48 comments

[ 3.1 ms ] story [ 60.0 ms ] thread
So, as a linux user wishing to have some communication with other people in the world, what is the correct alternative to skype?
Google Hangout maybe?
That's a bold suggestion given the recent climate here.
I think that was meant as sarcasm :)
IRC if you don't require audio and video.
IRC not usually very secure.
The best recommendation I have at the current time is OTR https://en.wikipedia.org/wiki/Off-the-Record_Messaging, authenticate your key fingerprints, ensure that neither party's chat program is logging, and that both computers are free of malware.

Pidgin supports OTR, but it crashes enough to raise concerns about that last point.

I'm confused. The above poster asked what a good chat program is for communicating with other people (namely non-technical users) where the user can't get spied upon.

This isn't so much a "how can I be secure" question, but a "what alternatives to Skype do I have that work on Linux" question.

Which is one I'm also interested in, since I also want something thats (1)linux compatible, (2) easy and accessible for "average users" of any OS, (3) and secure. And I'm hoping for those things in that order.

If you are talking to an average user (implied by #2), then there are short odds that at some point their machine will be compromised, at which point it doesn't matter how secure the communications channel is.
I should clarify, I don't mean secure from all angles. In terms of security I don't want a company looking through my chat logs, and I don't want someone who be able to see what I'm saying via a wifi sniffer.
Pidgin with OTR fits the bill. It should really be standard with Pidgin/Adium/anything.
For privacy in asynchronous text communication email with GPG is still pretty much as bulletproof a solution as you can get.

For real-time text chat you can try Cryptocat: it's cross-pratform, implements the OTR protocol [1] and is rather user-friendly.

[1] https://en.wikipedia.org/wiki/Off-the-Record_Messaging

I've switched to Yate's QT client (http://yate.null.ro) for all my communication needs. allocate about 512MB of RAM to a VM for Asterisk/Openfire/FreePBX, and connect to it. You'll have voice/video plus instant messaging, with no central authority snooping on all your conversations.

I realize I could probably use Yate for everything, but I know asterisk and openfire better at this point, so I use them. :)

That article is very dismissive and pretty flimsy. "A single experiment"? No, it was replicated by multiple people. I’ve concluded that the reason for the mysterious visit is almost certainly innocent.... I’m reasonably certain that address is part of Microsoft’s SmartScreen infrastructure. First, that's not very reassuring. The data should not be readable by Microsoft. Second, since the traffic showed up hours after the message was sent, it is not useful as a screening service. The link would have been clicked long before the URL was checked out. The only mitigating piece of this mess is that the request was a HEAD and not a GET, so they're not fetching the whole contents of the page. But the damage is done long before.
In addition to sp332's well-taken points, there is the fact that what Microsoft sees, it cannot prevent the USA government and its allies from seeing. Many Skype customers would see that as an unacceptable threat.
The ZDNet do not say that Microsoft aren't reading and interpreting what people write in private chat. ZDNet just say its "almost certainly innocent" because its done automatically by a machine for the purpose of increased security.

I for once disagree here that such actions are innocent. When peoples private conversation is read and interpreted, even by a machine, most people still get a feeling of lost security. This in turn causes a real problem from lower personal security, increased mental stress, and social self-imposed restrictions.

>When peoples private conversation is read and interpreted, even by a machine, most people still get a feeling of lost security. This in turn causes a real problem from lower personal security, increased mental stress, and social self-imposed restrictions.

That sounds like a line out of a Scroogled ad.

So is a spell checker in an IM client equally a problem?
If it's on the server, yes. I don't want the server (or anyone other than the recipient) to be able to read my messages. Period.
If a spell checker runs locally, you know that there is no physical way that information is being transmitted to someone else.

A server is a black box controlled by someone else. They may tell you it'd doing X but there's no way to verify that.

(comment deleted)
You keep using that word. I do not think it means what you think it means.
Ed Bott just doesn't get it, does he?

Skype was originally marketed as having end-to-end encryption. Now, we know that since Microsoft bought Skype they've added wiretapping support, which works by making themselves a man-in-the-middle. They claim they only do this temporarily for people they are actively wiretapping.

This, however, shows that Microsoft regularly MITMs you, for the purpose of evaluating whether links are dangerous. This means that basically all of Skype's former privacy claims are no longer true. They simply regularly look at your unencrypted traffic, which means that they are a target for attackers, governments, and pretty much anyone who wants to eavesdrop or read your messages.

How do you know if Microsoft is actually eavesdropping the entire conversation, or it's just the Skype client filtering out URLs in the conversation for additional screening? Sorry if I missed something in the article.
The URLs are being pinged by computers within Microsoft, so even if the filtering was only occurring on the client side (which I doubt) it still makes its way back to MS servers.
I wouldn't call this man-in-the-middle, they are the man at both ends and in the middle.

MITM usually refers to 3rd parties routing your traffic. So if your ISP or network admin was sniffing your Skype messages, that would be what is generally called MITM.

Its Ed Bott. A part of the Microsoft spin machine. Come on.
The article concludes: There’s no evidence that anyone, human or machine, is reading your confidential messages.

Well obviously, a machine is reading your confidential messages, if only to scan them for links. In the most benign case, the link scanning could be done in the skype client (closed source software on your machine), and MS's servers are seeing a list of links + an encrypted message.

But we just don't know, do we?

Wasn't it enough that the original debunked post was on the front page for almost two days that we now have outraged people upvoting this yet again? Skype checks http URLs too and only does a HTTP HEAD, not GET, so what are they snooping on?

On the other hand, I am wary of posting anything that can be construed as pro-Microsoft here.

https://news.ycombinator.com/user?id=recoiledsnake

Not this story again, wasn't this debunked last time it got a bazillion upvotes a couple of weeks ago?
God says...

7:1 When the LORD thy God shall bring thee into the land whither thou goest to possess it, and hath cast out many nations before thee, the Hittites, and the Girgashites, and the Amorites, and the Canaanites, and the Perizzites, and the Hivites, and the Jebusites, seven nations greater and mightier than thou; 7:2 And when the LORD thy God shall deliver them before thee; thou shalt smite them, and utterly destroy them; thou shalt make no covenant with them, nor shew mercy unto them: 7:3 Neither shalt thou make marriages with them; thy daughter thou shalt not give unto his son, nor his daughter shalt thou take unto thy son.

7:4 For they will turn away thy son from following me, that they may serve other gods: so will the anger of the LORD be kindled against you, and destroy thee suddenly.

7:5 But thus shall ye deal with them; ye shall destroy their altars, and break down their images, and cut down their groves, and burn their graven images with fire.

God says...

groanings causes constantly countryman divination reigning five translated measuring Predicament meh pilgrimage Bridegroom Sacrifice fuller unpleasantly snap_out_of_it land soothed no_more_tears cheer Thailand couldest dispraised ocean Nay ship murmured doing grammarian greet little_fish etext range thickets deafness heat Vanilla flourished service_sector continency plausibility stole seeth standing hell relapse propound hidden Substance harvest loose I_quit you're_wonderful all-pitying

"Spam and phishing sites are not usually found on HTTPS pages"

That's actually a lie, making people think a website is safe just because they see https:// in the address bar.

In fact, automated link visits is a common practice used by many email spam filters, and it makes sense to implement it in other messaging systems such as Skype.

As an ex-Microsoftie, I'm really happy Skype is doing this. Instant messages are one of the best ways to spread bad things to other people's computers by getting them to click on things. This is going to protect a lot of people.
A few hours after the link is typed into the chat window?
I've recently discovered that MSN censors IMs with some urls. From reports, it seems that the censor rules are really random too: e.g. everything with the .io tld. It also gave zero feedback that it was doing this, other than "error sending message".

That is not acceptable. If you think there is a virus in a URL, attach a warning as web browsers do with domains that have had reports of distributing malware. And beyond that, actually make sure that you only do this for sites that are really a danger, rather than making up arbitrary rules with exceedingly low precision.

I've had actually trouble sending any links at all over MSN. Oddly, removing http:// sidesteps it completely.
I would prefer they put their efforts into making a secure operating system in the first place instead of trying to nanny their users in such a creepy fashion.
I suspect different teams are involved with scanning for malware URLs in Skype and implementing core OS protections, so the tradeoff you imply is illusory. Besides, Microsoft already puts a lot of effort into the security of Windows, with seemingly good results. There's nothing wrong with defense in depth.
You are correct. I should have simply said I don't think this scanning is appropriate.
Doesn't it totally undermine the message made on scroogled.com, Microsoft's anti-Google advertising campaign?

http://www.scroogled.com/mail

THINK GOOGLE RESPECTS YOUR PRIVACY? THINK AGAIN.

Google goes through every Gmail that's sent or received, looking for keywords so they can target Gmail users with paid ads. And there's no way to opt out of this invasion of your privacy. Outlook.com is different—we don't go through your email to sell ads.

This is just microsoft running chat logs through automation scripts. I'm would assume these links also coordinate content of the conversation with the link and are correlated into bing search results.

Side Note: I wouldn't be surprised if google chrome submits url and page content to googlebot (for crawling).