I was inspecting Skype's terms and conditions
http://www.skype.com/en/legal/tou/#15
[...]We will process your personal information, the traffic data and
the content of your communication(s) in accordance with our Privacy
Policy: http://www.skype.com/go/privacy.
http://www.skype.com/en/legal/privacy/
1. WHAT INFORMATION DOES SKYPE COLLECT AND USE?
[...]
Content of instant messaging communications, voicemails, and video messages
Nikos
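Added example, not code from the thread or from Skype: a small Python tool for the probing that Jacob suggests in his message quoted below, where messages carrying many different URL schemes are sent and the depth of the link extraction is read off from what comes back. The scheme list extends his (it adds a userinfo-bearing HTTP form and a magnet link with an HTTP tracker), each probe carries its own token in a subdomain of a hypothetical domain you control (PROBE_DOMAIN), and hits are correlated out of two assumed log formats, a vhost-prefixed web access log and a dnsmasq-style query log. The sample log lines are constructed for the demo and are not observations of any real service.

```python
"""Per-scheme URL probes plus log correlation, to measure which link types a
messaging service extracts and touches (resolves, fetches).  Added example;
PROBE_DOMAIN and the demo log lines are constructed, not real observations."""
import re
import secrets
from typing import Callable, Dict, Iterable, List, Optional

PROBE_DOMAIN = "probe.example.net"  # hypothetical: a DNS zone and web server you control

# One template per scheme.  The token sits in a subdomain, so a bare DNS
# lookup (no TCP, no HTTP) is already enough to attribute the probe.
SCHEME_TEMPLATES = [
    ("http",          "http://{tok}.{dom}/secret-area"),
    ("https",         "https://{tok}.{dom}/secret-area"),
    ("http+userinfo", "http://user:password@{tok}.{dom}/secret-area"),
    ("ftp",           "ftp://{tok}.{dom}/pub/"),
    ("telnet",        "telnet://user:password@{tok}.{dom}/"),
    ("magnet",        "magnet:?xt=urn:btih:{tok}{tok}{tok}{tok}&tr=http://{tok}.{dom}/announce"),
]

TOKEN_RE = re.compile(r"(?<![0-9a-f])([0-9a-f]{10})\." + re.escape(PROBE_DOMAIN))
# assumed vhost-prefixed access log: %v %h %l %u %t "%r" %>s %b
HTTP_LOG_RE = re.compile(r'^(?P<vhost>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) \S+ \S+ '
                         r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# assumed dnsmasq-style query log line
DNS_LOG_RE = re.compile(r'query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)')


def make_probes(token_fn: Callable[[], str] = lambda: secrets.token_hex(5)) -> Dict[str, dict]:
    """Return {token: {"label", "url"}}, one unpredictable token per scheme."""
    probes = {}
    for label, template in SCHEME_TEMPLATES:
        tok = token_fn()
        probes[tok] = {"label": label, "url": template.format(tok=tok, dom=PROBE_DOMAIN)}
    return probes


def message_text(probes: Dict[str, dict]) -> str:
    """The chat message to send: one probe per line."""
    return "\n".join(p["url"] for p in probes.values())


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into an event if it names a probe host, else None."""
    m = HTTP_LOG_RE.match(line)
    if m:
        t = TOKEN_RE.search(m.group("vhost"))
        if not t:
            return None
        return {"kind": "http", "token": t.group(1), "src": m.group("src"),
                "detail": f'{m.group("req")} -> {m.group("status")}'}
    m = DNS_LOG_RE.search(line)
    if m:
        t = TOKEN_RE.search(m.group("name"))
        if not t:
            return None
        return {"kind": "dns", "token": t.group(1), "src": m.group("src"),
                "detail": f'{m.group("qtype")} {m.group("name")}'}
    return None


def correlate(probes: Dict[str, dict], log_lines: Iterable[str]) -> Dict[str, List[dict]]:
    """Group events by the scheme that produced them.  An empty list means the
    scheme was never resolved or fetched; "unknown" holds tokens never issued."""
    report: Dict[str, List[dict]] = {p["label"]: [] for p in probes.values()}
    report["unknown"] = []
    for line in log_lines:
        ev = parse_line(line)
        if ev is None:
            continue
        probe = probes.get(ev["token"])
        report[probe["label"] if probe else "unknown"].append(ev)
    return report


def untouched(report: Dict[str, List[dict]]) -> List[str]:
    """Schemes with no DNS or HTTP activity at all."""
    return sorted(label for label, evs in report.items() if label != "unknown" and not evs)


# --- constructed demo data (fixed tokens so the run is reproducible) ---
DEMO_TOKENS = ["0a1b2c3d4e", "1111aaaa22", "deadbeef00", "c0ffee0000", "5eed5eed5e", "0123456789"]
DEMO_LOG_LINES = [
    "May 20 08:11:58 dnsmasq[412]: query[A] 0a1b2c3d4e.probe.example.net from 203.0.113.7",
    "May 20 08:11:58 dnsmasq[412]: query[A] 1111aaaa22.probe.example.net from 203.0.113.7",
    '0a1b2c3d4e.probe.example.net 203.0.113.7 - - [20/May/2013:08:12:01 +0000] "HEAD /secret-area HTTP/1.1" 200 0',
    '1111aaaa22.probe.example.net 203.0.113.7 - - [20/May/2013:08:12:02 +0000] "HEAD /secret-area HTTP/1.1" 200 0',
    "May 20 08:12:05 dnsmasq[412]: query[A] deadbeef00.probe.example.net from 203.0.113.7",
    "May 20 08:13:10 dnsmasq[412]: query[A] ffffffffff.probe.example.net from 198.51.100.9",
    'www.example.org 198.51.100.9 - - [20/May/2013:08:13:11 +0000] "GET / HTTP/1.1" 200 512',
]


def demo_probes() -> Dict[str, dict]:
    toks = iter(DEMO_TOKENS)
    return make_probes(token_fn=lambda: next(toks))


def demo_report() -> Dict[str, List[dict]]:
    return correlate(demo_probes(), DEMO_LOG_LINES)


if __name__ == "__main__":
    probes = demo_probes()
    print(message_text(probes))
    report = demo_report()
    for label, evs in report.items():
        print(label, [(e["kind"], e["src"], e["detail"]) for e in evs])
    print("never touched:", untouched(report))
```

Two practical points. Putting the token in the hostname rather than the path is what makes the DNS log useful: a resolver query shows up even when the extractor never opens a connection, and it separates "parsed and resolved" from "parsed and fetched" (the constructed userinfo line above is an instance of the former). For the https probes to complete rather than fail at the handshake, the zone needs a wildcard A record and the server a wildcard certificate for PROBE_DOMAIN; without them a fetcher that validates certificates will still leave a DNS hit but no access-log line.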
On Sun, May 19, 2013 at 10:41 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
Krassimir Tzvetanov:
To the best of my knowledge in Russia (no, I'm not Russian nor have lived
there so I'm not 100% sure) you need to submit a copy of the private key if
you are operating a website providing encryption on their territory to
allow for legal intercept.
They also have other provisions about wiretapping and monitoring which
would mean that Skype really has no options if they want to _legally_
operate there... It's just the way the local legislation is rather than a
function of how Skype is. They are just following the law. Now if somebody
does not like the law there are other ways to approach this but
breaking/violating it is usually one that is not effective.
I think this discussion is focusing too much on the technical details and
forgetting a simple detail - doing some of those things to increase privacy
may itself be _illegal_ in certain jurisdictions, which makes this even more
fun.
It's not impossible but it is usually very difficult to provide technical
solutions to political/politics problems. That's of course just my
experience :)
Cheers,
Krassimir
Hi,
I'm late to the party on this list but I've been worried about these
kinds of backdoors in Skype for quite some time. My worry partially
comes from the common rumors, of which there are many, though it is
largely the existential proof, the economic, the political and the
social contextual issues that raise the largest concerns in my mind.
As we've seen with Cisco, we know how some of these so-called lawful
interception systems are implemented:
http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html
This patent by Microsoft may be of interest to those looking into Skype,
automated interception and probably many other kinds of interception -
note that this is not just a matter of recording, it in fact *tampers*
with the data:
Aspects of the subject matter described herein relate to silently
recording communications. In aspects, data associated with a request to
establish a communication is modified to cause the communication to be
established via a path that includes a recording agent. Modification may
include, for example, adding, changing, and/or deleting data within the
data. The data as modified is then passed to a protocol entity that uses
the data to establish a communication session. Because of the way in
which the data has been modified, the protocol entity selects a path
that includes the recording agent. The recording agent is then able to
silently record the communication.
http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=1&f=G&l=50&d=PG01&p=1&S1=20110153809&OS=20110153809&RS=20110153809
Note that this is from 2009 and the Skype purchase was not finalized
until 2011.
Perhaps the authors (Ghanem; George; (Redmond, WA) ; Bizga; Lawrence
Felix; (Monroe, WA) ; Khanchandani; Niraj K.; (Redmond, WA)) of that
patent are open to discussing how they might improve on their patent for
a peer to peer system as deployed today? :)
Skype is clearly inspecting the entire message and right now, we have an
existential proof that they extract at least HTTP and HTTPS urls and
process them in some fashion. I suspect that it would be a useful idea
to insert many different kinds of protocols to see the depth of the
rabbit hole probing, so to speak.
http://user@password:www.example.com/secret-area
magnet://[hash]
ftp://ftp.example.com
https://user@password:www.example.com/secret-area
telnet//user@password:telnet.example.com
I would also suggest that we might try a few hacks to determine where
the parsing, inspection and extraction of interesting data is or isn't
taking place. As an example - run Skype in a virtual machine, type a
message - delay the message sending to the network, freeze the virtual
machine and flip a single bit in the url already in the outbound message
queue. This isn't trivial to do with Skype by any means but it most
certainly isn't impossible for someone with the inclination.
We know that Skype clients sync up the social graph of a given user;
they call this a buddy list. This suggests that information in the
directory of clients and the linked list for relationships is stored on
their servers - is it encrypted in a way that may not be recovered by
anyone other than the user? Skype dynamically routes calls to devices,
does this imply that the location of the user is