Skype security and privacy concerns
Scott Granneman,
http://www.securityfocus.com/print/columnists/357
One of my stranger hobbies is collecting interesting and weird anecdotes I
find in the news. I have a few areas that always fascinate me, such as
finding people who miraculously escape certain death, or items about human
memory and cognition, or eccentric individuals who embody some strange
aspect of the human condition.
Some of my favorites, though, are the stories of folks who lose something
and then have it returned to them, years or sometimes decades later.
* A German man lost his suitcase in 1979 while traveling in Senegal. 24
years later, police in Dusseldorf found his luggage and notified the
61-year-old. At first he didn't want to reclaim the suitcase, since it was
stocked full of disco-era clothing that he didn't want to see, but his wife
convinced him to go ahead and be a sport. There was no word on how well the
orange leisure suit fit.
* A fourth-grader at Connoquenessing Elementary School in Butler,
Pennsylvania, sent a laminated card aloft in the 1980s by attaching it to a
green balloon. The note asked the finder to send it back to the school.
Twenty years later, a farmer named Robert Brindle, who lived about 170 miles
away from Butler, sent the card to the school, who passed it along to the
now 30-year-old man who had launched it years earlier.
* Lisa Tonks, of Peru, Indiana, was vacationing with her family at
Yellowstone National Park in the 1980s when she lost her wallet. Twenty
years passed as the wallet sat in a police evidence room gathering dust. A
police technician saw the wallet, noticed the Social Security card in it,
traced the number to Tonks, and sent the wallet back to the grateful woman
... along with the $177 that had remained safely in it for two decades.
Those are great stories (readers who are aware of more, feel free to send
'em my way!), but in each case, someone loses something, only to regain it
again, long after they'd given up hope of ever seeing it again. Of course,
these are the exceptions. I lost my wallet about twenty years ago in a movie
theater in Kansas City, Missouri, and I've never heard tell of it since. But
that's nothing: I've lost shoes, umbrellas, books, pictures, CDs,
sunglasses, and even underwear (don't ask). None of it has ever made its way
back to me.
The big story in the news over the last week or so hasn't been about a loss,
however - it's been about a gain. eBay agreed to purchase Skype, a
peer-to-peer-based Voice over IP (VoIP) app, for a whopping $1.3 billion in
cash and $1.3 billion in stock, with another $1.5 billion to come down the
road if Skype met financial targets by 2008. VoIP has been in the news a lot
in recent months, with Microsoft buying Teleo, Google rolling out Google
Talk, Yahoo! acquiring Dialpad, and even AOL introducing a new service
designed to let users make phone calls over the Net. Now eBay is joining the
party by snapping up Skype.
I'm not really interested in why eBay bought Skype (although I'm pretty sure
it's to make it easier for bidders to contact sellers) or whether or not the
auction giant paid too much money or not (the general consensus seems to be,
"Oh yeah!") for a company that has made $60 million this year but has yet to
post a profit. I'm more interested in what the purchase of Skype means for
security.
What's that you said?
Skype has many things going for it. Among the various software-based VoIP
apps (which thereby excludes hardware-based offerings like Vonage from
consideration), Skype probably works the best in terms of
computer-to-computer, computer-to-land line, and computer-to-cell based
calling. It's easy to set up and use, and it works on Windows, Mac OS, and
Linux boxes. Skype also provides more than just VoIP, with IM and file
transfer also available. I've used it quite a bit, and overall, I've been
happy with its sound quality, as have many other people, given that the
program has been downloaded more than 100 million times. It has more than 52
million registered users (among those 2 million paying customers), and well
over 3 million people are online and using the program right now, as I'm
typing this column.
But that doesn't mean that Skype is perfect. Far from it. Skype claims that
it uses strong encryption to protect phone calls, IM messages, and file
transfers:
"Skype uses AES (Advanced Encryption Standard), also known as Rijndael,
which is used by U.S. Government organizations to protect sensitive
information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77
possible keys, in order to actively encrypt the data in each Skype call or
instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys.
User public keys are certified by the Skype server at login using 1536 or
2048-bit RSA certificates."
Here's the problem with that statement: since Skype is an insistently closed
source program - and one that additionally uses a proprietary protocol, but
I'll get to that in a moment - we have no way of verifying Skype's security.
We simply have to take them at their word that their encryption works. For
such an important program, that's quite a problem. I'm just not sure how
safe I feel when Skype says, "Trust me - everything's going to be fine."
Say what?!
That's bad enough, but now Skype is going to be owned by eBay. I know that
lots of people just loooove eBay. I use them myself, most recently to
enhance my Li'l Abner comics collection, but I'm careful about the
information I give them. Why? Well, it seems that there are three kinds of
companies: those that fight for customers' privacy in the face of the
demands of law enforcement; those that require some sort of official,
constitutionally-mandated documents - like, oh, say, a warrant or subpoena -
before handing over customer info to the cops; and eBay.
Think I'm being a little harsh on eBay? At the CyberCrime 2003 conference,
Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for
eBay, had this to say to a group of law enforcement officials:
"I know from investigating eBay fraud cases that eBay has probably the
most generous policy of any internet company when it comes to sharing
information. We do not require a subpoena except for very limited
circumstances. We require a subpoena when we need the financial information
from the site, credit card info or sometimes IP information. ... So, that
really opens the door for us. That means that what our policy is that if you
are law enforcement agency you can fax us on your letterhead to request
information: who is that beyond the seller ID, who is beyond this user ID.
We give you their name, their address, their e-mail address and we can give
you their sales history without a subpoena. ... We will probably tell you
too that you might want to get a subpoena because we are looking for credit
card info and you ask that. ... We also do other things to facilitate your
investigation by looking and doing some searches around on our own,
typically to see if there are some other user ID's associated with that
thing. ... We are doing a lot of work with law enforcement agencies."
I'm nearly speechless after reading Sullivan's comments. Think about what
he's saying: if eBay receives a fax on official letterhead (not that that
would ever be faked, oh no) - just a simple fax, mind you, just a fax,
unaccompanied by a court order - it will gladly fork over the following info
about you, or any other eBay user:
* Full name
* User ID
* Email address
* Street address
* State
* City
* ZIP code
* Phone number
* Country
* Company
* Password
* Secondary phone number
* Gender
* Shipping information (including name, street address, city, state,
ZIP)
* Bidding history on an item
* Items for sale
* Feedback left about the user
* Bidding history
* Prices paid for items
* Feedback rating
* Chat room and bulletin board posts
Understatement of the week: that is one hell of a list! It's long, it's
scary, and it's troubling. So what do we have? Software that says it's
completely secure, but without a good way to verify that claim, now owned by
a company that will basically give up an astonishing amount of personal
information about you at the slightest peep from the authorities. This looks
and smells bad. It's a questionable act to trust your personal and business
phone calls, instant messages, and file transfers to Skype already, but it
seems almost the height of foolhardiness to do the same now with a Skype
owned by eBay.
Listen up!
So is there any alternative to Skype? Sure! In particular, I'm keeping my
eye on Gizmo Project. Sure there are similarities: both are easy to use,
install on Win/Mac/Lin, utilize encryption (although so far we don't know
what kind of encryption scheme Gizmo Project is using), and enable users to
make calls to and receive calls from landline and cell phones (both are also
closed source, although it appears that portions of Gizmo will be open
sourced, so we'll be able to verify at least part of what Gizmo Project says
about itself). However, Gizmo Project differs from Skype in several key
ways. Where Skype uses its own proprietary protocol, Gizmo Project uses the
open SIP (Session Initiation Protocol) standard (and it now supports the
open Jabber protocol for IM). But here's the biggie: where Skype only allows
free VoIP calls to other Skype users, Gizmo Project is committed to
interoperability, so that it will be able to interconnect with any
SIP-compatible VoIP system. Gizmo Project isn't anywhere near finished yet,
but it is good enough to test, and if its current status is any indication,
it's going to be one to contend with... especially if the new eBay Skype is
as problematic as I'm worried it will be.
Of course, these other services are not perfect. Skype is decentralized
thanks to its peer-to-peer nature, which makes it somewhat harder to track
and wiretap, while most of the other services - like Gizmo - are centralized
around a few servers. If the US FedGov really wants to, it'll be a lot
easier to set up some sort of Carnivore-type server in place that looks at
all traffic used by those services. Encryption sure helps in that scenario
... until your phone call hits the PSTN (Public Switched Telephone Network),
or the boys up in Washington start demanding a back door key. And guess
what? The title of this FCC press release, dated 5 August 2005, says it all:
FCC Requires Certain Broadband and VoIP Providers to Accommodate Wiretaps
(110 kb PDF). Gulp.
Things are about to get very interesting in the VoIP world. There are simply
too many 800 pound gorillas - both corporate and governmental - throwing
their weight around. As security pros, we need to watch this space, while
insisting on a few basic principles: openness, support for standards, and
interoperability. If eBay goes down the wrong path with Skype, we need to
move ourselves - and our friends, families, and business associates - to a
more open, yet secure, alternative. If we don't keep our eyes - and ears,
naturally! - open, we could find, after a few years, that we've lost
something special, and there's no possibility of getting it back.
Further Reading
Kuhn, D. Richard, Thomas J. Walsh, and Steffen Fries. Security
Considerations for Voice Over IP Systems: Recommendations of the National
Institute of Standards and Technology. NIST Special Publication 800-58
(January 2005).
http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf.