The video calling service Skype recently made a change to how it routes calls.
Yawn, right? But here's where it get a little juicier: Hackers
and bloggers are saying the changes, which push some of the video
calling process onto Skype's own computers instead of onto random
machines on the Internet, could help the app spy on users' calls,
presumably at the request of a court or government.
"Reportedly,
Microsoft is re-engineering these supernodes to make it easier for law
enforcement to monitor calls by allowing the supernodes to not only make
the introduction but to actually route the voice data of the calls as
well," Tim Verry, from the website ExtremeTech, wrote last week. (Supernodes are third-party computers that act as a sort of directory service for routing calls.)
"In this way, the actual
voice data would pass through the monitored servers and the call is no
longer secure. It is essentially a man-in-the-middle attack, and it is
made all the easier because Microsoft -- who owns Skype and knows the
keys used for the service's encryption -- is helping."
Other news outlets, including Forbes and Slate, picked up on the discussion. Forbes says there is "tremendous buzz" in the hacker community on this topic.
The problem? It's unclear
what exactly changed, and a Skype spokesman contacted by CNN for
clarification would not release more than a pre-written statement.
Chaim Haas, the
spokesman, would not say, for instance, if the update actually enabled
the company to tap into and record Skype calls. He also would not answer
questions about when the update took place or whether wiretapping was a
motive.
"As part of our ongoing
commitment to continually improve the Skype user experience, we
developed supernodes, which can be located on dedicated servers within
secure datacenters," the statement from Skype says. "This has not
changed the underlying nature of Skype's peer-to-peer (P2P)
architecture, in which supernodes simply allow users to find one another
(calls do not pass through supernodes).
"We believe this approach
has immediate performance, scalability and availability benefits for
the hundreds of millions of users that make up the Skype community."
Skype, which grew out of the peer-to-peer downloading network Kazaa
and how has 254 million "connected" users per month, has a long
reputation for guarding the privacy of its callers. Skype calls usually
are routed from one caller to another, rather than through a middleman.
"Historically, Skype has been a major barrier to law enforcement agencies," writes Ryan Gallagher at Slate.
"Using strong encryption and complex peer-to-peer network connections,
Skype was considered by most to be virtually impossible to intercept."
For technical reasons,
this meant that Skype actually could not comply with an order to wiretap
a particular Skype user's conversations, a spokeswoman told the tech news site CNET in 2008.
"We have not received any subpoenas or court orders asking us to
perform a live interception or wiretap of Skype-to-Skype
communications," the spokeswoman said. "In any event, because of Skype's
peer-to-peer architecture and encryption techniques, Skype would not be
able to comply with such a request."
But after the recent change, some insiders are speculating that such digital eavesdropping may indeed be possible.
The difference involves
the third-party "supernode" computers. Until recently, those supernodes
were other Skype users who had fast Internet connections and could
handle the work.
Now, according to
Skype's statement, those supernodes have moved onto computers owned by
Skype, which is owned by Microsoft. That has some people concerned.
Haas, Skype's spokesman, wrote that "it is also important to note that Skype calls DO NOT (emphasis his) pass through supernodes -- they act in a directory function only."
He added: "As was true
before the Microsoft acquisition, Skype cooperates with law enforcement
agencies as is legally required and technically feasible."
This seems to mean that
Skype can't intercept calls just because it owns the supernodes now. The
spokesman, however, declined to answer follow-up questions on this
point.
Others are unsure what it means.
"I'm a little bit surprised and slightly skeptical about that statement" about how calls "do not pass through supernodes," said Peter Eckersley, technology projects director for the Electronic Frontier Foundation.
Maybe in most cases
calls would not actually pass through a supernode in a way that they
could be tracked, Eckersley said, but, for technical reasons, some types
of computer connections may require a call to route though a supernode.
If you are really truly geek fluent, Eckersley's question for Skype may interest you:
"If two Skype users are
firewalled so that they can only make outbound TCP connections and
cannot make UDP connections, how do you route a call between those two
users?"
Eckersley said he can't
think of an answer, aside from pushing a call through a supernode, which
now would be on a Skype- or Microsoft-owned computer.
In any event, Eckersley
said, this update may not be all that significant in the big picture.
His group already does not recommend that people who live in
authoritarian regimes use Skype, because of the relative likelihood that
communications could be tapped.
In dangerous places like Iran and Syria, using a service like Gmail is safer, he said.
"As of 2012 we don't
believe the Skype architecture is secure," he said. "There are a lot of
people out there, a lot of governments out there, that have the means to
break Skype, and this remains true regardless of whatever Microsoft
just changed.
Retweet this story
No comments:
Post a Comment