Microsoft Reads Your Skype Chat Messages
An anonymous reader writes "A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs."
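The observation in the summary was made by sending a unique link and watching who fetched it. The following is an added example, not code from the original story or from Heise, of how to do that systematically: mint one canary URL per message and recipient, then correlate web-server access-log hits back to the message, reporting every fetch from an IP you did not expect and how long after sending it arrived. The host name, the log lines and the sender/recipient addresses are constructed for the demo.

```python
import re
import secrets
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumed canary host for the demo; not a real service.
CANARY_HOST = "canary.example.net"


def make_canary_url(recipient):
    """Return (token, url). One token per message, so a later hit traces back to it."""
    token = secrets.token_urlsafe(16)
    return token, "https://%s/c/%s?to=%s" % (CANARY_HOST, token, recipient)


# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TOKEN_RE = re.compile(r"^/c/([A-Za-z0-9_\-]+)$")


def parse_combined(line):
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"]), "ua": m["ua"]}


def correlate(sent, log_lines, known_ips=()):
    """sent maps token -> (sent_at, recipient). Return hits on canary tokens that
    came from an IP other than the sender's or recipient's own addresses."""
    hits = []
    for line in log_lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        m = TOKEN_RE.match(urlparse(rec["path"]).path)
        if not m or m.group(1) not in sent:
            continue
        if rec["ip"] in known_ips:
            continue  # the recipient (or you) clicking the link is expected
        sent_at, recipient = sent[m.group(1)]
        hits.append({
            "token": m.group(1), "recipient": recipient, "ip": rec["ip"],
            "method": rec["method"], "ua": rec["ua"],
            "delay_s": (rec["ts"] - sent_at).total_seconds(),
        })
    return hits


# Constructed sample data: one canary sent at 10:00 UTC, one legitimate click by the
# recipient, one HEAD from an unrelated address two hours later, one unrelated line.
UTC = timezone.utc
SAMPLE_SENT = {"k7Qx3_abc": (datetime(2013, 5, 14, 10, 0, 0, tzinfo=UTC), "alice")}
SAMPLE_LOG = [
    '203.0.113.7 - - [14/May/2013:10:00:30 +0000] "GET /c/k7Qx3_abc?to=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/May/2013:12:15:02 +0000] "HEAD /c/k7Qx3_abc?to=alice HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 9.0)"',
    '198.51.100.9 - - [14/May/2013:12:15:03 +0000] "HEAD /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/4.0"',
    'not a log line at all',
]


def demo():
    """Run the correlation over the constructed sample; returns the third-party hits."""
    return correlate(SAMPLE_SENT, SAMPLE_LOG, known_ips=("203.0.113.7",))


if __name__ == "__main__":
    for h in demo():
        print("%s %s token=%s for %s, %.0fs after send (UA: %s)" % (
            h["ip"], h["method"], h["token"], h["recipient"], h["delay_s"], h["ua"]))
```

Include the recipient's address in the token path rather than in a query parameter if you also want to catch fetchers that strip query strings; the `TOKEN_RE` match is on the path only, so both forms are handled here.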
Damned if they do... (Score:5, Informative)
"New Skype malware spreading at 2,000 clicks per hour to mine Bitcoins"
http://thenextweb.com/insider/2013/04/05/new-skype-malware-spreading-at-2000-clicks-per-hour-makes-money-by-using-victims-machines-to-mine-bitcoins/ [thenextweb.com]
And they try to prevent it by detecting malware and we get headlines like this. Looks like people are on a witch hunt here.
Re: (Score:2)
Fairly sure that intercepting private communications over a network is illegal without a warrant.
Re:Damned if they do... (Score:5, Insightful)
Not if you agree to it in the TOS.
Re:Damned if they do... (Score:4, Funny)
What does Skype have to do with ST:TOS?
Re: (Score:2)
True enough, but I'd say they have no grounds for safe harbour in this case, so wouldn't that leave them open as being a copyright infringement provider?
Re:Damned if they do... (Score:4, Interesting)
Not if you agree to it in the TOS.
Except those can *never* trump national law. If it's illegal in law - no terms of service, agreement or contract can suddenly make it legal again.
they don't technically need to intercept it at their end... if the filtering list is built into the client, then they never intercept it anymore than they intercept your typing in order to send it...
Re: (Score:2, Informative)
They intercept it if they use it for anything other than passing it to the receiver. It's not the Skype client going to those URLs. It's Microsoft's system going to those URLs.
Re:Damned if they do... (Score:5, Insightful)
Email spam filters are evil too! My ISP is reading my emails, OMG!
Re: (Score:2)
Emails are sent in the open - like postcards.
Incidentally the spam filtering is only a service provided specifically because you as a customer demand it. It's easy as hell to opt out should you want to.
Re:Damned if they do... (Score:4, Insightful)
Re: (Score:3)
Yes, it would.
Re: (Score:3)
Re:Damned if they do... (Score:4, Interesting)
"We reserve the right to monitor our network for the purposes of" would fly in most any country. In the EU privacy laws would probably prevent them from storing or distributing the information, but I'd think an automated scan of the linked URL would be fine. If it's not then everyone in the EU can look forward to a LOT more spam and malware since any hosted or cloud scanning technology is out.
Re: (Score:2)
Users of my mailservers have the ability to turn on/off spam filtering. It's on by default, all we'll have to do is turn it off by default and tell the customers how to turn it on again. Problem solved.
Re:Damned if they do... (Score:4, Insightful)
It depends on if Skype is sending all chats, or just the links. It depends on if Microsoft is archiving what it receives or just checking them for malware. As usual, more information is required to make an informed judgement on this issue.
Re: (Score:2)
Re:Damned if they do... (Score:4, Informative)
It's a distinction between a federated and a proprietary network. When you make a telephone call, your mobile operator may or may not be responsible for the far end. They are selling you access to a world wide telephone network, parts of which are operated by many companies even within a single country. The rules for this network are defined in part by the ITU and in part by the national laws of the various participating countries. In most of the western world, these place limits on who is allowed to listen in to messages. In contrast, Microsoft is selling you access to a private network that is owned and operated entirely by them.
The laws apply to federated networks because you may not have a direct business relationship with the carriers for a potentially large part. They do not need to apply for non-federated private services, because you have a direct business relationship with the supplier, in this case Microsoft.
Re: (Score:2)
Then feel free to not use the service.
Re: (Score:2)
Illegal for the government.
The Bill of Rights is a document that restricts (in theory) what the government can do to you. Corporations can quarter troops in your house, limit your speech, etc. You, of course, also have the right to shoot them right in their face. :-)
Re: (Score:3)
And how exactly would I go about shooting Microsoft in the face?
I don't know...Ballmer's head is a pretty big target... Seems doable.
Re: (Score:3)
Yeah, but he's just one man - shoot him and another will just take his place. Corporations are people now, right? Doesn't that mean there should be some way to murder them?
Re:Damned if they do... (Score:5, Informative)
Re: (Score:2)
You don't have to use those channels of course.
Great, what popular IM and VoIP client that everyone and their grandmother uses do you suggest instead?
Google (Score:3)
Great, what popular IM and VoIP client that everyone and their grandmother uses do you suggest instead?
Google Talk. Works out of the browser.
Once WebRTC hits the mainline version of browsers (soonish), it will work out of the browser without even a plugin.
Or you can install Jitsi and use that to log into your Google chat instead of the web client. And if the other end too has encryption (Off-The-Record on the message channel or ZRTP on the audio/video channels) (for example if the other end is using Adium to chat) the transmission is completely encrypted end-to-end with no way for Google to intercept anything.
Re: (Score:3)
Great, what popular IM and VoIP client that everyone and their grandmother uses do you suggest instead?
Google Talk. Works out of the browser.
Yeah, coz Google would *never* read your private data...
Re: (Score:3)
Google has always been pretty open about what they do and don't have access to.
And for the record, they have NEVER cooperated with a foreign government to disclose private info, unlike Microsoft. So maybe lay off of them here.
Use end-to-end encryption (Score:3)
Yeah, coz Google would *never* read your private data...
Doesn't matter. Just on the next line I suggested using end-to-end encryption.
You can log in with any XMPP software that supports Off-The-Record to have end-to-end encryption on chat (for example Jitsi, Pidgin, Adium, maybe Trillian too, but I'm not sure); you can log in with any XMPP software that supports ZRTP to have end-to-end encryption on audio/video (Jitsi again).
Both OTR and ZRTP are standards, so as long as software at both ends support it you get encryption, you don't need to use the same software, only
Re:Damned if they do... (Score:4, Informative)
Google must be fucked then, as they provide antispam and antimalware functionality in Gmail, and have done for almost a decade.
Re: (Score:3)
Yep. I'll also assume that Microsoft will create a version of 'Scroogled' for themselves.
Re:Damned if they do... (Score:4, Interesting)
The key phrase is "private communications". If the TOS specifically state the communication is non-private, the laws regarding private communication may well not apply. The US government is currently taking the position that email and chat messages do not constitute private communication and hence do not require a warrant to monitor, do you really think the actual network providers will be held to a higher standard?
Re: (Score:2)
Please cite where an instant messaging client is defined as a "network operator" in telecommunications law. Given IM can be implemented with various technologies like store and forward, P2P, or direct client-to-client connection, I'm guessing you can't.
Re: (Score:3)
Why would they possibly need your permission to go to a web site you referenced? If I overhear you say you are going to McDonald's, do I need to get YOUR permission to go to McDonalds?
Re:Damned if they do... (Score:4, Interesting)
Nope. First, if you don't want your site open to the public, protect it. There is no indication that MS tried to get around any authentication methods or used false credentials to gain access to the site.
Second, robots.txt is a convention and nothing else. Nobody is required to abide by it, and there certainly is no law against ignoring it.
Third, the article said the requests came in 'several hours' after the messages were sent, so any one-time URLs should have already been used or expired.
Last, and most importantly, any questions of improper access would be strictly between MS and the web site owner, not some third party who happened to reference the URL. Granted, in some (very few) cases the web site owner and the third party can be the same person, but even then the person would have to be acting in the capacity of web site owner, not Skype user.
So no, they do not need the permission of the Skype user to access the URL.
Re: (Score:3)
"Nope. First, if you don't want your site open to the public, protect it. There is no indication that MS tried to get around any authentication methods or used false credentials to gain access to the site."
I actually agree with you but various governments including the US don't see things this way given that people have been punished for accessing publicly accessible unprotected US government resources and for port scanning. The issue therefore becomes one of double standards - if Microsoft complained to th
Re: (Score:3)
No.
This isn't "Company filters messages for spam"
This is: private IMs between parties are tested for whatever reasons without the consent of the parties when accessed over the Skype transport.
1) Communications are being filtered and parsed, perhaps not in real-time. In the US, one would suspect the TSA, DHS, etc.
2) After parsing, found URLs are then tested for whatever purposes as though they were a random third party-- which they are not.
3) ToS or not, the repurposed communications are used in possible ToS
Re: (Score:2)
Re:Damned if they do... (Score:5, Insightful)
Nobody else was dumb enough to click the link.
You don't deal with many ordinary end users do you...
Re: (Score:2)
Re:Damned if they do... (Score:5, Insightful)
I once renamed shutdown.exe from the Windows resource kit to DONOTRUN.exe, and sent it in a mail round to the company (in the I love you/Melissa days), warning people in the subject, and message to NOT RUN THE ATTACHED attachment.
People then started coming to me complaining they'd lost work because their computer had shutdown.
It's amazing, it really is.
Alternate headline (Score:5, Insightful)
Alternate headline: Microsoft protects hundreds of millions of Skype users by going to the effort of checking even https URLs in chat for malware and spam
Re:Alternate headline (Score:5, Informative)
The problem with that, according to TFA, is that they only check https but not http. The latter being what malware sites use.
Also, they are sending HEAD requests, not GET. They are only getting the headers, not the content, so have no way of knowing if there is malware at the URL.
Re:Alternate headline (Score:5, Insightful)
Since you don't have any way to know exactly what they are doing, it is kind of silly to call that a 'problem'. Maybe they only do a HEAD because the response indicates authorization is required. Maybe they only visit a URL once, and already have visited the http site. Maybe they only do anything if something else triggers it (number of hits on a URL in a certain amount of time). You have no way of knowing that they only check https, you just know that in this particular case they only checked https. You have no way of knowing that they only get the headers, just that in this particular case they only got the headers.
Re:Damned if they do... (Score:5, Informative)
Those who care about keeping the contents of their IM conversations secret should not use Skype. As stated in their privacy policy [skype.com] "Skype may gather and use information about you, including (but not limited to) information in the following categories: ... (n) Content of instant messaging communications, voicemails, and video messages"
The EFF recommends [eff.org] using Pidgin or Adium with OTR encryption enabled, for reasonably secure instant messaging.
I'm glad the non-tech-savvy folks use Skype, though. If Microsoft weren't able to intercept these things, I'd have to clean out viruses from my in-laws' computers more often.
Re: (Score:2)
Looks like people are on a witch hunt here.
I don't think that phrase means what you think it means. The term "witch hunt" is usually used when the threat being hunted is a phantasm, whipped up from irrational fear and mob mentality. These threats are real and the mob is less aware of them than would be healthy. There is malware spreading. Microsoft is reading your supposedly encrypted comms. These witches really do walk among us. And to the extent that this culture of corporate surveillance is establishing
Re:Damned if they do... (Score:5, Insightful)
That's funny. I remember their reputation always being "no one knows how the key exchange works and therefore nobody can trust it."
"Encrypted" means jack shit. Skype never had a reputation for being secure because they never showed anyone that they are. With any serious VoIP protocol (e.g. zfone) they tell you how it works. If the design is a trade secret, then it's a scam. You've known that for decades.
Re: Damned if they do... (Score:2)
Re: (Score:3)
Better software how?
How can you have a general purpose OS with installable programs from the Web, but still prevent malware?
If the user can install Firefox, they can install malware.
The only way past this is to lock down the apps iOS App Store and Windows Store style with heavy sandboxing and DRM, which keeps system modifications out but is very good at combating malware.
You can install a rootkit on Linux and Android has a huge malware problem, are you implying that they're bad software because of that?
Re: (Score:2)
>How can you have a general purpose OS with installable programs from the Web, but still prevent malware?
How about implementing application-based permissions rather than the common user-based approach which is largely irrelevant on single-user machines? The original One Laptop Per Child OS had such a security system - a program couldn't access the camera unless you explicitly granted it permission to do so. Ditto the microphone, flash storage beyond its own fenced-in storage area, etc. Android is part
Re: (Score:3)
The problems with that approach are:
1) The programs will get a lot more complex in order to work around the lack of permissions. Example, what if the user denies a GPS navigation program access to the GPS? The program will have to keep prompting the user for the access. What if Angry Birds keeps prompting the user for access to the GPS and refuses to run without it?
2) The dancing bunnies problem: http://www.codinghorror.com/blog/2005/07/the-dancing-bunnies-problem.html [codinghorror.com]
Users have repeatedly shown that they w
This is news? (Score:5, Insightful)
How is this news? The price for free IM is that they read your messages and sell the info they gather to advertisers.
Re: (Score:3, Informative)
Except not. As far as Microsoft has announced, they don't mine your messages for advertising's sake (if they did, their entire "Scroogled" campaign would be hugely hypocritical and I'm sure someone would have called them on it). This is exclusively scanning for a URL and matching against a database - they're not saving any information about your messages, especially if they don't contain a link.
I'd say "take your FUD elsewhere", but this is Slashdot and a post about Microsoft...
Re:This is news? (Score:5, Informative)
Except Microsoft does mine your email content to serve up contextual ads.
http://www.nbcnews.com/technology/microsofts-new-outlook-mail-welcome-hotmail-replacement-917473 [nbcnews.com]
They say theirs isn't as deep, so it respects your privacy more, but what it really means is that they're not as good at serving up contextual ads, but they're still scanning your email.
Re: This is news? (Score:2)
Interesting, didn't realize they needed to visit a site for a database lookup.
I would consider a private URL to an SSL site the equivalent to a password (the GET part being just as encrypted as the POST or a session cookie), that they would visit these sites is shocking to me.
Re: (Score:2)
As far as Microsoft has announced, they don't mine your messages for advertising's sake
Right, except that they do.
I was chatting with my boss via Skype about hard drives and after a minute or two, there is a contextual ad about hard drives in the Skype UI.
Not mining for ad purposes, my ass.
Re: (Score:2)
Re:This is news? (Score:5, Informative)
http://rt.com/usa/yahoo-microsoft-campaign-political-862/ [rt.com]
Microsoft has been caught selling DATA to advertisers.
And they have a patent specifically covering selling your personal private data to advertisers, allowing advertisers to bid on that data.
http://www.bizjournals.com/seattle/blog/techflash/2010/02/gates_ozzie_other_microsoft_execs_patent_personal_data_mining.html [bizjournals.com]
It is only bad business if the media calls them out on it, which hasn't really happened. That is why Microsoft spends a small fortune on astroturfing, shifting the focus on Google for privacy concerns.
Re: (Score:3)
Microsoft has been caught selling DATA to advertisers.
When you are using "FREE" SERVICES (FaceBook, GMail, Google Seach, Yahoo, etc), then you need to realize that *YOU* are the product being sold.
Re: (Score:2)
Microsoft's recent ad campaign suggesting that Google reading your messages is somehow unethical make it news, I'd imagine.
There *may* be some moral difference between reading your messages for your protection versus reading your messages to target ads, b
Scroogled is the reason (Score:3)
http://www.scroogled.com/
This campaign of lies funded by MS is now a double lie because MS unlike Google isn't open about it. Everyone knows gmail scans your messages. Nobody knew Skype does the same.
THAT is why it is news and deserves to be repeated over and over to shut up all the MS trolls who were so happy to spout the scroogled fud.
Re: (Score:2)
How is this news? The price for free IM is that they read your messages and sell the info they gather to advertisers.
At least one way it is news is that it is verifiable empirical evidence that can be shown to the huge portion of people who still think, "Oh, sure, you and your tin-foil hat. Maybe it is possible, but they aren't reading my communications. They can't be monitoring everyone."
Fishing URLs? (Score:2, Funny)
DUH (Score:2)
Of course they do this.
Every online chat service reads your messages.
Problems with closed source (Score:3, Insightful)
Just in case you weren't already certain that they were monitoring your communications through Skype, they are.
Skype is not a secure communications channel. If this bothers you, use IRC over I2P.
Re: (Score:2)
Re:Problems with closed source (Score:4, Informative)
Re: (Score:2)
It might be a good idea to look into I2P-Messenger to send secure messages. It keeps the message encrypted until the end point. The other traffic through I2P makes it harder to monitor the length of the message and who it's going to.
I wonder... (Score:4, Interesting)
Is anybody else suddenly feeling a sense of curiosity about what sorts of vulnerabilities, if any, the program that Microsoft probes URLs sent over skype with may possess?
If TFA is accurate, you can make whatever software this is visit a URL just by skype-chatting it to somebody. What sort of security measures would they have in place for systems whose job it is to poke every last probably-malware link that goes across skype?
Re:I wonder... (Score:5, Interesting)
It's no different than Google checking URLs for malware and warning you when you click a URL hosted on any of the Google services.
Also, this:
that makes no sense. First, why would HTTPS be some sort of exception? It's not like SSL'ing a website is all that difficult.
Second, why would you supposedly go through the trouble of using a 'secure' HTTP address if you are then going to pass in account credentials in the URL?
I know the whole communication is encrypted, but why would you pass "https://user:secret@www.supersecurebank.com/something?foo=bar" via a Skype message if it was really the intention to be secure ( putting aside the absurdity of leaving credentials in the URL ).
Long story short, this looks like Skype looking out for the 99% of the internet, and the 1% are crying foul. I'd rather every link my family sends each other via Skype be threat checked.
Re: (Score:3)
Well devil's advocate here, the URI string wouldn't be sent over the air unencrypted, so one could consider that more secure assuming you forget the fact that 99% of received email is also sent over the wire un-encrypted.
Maybe there is a common conception that Skype is a secure connection and one wouldn't have to worry about sending such a damning web link. If anything though, this article lays out quite clearly, that there are at least automated taps on Microsoft's end scanning all input messages.
Some OSes still can't do Server Name Indication (Score:2)
It's not like SSL'ing a website is all that difficult.
It is if you want to have Windows XP or Android 2.x access it. The SSL stacks that ship with these operating systems don't understand Server Name Indication (SNI) and can therefore see the certificate for only the first site on port 443 of a given IP address. To avoid a certificate mismatch warning, you'd have to get a dedicated IPv4 address for the site, and with IPv4 scarcity, that's a lot more expensive than the name-based virtual hosting that one would use with clear HTTP or HTTPS+SNI unless, for exampl
Re:I wonder... (Score:4, Insightful)
What sort of security measures would they have in place for systems whose job it is to poke every last probably-malware link that goes across skype?
I bet they run Linux.
Re: (Score:2)
I'd honestly be fascinated to know; because, if you flip the context around, 'Microsoft reads your skype URLs' is equivalent to 'some poor sysadmin at MS runs a system that accesses any URL anybody on the internet chooses to feed it.' That sure as hell isn't something I'd want to take on lightly...
Hmmm ... (Score:5, Interesting)
So, as I fully expected, this whole campaign about users being "Scroogled" that Microsoft has been involved in is misdirection, and they do the same thing.
Wanna bet they also scrape your hotmail and everything else in the same way they accuse Google of doing?
Hate M$, sounds plausible (Score:2)
Re: (Score:2)
So what MS is saying.... (Score:2, Insightful)
.....is that they are Scroogling Skype users?
"Fishing URLs" (Score:2, Funny)
Here is an example of a fishing URL [wildlifedepartment.com].
Denial of Service Potential? (Score:4, Interesting)
Don't Get Scroogled! (Score:3, Insightful)
Totally plausible (Score:3)
By the way, if privacy is your problem, you're not fixing it by using someone else's infrastructure. You should expect, by default, that they're going through your information. Build your own server or forever hold your peace.
So are they now responsible if they miss one? (Score:2)
Good old MS (Score:2)
They haven't changed a bit. And that's why we love them :).
Third-party involvement (Score:3)
First rule: if you're routing your traffic through someone else's infrastructure (in this case MS's Skype servers), they are monitoring it. The only way around this is client-based encryption where the infrastructure in between doesn't have access to the encryption keys.
Second rule: if the encryption setup requires someone else's servers to be involved, they do have access to the encryption keys. The only way around this is to either have the clients communicating directly or to use a key exchange protocol that's resistant to eavesdropping.
Third rule: if you're truly concerned about confidential information, you shouldn't be depending on someone else's infrastructure in the first place. It's something you don't and can't control, which means using it is an inherent risk that should be avoided if possible. Get hosting or set up a server in your data center and run your own servers.
That Skype chat's monitored should come as no surprise. MS will monitor Skype and MSN's IM service (whatever they're calling it this week). Google monitors Google Voice and Chat. Facebook monitors Facebook Chat. Your e-mail provider monitors your e-mail. If you're worried about security or confidentiality, acknowledge this and take appropriate measures.
Re: (Score:2)
obligatory "encrypt it, lamer" post (Score:2)
http://null-byte.wonderhowto.com/how-to/encrypt-your-skype-messages-thwart-snooping-eyes-using-pidgin-0131804/ [wonderhowto.com]
Why would they? (Score:2)
They are probably making sure Terrorists arn't using Skype.
Or Child Pornographers!, yeah that's the ticket!
Why do you hate America and/or Children?
Re: (Score:2)
They should also scan emails for egg, bacon, spam and sausage.
Re: (Score:2)
...spam spam spam egg and spam; spam spam spam spam spam spam baked beans spam spam spam...
Re: (Score:3)
It's one thing to run links through spam filters, it's quite another to access those links directly.
"Hey Joe, we'll be running up the new turbine tomorrow. It's a new system so we've put in a kill switch. Access http://system.aviationco.com/automation/stop?user=joe&pass=uhoh [aviationco.com]. But don't use it unless you have to, it drops a rod in the turbine and that's 50,000 bucks a pop".
Re: (Score:2)
Re: (Score:3)
*sigh* it's the principle of the thing, not the specific implementation. Guess what, I made the whole "Aviation Co" thing up. Joe doesn't even exist. Shock, horror, there *is no* turbine.
It's simply an example to illustrate the point that links sent in private emails should remain unmolested. You can't assume that accessing them is safe. And yes, people should not be sending unsafe links through IM but let me re-iterate, as a service provider, You can't assume that accessing them is safe
Re: (Score:2)
Re: (Score:3, Informative)
How would you even propose they filter spam links without a basic request? Do they blacklist all URL shorteners, or do you just let all spam that uses URL shorteners to go through?
Re: (Score:2)
Good question. It seems that one would maintain a list of spammy URLs and you might carve out a special case for URL shorteners. They are typically well-known sites.
There's an old medical phrase, "First, do no harm". I try and apply it with what I do in IT.
Re: (Score:3)
HTTP HEAD request to check for a response code of 200 vs. 301 or 302.
Re: (Score:3)
Which, from the article, is exactly what they're doing.
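The posts above sketch what a URL scanner on the provider side has to do: keep a blocklist of hostnames, expand shorteners with a HEAD request rather than a GET, and treat redirects (301/302) differently from a 200. The block below is an added example of that design, not code from Skype, Microsoft or the article, with one hygiene rule the thread also argues for: a URL that carries credentials (userinfo before the host, or password/token-looking query parameters) is never touched at all, because, as noted further up, such a URL is effectively a password. The shortener list, the parameter names and the redirect map used by the demo are assumptions; the real `HEAD` path uses `urllib` without following redirects so each hop is visible and bounded.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urljoin, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed example lists; a real deployment maintains these from threat-intel feeds.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}
CREDENTIAL_KEYS = {"pass", "password", "pwd", "token", "key", "auth", "sig", "secret"}
MAX_HOPS = 5
REDIRECTS = (301, 302, 303, 307, 308)


def classify(url):
    """Decide whether a URL may be touched at all, and how."""
    p = urlparse(url)
    if p.username or p.password:
        return "skip-userinfo"            # https://user:secret@host/... is a password
    if any(k.lower() in CREDENTIAL_KEYS for k in parse_qs(p.query)):
        return "skip-credential-param"    # ?pass=... / ?token=... likewise
    if p.hostname in SHORTENERS:
        return "expand"                   # only shorteners are worth a network request
    return "lookup"                       # everything else: offline blocklist check only


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def head(url, timeout=5):
    """Issue one HEAD request; return (status, Location header or None). Network path."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "link-check/0.1"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def expand(url, head_fn=head):
    """Follow a redirect chain with HEAD only, at most MAX_HOPS, http(s) only.
    Returns the chain; the last element is where the shortener ends up."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = head_fn(chain[-1])
        if status not in REDIRECTS or not location:
            break
        nxt = urljoin(chain[-1], location)
        if urlparse(nxt).scheme not in ("http", "https"):
            break                         # never follow into javascript:, file:, etc.
        chain.append(nxt)
    return chain


def scan_message(text, blocklist, head_fn=head):
    """Return {url: verdict} for every URL in a chat message."""
    verdicts = {}
    for url in URL_RE.findall(text):
        kind = classify(url)
        if kind.startswith("skip"):
            verdicts[url] = kind
            continue
        chain = expand(url, head_fn) if kind == "expand" else [url]
        host = urlparse(chain[-1]).hostname or ""
        verdicts[url] = "block" if host in blocklist else "allow"
    return verdicts


# Constructed redirect map standing in for the network during the demo.
_FAKE_WEB = {
    "http://bit.ly/abc": (301, "http://evil.example/login"),
    "http://evil.example/login": (200, None),
    "http://bit.ly/loop": (302, "http://bit.ly/loop"),
}


def fake_head(url):
    return _FAKE_WEB.get(url, (404, None))


def demo():
    msg = ("see http://bit.ly/abc and https://user:pw@files.example/x "
           "and https://ok.example/?page=1 and http://bit.ly/loop")
    return scan_message(msg, blocklist={"evil.example"}, head_fn=fake_head)


if __name__ == "__main__":
    for u, v in demo().items():
        print(v, u)
```

Even a HEAD is a request the target sees, which is why `classify` refuses credential-bearing URLs before any network step, and why `expand` is capped: a shortener that redirects to itself, as the `bit.ly/loop` entry does, stops after `MAX_HOPS` instead of hanging the scanner.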
Re: (Score:2)
A competent web developer does not perform data-changing action off a GET request. That's ignoring the other problem of including the username/password in the URL.
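The turbine example earlier in this thread and the reply just above make the same point from two sides: a scanner cannot know a link is safe to fetch, and a web application must not let a GET (or HEAD) change state, nor accept credentials from the URL. The block below is an added example, not code from any real system: a deliberately vulnerable handler for the hypothetical `/automation/stop` endpoint from the turbine post, next to a hardened version that only acts on POST, takes identity from a server-side session cookie, and requires a CSRF token, so a link-checker's HEAD on the leaked URL does nothing. The credential store, session layout and header names are assumptions made for the demo.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Demo credential store (constructed). Real code stores password hashes, not plaintext.
OPERATORS = {"joe": "uhoh"}
# The leaked link from the turbine post (fictional host, per its author).
LEAKED_URL = "http://system.aviationco.com/automation/stop?user=joe&pass=uhoh"
STATE_CHANGING_METHODS = {"POST"}


class Turbine:
    def __init__(self):
        self.running = True
        self.audit = []


def check_password(user, pw):
    expected = OPERATORS.get(user)
    # constant-time compare so a wrong user and a wrong password look the same
    return expected is not None and hmac.compare_digest(expected, pw)


def vulnerable_handler(turbine, method, url):
    """The 'before': acts on any method and reads credentials from the query string.
    Anything that touches the URL (a link scanner, a browser prefetch, a proxy) stops
    the turbine, and the password lives in every log along the way."""
    p = urlparse(url)
    if p.path != "/automation/stop":
        return 404, "not found"
    q = parse_qs(p.query)
    user = q.get("user", [""])[0]
    pw = q.get("pass", [""])[0]
    if not check_password(user, pw):
        return 403, "forbidden"
    turbine.running = False
    turbine.audit.append((method, user))
    return 200, "stopped"


def login(sessions, user, pw):
    """Exchange a password (sent in a POST body, never a URL) for a session id and a
    CSRF token that is bound to that session."""
    if not check_password(user, pw):
        return None
    sid = secrets.token_hex(16)
    sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid, sessions[sid]["csrf"]


def _session_id(headers):
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def hardened_handler(turbine, method, url, headers, sessions):
    """The 'after': GET/HEAD are safe by contract (RFC 7231), identity comes from the
    session, and a CSRF token proves the POST came from the operator's own page.
    The query string is ignored entirely, so credentials there are never honoured."""
    if urlparse(url).path != "/automation/stop":
        return 404, "not found"
    if method not in STATE_CHANGING_METHODS:
        return 405, "method not allowed"
    sess = sessions.get(_session_id(headers) or "")
    if sess is None:
        return 401, "login required"
    if not hmac.compare_digest(headers.get("X-CSRF-Token", ""), sess["csrf"]):
        return 403, "bad csrf token"
    turbine.running = False
    turbine.audit.append((method, sess["user"]))
    return 200, "stopped"


if __name__ == "__main__":
    t = Turbine()
    print("vulnerable, scanner HEAD:", vulnerable_handler(t, "HEAD", LEAKED_URL), "running =", t.running)
    t = Turbine()
    sessions = {}
    print("hardened, scanner HEAD:", hardened_handler(t, "HEAD", LEAKED_URL, {}, sessions), "running =", t.running)
    sid, csrf = login(sessions, "joe", "uhoh")
    hdrs = {"Cookie": "session=" + sid, "X-CSRF-Token": csrf}
    print("hardened, operator POST:", hardened_handler(t, "POST", LEAKED_URL, hdrs, sessions), "running =", t.running)
```

The method check alone is what defeats the scanner in this thread; the session and CSRF checks are what stop the next problem, a page on another site that POSTs to the endpoint using the operator's browser.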
Re: (Score:3)
"Don't get Scroogled^H^H^H^H^H^H^H^H^HMicrosofted!"
Re:So much for the "MS cares for your privacy". (Score:5, Informative)
https://www.eff.org/who-has-your-back-2013 [eff.org]
Microsoft is extremely hypocritical in their claims of privacy protection, and their attacks on Google.
Re:Is there any way? (Score:5, Insightful)
Both Facebook and Google's chats use bog standard XMPP (aka Jabber). Normal, clueless people use Facebook to chat. The few that don't use Facebook use the chat inside Gmail, or the one installed on their smartphone. Encryption over XMPP is very common; You'd need to use a non-standard client (say, Pidgin), but it's feasible.
The major problem is that encryption requires support at both ends:
Even a totally proprietary chat network (if it's been cracked open far enough that 3rd party clients exist, or 3rd-party wrappers around the first party client or libraries exist) can be used to send encrypted payloads; but only if both users are set up for that (Pidgin with OTR, say, works just fine over AOL's 'Oscar' protocol; but only if both ends are using it). This is the real killer. If you don't have control over what your clueless compatriot is using, none of the client-side encryption options are going to help you much. Not supported in Google's gmail web app window thing? No deal. Not supported by cellphone's default chat client? No deal.
You'll still probably get SSL, from all but the shittiest chat services; but that only protects you from people watching the wire, not from the service provider(who is the man in the middle, with one SSL-protected connection to you and a second to your chat compatriot).
Same with email: it's less common than it used to be for email to go between the client and the mailserver in the clear; but it's still damn rare for messages to be encrypted at the client end and thus safe from the mailserver operator.