
Microsoft Reads Your Skype Chat Messages

An anonymous reader writes "A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs."
  • Damned if they do... (Score:5, Informative)

    by mystikkman ( 1487801 ) on Tuesday May 14, 2013 @10:32AM (#43720511)

    "New Skype malware spreading at 2,000 clicks per hour to mine Bitcoins"

    http://thenextweb.com/insider/2013/04/05/new-skype-malware-spreading-at-2000-clicks-per-hour-makes-money-by-using-victims-machines-to-mine-bitcoins/ [thenextweb.com]

    And they try to prevent it by detecting malware and we get headlines like this. Looks like people are on a witch hunt here.

    • Fairly sure that intercepting private communications over a network is illegal without a warrant.

      • by afidel ( 530433 ) on Tuesday May 14, 2013 @10:36AM (#43720567)

        Not if you agree to it in the TOS.

        • by Anonymous Coward on Tuesday May 14, 2013 @10:41AM (#43720655)

          What does Skype have to do with ST:TOS?

        • by ADRA ( 37398 )

          True enough, but I'd say they have no grounds for safe harbour in this case, so wouldn't that leave them open as being a copyright infringement provider?

      • by sohmc ( 595388 )

        Illegal for the government.

        The Bill of Rights is a document that restricts (in theory) what the government can do to you. Corporations can quarter troops in your house, limit your speech, etc. You, of course, also have the right to shoot them right in their face. :-)

      • by interval1066 ( 668936 ) on Tuesday May 14, 2013 @11:09AM (#43720999) Journal
        (In the US) private entities don't need warrants. Warrants are a control on government. Microsoft can do whatever they want on communication channels they own. You don't have to use those channels of course.
        • You don't have to use those channels of course.

          Great, what popular IM and VoIP client that everyone and their grandmother uses do you suggest instead?

          • Great, what popular IM and VoIP client that everyone and their grandmother uses do you suggest instead?

            Google Talk. Works out of the browser.
            Once WebRTC hits the mainline version of browsers (soonish), it will work out of the browser without even a plugin.

            Or you can install Jitsi and use that to log into your Google chat instead of the web client. And if the other end too has encryption (Off-The-Record on the message channel or ZRTP on the audio/video channels) (for example if the other end is using Adium to chat), the transmission is completely encrypted end-to-end with no way for Google to intercept anything.

            • Great, what popular IM and VoIP client that everyone and their grandmother uses do you suggest instead?

              Google Talk. Works out of the browser.

              Yeah, coz Google would *never* read your private data...

              • Google has always been pretty open about what they do and don't have access to.

                And for the record, they have NEVER cooperated with a foreign government to disclose private info, unlike Microsoft. So maybe lay off of them here.

              • Yeah, coz Google would *never* read your private data...

                Doesn't matter. Just on the next line I suggested using end-to-end encryption.

                You can log in with any XMPP software that supports Off-The-Record to have end-to-end encryption on chat (for example Jitsi, Pidgin, Adium, maybe Trillian too, but I'm not sure). You can log in with any XMPP software that supports ZRTP to have end-to-end encryption on audio/video (Jitsi again).

                Both OTR and ZRTP are standards, so as long as software at both ends support it you get encryption, you don't need to use the same software, only

      • by Richard_at_work ( 517087 ) on Tuesday May 14, 2013 @11:13AM (#43721095)

        Google must be fucked then, as they provide antispam and antimalware functionality in Gmail, and have done for almost a decade.

    • Maybe all those Bitcoins are being mined in Redmond. Nobody else was dumb enough to click the link.
    • Alternate headline (Score:5, Insightful)

      by recoiledsnake ( 879048 ) on Tuesday May 14, 2013 @10:35AM (#43720553)

      Alternate headline: Microsoft protects hundreds of millions of Skype users by going to the effort of checking even https URLs in chat for malware and spam

      • by Anonymous Coward on Tuesday May 14, 2013 @10:49AM (#43720765)

        The problem with that, according to TFA, is that they only check https but not http. The latter being what malware sites use.
        Also, they are sending HEAD requests, not GET. They are only getting the headers, not the content, so have no way of knowing if there is malware at the URL.

        • by bws111 ( 1216812 ) on Tuesday May 14, 2013 @12:14PM (#43721839)

          Since you don't have any way to know exactly what they are doing, it is kind of silly to call that a 'problem'. Maybe they only do a HEAD because the response indicates authorization is required. Maybe they only visit a URL once, and already have visited the http site. Maybe they only do anything if something else triggers it (number of hits on a URL in a certain amount of time). You have no way of knowing that they only check https, you just know that in this particular case they only checked https. You have no way of knowing that they only get the headers, just that in this particular case they only got the headers.

    • by Sqr(twg) ( 2126054 ) on Tuesday May 14, 2013 @11:04AM (#43720955)

      Those who care about keeping the contents of their IM conversations secret should not use Skype. As stated in their privacy policy [skype.com] "Skype may gather and use information about you, including (but not limited to) information in the following categories: ... (n) Content of instant messaging communications, voicemails, and video messages"

      The EFF recommends [eff.org] using Pidgin or Adium with OTR encryption enabled, for reasonably secure instant messaging.

      I'm glad the non-tech-savvy folks use Skype, though. If Microsoft weren't able to intercept these things, I'd have to clean out viruses from my in-laws' computers more often.

    • by Bob9113 ( 14996 )

      Looks like people are on a witch hunt here.

      I don't think that phrase means what you think it means. The term "witch hunt" is usually used when the threat being hunted is a phantasm, whipped up from irrational fear and mob mentality. These threats are real and the mob is less aware of them than would be healthy. There is malware spreading. Microsoft is reading your supposedly encrypted comms. These witches really do walk among us. And to the extent that this culture of corporate surveillance is establishing

  • This is news? (Score:5, Insightful)

    by csumpi ( 2258986 ) on Tuesday May 14, 2013 @10:36AM (#43720583)
    AOL reads your messages. Google reads your messages. Facebook reads your messages. Apple reads your messages. Microsoft reads your messages.

    How is this news? The price for free IM is that they read your messages and sell the info they gather to advertisers.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      Except not. As far as Microsoft has announced, they don't mine your messages for advertising's sake (if they did, their entire "Scroogled" campaign would be hugely hypocritical and I'm sure someone would have called them on it). This is exclusively scanning for a URL and matching against a database - they're not saving any information about your messages, especially if they don't contain a link.

      I'd say "take your FUD elsewhere", but this is Slashdot and a post about Microsoft...

    • by RedK ( 112790 )
      Actually, no one sells the information they gather to advertisers, that's just bad business. What they sell is ad placement based on the information they've gathered. The advertiser has no access to it.
    • by c ( 8461 )

      AOL reads your messages. Google reads your messages. Facebook reads your messages. Apple reads your messages. Microsoft reads your messages.

      How is this news? The price for free IM is that they read your messages and sell the info they gather to advertisers.

      Microsoft's recent ad campaign suggesting that Google reading your messages is somehow unethical make it news, I'd imagine.

      There *may* be some moral difference between reading your messages for your protection versus reading your messages to target ads, b

    • http://www.scroogled.com/

      This campaign of lies funded by MS is now a double lie because MS unlike Google isn't open about it. Everyone knows gmail scans your messages. Nobody knew Skype does the same.

      THAT is why it is news and deserves to be repeated over and over to shut up all the MS trolls who were so happy to spout the scroogled fud.

    • by Bob9113 ( 14996 )

      How is this news? The price for free IM is that they read your messages and sell the info they gather to advertisers.

      At least one way it is news is that it is verifiable empirical evidence that can be shown to the huge portion of people who still think, "Oh, sure, you and your tin-foil hat. Maybe it is possible, but they aren't reading my communications. They can't be monitoring everyone."

  • Damn you Microsoft, what is wrong with fishing?? After this, probably hunting URLs will be frowned upon by Skype.
  • by eviljav ( 68734 )

    Of course they do this.
    Every online chat service reads your messages.

  • by stewsters ( 1406737 ) on Tuesday May 14, 2013 @10:52AM (#43720819)
    This is the problem with closed source. You don't know what your software is doing, and it's difficult to figure out.
    Just in case you weren't already certain that they were monitoring your communications through Skype, they are.
    Skype is not a secure communications channel. If this bothers you, use irc over i2p.
    • by elvinz ( 2920215 )
      If you use an open source client you could end up with the same problem. You can connect with Pidgin to gtalk, using SSL, and still have Google read your messages.
      • by MiG82au ( 2594721 ) on Tuesday May 14, 2013 @11:38AM (#43721395)
        Not if both sides use the OTR plugin that comes with Pidgin.
      • This is absolutely true. It is one of the weaknesses with using a server to communicate. You can encrypt your messages, but the server still knows who you are talking to and approximately how much data you are sending.

        It might be a good idea to look into I2P-Messenger to send secure messages. It keeps the message encrypted until the end point. The other traffic through I2P makes it harder to monitor the length of the message and who it's going to.
  • I wonder... (Score:4, Interesting)

    by fuzzyfuzzyfungus ( 1223518 ) on Tuesday May 14, 2013 @10:54AM (#43720835) Journal

    Is anybody else suddenly feeling a sense of curiosity about what sorts of vulnerabilities, if any, the program that Microsoft probes URLs sent over skype with may possess?

    If TFA is accurate, you can make whatever software this is visit a URL just by skype-chatting it to somebody. What sort of security measures would they have in place for systems whose job it is to poke every last probably-malware link that goes across skype?

    • Re:I wonder... (Score:5, Interesting)

      by malakai ( 136531 ) on Tuesday May 14, 2013 @11:03AM (#43720939) Journal

      It's no different than Google checking URLs for malware and warning you when you click a URL hosted on any of the Google services.
      Also, this:

      even if they are HTTPS URLs and contain account information

      that makes no sense. First, why would HTTPS be some sort of exception? It's not like SSL'ing a website is all that difficult.
      Second, why would you supposedly go through the trouble of using a 'secure' HTTP address if you are then going to pass in account credentials in the URL?
      I know the whole communication is encrypted, but why would you pass "https://user:secret@www.supersecurebank.com/something?foo=bar" via a Skype message if it was really the intention to be secure ( putting aside the absurdity of leaving credentials in the URL ).

      Long story short, this looks like Skype looking out for the 99% of the internet, and the 1% are crying foul. I'd rather every link my family sends each other via Skype be threat checked.

      • by ADRA ( 37398 )

        Well devil's advocate here, the URI string wouldn't be sent over the air unencrypted, so one could consider that more secure assuming you forget the fact that 99% of received email is also sent over the wire un-encrypted.

        Maybe there is a common conception that Skype is a secure connection and one wouldn't have to worry about sending such a damning web link. If anything though, this article lays out quite clearly that there are at least automated taps on Microsoft's end scanning all input messages.

      • It's not like SSL'ing a website is all that difficult.

        It is if you want to have Windows XP or Android 2.x access it. The SSL stacks that ship with these operating systems don't understand Server Name Indication (SNI) and can therefore see the certificate for only the first site on port 443 of a given IP address. To avoid a certificate mismatch warning, you'd have to get a dedicated IPv4 address for the site, and with IPv4 scarcity, that's a lot more expensive than the name-based virtual hosting that one would use with clear HTTP or HTTPS+SNI unless, for exampl

    • Re:I wonder... (Score:4, Insightful)

      by gallondr00nk ( 868673 ) on Tuesday May 14, 2013 @11:11AM (#43721035)

      What sort of security measures would they have in place for systems whose job it is to poke every last probably-malware link that goes across skype?

      I bet they run Linux.

      • I'd honestly be fascinated to know; because, if you flip the context around, 'Microsoft reads your skype URLs' is equivalent to 'some poor sysadmin at MS runs a system that accesses any URL anybody on the internet chooses to feed it.' That sure as hell isn't something I'd want to take on lightly...

  • Hmmm ... (Score:5, Interesting)

    by gstoddart ( 321705 ) on Tuesday May 14, 2013 @10:57AM (#43720857) Homepage

    So, as I fully expected, this whole campaign about users being "Scroogled" that Microsoft has been involved in is misdirection, and they do the same thing.

    Wanna bet they also scrape your hotmail and everything else in the same way they accuse Google of doing?

  • I hate M$ but their explanation sounds plausible. Not saying they don't have an unknown, secondary motivation also, just... it sounds like something a programmer might think to do to combat the malware problem.
  • .....is that they are Scroogling Skype users?

  • by wcrowe ( 94389 )

    Here is an example of a fishing URL [wildlifedepartment.com].

  • by duplo1 ( 719988 ) on Tuesday May 14, 2013 @11:12AM (#43721075)
    Hopefully MS does some dupe checking on their end, otherwise this could amount to a DoS attack. Imagine spamming out the victim's URL to hundreds of thousands of Skype users and then MS flooding that URL with requests.
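    Two defensive points from this thread can be put into one scanning policy: never fetch a pasted URL that carries userinfo (malakai's `https://user:secret@...` case above), and deduplicate plus rate-limit fetches so that mass-pasting one link cannot turn the scanner into a DoS amplifier, as duplo1 warns. The following is an added Python example of such a policy; it is not Microsoft's or Skype's code (the thread can only guess at theirs), and the chat lines, hosts and limits are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from urllib.parse import urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")  # http(s) URLs inside chat text

# Constructed sample chat lines (not real Skype traffic).
SAMPLE_CHAT = [
    "check this https://example.com/offer?id=1",
    "again: https://EXAMPLE.com/offer?id=1#top",
    "my files https://user:secret@files.example.net/private",
    "plain http://news.example.org/",
]

def extract_urls(message):
    return URL_RE.findall(message)

def has_credentials(url):
    """True when the URL carries user:password@ userinfo."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None

def normalize(url):
    """Dedup key: lower-case scheme/host, drop userinfo, default port, fragment."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), host, parts.path or "/", parts.query, ""))

class LinkScanner:
    """Fetch policy: each URL at most once ever, each host at most per_host_limit
    times per sliding window of `window` seconds (constructed defaults)."""

    def __init__(self, per_host_limit=5, window=60.0):
        self.seen = set()
        self.recent = defaultdict(deque)  # host -> timestamps of recent fetches
        self.per_host_limit = per_host_limit
        self.window = window

    def decide(self, url, now):
        if has_credentials(url):
            return "skip: embedded credentials"  # never forward a user's secret
        norm = normalize(url)
        if norm in self.seen:
            return "skip: duplicate"  # a mass-pasted link costs the target one hit
        stamps = self.recent[urlsplit(norm).hostname]
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) >= self.per_host_limit:
            return "defer: host rate limit"  # many distinct URLs on one host, too fast
        stamps.append(now)
        self.seen.add(norm)
        return "fetch HEAD " + norm

def scan_messages(messages, scanner, now=0.0):
    return [(u, scanner.decide(u, now)) for m in messages for u in extract_urls(m)]
```

Deferred URLs are not marked as seen, so a later pass can still fetch them once the host's window has cleared.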
  • by Nethemas the Great ( 909900 ) on Tuesday May 14, 2013 @11:18AM (#43721155)
    Wait... Who were we talking about?
  • by Kimomaru ( 2579489 ) on Tuesday May 14, 2013 @11:19AM (#43721171)
    I do not like to defend Microsoft, but I can see this as being the case. Skype's got quite a few problems with Messenger spam; this may be a mechanism to review them.

    By the way, if privacy is your problem, you're not fixing it by using someone else's infrastructure. You should expect, by default, that they're going through your information. Build your own server or forever hold your peace.
  • If they are claiming that the reason to read/inspect the contents of the Skype messages is to protect users from spam and fishing URLs, can they be held legally responsible if they fail in that? It's no longer a "common carrier" if you are taking such actions, is it?
  • They haven't changed a bit. And that's why we love them :).

  • by Todd Knarr ( 15451 ) on Tuesday May 14, 2013 @11:40AM (#43721425) Homepage

    First rule: if you're routing your traffic through someone else's infrastructure (in this case MS's Skype servers), they are monitoring it. The only way around this is client-based encryption where the infrastructure in between doesn't have access to the encryption keys.

    Second rule: if the encryption setup requires someone else's servers to be involved, they do have access to the encryption keys. The only way around this is to either have the clients communicating directly or to use a key exchange protocol that's resistant to eavesdropping.

    Third rule: if you're truly concerned about confidential information, you shouldn't be depending on someone else's infrastructure in the first place. It's something you don't and can't control, which means using it's an inherent risk that should be avoided if possible. Get hosting or set up a server in your data center and run your own servers.

    That Skype chat's monitored should come as no surprise. MS will monitor Skype and MSN's IM service (whatever they're calling it this week). Google monitors Google Voice and Chat. Facebook monitors Facebook Chat. Your e-mail provider monitors your e-mail. If you're worried about security or confidentiality, acknowledge this and take appropriate measures.

  • They are probably making sure terrorists aren't using Skype.

    Or Child Pornographers!, yeah that's the ticket!

    Why do you hate America and/or Children?
