107 comments

[ 5.7 ms ] story [ 181 ms ] thread
Just thinking out loud, but wouldn't it be possible to build a simple skype-addon that would look at your network traffic and be able to tell if your voice conversations were going through a supernode and not p2p.

This way you would get a quick indicator of whether or not you were likely being monitored.

(comment deleted)
This means new opportunities in the VoIP market. Than you Microsoft
In the short term, I'm hoping Google Hangouts will be a viable alternative for both normal users and enterprise users.

In the long term, I hope the WebRTC protocol will disrupt both of them.

Why are Google Hangouts a viable alternative for people who care about privacy? (Ostensibly the point of this article.)
I agree. Distributed and P2P with encryption is the only way to guarantee privacy.
"Microsoft has replaced P2P Skype supernodes with thousands of Linux boxes" from http://arstechnica.com/business/2012/05/skype-replaces-p2p-s...

Wow. Does it make it the first, large scale, internal(¹) deployment of non-Windows infrastructure by Microsoft? The question is: why? Do their engineers managed to convince the company that Windows is ill-suited to the task? I am quite stupefied.

(¹) "Internal" as opposed to situations where Microsoft inherited non-Windows infrastructure from external acquisitions, such as when they acquired Hotmail in 1997 and their 5000 FreeBSD servers (eventually migrated to Windows.)

I was under the impression that they've used Linux in the past effectively as a firewall for their internet sites. Whether this was a temporary response to a specific situation or a semi-permanent thing I don't know but I recall reading that there was a period where Microsoft.com was returning non-Windows header information.

While they obviously don't publicise it I think they've probably used Linux where it's appropriate for some time now.

If I remember correctly this was done by Akamai and not directly by themselves, while this time the nodes are effectively under Microsoft's control.
Heck, MS contributed to the Linux kernel so it could be virtualised well.
MSFT used Linux for DNS servers for a while, its unclear why they did that since they had so many other FreeBSD acquisitions anyways. Some loadbalancers returned BSD/Linux fingerprints when scanned, but its unlikely that MSFT actually used Linux in the direct path anywhere.
(comment deleted)
Windows Server powers Messenger and the upcoming notification service, which do exactly the same thing as Skype: messaging and video.

Moving an entire service to a different OS isn't quite that simple, so the simplest thing was to just add capacity using whatever was running at the moment.

Do their engineers managed to convince the company that Windows is ill-suited to the task?

They acquired skype. So the question would be, Is it worth rewriting a ton of working code just so we can say it runs on our platform.

I'm pretty sure Hotmail ran Linux or BSD for quite a while after Microsoft bought them (though probably not any more)

IIRC, there was a failed attempt to move it to Windows NT 4.
But no code needed to be rewritten. Skype supernodes were working on Windows before (on Windows machines in the P2P network.) Microsoft effectively stopped supporting Windows!
Hotmail ran on Linux for a very long time.

Skype may yet transition to Windows servers, but MS are hardly going to insist they make it their first and only priority. That would be insane.

I think you mean FreeBSD.
Hotmail never ran on Linux, it was all FreeBSD.
I think rdl made that point well when he posted 4 hours before you did. You are both correct- my memory was faulty. But the main point about Hotmail running on a non-MS OS still stands.
The implication with wiretapping (and the NSA acronym) is that it is about security and safety against criminals and terrorists. I've always wondered how much of a business advantage it is to be able to tap into the world's biggest VoIP network?

I've seen Skype being used a lot in businesses both centralized and decentralized.

    10 i = i + 1
    20 PRINT i
    30 IF i > 100000 THEN i = 0: GOTO 10
    40 IF INKEY$ = "" THEN 10
    50 PRINT "Bible, Line:", i

God says...

14:21 Do not abhor us, for thy name's sake, do not disgrace the throne of thy glory: remember, break not thy covenant with us.

14:22 Are there any among the vanities of the Gentiles that can cause rain? or can the heavens give showers? art not thou he, O LORD our God? therefore we will wait upon thee: for thou hast made all these things.

15:1 Then said the LORD unto me, Though Moses and Samuel stood before me, yet my mind could not be toward this people: cast them out of my sight, and let them go forth.

15:2 And it shall come to pass, if they say unto thee, Whither shall we go forth? then thou shalt tell them, Thus saith the LORD; Such as are for death, to death; and such as are for the sword, to the sword; and such as are for the famine, to the famine; and such as are for the captivity, to the captivity.

The change is interesting (though not that new it seems), but Microsoft flatly state that calls do not go over supernodes [1]:

"This has not changed the underlying nature of Skype’s peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes)."

Now obviously this could be a lie, but it should be fairly simple to prove one way or another - simply force a call between 2 NAT'd clients, and trace where the voice packets go, it'll either be to one of these newly centralised supernodes, or somewhere else?

1 - http://arstechnica.com/business/2012/05/skype-replaces-p2p-s...

Calls don't go over supernodes: I frequently call people on Skype for a conference, with my brother participating on the same network, and when the call drops, my brother and me can still talk. Might be that this is an exception for extremely local connections, but I've had similar experiences in other situations as well.
That doesn't prove anything at all.
Read the blog post. Calls still don't go over supernodes by default, it was just changed so that specific calls can be routed over them if desired.
Or, you know, centralizing their architecture so they can own all your communications and sell you ads like every other Tom Dick and Harry.
I don't think so. They wouldn't be able to target the ads without a lot of effort.... That's a LOT of voice recognition going on in a setting where people are not trying to dictate.
Most companies these days are hoarding data with no current abilities to analyze it for profit. They're rightly predicting that analytical capabilities will improve and they don't want to be the ones living in that world without massive amounts of customer data.
Right. That way I can send you the ads I would have targetted to you if you were still in college! That you are now 40 and have 3 kids is no matter. You still want all the cool college stuff, right?
I'm not saying it'll ever pan out, I'm saying it's a much more likely explanation for Microsoft centralizing certain types of Skype communication than some shady back-alley deal with the NSA.
Data storage is stupidly cheap. You might as well save all the data your users provide to you.
I am curious. Regarding voice communications, where does the Stored Communications Act come into this? What can they legally store?
They're not necessarily storing the data now to analyze later. They're building the capacity to acquire that data so that when the time comes all they have to do is flip a switch.
Folks no need for wiretap theories.. Skype has been tappable via using the stop start his of audio compression since its creation...ie Skype encryption is breakable via the stop start gaps in audio via audio compression used.

True such open holes does not affect text, except when skype forces it through China's servers.

The most secure approach is still encrypted text..

Contrary to the article, Skype didn't previously use supernodes for traffic between NATed clients. They were just used for NAT hole punching and then the traffic was direct between the clients.

It is possible that after receiving a wiretap request Skype will route your calls differently. But they could have rolled this out by just upgrading the supernode code and keeping supernodes distributed.

It seems far more likely that they made this change for stability/reliability. Particularly after the Skype network crashes that have happened in the past.

Well, you need a 3rd machine to route traffic between two machines if both are behind NAT^. It was my understanding that supernodes were (also) used for this.

^Unless you can predict the translated source port

Doesn't contradict the parent post. For hole punching you need to know the source (host+port) your peer sends traffic from. If the source port is randomised (or already used by someone for udp if nat prevents sharing), hole punching will fail.
That's where the third party supernode comes in; the sending peer tells the supernode which source port it is using to send to the non-supernode.
If you're natted, the source port seen by supernode doesn't have to be the same as the one seen by others. Someone on your network may be talking to the same supernode already, so the conflict has to be resolved by some remapping in the nat.
You then retry with an alternate supernode.
Unless your NAT is randomising ports by default. Then you will always get the wrong answer.
No. I don't know why you're not listening to what he's saying. I can tell you, from currently writing code that does STUN negotiation, unless you have two peers behind full-cone NAT (which is rather rare actually), you do not need to know what the port mapping/translation is.

I have a sideband connection to a server, and I tell it to route my negotiation packets to my peer's sideband connection. I literally never even touch a UDP port or connection, and the library I uses establishes a connection using STUN(-light). And from having read the source, it doesn't explicitly determine or set the mapping (using uPNP) either.

In my work with VoIP that situation was pretty much the default assumption. I agree that it's only the double NATed situation that's hard to handle, but stay by my opinion that sometimes it's just impossible to resolve without a middle man. But it depends on many things - clients, routes, number of people in local network using the same application, etc. Sometimes you just have to fall back to proxying everything.
>stay by my opinion that sometimes it's just impossible to resolve without a middle man

Right, that's why TURN is part of ICE.

No hole punching method will work for all combinations of firewall at each end of the intended communications channel. If connecting the clients directly in either direction after the initial negotiation fails then Skype (and tools like it) will instead send the data via a 3rd host (which sits in the middle and acts as a bridge between the two TCP streams).

If they get a wiretap order and your client can normally achieve a direct connection with a particular user, they could just emulate connection failure and the clients would revert to using the proxy without informing the user (after all, they are designed to do that for the sake of resilience of the user experience). You can probably see where the traffic is going, the client may even tell you without you having to dig far, but you won't know if you are going via the middle-man server(s) because of a general network issue that is stopping a direct connection being possible or if it is because of a wire-tap.

The following research seems to suggest voice can and does go through super nodes under certain conditions:

http://saikat.guha.cc/pub/iptps06-skype/

Would it be too much of a stretch to assume the clients can be directed to use one of the new Linux super nodes at will?

Even if the sensational headline is accurate, it's not worth the conspiracy theories:

(1) Microsoft is a US Corporation

(2) With the Skype acquisition, Microsoft (arguably) becomes a telecommunications carrier.

(3) CALEA passed in 1994, "requiring telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time." [a]

My (unfounded, optimistic) speculation is the skype acquisition was strategic positioning in the mobile market: seamless cutover to skype when your phone has WiFi.

a - http://en.wikipedia.org/wiki/Communications_Assistance_for_L...

So what happens when your not a US citizen, the wiretapping option is turned off then you think?
As a fine upstanding non-US citizen you are simply not considered by that law, and so can't be considered as much as you might like by the companies implementing systems that have to comply with that law. Microsoft's options are move to another country (not going to happen), ignore the law (not going to happen as it could cost them dear), or implement the law even though it might cause problems in markets outside the US.

For services hosted in other countries the law in those countries might well have something it can say/do, but even if they do successfully put their feet down MS could just pull the services out (costing the country if the investment in equipment/services/employees is significant) and move them elsewhere. They might be able to add the protection needed under those non-US laws the nodes in the affected areas, it depends on the exact wording and enforcement of the law, but even if they did you lose that protection as soon as you hit a node elsewhere anyway.

Practically speaking if this is a concern for you (and it might legitimately be: contrary to what governments seem to think people and companies that are not criminal, not just the criminals/terrorists, have good reasons to want some privacy generally and more specifically those in competition with MS (amongst others) would not want to trust them as the gate-keepers) then your only option is to find an alternative to Skype. That isn't going to be easy though: any commercial provider is going to comply with the same regulations otherwise they'll find it difficult to operate in the US market (or the Chinese market which is growing much faster and is even more spy-y than the US) and even if you find something you then need to convince other to use it too.

"For services hosted in other countries the law in those countries might well have something it can say/do"

The actual hosting country does not always matter. In the Netherlands for instance (i can't speak for other countries) -where- a service is hosted is irrelevant. If you market your service to Dutch citizens (you have a Dutch language version of the site, or a Dutch contact number for instance) you are assumed to abide by Dutch law and can be prosecuted in a Dutch court if you don't.

Your comment seems to be built on the assumption that if the government has passed laws to make what it does legal, then we shouldn't worry— nothing conspiratorial or against our interests is occurring.
He's just saying it's not conspiratorial, it's blatantly part of the U.S. Code. Microsoft isn't colluding with the government behind closed doors, they're complying with the laws necessary to move into a slightly different market.

Whether it's for or against our interest was never addressed.

Why, then, wasn't Skype required to implement CALEA-compliant functionality before Microsoft bought them?
After CALEA was extended to online services in 2006, Skype was legally required to implement wiretapping. They didn't, and stated they had no intention of complying with CALEA publicly, but never seemed to have been targeted by the DOJ over their non-compliance.

But they were still legally required to have done so, and the DOJ could have sent them up shit creek if doing so ever became a priority.

What's changed now? Probably just that Microsoft's legal division wasn't comfortable having that kind of regulatory non-compliance under their watch. Microsoft gets a lot of scrutiny from the DOJ and probably aren't particularly keen on being hauled up on new charges over this issue.

(comment deleted)
Previously Skype was registered in Luxembourg, maybe it is because they are now under US ownership.
Did we really think we could trust Microsoft with such an acquisition?
You used to trust a shady Europe-based private corporation; now you have to trust a shady US-based private corporation. Regardless of their specific track records, there is nothing intrinsically different between the two.
Except executive management and leadership
What are some good open source alternatives for skype?
VSee (http://vsee.com/) doesn't look bad, but it's also closed sourced. Something built on open standards (SIP/XMPP) like Jitsi is likely to be more transparent because you won't have to guess what some mysterious supernode does and doesn't do with your data.

Good luck getting your non-techie friends to use that though. Skype became popular because it just worked, which at that point had not reliably been achieved even for plain voice calls, much less video.

Duh, never heard of hostile take-over. Microsoft has a long history of simply buying out technologies and then deep sixing them.
Its called a hostile takeover. MS has a long history of buying tech companies out and then deep-sixing the tech forever.
I admit I don't know much about the internals of this, but maybe it's because, by serving as a node to forward other transmissions, the former Skype client drained people's mobile broadband data budgets. In this way they avoid this.
Wiretapping sounds so innocent. Of course, all US comms must be available for lawful wiretaps in fight against crime.

No, what we're dealing with here is a dragnet cast upon the comms of users around the world, who aren't protected by US Constitution and thus can be tapped at will by US agencies and even private corporations without any warrants or oversight.

For instance, if Microsoft wanted to learn about technical or trade secrets of competitors communicating through Skype (say, a couple of start-up founders), now they're free to do it.

Also, if a US agency wanted to put on a no-fly list some people who casually converse about what morons those TSA people are or how all US administrations support the Israeli regime that commits war crimes against Palestinians, now it's very easy to do.

For instance, if Microsoft wanted to learn about technical or trade secrets of competitors communicating through Skype (say, a couple of start-up founders), now they're free to do it.

Is that any different from using, say, Gmail or Google Apps? Not saying that Google is looking at that data but this is a problem with essentially every web-based communication tool. People shouldn't have an expectation of privacy or security just because it's a company they know/like or it's a popular tool.

It's a risky situation, if you ask me. Consider the data that tools collect on us:

- location and contact history (cell phones)

- message history and address book (email, social network)

- interests/activities (calendars, event tools, feed subscriptions)

- browsing history

As an engineer, think about the evil fun you could have with that data. You could really mess somebody up if you didn't like them.

While technology makes this easier, it isn't new. You could hire a PI to follow the CEO of a competitor. You could break in and bug their offices.

None of this is legal, and if discovered there would be a legal case to answer.

I've long thought that Google's ability to track searches from Microsoft IP addresses was one of the reasons for the development of Bing - i.e. Bing's value is, in part, that it plugs an information leak and siphons other leaks into Microsoft's data mine.
For instance, if Microsoft wanted to learn about technical or trade secrets of competitors communicating through Skype (say, a couple of start-up founders), now they're free to do it.

What? No they're not.

It does sound outlandish but... what specifically is stopping them?
Do you seriously think trade secrets aren't enforceable outside US borders? That there's no such thing as a transnational tort claim? Do you also think that because the "Constitution doesn't protect" stuff that Microsoft can randomly steal from people? Can they murder people too?

You knew this was a batshit claim when you saw someone trying to map the Constitution to Microsoft in the first place, since the Constitution doesn't regulate private businesses at all.

Come on. We're smarter than this.

How would they get caught stealing trade secrets through Skype? Whistleblowers? Have there been any instance of a transnational tort claim in tech?

I really wonder how much espionage is going on. Does MS have a mole at Google, and vice versa?

Come on. Pseudonaïvité.

http://en.wikipedia.org/wiki/ECHELON#Controversy

(To your first question: ask Robert Metcalfe (3com), Charles H. Ferguson etc. To your second question: drones. -- Welcome to the real world)

But true, this has little to do with skype.

What does ECHELON and military drones have to do with civil liability?

The root comment in this thread suggests that Microsoft might be centralizing Skype so that it can scrape trade secrets out of phone calls. That sentiment is based on a preposterous misapprehension about how international law works.

We were talking about kites (if you know what I mean), and off-the book killings.

There isn't really anything that is called "international law", as such. There are agreements between nations, and those agreements are what they are.

The sheeple love to feel important and free, no amount of argument and reason would make them see the reality ;)
Good luck finding a lawyer who has the skills to perform an international tort offense who charges less than six figures for it. Only a company like Microsoft has the cash to pull that off.
(I'm pretty sure you are directing all of your "you"s mostly to others in the thread so I will ignore the impatient and condescending tone)

You aren't very specific though. I'm not familiar with transnational tort claim and I doubt it as popular to others here in HN either. Is it as solid as you seem to make it? Google has little (easily accessible material) on it. It doesn't sound like something that is illegal by itself; only that they could be sued by those startups if/when they find out (and decide to saddle up for an international case against a huge company... yeah that probably isn't very likely).

Sad to see a two and a half month old blog article with a flame bait headline and no references or proof being lapped up by HN.
Yeah. Personally, I take all articles with a grain of salt when the author bandies about terms like M$.
The National Security Agency put out an RFP for Skype decrypting/intercepting awhile back and this was the first thing that popped back into my mind when Microsoft bought Skype. Then, when M announced they were replacing the supernodes, it only re-confirmed what was going on, in my mind.
This is the kind of thing that makes it annoying that just about all interesting internet companies are in the US. Why can't Europe step up with some competition?
Entrepreneurship is far more difficult in much of Europe. It's much more difficult to set up a corporation, access capital, especially speculative capital (i.e. VC money) as well as some fairly strict taxation and regulatory schemes. This article: http://buswk.co/Hltv5F explains a few if those factors.
Skype was originally a swedish company until it was aquired by eBay.
Estonian, I thought.
Luxembourg actually, with Swedish founders and Estonian coders.
Remember Microsoft has major contracts and relationships with the Chinese and Korean government, among others. This stuff is the dark underside of a Microsoft aquisition. Of course, they have relationships with the US govt as well, but Americans are obstensibly protected by the Constitution -- those protections (as well as due process) don't French exist in many countries with whom Microsoft does business.
It's amazing how citizen rights to privacy has completely eroded while their governments now get to operate in near complete secrecy against them.