Skype with care – Microsoft is reading everything you write

YMix
Posts: 4631
Joined: Mon Dec 12, 2011 4:53 am
Location: Department of Congruity - Report any outliers here

Skype with care – Microsoft is reading everything you write

Post by YMix »

Anyone who uses Skype has consented to the company reading everything they write. The H's associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond.

A reader informed heise Security that he had observed some unusual network traffic following a Skype instant messaging conversation. The server indicated a potential replay attack. It turned out that an IP address which traced back to Microsoft had accessed the HTTPS URLs previously transmitted over Skype. Heise Security then reproduced the events by sending two test HTTPS URLs, one containing login information and one pointing to a private cloud-based file-sharing service. A few hours after their Skype messages, they observed the following in the server log:

65.52.100.214 - - [30/Apr/2013:19:28:32 +0200]
"HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"

They too had received visits to each of the HTTPS URLs transmitted over Skype from an IP address registered to Microsoft in Redmond. URLs pointing to encrypted web pages frequently contain unique session data or other confidential information. HTTP URLs, by contrast, were not accessed. In visiting these pages, Microsoft made use of both the login information and the specially created URL for a private cloud-based file-sharing service.

In response to an enquiry from heise Security, Skype referred them to a passage from its data protection policy:

"Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links."

A spokesman for the company confirmed that it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched. Skype also sends HEAD requests, which merely fetch administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.

Back in January, civil rights groups sent an open letter to Microsoft questioning the security of Skype communication since the takeover. The groups behind the letter, which included the Electronic Frontier Foundation and Reporters without Borders, expressed concern that the restructuring resulting from the takeover meant that Skype would have to comply with US laws on eavesdropping and would therefore have to permit government agencies and secret services to access Skype communications.

In summary, The H and heise Security believe that, having consented to Microsoft using all data transmitted over the service pretty much however it likes, all Skype users should assume that this will actually happen and that the company is not going to reveal what exactly it gets up to with this data.
http://www.h-online.com/security/news/i ... 62870.html
“There are a lot of killers. We’ve got a lot of killers. What, do you think our country’s so innocent? Take a look at what we’ve done, too.” - Donald J. Trump, President of the USA
The Kushner sh*t is greasy - Stevie B.
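
Added example, not part of the thread or the quoted article: one way a server operator could spot the pattern described above, where a URL carrying a credential or share token is later requested (for instance with HEAD) from a different IP address than the one that first used it. The parameter-name list, paths, addresses and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Access-log prefix in the shape of the excerpt above: client IP, timestamp, request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) HTTP/[\d.]+"')

# Assumption: parameter names that mark a URL as carrying a credential or capability.
SECRET_PARAMS = {"password", "passwd", "token", "session", "sid", "key"}

def carries_secret(target):
    """True if the request target has a query parameter with a secret-looking name."""
    query = urlsplit(target).query
    return any(name.lower() in SECRET_PARAMS
               for name, _ in parse_qsl(query, keep_blank_values=True))

def find_replays(lines):
    """Report secret-bearing URLs requested by an IP other than the first one seen.

    Lines are assumed to be in chronological order, as in a normal access log.
    Returns a list of (target, first_ip, later_ip, method, timestamp) tuples.
    """
    first_ip = {}
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than guess
        ip, stamp, method, target = m.groups()
        if not carries_secret(target):
            continue
        owner = first_ip.setdefault(target, ip)
        if ip != owner:
            findings.append((target, owner, ip, method, stamp))
    return findings

# Constructed sample log (documentation IP ranges, made-up paths and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Apr/2013:14:02:11 +0200] "GET /app/login.html?user=alice&password=example HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Apr/2013:14:03:40 +0200] "GET /share/f.zip?token=c0ffee HTTP/1.1" 200 9000',
    '198.51.100.20 - - [30/Apr/2013:14:05:00 +0200] "GET /index.html HTTP/1.1" 200 1200',
    '198.51.100.20 - - [30/Apr/2013:19:28:32 +0200] "HEAD /app/login.html?user=alice&password=example HTTP/1.1" 200 0',
    '198.51.100.20 - - [30/Apr/2013:19:28:35 +0200] "HEAD /share/f.zip?token=c0ffee HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for target, owner, ip, method, stamp in find_replays(SAMPLE_LOG):
        print(f"{stamp} {method} {target} from {ip} (first seen from {owner})")
```

The findings only show that a second address requested the URL; putting credentials or share tokens in query strings is what makes such a request meaningful in the first place.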
Azrael
Posts: 1863
Joined: Thu Dec 22, 2011 8:57 pm

Re: Skype with care – Microsoft is reading everything you wr

Post by Azrael »

Skype has a lot of competition. There are lots of VoIP services, many of which are free. Hopefully some of them don't spy on their users.
cultivate a white rose
Heracleum Persicum
Posts: 11651
Joined: Sat Dec 22, 2012 7:38 pm

Re: Skype with care – Microsoft is reading everything you wr

Post by Heracleum Persicum »

.


Privacy no longer exists. Get used to it.


CIA, FBI, Homeland (un)security, KGB, MI6, MI5, Mossad, Ayatollahs and and and, everybody has his finger in your A*ss :lol:

Everything I'm writing here I'm considering writing to FBI & CIA & MI5 & Mossad

Iranians used to this kind of stuff, Shah time SAVAK was hiding below your bed :lol:

But

Could Shah prevent mad mullahs taking over

NO




.
Mr. Perfect
Posts: 16973
Joined: Mon Dec 12, 2011 9:35 am

Re: Skype with care – Microsoft is reading everything you wr

Post by Mr. Perfect »

Who isn't reading everything you write? Well apparently Ibrahim, he is the only person not interested. There should be an app soon for all individuals to read all formerly private correspondence soon.

The point is to accept this now. E.g., for me, I like to say all kinds of borderline outrageous things so people like Zack Morris will turn me in to the authorities for surveillance, then hopefully they will tie up dozens, or even hundreds, or hopefully thousands of DHS agents on me, wasting countless hours and resources on a completely harme- I mean potentially dangerous hoodlum.
Censorship isn't necessary
Enki
Posts: 5052
Joined: Thu Dec 22, 2011 6:04 pm

Re: Skype with care – Microsoft is reading everything you wr

Post by Enki »

Azrael wrote: Skype has a lot of competition. There are lots of VoIP services, many of which are free. Hopefully some of them don't spy on their users.
I believe when BitTorrent Live comes online they don't cache anything.
Men often oppose a thing merely because they have had no agency in planning it, or because it may have been planned by those whom they dislike.
-Alexander Hamilton
noddy
Posts: 11349
Joined: Tue Dec 13, 2011 3:09 pm

Re: Skype with care – Microsoft is reading everything you wr

Post by noddy »

it's certainly more convenient for snoopers of the public and private control freak club to have access to the protocols and APIs so that it's easy to decode the message and attach it to a particular userid but it's not a requirement.

unless the packet has been well encrypted and is using a unique and hard to reverse algorithm it's just a wee bit more effort to make all that happen at the TCP/IP level by monitoring the raw network.

especially now that most things are using HTTP as a transport and the era of custom servers on non standard ports appears to be winding down.
ultracrepidarian