only messaging conversations where one or more people were using the Chinese software were affected.

The censorship provoked little surprise among some of China's more knowledgeable Web users, however.

Suspicious of the software provided by TOM Online Inc., majority owners of the TOM-Skype joint-venture in China, they had already sought out the original version.

"We already knew that their software would not pass on messages with some words in them, so we understood they had some deal with the government and we avoided them," said Wang Lixiong, an author with dissident views.

Many spread the word over blogs and through other networks that the TOM-Skype version was not secure. The Skype homepage in China apparently redirected would-be users to download that version rather than the international one.

OVERSATISFYING BEIJING

Still, there was outrage at the extent of a cooperation that many saw as another example of once-admired Western Internet giants bending their principles in order to do business in China.

"The problem with Skype is that they did more than what people expected. They over-satisfied the government," said Isaac Mao, one of China's earliest and best known bloggers.

Yahoo Inc. has been widely criticized for its role in helping the Chinese government identify Shi Tao, a reporter accused of leaking state secrets abroad. He was jailed for 10 years in April 2007.

Google Inc., which has the corporate motto "Don't be evil", upset some by launching a self-censoring Chinese site.

TOM said only that the company adhered to Chinese rules and regulations, and declined to answer any further questions.

Their defense was mocked by the people they aimed to monitor.

"We must interrogate you: the constitution stipulates that citizens have freedom of correspondence and of secret correspondence. Have you complied with this mother of laws?" one post on an online message board asked.

Author Wang said government controls on phones and other Internet programs left him with little choice but to take Skype at its word and continue using its original software, but even that has a security flaw that he worries about constantly.

He says the program allows one user to open their account on two separate computers, with no notification to the first.

"If our password is stolen, everything that we do on Skype can be seen or copied on another computer without us knowing. And in fact stealing a password is very easy for Internet police or hackers," he added.

© Thomson Reuters 2008 All rights reserved

http://www.infowar-monitor.net/breachingtrust.pdf
JR01-2008, Information Warfare Monitor Joint Report, ONI Asia
BREACHING TRUST: An analysis of surveillance and security practices on China's TOM-Skype platform
http://www.infowar-monitor.net/breachingtrust/
Nart Villeneuve, Psiphon Fellow, the Citizen Lab

http://groups.google.com/group/paste/browse_thread/thread/793c9f696f3cf9fc
Tom.com monitors Skype users' online activity

http://chinagfw.blogspot.com/2008/10/breaching-trust-analysis-of.html
Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform
from GFW Blog by GFW Blog
Source: Citizen Lab
 
We are pleased to announce our release of a major investigative report, Breaching Trust: An analysis of surveillance and security practices on China's TOM-Skype platform, written by Nart Villeneuve, Psiphon Fellow, the Citizen Lab, at the Munk Centre for International Studies, the University of Toronto.

The full report can be downloaded here: http://www.infowar-monitor.net/breachingtrust.pdf

John Markoff of the New York Times has just released a story about the report, which will appear in tomorrow's paper, but can be found online here: http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?_r=2&oref=slogin

Major Findings of this report are as follows:

• The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.

• These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.

• The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.

• Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.
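The last finding above is an inference about the capture mechanism: if captured messages contain no sensitive keyword, something other than the keyword list selected them. The following is an added example, not code from the Citizen Lab report or from TOM-Skype, of how an analyst can test that hypothesis against a set of captured records. The keyword list and the captured (username, message) records are constructed for illustration; the function names are this example's own.

```python
"""
Added example: is a capture purely keyword-driven, or does it also select on
the sender's account?  All keywords and records below are constructed for
illustration and are not the real TOM-Skype keyword list or captured data.
"""
import re
from collections import Counter

# Constructed stand-ins for the sensitive-topic terms the report describes.
KEYWORDS = ["taiwan independence", "falun gong", "communist party", "tibet"]

# Constructed capture records: (sender username, message text).
CAPTURED = [
    ("alice", "have you read the piece on taiwan independence?"),
    ("bob", "meeting moved to 3pm"),
    ("bob", "can you send the slides"),
    ("carol", "falun gong practitioners arrested again"),
    ("bob", "lunch?"),
    ("dave", "the communist party congress starts monday"),
    ("bob", "ok see you then"),
    ("erin", "happy birthday!"),
]


def keyword_hits(text, keywords=KEYWORDS):
    """Return the keywords present in text (case-insensitive, whole words)."""
    return [k for k in keywords
            if re.search(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE)]


def classify(records, keywords=KEYWORDS):
    """Partition (user, text) records into those a keyword hit explains and those it does not."""
    explained, unexplained = [], []
    for user, text in records:
        hits = keyword_hits(text, keywords)
        (explained if hits else unexplained).append((user, text, hits))
    return explained, unexplained


def keyword_free_fraction(records, keywords=KEYWORDS):
    """Share of captures with no keyword hit; a high value undercuts a keyword-only explanation."""
    if not records:
        return 0.0
    _, unexplained = classify(records, keywords)
    return len(unexplained) / len(records)


def suspected_user_selectors(records, keywords=KEYWORDS, min_count=2):
    """
    Usernames responsible for at least min_count keyword-free captures.
    A purely keyword-driven filter should produce (close to) none of these;
    repeated keyword-free captures from one account point at a per-user selector.
    """
    _, unexplained = classify(records, keywords)
    counts = Counter(user for user, _, _ in unexplained)
    return sorted(u for u, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    explained, unexplained = classify(CAPTURED)
    print(f"{len(explained)} captures explained by keywords, {len(unexplained)} not")
    print("keyword-free fraction:", round(keyword_free_fraction(CAPTURED), 3))
    print("accounts that look like per-user selectors:", suspected_user_selectors(CAPTURED))
```

On the constructed data the four innocuous messages from one account are the signal: no keyword explains them, so the filter is selecting on the sender, which is the same kind of reasoning the report applies to its real captures. A single keyword-free capture (erin's) stays below the threshold and is treated as noise rather than evidence of a selector.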
