I laughed, because it's funny to think that someone concerned about Microsoft snooping on their chat sessions would be willing to somehow publish those same messages into a (very public) blockchain.
The best recommendation I have at the current time is OTR https://en.wikipedia.org/wiki/Off-the-Record_Messaging, authenticate your key fingerprints, ensure that neither party's chat program is logging, and that both computers are free of malware.
Pidgin supports OTR, but it crashes enough to raise concerns about that last point.
I'm confused. The above poster asked what a good chat program is for communicating with other people (namely non-technical users) where the user can't get spied upon.
This isn't so much a "how can I be secure" question, but a "what alternatives to Skype do I have that work on Linux" question.
Which is one I'm also interested in, since I also want something thats (1)linux compatible, (2) easy and accessible for "average users" of any OS, (3) and secure. And I'm hoping for those things in that order.
If you are talking to an average user (implied by #2), then there are short odds that at some point their machine will be compromised, at which point it doesn't matter how secure the communications channel is.
I should clarify, I don't mean secure from all angles. In terms of security I don't want a company looking through my chat logs, and I don't want someone who be able to see what I'm saying via a wifi sniffer.
I've switched to Yate's QT client (http://yate.null.ro) for all my communication needs. allocate about 512MB of RAM to a VM for Asterisk/Openfire/FreePBX, and connect to it. You'll have voice/video plus instant messaging, with no central authority snooping on all your conversations.
I realize I could probably use Yate for everything, but I know asterisk and openfire better at this point, so I use them. :)
That article is very dismissive and pretty flimsy. "A single experiment"? No, it was replicated by multiple people. I’ve concluded that the reason for the mysterious visit is almost certainly innocent.... I’m reasonably certain that address is part of Microsoft’s SmartScreen infrastructure. First, that's not very reassuring. The data should not be readable by Microsoft. Second, since the traffic showed up hours after the message was sent, it is not useful as a screening service. The link would have been clicked long before the URL was checked out. The only mitigating piece of this mess is that the request was a HEAD and not a GET, so they're not fetching the whole contents of the page. But the damage is done long before.
Then again, some people have discovered that GET requests came in probably from the same person and with a google referrer after the HEAD request from the google bot:
In addition to sp332's well-taken points, there is the fact that what Microsoft sees, it cannot prevent the USA government and its allies from seeing. Many Skype customers would see that as an unacceptable threat.
The ZDNet do not say that Microsoft aren't reading and interpreting what people write in private chat. ZDNet just say its "almost certainly innocent" because its done automatically by a machine for the purpose of increased security.
I for once disagree here that such actions are innocent. When peoples private conversation is read and interpreted, even by a machine, most people still get a feeling of lost security. This in turn causes a real problem from lower personal security, increased mental stress, and social self-imposed restrictions.
>When peoples private conversation is read and interpreted, even by a machine, most people still get a feeling of lost security. This in turn causes a real problem from lower personal security, increased mental stress, and social self-imposed restrictions.
Skype was originally marketed as having end-to-end encryption. Now, we know that since Microsoft bought Skype they've added wiretapping support, which works by making themselves a man-in-the-middle. They claim they only do this temporarily for people they are actively wiretapping.
This, however, shows that Microsoft regularly MITMs you, for the purpose of evaluating whether links are dangerous. This means that basically all of Skype's former privacy claims are no longer true. They simply regularly look at your unencrypted traffic, which means that they are a target for attackers, governments, and pretty much anyone who wants to eavesdrop or read your messages.
How do you know if Microsoft is actually eavesdropping the entire conversation, or it's just the Skype client filtering out URLs in the conversation for additional screening? Sorry if I missed something in the article.
The URLs are being pinged by computers within Microsoft, so even if the filtering was only occurring on the client side (which I doubt) it still makes its way back to MS servers.
I wouldn't call this man-in-the-middle, they are the man at both ends and in the middle.
MITM usually refers to 3rd parties routing your traffic. So if your ISP or network admin was sniffing your Skype messages, that would be what is generally called MITM.
The article concludes: There’s no evidence that anyone, human or machine, is reading your confidential messages.
Well obviously, a machine is reading your confidential messages, if only to scan them for links. In the most benign case, the link scanning could be done in the skype client (closed source software on your machine), and MS's servers are seeing a list of links + an encrypted message.
Wasn't it enough that the original debunked post was on the front page for almost two days that we now have outraged people upvoting this yet again? Skype checks http URLs too and only does a HTTP HEAD, not GET, so what are they snooping on?
On the other hand, I am wary of posting anything that can be construed as pro-Microsoft here.
7:1 When the LORD thy God shall bring thee into the land whither thou
goest to possess it, and hath cast out many nations before thee, the
Hittites, and the Girgashites, and the Amorites, and the Canaanites,
and the Perizzites, and the Hivites, and the Jebusites, seven nations
greater and mightier than thou; 7:2 And when the LORD thy God shall
deliver them before thee; thou shalt smite them, and utterly destroy
them; thou shalt make no covenant with them, nor shew mercy unto them:
7:3 Neither shalt thou make marriages with them; thy daughter thou
shalt not give unto his son, nor his daughter shalt thou take unto thy
son.
7:4 For they will turn away thy son from following me, that they may
serve other gods: so will the anger of the LORD be kindled against
you, and destroy thee suddenly.
7:5 But thus shall ye deal with them; ye shall destroy their altars,
and break down their images, and cut down their groves, and burn their
graven images with fire.
"Spam and phishing sites are not usually found on HTTPS pages"
That's actually a lie, making people think a website is safe just because they see https:// in the address bar.
In fact, automated link visits is a common practice used by many email spam filters, and it makes sense to implement it in other messaging systems such as Skype.
As an ex-Microsoftie, I'm really happy Skype is doing this. Instant messages are one of the best ways to spread bad things to other people's computers by getting them to click on things. This is going to protect a lot of people.
I've recently discovered that MSN censors IMs with some urls. From reports, it seems that the censor rules are really random too: e.g. everything with the .io tld. It also gave zero feedback that it was doing this, other than "error sending message".
That is not acceptable. If you think there is a virus in a URL, attach a warning as web browsers do with domains that have had reports of distributing malware. And beyond that, actually make sure that you only do this for sites that are really a danger, rather than making up arbitrary rules with exceedingly low precision.
I would prefer they put their efforts into making a secure operating system in the first place instead of trying to nanny their users in such a creepy fashion.
I suspect different teams are involved with scanning for malware URLs in Skype and implementing core OS protections, so the tradeoff you imply is illusory. Besides, Microsoft already puts a lot of effort into the security of Windows, with seemingly good results. There's nothing wrong with defense in depth.
Google goes through every Gmail that's sent or received, looking for keywords so they can target Gmail users with paid ads. And there's no way to opt out of this invasion of your privacy. Outlook.com is different—we don't go through your email to sell ads.
This is just microsoft running chat logs through automation scripts. I'm would assume these links also coordinate content of the conversation with the link and are correlated into bing search results.
Side Note: I wouldn't be surprised if google chrome submits url and page content to googlebot (for crawling).
48 comments
[ 3.1 ms ] story [ 60.0 ms ] threadhttp://www.fastcolabs.com/3007320/tracking/bitcoin-coming-br...
Pidgin supports OTR, but it crashes enough to raise concerns about that last point.
This isn't so much a "how can I be secure" question, but a "what alternatives to Skype do I have that work on Linux" question.
Which is one I'm also interested in, since I also want something thats (1)linux compatible, (2) easy and accessible for "average users" of any OS, (3) and secure. And I'm hoping for those things in that order.
For real-time text chat you can try Cryptocat: it's cross-pratform, implements the OTR protocol [1] and is rather user-friendly.
[1] https://en.wikipedia.org/wiki/Off-the-Record_Messaging
I realize I could probably use Yate for everything, but I know asterisk and openfire better at this point, so I use them. :)
http://seclists.org/fulldisclosure/2013/May/80
It's concerning.
I for once disagree here that such actions are innocent. When peoples private conversation is read and interpreted, even by a machine, most people still get a feeling of lost security. This in turn causes a real problem from lower personal security, increased mental stress, and social self-imposed restrictions.
That sounds like a line out of a Scroogled ad.
A server is a black box controlled by someone else. They may tell you it'd doing X but there's no way to verify that.
Skype was originally marketed as having end-to-end encryption. Now, we know that since Microsoft bought Skype they've added wiretapping support, which works by making themselves a man-in-the-middle. They claim they only do this temporarily for people they are actively wiretapping.
This, however, shows that Microsoft regularly MITMs you, for the purpose of evaluating whether links are dangerous. This means that basically all of Skype's former privacy claims are no longer true. They simply regularly look at your unencrypted traffic, which means that they are a target for attackers, governments, and pretty much anyone who wants to eavesdrop or read your messages.
MITM usually refers to 3rd parties routing your traffic. So if your ISP or network admin was sniffing your Skype messages, that would be what is generally called MITM.
Well obviously, a machine is reading your confidential messages, if only to scan them for links. In the most benign case, the link scanning could be done in the skype client (closed source software on your machine), and MS's servers are seeing a list of links + an encrypted message.
But we just don't know, do we?
On the other hand, I am wary of posting anything that can be construed as pro-Microsoft here.
https://news.ycombinator.com/user?id=recoiledsnake
7:1 When the LORD thy God shall bring thee into the land whither thou goest to possess it, and hath cast out many nations before thee, the Hittites, and the Girgashites, and the Amorites, and the Canaanites, and the Perizzites, and the Hivites, and the Jebusites, seven nations greater and mightier than thou; 7:2 And when the LORD thy God shall deliver them before thee; thou shalt smite them, and utterly destroy them; thou shalt make no covenant with them, nor shew mercy unto them: 7:3 Neither shalt thou make marriages with them; thy daughter thou shalt not give unto his son, nor his daughter shalt thou take unto thy son.
7:4 For they will turn away thy son from following me, that they may serve other gods: so will the anger of the LORD be kindled against you, and destroy thee suddenly.
7:5 But thus shall ye deal with them; ye shall destroy their altars, and break down their images, and cut down their groves, and burn their graven images with fire.
God says...
groanings causes constantly countryman divination reigning five translated measuring Predicament meh pilgrimage Bridegroom Sacrifice fuller unpleasantly snap_out_of_it land soothed no_more_tears cheer Thailand couldest dispraised ocean Nay ship murmured doing grammarian greet little_fish etext range thickets deafness heat Vanilla flourished service_sector continency plausibility stole seeth standing hell relapse propound hidden Substance harvest loose I_quit you're_wonderful all-pitying
That's actually a lie, making people think a website is safe just because they see https:// in the address bar.
In fact, automated link visits is a common practice used by many email spam filters, and it makes sense to implement it in other messaging systems such as Skype.
That is not acceptable. If you think there is a virus in a URL, attach a warning as web browsers do with domains that have had reports of distributing malware. And beyond that, actually make sure that you only do this for sites that are really a danger, rather than making up arbitrary rules with exceedingly low precision.
http://www.scroogled.com/mail
THINK GOOGLE RESPECTS YOUR PRIVACY? THINK AGAIN.
Google goes through every Gmail that's sent or received, looking for keywords so they can target Gmail users with paid ads. And there's no way to opt out of this invasion of your privacy. Outlook.com is different—we don't go through your email to sell ads.
Side Note: I wouldn't be surprised if google chrome submits url and page content to googlebot (for crawling).