Why Skype is Evil™

So, you’re a security-minded individual who uses a HW firewall, a client firewall, antivirus SW and anti-spyware SW to protect yourself, your computer and your privacy. Great! Now you’ve found a great way to communicate with your friends and family in a secure fashion: Skype! Well, let’s take a deep breath and have a closer look at Skype. Here’s a conversation between me and you:

You: I’ve found a way to communicate with my friends and my family in a secure fashion!

Me: Wow, that’s great. Tell me more about it.

You: It’s a voice-over-IP program with chat functionality.

Me: Sounds nice, but how exactly is it “secure”?

You: It encrypts everything with a 256-bit EAS algorithm – it’s unbreakable!

Me: Yes, 256-bit AES is a strong algorithm. Did you make sure to choose a long and complex passphrase when generating the master key to keep the implementation of the encryption as strong as the algorithm lets you?

You: Huh? Skype fixed all that stuff for me.

Me: So Skype decided what encryption master key you use?

You: Yes.

Me: Doesn’t that mean that Skype can decrypt your communication and eavesdrop on your conversations whenever they want?

You: I guess… But they probably don’t have the resources to eavesdrop on me or anyone else; Skype is a small, Swedish company. Besides, what interest would they have in eavesdropping on me or anyone else?

Me: That’s not entirely true, but let’s get back to that later, and answer this: what if Skype gave the encryption key to someone who DOES have the resources and the incentive?

You: Like who?

Me: Like for example the National Security Agency?

You: Why would the NSA want to eavesdrop on my conversations and chat sessions?

Me: Most likely, they couldn’t care less when you’re talking to your mom about her doing your laundry next Saturday, but the NSA are responsible for the collection and analysis of all foreign communications. That includes your calls and your chat sessions 1).

You: But Skype is a European company, governed by European rules and regulations which prohibits them from releasing sensitive information to any foreign intelligence agency; they wouldn’t do that.

Me: Na-uh. Skype was recently bought by eBay and all the Skype servers 2) are now located in the US, which makes eavesdropping by NSA not only possible, but in fact probable. The NSA already has free access to phone calls and internet traffic routed through “normal” telephone companies /ISPs. It is only natural that they would want to do anything possible to get the hugely popular Skype communications platform under their control as well. After all, a wide-spread, easy to use, uncontrolled encrypted communications platform free for all to use is a HUGE threat to the effectiveness of the NSA. Controlling Skype has the added bonus of being able to eavesdrop on communications between foreign targets previously hard or impossible to reach. For example, a person in Germany, talking to a person in Russia using land-line phones would previously have been out of reach for NSA. The same two persons using Skype are now available for eavesdropping. In addition, the average Skype user will most likely treat the program as being trustworthy (just like you do), having bought into the Skype propaganda of the program being impossible to intercept or eavesdrop. So I have no doubt that the NSA have a great interest in getting their hands on a backdoor into the program. And if the NSA can force every telco in the USA to comply, they could certainly have no problem forcing eBay to do the same. Not that it would come to this, eBay is notoriously known for not respecting the privacy of its users.

You: I am shocked, shocked to find out that espionage is going on in here 3)!

Me: Now, let’s take a look at the eBay purchase of Skype in the first place. Why would eBay buy Skype? Granted, there are some potential benefits from a customer viewpoint, such as easy communication between buyer and seller. In addition, eBay might want to keep track of their customers’ online time and habits; something an IM client would be able to provide, but seriously: Skype has no real revenue potential. Skype’s business model has long been questioned by many economists. The software is gratis and the calls are mostly gratis. Although there is a line of hardware as well as services for money, there really aren’t that many ways for Skype to make money. There aren’t even any ads to gain revenue for Skype. So where does Skype get the money from, or rather: why in the flaming red hell would eBay want to haul out $2.6 BILLION for Skype? My guess is: they wouldn’t. There is no short term profit in Skype. There is most likely little or no long term profit in Skype. If Skype ever produced enough dough for eBay to break even on the buy I would be baffled. Did eBay really pay $2.6 billion for something that will never even break even? Perhaps. Or perhaps the executives at eBay are so bold as to stick that amount of cash (and stock) on a long shot? Or perhaps they see some potential that us mere mortals cannot see? Or perhaps there is a second buyer, helping eBay finance the purchase? Do I know that NSA helped fund eBay’s purchase of Skype? No, I certainly do not.

What I DO know is:

All these facts would, in a court of law, be called “circumstantial”, but putting two and two together, I wouldn’t use Skype for anything sensitive. At least not for something I wouldn’t want NSA to know, and perhaps not for anything I didn’t want a random competing US company to know either (Warning: PDF document. See point 10.9.2).

You: Well, I’m an American, so it’s illegal for NSA to spy on me!

Me: Yeah.. Dream on.

You: Well, I’m not a terrorist, so they won’t be interested in me at all!

Me: If you accept sacrificing your privacy, that’s your choice. But just because you haven’t done anything wrong doesn’t mean they won’t watch you.

This transcript of a Skype conversation was brought to you by NSA – your friendly neighborhood Big Brother™.

1) The Foreign Intelligence Surveillance Act (FISA) of 1978 prescribes procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between or among “foreign powers”. Even though the act specifically forbids spying on US citizens without a court order, it can be argued that it is impossible to separate domestic internet traffic from non-domestic internet traffic. Therefore, in order to be able to monitor foreign internet traffic, one must monitor ALL internet traffic. Besides, the U-SAP-AT-RIOT Act of 2001 largely removes the public protection that existed in previous laws. If that wasn’t enough, GWB has shown us that rewriting the law on-the-fly as he sees fit is just as fun.

2) Yes, Skype is a peer-to-peer software, as opposed to a server-client model, but the software is not self-certifying which means it needs to connect and login to a centralized Skype server to certify each user’s public key.

3) My apologies to Julius J. Epstein, Philip G. Epstein and Howard Koch.

About these ads

4 Comments

Filed under chat, Ebay, Echelon, encryption, espionage, NSA, privacy, security, Skype, voip

4 responses to “Why Skype is Evil™

  1. Jack

    “The NSA already has free access to phone calls and internet traffic routed through “normal” telephone companies /ISPs.”

    – So stop using your land line/ cell phone also.
    This article doesn’t make sense if you reside in the US. folks in other countries .. different story.

    Its economics, if the NSA is going to spy on me regardless, why shouldn’t I use something (skype) which at least saves me some dough?? duh!!!

  2. ultraparanoid

    Jack: True, land lines /cell phones are also insecure. Most people _know_ that land lines and cell phones are insecure, but think that Skype’s encrypted communication is secure. I’m just saying it isn’t.

  3. semi

    All valid points, but the issue I always find when trying to switch to ‘secure’ communication is you never can achieve adequate security without sacrificing too much usability.

    Start with the secured communication. Like say IRC over SSL, WASTE, pgp+jabber, what have you. Right here at step one you can run into questionable security, like say IRC/SSL having the server replaced with one thats listening in, something that could happen easily with little way to verify it.

    Even if you trust your secured communication though you have to trust the other side. Again using IRC/SSL as an example, how do you know the other end isnt logging things like a lot of people do? As soon as they’re compromised, everything ever said gets out. Loggings a big no-no, and you can’t tell whos doing it. Thats also the first usability feature you’re having to give up.

    Practically speaking today you’d also be giving up a lot of other ease of use features, like AIM’s direct connects. Nothing trustable I’ve seen really has a client that is feature rich. Okay, acceptable but a hard trade.

    Thirdly, you’re now having to give up portability. I can get on aim from my nintendo ds, my cellphone, just about anybody’s computer with an internet connection (via a web based client, irc relay, or just installing one of the many aim clients for just about any OS). Not always an option with secured comunication, usually limited to only one client and whatever it works on. Also if done securely, limitted to wherever you have and can access your key. Kind of hard to move a 4096bit encryption key around, and not very secure to have laying on a portable device. Again, tradeoff, still willing to make it.

    Now, related to that, you’re going to have to cut off anyone who is unable or unwilling to switch to your form of communication. Theres a huge percentage of people I know that wouldn’t be willing to concede on those above points, or have the knowledge to. Want to talk to that cute girl you met at school? Yeah, you won’t get far.
    For that matter, you want to let arbitrary people contact you? Really hard to do when you’re using something obscure.
    You can compromise this by still using popular communication and trusted communication side by side, but then you have more to manage and people might prefer to use the common one out of ease. Also still potentially compromising in that who you talk to might not be something you want out.

    On top of that, you still have the issue of everything you do needing to be secure too, not just your communication. What good is masking your friend suggesting a cd you should get if you then going out to a torrent site via HTTP, logging in by a login tying you to everything you used it for on that site, then downloading it in cleartext? So, you have to either give up that kind of thing, or switch to TOR and never use anything with a login. Kills any kind of community involvement, and makes you give up ‘high speed internet’– No more instant pageloads and high speed downloads.

    Overall just not willing to sacrifice enough to get to what I’d consider secured, and find stopping short not really worth the hassle and added attention.

    Sorry about the big wall of text and rambling, I should probably get my own blog one of these days.

  4. I appreciate this thread. I am planning on starting up a podcast and thought skype would be a reasonable, cost effective means for acquiring some decent sounding interviews; but when I went through the installation process they gave me a sample transcript of a conversation with skype. Well, it was a direct quote from Orwell’s 1984. It was a conversation between Smith, and O’Brien and they were discussing the potential reality of Big Brother’s existence as a physical human being. That freaked me out so much that I immediately trashed everything I had just downloaded from skype. I’m not worried about anyone hearing what I have to say, but I in no way want to make it easier for our government to put a lock and chain on our freedom of speech. I’d rather pay more and suffer some inconveniences than help Big Brother establish a vast infrastructure that, once it is complete, can put an end to our ability to communicate with each other freely based on what we really consider to be free speech. My podcast will deal with alternatives to our global financial structures, including the “rumored” plan to expand our sovereignty into a North American Union, which will therefore eradicate the US constitution and implement the Amero in place of the dollar. If skype is in the hands of the NSA it would be so easy for them to silence anyone that might offer up information that could upset the status quo in one way or another if we willingly help them expand a virtual transportation system from computer to computer. Whether you are having international communications or domestic isn’t what matters. What matters is that we should all be aware of the potential here, and do everything in our power to preserve the best of our constitutional rights as U.S. citizens. I’m hopeful about Obama, but I don’t trust him at the same time. You have to play some dirty ball to get in good with the real players running the show and be chosen as their poster child for change. Did Bush continue to leave such a dirty mess in his final days in office so that Obama could come in and clean some stuff up right away and make us stop questioning again? When we all feel safe and snug in our beds and back to hypnotically watching American Idol, will business as usual can come back in full swing?

    I just really meant to say, thanks for putting the question out there! Is skype an unfortunate luxury intended to imprison us even deeper? In order to work, mouse traps have to be baited with something to entice the rodent to bite in the first place. Think about it. Are we just mere rodents?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s