Just thinking out loud, but wouldn't it be possible to build a simple skype-addon that would look at your network traffic and be able to tell if your voice conversations were going through a supernode and not p2p.
This way you would get a quick indicator of whether or not you were likely being monitored.
first, make yourself familiar with WebRTC. it will require server side signaling. demo by google: http://www.webrtc.org/running-the-demos#TOC-Demos
sending srtp session keys over that signaling server sounds interesting
Wow. Does it make it the first, large scale, internal(¹) deployment of non-Windows infrastructure by Microsoft? The question is: why? Do their engineers managed to convince the company that Windows is ill-suited to the task? I am quite stupefied.
(¹) "Internal" as opposed to situations where Microsoft inherited non-Windows infrastructure from external acquisitions, such as when they acquired Hotmail in 1997 and their 5000 FreeBSD servers (eventually migrated to Windows.)
I was under the impression that they've used Linux in the past effectively as a firewall for their internet sites. Whether this was a temporary response to a specific situation or a semi-permanent thing I don't know but I recall reading that there was a period where Microsoft.com was returning non-Windows header information.
While they obviously don't publicise it I think they've probably used Linux where it's appropriate for some time now.
MSFT used Linux for DNS servers for a while, its unclear why they did that since they had so many other FreeBSD acquisitions anyways. Some loadbalancers returned BSD/Linux fingerprints when scanned, but its unlikely that MSFT actually used Linux in the direct path anywhere.
Windows Server powers Messenger and the upcoming notification service, which do exactly the same thing as Skype: messaging and video.
Moving an entire service to a different OS isn't quite that simple, so the simplest thing was to just add capacity using whatever was running at the moment.
But no code needed to be rewritten. Skype supernodes were working on Windows before (on Windows machines in the P2P network.) Microsoft effectively stopped supporting Windows!
I think rdl made that point well when he posted 4 hours before you did. You are both correct- my memory was faulty. But the main point about Hotmail running on a non-MS OS still stands.
The implication with wiretapping (and the NSA acronym) is that it is about security and safety against criminals and terrorists. I've always wondered how much of a business advantage it is to be able to tap into the world's biggest VoIP network?
I've seen Skype being used a lot in businesses both centralized and decentralized.
10 i = i + 1
20 PRINT i
30 IF i > 100000 THEN i = 0: GOTO 10
40 IF INKEY$ = "" THEN 10
50 PRINT "Bible, Line:", i
God says...
14:21 Do not abhor us, for thy name's sake, do not disgrace the throne
of thy glory: remember, break not thy covenant with us.
14:22 Are there any among the vanities of the Gentiles that can cause
rain? or can the heavens give showers? art not thou he, O LORD our
God? therefore we will wait upon thee: for thou hast made all these
things.
15:1 Then said the LORD unto me, Though Moses and Samuel stood before
me, yet my mind could not be toward this people: cast them out of my
sight, and let them go forth.
15:2 And it shall come to pass, if they say unto thee, Whither shall
we go forth? then thou shalt tell them, Thus saith the LORD; Such as
are for death, to death; and such as are for the sword, to the sword;
and such as are for the famine, to the famine; and such as are for the
captivity, to the captivity.
The change is interesting (though not that new it seems), but Microsoft flatly state that calls do not go over supernodes [1]:
"This has not changed the underlying nature of Skype’s peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes)."
Now obviously this could be a lie, but it should be fairly simple to prove one way or another - simply force a call between 2 NAT'd clients, and trace where the voice packets go, it'll either be to one of these newly centralised supernodes, or somewhere else?
Calls don't go over supernodes: I frequently call people on Skype for a conference, with my brother participating on the same network, and when the call drops, my brother and me can still talk. Might be that this is an exception for extremely local connections, but I've had similar experiences in other situations as well.
I don't think so. They wouldn't be able to target the ads without a lot of effort.... That's a LOT of voice recognition going on in a setting where people are not trying to dictate.
Most companies these days are hoarding data with no current abilities to analyze it for profit. They're rightly predicting that analytical capabilities will improve and they don't want to be the ones living in that world without massive amounts of customer data.
Right. That way I can send you the ads I would have targetted to you if you were still in college! That you are now 40 and have 3 kids is no matter. You still want all the cool college stuff, right?
I'm not saying it'll ever pan out, I'm saying it's a much more likely explanation for Microsoft centralizing certain types of Skype communication than some shady back-alley deal with the NSA.
They're not necessarily storing the data now to analyze later. They're building the capacity to acquire that data so that when the time comes all they have to do is flip a switch.
Folks no need for wiretap theories.. Skype has been tappable via using the stop start his of audio compression since its creation...ie Skype encryption is breakable via the stop start gaps in audio via audio compression used.
True such open holes does not affect text, except when skype forces it through China's servers.
The most secure approach is still encrypted text..
Contrary to the article, Skype didn't previously use supernodes for traffic between NATed clients. They were just used for NAT hole punching and then the traffic was direct between the clients.
It is possible that after receiving a wiretap request Skype will route your calls differently. But they could have rolled this out by just upgrading the supernode code and keeping supernodes distributed.
It seems far more likely that they made this change for stability/reliability. Particularly after the Skype network crashes that have happened in the past.
Well, you need a 3rd machine to route traffic between two machines if both are behind NAT^. It was my understanding that supernodes were (also) used for this.
^Unless you can predict the translated source port
Doesn't contradict the parent post. For hole punching you need to know the source (host+port) your peer sends traffic from. If the source port is randomised (or already used by someone for udp if nat prevents sharing), hole punching will fail.
If you're natted, the source port seen by supernode doesn't have to be the same as the one seen by others. Someone on your network may be talking to the same supernode already, so the conflict has to be resolved by some remapping in the nat.
No. I don't know why you're not listening to what he's saying. I can tell you, from currently writing code that does STUN negotiation, unless you have two peers behind full-cone NAT (which is rather rare actually), you do not need to know what the port mapping/translation is.
I have a sideband connection to a server, and I tell it to route my negotiation packets to my peer's sideband connection. I literally never even touch a UDP port or connection, and the library I uses establishes a connection using STUN(-light). And from having read the source, it doesn't explicitly determine or set the mapping (using uPNP) either.
In my work with VoIP that situation was pretty much the default assumption. I agree that it's only the double NATed situation that's hard to handle, but stay by my opinion that sometimes it's just impossible to resolve without a middle man. But it depends on many things - clients, routes, number of people in local network using the same application, etc. Sometimes you just have to fall back to proxying everything.
No hole punching method will work for all combinations of firewall at each end of the intended communications channel. If connecting the clients directly in either direction after the initial negotiation fails then Skype (and tools like it) will instead send the data via a 3rd host (which sits in the middle and acts as a bridge between the two TCP streams).
If they get a wiretap order and your client can normally achieve a direct connection with a particular user, they could just emulate connection failure and the clients would revert to using the proxy without informing the user (after all, they are designed to do that for the sake of resilience of the user experience). You can probably see where the traffic is going, the client may even tell you without you having to dig far, but you won't know if you are going via the middle-man server(s) because of a general network issue that is stopping a direct connection being possible or if it is because of a wire-tap.
Even if the sensational headline is accurate, it's not worth the conspiracy theories:
(1) Microsoft is a US Corporation
(2) With the Skype acquisition, Microsoft (arguably) becomes a telecommunications carrier.
(3) CALEA passed in 1994, "requiring telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time." [a]
My (unfounded, optimistic) speculation is the skype acquisition was strategic positioning in the mobile market: seamless cutover to skype when your phone has WiFi.
As a fine upstanding non-US citizen you are simply not considered by that law, and so can't be considered as much as you might like by the companies implementing systems that have to comply with that law. Microsoft's options are move to another country (not going to happen), ignore the law (not going to happen as it could cost them dear), or implement the law even though it might cause problems in markets outside the US.
For services hosted in other countries the law in those countries might well have something it can say/do, but even if they do successfully put their feet down MS could just pull the services out (costing the country if the investment in equipment/services/employees is significant) and move them elsewhere. They might be able to add the protection needed under those non-US laws the nodes in the affected areas, it depends on the exact wording and enforcement of the law, but even if they did you lose that protection as soon as you hit a node elsewhere anyway.
Practically speaking if this is a concern for you (and it might legitimately be: contrary to what governments seem to think people and companies that are not criminal, not just the criminals/terrorists, have good reasons to want some privacy generally and more specifically those in competition with MS (amongst others) would not want to trust them as the gate-keepers) then your only option is to find an alternative to Skype. That isn't going to be easy though: any commercial provider is going to comply with the same regulations otherwise they'll find it difficult to operate in the US market (or the Chinese market which is growing much faster and is even more spy-y than the US) and even if you find something you then need to convince other to use it too.
"For services hosted in other countries the law in those countries might well have something it can say/do"
The actual hosting country does not always matter. In the Netherlands for instance (i can't speak for other countries) -where- a service is hosted is irrelevant. If you market your service to Dutch citizens (you have a Dutch language version of the site, or a Dutch contact number for instance) you are assumed to abide by Dutch law and can be prosecuted in a Dutch court if you don't.
Your comment seems to be built on the assumption that if the government has passed laws to make what it does legal, then we shouldn't worry— nothing conspiratorial or against our interests is occurring.
He's just saying it's not conspiratorial, it's blatantly part of the U.S. Code. Microsoft isn't colluding with the government behind closed doors, they're complying with the laws necessary to move into a slightly different market.
Whether it's for or against our interest was never addressed.
After CALEA was extended to online services in 2006, Skype was legally required to implement wiretapping. They didn't, and stated they had no intention of complying with CALEA publicly, but never seemed to have been targeted by the DOJ over their non-compliance.
But they were still legally required to have done so, and the DOJ could have sent them up shit creek if doing so ever became a priority.
What's changed now? Probably just that Microsoft's legal division wasn't comfortable having that kind of regulatory non-compliance under their watch. Microsoft gets a lot of scrutiny from the DOJ and probably aren't particularly keen on being hauled up on new charges over this issue.
You used to trust a shady Europe-based private corporation; now you have to trust a shady US-based private corporation. Regardless of their specific track records, there is nothing intrinsically different between the two.
VSee (http://vsee.com/) doesn't look bad, but it's also closed sourced. Something built on open standards (SIP/XMPP) like Jitsi is likely to be more transparent because you won't have to guess what some mysterious supernode does and doesn't do with your data.
Good luck getting your non-techie friends to use that though. Skype became popular because it just worked, which at that point had not reliably been achieved even for plain voice calls, much less video.
I admit I don't know much about the internals of this, but maybe it's because, by serving as a node to forward other transmissions, the former Skype client drained people's mobile broadband data budgets. In this way they avoid this.
Wiretapping sounds so innocent. Of course, all US comms must be available for lawful wiretaps in fight against crime.
No, what we're dealing with here is a dragnet cast upon the comms of users around the world, who aren't protected by US Constitution and thus can be tapped at will by US agencies and even private corporations without any warrants or oversight.
For instance, if Microsoft wanted to learn about technical or trade secrets of competitors communicating through Skype (say, a couple of start-up founders), now they're free to do it.
Also, if a US agency wanted to put on a no-fly list some people who casually converse about what morons those TSA people are or how all US administrations support the Israeli regime that commits war crimes against Palestinians, now it's very easy to do.
For instance, if Microsoft wanted to learn about technical or trade secrets of competitors communicating through Skype (say, a couple of start-up founders), now they're free to do it.
Is that any different from using, say, Gmail or Google Apps? Not saying that Google is looking at that data but this is a problem with essentially every web-based communication tool. People shouldn't have an expectation of privacy or security just because it's a company they know/like or it's a popular tool.
I've long thought that Google's ability to track searches from Microsoft IP addresses was one of the reasons for the development of Bing - i.e. Bing's value is, in part, that it plugs an information leak and siphons other leaks into Microsoft's data mine.
For instance, if Microsoft wanted to learn about technical or trade secrets of competitors communicating through Skype (say, a couple of start-up founders), now they're free to do it.
Do you seriously think trade secrets aren't enforceable outside US borders? That there's no such thing as a transnational tort claim? Do you also think that because the "Constitution doesn't protect" stuff that Microsoft can randomly steal from people? Can they murder people too?
You knew this was a batshit claim when you saw someone trying to map the Constitution to Microsoft in the first place, since the Constitution doesn't regulate private businesses at all.
What does ECHELON and military drones have to do with civil liability?
The root comment in this thread suggests that Microsoft might be centralizing Skype so that it can scrape trade secrets out of phone calls. That sentiment is based on a preposterous misapprehension about how international law works.
Good luck finding a lawyer who has the skills to perform an international tort offense who charges less than six figures for it. Only a company like Microsoft has the cash to pull that off.
(I'm pretty sure you are directing all of your "you"s mostly to others in the thread so I will ignore the impatient and condescending tone)
You aren't very specific though. I'm not familiar with transnational tort claim and I doubt it as popular to others here in HN either. Is it as solid as you seem to make it? Google has little (easily accessible material) on it. It doesn't sound like something that is illegal by itself; only that they could be sued by those startups if/when they find out (and decide to saddle up for an international case against a huge company... yeah that probably isn't very likely).
The National Security Agency put out an RFP for Skype decrypting/intercepting awhile back and this was the first thing that popped back into my mind when Microsoft bought Skype. Then, when M announced they were replacing the supernodes, it only re-confirmed what was going on, in my mind.
This is the kind of thing that makes it annoying that just about all interesting internet companies are in the US. Why can't Europe step up with some competition?
Entrepreneurship is far more difficult in much of Europe. It's much more difficult to set up a corporation, access capital, especially speculative capital (i.e. VC money) as well as some fairly strict taxation and regulatory schemes. This article: http://buswk.co/Hltv5F explains a few if those factors.
Remember Microsoft has major contracts and relationships with the Chinese and Korean government, among others. This stuff is the dark underside of a Microsoft aquisition. Of course, they have relationships with the US govt as well, but Americans are obstensibly protected by the Constitution -- those protections (as well as due process) don't French exist in many countries with whom Microsoft does business.
107 comments
[ 5.7 ms ] story [ 181 ms ] threadhttp://www.conceivablytech.com/8108/products/microsoft-may-a...
http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_...
All of the sudden the outrageous $8.5 billion price Microsoft paid for Skype (and twice as much as any other competing bid) starts to make sense.
This way you would get a quick indicator of whether or not you were likely being monitored.
In the long term, I hope the WebRTC protocol will disrupt both of them.
Wow. Does it make it the first, large scale, internal(¹) deployment of non-Windows infrastructure by Microsoft? The question is: why? Do their engineers managed to convince the company that Windows is ill-suited to the task? I am quite stupefied.
(¹) "Internal" as opposed to situations where Microsoft inherited non-Windows infrastructure from external acquisitions, such as when they acquired Hotmail in 1997 and their 5000 FreeBSD servers (eventually migrated to Windows.)
While they obviously don't publicise it I think they've probably used Linux where it's appropriate for some time now.
Moving an entire service to a different OS isn't quite that simple, so the simplest thing was to just add capacity using whatever was running at the moment.
They acquired skype. So the question would be, Is it worth rewriting a ton of working code just so we can say it runs on our platform.
I'm pretty sure Hotmail ran Linux or BSD for quite a while after Microsoft bought them (though probably not any more)
Skype may yet transition to Windows servers, but MS are hardly going to insist they make it their first and only priority. That would be insane.
I've seen Skype being used a lot in businesses both centralized and decentralized.
14:21 Do not abhor us, for thy name's sake, do not disgrace the throne of thy glory: remember, break not thy covenant with us.
14:22 Are there any among the vanities of the Gentiles that can cause rain? or can the heavens give showers? art not thou he, O LORD our God? therefore we will wait upon thee: for thou hast made all these things.
15:1 Then said the LORD unto me, Though Moses and Samuel stood before me, yet my mind could not be toward this people: cast them out of my sight, and let them go forth.
15:2 And it shall come to pass, if they say unto thee, Whither shall we go forth? then thou shalt tell them, Thus saith the LORD; Such as are for death, to death; and such as are for the sword, to the sword; and such as are for the famine, to the famine; and such as are for the captivity, to the captivity.
"This has not changed the underlying nature of Skype’s peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes)."
Now obviously this could be a lie, but it should be fairly simple to prove one way or another - simply force a call between 2 NAT'd clients, and trace where the voice packets go, it'll either be to one of these newly centralised supernodes, or somewhere else?
1 - http://arstechnica.com/business/2012/05/skype-replaces-p2p-s...
To keep OT: Perhaps they will be soon required to be able to wiretap http://www.pcadvisor.co.uk/news/security/111150/eu-seeks-to-...
It will also bring benefits to end users if the client's machines won't become supernodes. And perhaps avoid the problems from last December http://www.disruptivetelephony.com/2010/12/understanding-tod...
True such open holes does not affect text, except when skype forces it through China's servers.
The most secure approach is still encrypted text..
It is possible that after receiving a wiretap request Skype will route your calls differently. But they could have rolled this out by just upgrading the supernode code and keeping supernodes distributed.
It seems far more likely that they made this change for stability/reliability. Particularly after the Skype network crashes that have happened in the past.
^Unless you can predict the translated source port
I have a sideband connection to a server, and I tell it to route my negotiation packets to my peer's sideband connection. I literally never even touch a UDP port or connection, and the library I uses establishes a connection using STUN(-light). And from having read the source, it doesn't explicitly determine or set the mapping (using uPNP) either.
Right, that's why TURN is part of ICE.
If they get a wiretap order and your client can normally achieve a direct connection with a particular user, they could just emulate connection failure and the clients would revert to using the proxy without informing the user (after all, they are designed to do that for the sake of resilience of the user experience). You can probably see where the traffic is going, the client may even tell you without you having to dig far, but you won't know if you are going via the middle-man server(s) because of a general network issue that is stopping a direct connection being possible or if it is because of a wire-tap.
http://saikat.guha.cc/pub/iptps06-skype/
Would it be too much of a stretch to assume the clients can be directed to use one of the new Linux super nodes at will?
(1) Microsoft is a US Corporation
(2) With the Skype acquisition, Microsoft (arguably) becomes a telecommunications carrier.
(3) CALEA passed in 1994, "requiring telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time." [a]
My (unfounded, optimistic) speculation is the skype acquisition was strategic positioning in the mobile market: seamless cutover to skype when your phone has WiFi.
a - http://en.wikipedia.org/wiki/Communications_Assistance_for_L...
For services hosted in other countries the law in those countries might well have something it can say/do, but even if they do successfully put their feet down MS could just pull the services out (costing the country if the investment in equipment/services/employees is significant) and move them elsewhere. They might be able to add the protection needed under those non-US laws the nodes in the affected areas, it depends on the exact wording and enforcement of the law, but even if they did you lose that protection as soon as you hit a node elsewhere anyway.
Practically speaking if this is a concern for you (and it might legitimately be: contrary to what governments seem to think people and companies that are not criminal, not just the criminals/terrorists, have good reasons to want some privacy generally and more specifically those in competition with MS (amongst others) would not want to trust them as the gate-keepers) then your only option is to find an alternative to Skype. That isn't going to be easy though: any commercial provider is going to comply with the same regulations otherwise they'll find it difficult to operate in the US market (or the Chinese market which is growing much faster and is even more spy-y than the US) and even if you find something you then need to convince other to use it too.
The actual hosting country does not always matter. In the Netherlands for instance (i can't speak for other countries) -where- a service is hosted is irrelevant. If you market your service to Dutch citizens (you have a Dutch language version of the site, or a Dutch contact number for instance) you are assumed to abide by Dutch law and can be prosecuted in a Dutch court if you don't.
Whether it's for or against our interest was never addressed.
But they were still legally required to have done so, and the DOJ could have sent them up shit creek if doing so ever became a priority.
What's changed now? Probably just that Microsoft's legal division wasn't comfortable having that kind of regulatory non-compliance under their watch. Microsoft gets a lot of scrutiny from the DOJ and probably aren't particularly keen on being hauled up on new charges over this issue.
Good luck getting your non-techie friends to use that though. Skype became popular because it just worked, which at that point had not reliably been achieved even for plain voice calls, much less video.
No, what we're dealing with here is a dragnet cast upon the comms of users around the world, who aren't protected by US Constitution and thus can be tapped at will by US agencies and even private corporations without any warrants or oversight.
For instance, if Microsoft wanted to learn about technical or trade secrets of competitors communicating through Skype (say, a couple of start-up founders), now they're free to do it.
Also, if a US agency wanted to put on a no-fly list some people who casually converse about what morons those TSA people are or how all US administrations support the Israeli regime that commits war crimes against Palestinians, now it's very easy to do.
Is that any different from using, say, Gmail or Google Apps? Not saying that Google is looking at that data but this is a problem with essentially every web-based communication tool. People shouldn't have an expectation of privacy or security just because it's a company they know/like or it's a popular tool.
- location and contact history (cell phones)
- message history and address book (email, social network)
- interests/activities (calendars, event tools, feed subscriptions)
- browsing history
As an engineer, think about the evil fun you could have with that data. You could really mess somebody up if you didn't like them.
None of this is legal, and if discovered there would be a legal case to answer.
What? No they're not.
You knew this was a batshit claim when you saw someone trying to map the Constitution to Microsoft in the first place, since the Constitution doesn't regulate private businesses at all.
Come on. We're smarter than this.
I really wonder how much espionage is going on. Does MS have a mole at Google, and vice versa?
http://en.wikipedia.org/wiki/ECHELON#Controversy
(To your first question: ask Robert Metcalfe (3com), Charles H. Ferguson etc. To your second question: drones. -- Welcome to the real world)
But true, this has little to do with skype.
The root comment in this thread suggests that Microsoft might be centralizing Skype so that it can scrape trade secrets out of phone calls. That sentiment is based on a preposterous misapprehension about how international law works.
There isn't really anything that is called "international law", as such. There are agreements between nations, and those agreements are what they are.
You aren't very specific though. I'm not familiar with transnational tort claim and I doubt it as popular to others here in HN either. Is it as solid as you seem to make it? Google has little (easily accessible material) on it. It doesn't sound like something that is illegal by itself; only that they could be sued by those startups if/when they find out (and decide to saddle up for an international case against a huge company... yeah that probably isn't very likely).