Skype May No Longer Be Secure

October 3, 2008 by PatB | 6 comments

By PatB
Contributing Writer, [GAS]

MSN, Yahoo IM and AIM all send chat messages in clear text, which means anyone along the path of communication can read what you are typing, including your boss if you use chat at work. Many people, including myself, use Skype as an IM chat client because it has strong encryption built in. A system admin monitoring the network can still tell you are using Skype, but no one can read what you typed into the chat box. Until now.

eBay’s Chinese partner, Tom Group, has been distributing a version of Skype, with permission, to its Chinese users. Tom’s version of Skype has been trojanized by the Chinese communist government to capture certain conversations that contain keywords the government considers subversive. Those chat sessions, which include usernames, IP addresses and a record of all phone calls made over Skype, are packaged and sent encrypted to several webservers owned by Tom Group for retrieval by Chicom agents.

Quite simply, this means that if you use Skype and are unknowingly chatting with someone using this Tom-Skype version, and you use a profanity or a banned keyword, the entire chat session gets archived by the Chi-coms, along with the Skype-out phone records of the Tom-Skype user.

With thanks to Steinnon, the details are here at infowar-monitor.net:

The most damaging information concerns the log files that record call information and the content filter logs that contain full text chat messages. The call information logs date from August 2007 and contain a record of the IP addresses and usernames of all those that participated in voice calls as well as the username and/or phone number of the recipient of the call.

The content filter logs dating from August 2008 contain similar identifying information as well as the full content of the logged text messages. These messages contain sensitive information including email addresses, passwords, phone numbers, package tracking numbers and bank card numbers.

As mentioned above, the information is stored encrypted on several webservers at Tom Group.  But the webserver stores the logs in a publicly accessible directory, and politely includes the decryption code on the server so anyone can download the messages and decrypt them.  So not only do the Chicoms know about your chat sessions, lots of hackers and identity thieves probably do too.

eBay, owner of Skype, should immediately terminate its partnership with Tom Group for allowing its customers to have their privacy violated, and should immediately issue a new version that is incompatible with the Tom Group version of Skype.


6 Responses to “Skype May No Longer Be Secure”

  1. Nestor says:

    Although I too think that updating a version that’s incompatible with such things described above is the greatest idea, I don’t know why I don’t think they’ll be doing it sometime soon…
    This is probably not a “favor” for eBay, who knows, maybe they’re getting paid some extra $$$ for letting them manipulate their code and produce a “new” unsafe version of Skype…
    Anyways, say goodbye to your privacy!!

  2. James Wilson says:

    It has long been known that governments and large corps have access to the encryption keys of Skype. They are hard coded into the program.

    Always remember: If you cannot see the source, you cannot trust the author. Period.

  3. Sampi says:

    I’m currently living in China and I use Skype all the time. I find these privacy violations appalling and wish eBay would do something about them. The censoring and monitoring is one of the most obnoxious things about using the internet in China.

  4. Sampi says:

    Also, when I try to get to the Skype website from here, I am automatically redirected to http://skype.tom.com and there is no English version link. Thank god I could get the safe version from the Ubuntu repositories.

    And concerning the issue, this link might be of interest.

  5. Andrei Buiu says:

    You should use a proxy to get the real version. I think it’s very wrong to distribute such a version of Skype.

  6. James Wilson says:

    To Andrei and others who think similarly about needing to get the “real version” of Skype:

    Skype is closed source, therefore, you cannot ever be sure there are no backdoors, and you have no way to know how well it secures you.

    If you are concerned at all about privacy or security, you would use open source software only.
