TUESDAY, 24 JULY 2012 19:47
The video calling service Skype recently made a change to how it routes calls.
Yawn, right? But here's where it get a little juicier: Hackers and bloggers are saying the changes, which push some of the video calling process onto Skype's own computers instead of onto random machines on the Internet, could help the app spy on users' calls, presumably at the request of a court or government.
"Reportedly, Microsoft is re-engineering these supernodes to make it easier for law enforcement to monitor calls by allowing the supernodes to not only make the introduction but to actually route the voice data of the calls as well," Tim Verry, from the website ExtremeTech, wrote last week. (Supernodes are third-party computers that act as a sort of directory service for routing calls.) "In this way, the actual voice data would pass through the monitored servers and the call is no longer secure. It is essentially a man-in-the-middle attack, and it is made all the easier because Microsoft -- who owns Skype and knows the keys used for the service's encryption -- is helping."
Other news outlets, including Forbes and Slate, picked up on the discussion. Forbes says there is "tremendous buzz" in the hacker community on this topic.
The problem? It's unclear what exactly changed, and a Skype spokesman contacted by CNN for clarification would not release more than a pre-written statement.
Chaim Haas, the spokesman, would not say, for instance, if the update actually enabled the company to tap into and record Skype calls. He also would not answer questions about when the update took place or whether wiretapping was a motive.
"As part of our ongoing commitment to continually improve the Skype user experience, we developed supernodes, which can be located on dedicated servers within secure datacenters," the statement from Skype says. "This has not changed the underlying nature of Skype's peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes).
"We believe this approach has immediate performance, scalability and availability benefits for the hundreds of millions of users that make up the Skype community." Skype, which grew out of the peer-to-peer downloading network Kazaa and how has 254 million "connected" users per month, has a long reputation for guarding the privacy of its callers. Skype calls usually are routed from one caller to another, rather than through a middleman.
"Historically, Skype has been a major barrier to law enforcement agencies," writes Ryan Gallagher at Slate. "Using strong encryption and complex peer-to-peer network connections, Skype was considered by most to be virtually impossible to intercept." For technical reasons, this meant that Skype actually could not comply with an order to wiretap a particular Skype user's conversations, a spokeswoman told the tech news site CNET in 2008. "We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications," the spokeswoman said. "In any event, because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request." But after the recent change, some insiders are speculating that such digital eavesdropping may indeed be possible.
The difference involves the third-party "supernode" computers. Until recently, those supernodes were other Skype users who had fast Internet connections and could handle the work.
Now, according to Skype's statement, those supernodes have moved onto computers owned by Skype, which is owned by Microsoft. That has some people concerned.
Haas, Skype's spokesman, wrote that "it is also important to note that Skype calls DO NOT (emphasis his) pass through supernodes -- they act in a directory function only." He added: "As was true before the Microsoft acquisition, Skype cooperates with law enforcement agencies as is legally required and technically feasible." This seems to mean that Skype can't intercept calls just because it owns the supernodes now. The spokesman, however, declined to answer follow-up questions on this point.
Others are unsure what it means.
"I'm a little bit surprised and slightly skeptical about that statement" about how calls "do not pass through supernodes," said Peter Eckersley, technology projects director for the Electronic Frontier Foundation.
Maybe in most cases calls would not actually pass through a supernode in a way that they could be tracked, Eckersley said, but, for technical reasons, some types of computer connections may require a call to route though a supernode.
If you are really truly geek fluent, Eckersley's question for Skype may interest you: "If two Skype users are firewalled so that they can only make outbound TCP connections and cannot make UDP connections, how do you route a call between those two users?" Eckersley said he can't think of an answer, aside from pushing a call through a supernode, which now would be on a Skype- or Microsoft-owned computer.
In any event, Eckersley said, this update may not be all that significant in the big picture. His group already does not recommend that people who live in authoritarian regimes use Skype, because of the relative likelihood that communications could be tapped.
In dangerous places like Iran and Syria, using a service like Gmail is safer, he said.
"As of 2012 we don't believe the Skype architecture is secure," he said. "There are a lot of people out there, a lot of governments out there, that have the means to break Skype, and this remains true regardless of whatever Microsoft just changed."
Yawn, right? But here's where it get a little juicier: Hackers and bloggers are saying the changes, which push some of the video calling process onto Skype's own computers instead of onto random machines on the Internet, could help the app spy on users' calls, presumably at the request of a court or government.
"Reportedly, Microsoft is re-engineering these supernodes to make it easier for law enforcement to monitor calls by allowing the supernodes to not only make the introduction but to actually route the voice data of the calls as well," Tim Verry, from the website ExtremeTech, wrote last week. (Supernodes are third-party computers that act as a sort of directory service for routing calls.) "In this way, the actual voice data would pass through the monitored servers and the call is no longer secure. It is essentially a man-in-the-middle attack, and it is made all the easier because Microsoft -- who owns Skype and knows the keys used for the service's encryption -- is helping."
Other news outlets, including Forbes and Slate, picked up on the discussion. Forbes says there is "tremendous buzz" in the hacker community on this topic.
The problem? It's unclear what exactly changed, and a Skype spokesman contacted by CNN for clarification would not release more than a pre-written statement.
Chaim Haas, the spokesman, would not say, for instance, if the update actually enabled the company to tap into and record Skype calls. He also would not answer questions about when the update took place or whether wiretapping was a motive.
"As part of our ongoing commitment to continually improve the Skype user experience, we developed supernodes, which can be located on dedicated servers within secure datacenters," the statement from Skype says. "This has not changed the underlying nature of Skype's peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes).
"We believe this approach has immediate performance, scalability and availability benefits for the hundreds of millions of users that make up the Skype community." Skype, which grew out of the peer-to-peer downloading network Kazaa and how has 254 million "connected" users per month, has a long reputation for guarding the privacy of its callers. Skype calls usually are routed from one caller to another, rather than through a middleman.
"Historically, Skype has been a major barrier to law enforcement agencies," writes Ryan Gallagher at Slate. "Using strong encryption and complex peer-to-peer network connections, Skype was considered by most to be virtually impossible to intercept." For technical reasons, this meant that Skype actually could not comply with an order to wiretap a particular Skype user's conversations, a spokeswoman told the tech news site CNET in 2008. "We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications," the spokeswoman said. "In any event, because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request." But after the recent change, some insiders are speculating that such digital eavesdropping may indeed be possible.
The difference involves the third-party "supernode" computers. Until recently, those supernodes were other Skype users who had fast Internet connections and could handle the work.
Now, according to Skype's statement, those supernodes have moved onto computers owned by Skype, which is owned by Microsoft. That has some people concerned.
Haas, Skype's spokesman, wrote that "it is also important to note that Skype calls DO NOT (emphasis his) pass through supernodes -- they act in a directory function only." He added: "As was true before the Microsoft acquisition, Skype cooperates with law enforcement agencies as is legally required and technically feasible." This seems to mean that Skype can't intercept calls just because it owns the supernodes now. The spokesman, however, declined to answer follow-up questions on this point.
Others are unsure what it means.
"I'm a little bit surprised and slightly skeptical about that statement" about how calls "do not pass through supernodes," said Peter Eckersley, technology projects director for the Electronic Frontier Foundation.
Maybe in most cases calls would not actually pass through a supernode in a way that they could be tracked, Eckersley said, but, for technical reasons, some types of computer connections may require a call to route though a supernode.
If you are really truly geek fluent, Eckersley's question for Skype may interest you: "If two Skype users are firewalled so that they can only make outbound TCP connections and cannot make UDP connections, how do you route a call between those two users?" Eckersley said he can't think of an answer, aside from pushing a call through a supernode, which now would be on a Skype- or Microsoft-owned computer.
In any event, Eckersley said, this update may not be all that significant in the big picture. His group already does not recommend that people who live in authoritarian regimes use Skype, because of the relative likelihood that communications could be tapped.
In dangerous places like Iran and Syria, using a service like Gmail is safer, he said.
"As of 2012 we don't believe the Skype architecture is secure," he said. "There are a lot of people out there, a lot of governments out there, that have the means to break Skype, and this remains true regardless of whatever Microsoft just changed."