Skype Finalizes Its Move To the Cloud; To Kill Older Clients -- Remains Tight Lipped About Privacy (arstechnica.com)
When it was first created, the Skype network was built as a decentralized peer-to-peer system. PCs that had enough processing muscle and bandwidth acted as "supernodes," and coordinated connections between other machines on the network. This p2p system was generally perceived as being relatively private, a belief that has since been debunked. There were several technical challenges, which led Microsoft to move most of Skype's operations to the cloud. Ars Technica is reporting that the company has finalized the switch.

From the article: Microsoft has developed a more conventional client-server network, with clients that act as pure clients and dedicated cloud servers. The company is starting to transition to this network exclusively. This transition means that old peer-to-peer Skype clients will cease to work. Clients for the new network will be available for Windows XP and up, OS X Yosemite and up, iOS 8 and up, and Android 4.03 and up. However, certain embedded clients -- in particular, those integrated into smart TVs and available for the PlayStation 3 -- are being deprecated, with no replacement. Microsoft says that since those clients are little used and since almost every user of those platforms has other Skype-capable devices available, it is no longer worth continuing to support them.

The issue, as the report points out, is that Microsoft is strangely not talking about privacy and security concerns. The article adds: The Ed Snowden leaks raised substantial questions about the privacy of services such as Skype and have caused an increasing interest in platforms that offer end-to-end encryption. The ability to intercept or wiretap Skype came as a shock to many, especially given Skype's traditionally peer-to-peer infrastructure. Accordingly, we've seen similar services such as iMessage, WhatsApp, and even Facebook Messenger, start introducing end-to-end encryption. The abandonment of Skype's peer-to-peer system can only raise suspicions here.

Matthew Green, who teaches cryptography at Johns Hopkins, said: "The surprising thing here is not that Microsoft can intercept Skype calls (duh) but that they won't just admit it."
Is free software in this realm? (Score:2)
What can you recommend in FOSS, and can such things work reliably without a heavy backend infrastructure?
Re: (Score:3)
For mobile, use Signal by Open Whisper Systems.
Re: (Score:2)
You can set up your own jabber server, on your own infrastructure, then run a client that utilizes GnuPG.
Channels are secured via TLS, both between client and server and from server to server. Then the messages themselves are encrypted with GnuPG, so only someone who has your public key can communicate with you. Mind you, this setup isn't as convenient as more traditional services, but that's always been the trade-off for secure communications.
Re:Is free software in this realm? (Score:5, Informative)
slashdot should have a bot to do this: for the millionth time, there is NO free (as in beer) FOSS jabber server that supports all the necessary XEPs for reliable message delivery on mobile devices (devices with frequent network dropouts, IP changes, packet loss). PAID version of ejabberd is the closest you can get to reliable xmpp message delivery.
and 2nd of all, there are almost no xmpp clients that support the said XEPs. last time i checked, there were only 2 somewhat equipped for it. one is discontinued, the other one is Conversations. again, Conversations isn't free (as in beer). it used to be on fdroid too but i can't find it there anymore.
for those interested, to have reliable xmpp communication on a mobile device, you need at the very least - xep-198, xep-280, xep-313
xmpp is overly complicated, stupid (xml), doesn't reflect current user requirements (mobile devices) and speed of its evolution is hampered by the massive number of stakeholders.
Re: (Score:2)
Good data, but you were the first to introduce mobile messaging as a requirement. While mobile messaging is a requirement for some use cases, it's not universal. In fact, in some cases it would be seen as a detriment. Specifically, I'm thinking businesses who don't want to leak data on unsecured personal devices, but I'm sure there are others.
Re: Is free software in this realm? (Score:1)
Re: (Score:2)
i was responding to the suggestion to run your own jabber server, not to the question about replacing skype.
regarding asterisk - while i've spent a decade working with it (and freeswitch), i would not recommend it as a replacement for skype. its primary problem, like jabber's, is the protocol. SIP will never be a good fit for today's NATed IPv4 networks (hence the crap like STUN, TURN, ICE and SIP ALGs). IAX2 solves these problems with ease, but there are almost no phones with support for that protocol. the
Re: (Score:1)
Are they not ideal as they don't transparently switch between internet sources or the amount, overhead or is it due to the client side setup (How they get configured)?
I ask as someone who has never had a large SIP service.
Re: (Score:2)
1. even the most basic server setup is way too difficult for the average Joe user (a Teamspeak server takes minutes, Asterisk will take you the whole day)
2. setting up your SIP phone is a lot more difficult than skype/teamspeak/discord/whatsapp/viber/etc.. (codecs, NAT traversal technique, SIP encryption, RTP encryption, presence settings)
3. even if you get everything right on 1st attempt, as soon as you find yourself behind a different router, you may need to reconfigure everything to get it to work again.
Google Talk (Score:2)
as another example:
Google Talk is available over XMPP.
And if both endpoints use OTR, you can get end-to-end encryption (e.g.: Jitsi on one side, and Adium - Mac OS X's Pidgin cousin - on the other)
Note that some of the more advanced features that are only available in Google Hangout are not available on the Google Talk interface (offline messages and "who has read what" status).
---
Sadly Facebook's XMPP gateway has been shut down (you need to use a plugin compatible with FB Messenger, which is not available
Re: (Score:2)
Jitsi (in addition to Pidgin). (Score:2)
In addition to the aforementioned Pidgin, there is also Jitsi.
It, too, can connect to XMPP (e.g.: Google Mail. Or a private server) and SIP.
It, too, uses OTR to guarantee end-to-end encryption over the chat channel.
It is multi-platform, available on Linux, Windows, Mac and Android (as far as I know, either pidgin itself, or other software using its libpurple library are also available on nearly any platform you would want).
Jitsi can in addition place encrypted calls, using ZRTP (as far as I know, Pidgin cu
Re: (Score:2)
https://ring.cx/ [ring.cx]
It's decentralized and uses end-to-end encryption. It also isn't attached at the hip to a humungous browser (Chrome) the way Signal is.
Re:Peer to Peer suspicous? (Score:4, Interesting)
> Am I the only one who considered the old Peer to Peer mode of Skype suspicious?
No. When the Skype client relies heavily on obfuscation it SHOULD be extremely suspicious!
* http://www.oklabs.net/skype-re... [oklabs.net]
If M$ kills off Skype 6.20 then it will be time to migrate to something else that is open source and doesn't have known backdoors.
* https://news.ycombinator.com/i... [ycombinator.com]
Patent Admission (Score:5, Informative)
Not only do they wiretap your Skype calls, they patented it: http://appft1.uspto.gov/netacg... [uspto.gov].
Skype was never perceived as secure (Score:1)
From the very beginning, Skype's protocol was undocumented. (That's one of the reasons there weren't competing compatible implementations.)
And since it was undocumented, everyone assumed it had to be fundamentally insecure.
And then there was the fact that it was banned in various countries on the explicit and publicly-known condition that the ban wouldn't be lifted until the governments in question were given access to the keys. This confirmed the insecurity, to openly known fact. That it's insecure isn't a
Re:Skype was never perceived as secure (Score:5, Insightful)
This is just a PR move. Everyone interested knows that Skype is insecure and can be tapped on demand by Microsoft and certainly many other groups. It's just that if they admit it the mainstream media will run stories about it, and damage the Skype brand. As long as they refuse to confirm or deny there is no story.
Re: (Score:2)
> This is just a PR move. Everyone interested knows that Skype is insecure and can be tapped on demand by Microsoft and certainly many other groups. It's just that if they admit it the mainstream media will run stories about it, and damage the Skype brand. As long as they refuse to confirm or deny there is no story.
This is exactly right. There is no question that all Skype transmissions are practically open postcards. Microsoft avoids any bad publicity by just not bringing attention to the fact.
Strange nobody ever reverse engineered it (Score:2)
It seems kind of strange nobody ever reverse engineered the protocol. Maybe it's too hard to do or too well encrypted, but it seems like a lot harder things have been reversed or cracked.
Re: (Score:2)
> It seems kind of strange nobody ever reverse engineered the protocol.
Old versions of the protocol were:
skype protocol reverse engineered [google.com]
Re: (Score:2)
Specifically see:
Skype Reverse Engineering : The (long) journey ;)..
* http://www.oklabs.net/skype-re... [oklabs.net]
Re: (Score:2)
Here is a list of Skype reverse engineering whitepapers
* http://www.oklabs.net/wp-conte... [oklabs.net]
* http://www.oklabs.net/wp-conte... [oklabs.net]
* http://www.oklabs.net/wp-conte... [oklabs.net]
* http://www.oklabs.net/wp-conte... [oklabs.net]
* http://www.oklabs.net/wp-conte... [oklabs.net]
XP support? (Score:2)
...Clients for the new network will be available for Windows XP ...
But... but... but... Microsoft has stated that XP is dead and unsupported, haven't they?
Re: (Score:2)
They never said they wouldn't introduce new surveillance capabilities to XP, though. There are plenty of XP holdouts, and it's still very widely used in "interesting" (to IC) nations because a) it runs well on any old hardware that's available, and b) it's been thoroughly and completely pirated. If your goal is to intercept as many conversations as possible, particularly in places like Iran, the Koreas, Syria, etc., you had better make your wiretapping client available for XP.
Proprietary means no security (Score:5, Informative)
Re: (Score:3)
Other than this quibble - yep:
No one has any idea whether it's secure, therefore it isn't trustworthy.
EULA ; Opensource clients (Score:2)
If you read the fine print in the EULA, Microsoft is willing to help law enforcement wherever it is required by local laws.
And if you believe the log of the AppArmor jail your linux client is running in, it's a really badly designed, badly behaving application.
On the other hand, the mix of JSON and XML used by Web Skype has been reverse engineered, plug-ins are available for libpurple (thus for Pidgin, Adium, Telepathy, etc.) so you can set up your own end-to-end encryption layer over skype (e.g.: OTR) if bot
Re: (Score:2)
> The Skype protocol is proprietary. No one has any idea if it is secure or not. Therefore it isn't secure. Support open standards and protocols.
That's some thinly veiled nonsense you've got there. You're arguing that because we are unable to verify a claim, the claim is necessarily untrue, when in reality our ability to verify a claim has no bearing on whether or not the claim is true (much as we might prefer for that to not be the case).
I'm all for open source when it comes to these matters because I firmly believe that public scrutiny is one of the best tools we have for improving the security of our software, and that it also comes with the nice
You can be sure it is recorded (Score:2, Troll)
The interesting problem is that for POTS, they need warrants to wiretap. For new internet technologies the laws are not in place, so the NSA and FBI pretty much have said "It's available, it's not required to warrant by law, so let's Hoover up everything". And that's what they are doing. Microsoft already has an "NSAKEY" in its Windows encryption, and since taking over Skype they've "re-architected" everything. I'd be highly surprised if they DIDN'T have it all piped straight to the TLA government agencies.
So the linux Beta test of skype is a lie? (Score:2)
They left out linux in the list... so that means they are beta testing a dead product?
What gives? Microsoft never does things like that.
Re: (Score:2)
Re: (Score:1)
> Possibly, but it doesn't matter much. As I understood it, the beta was just a wrapper around the web version. The web version works very well under GNU/Linux, it even works on ChromeOS.
Does "works well" include handling group calls (or whatever Skype calls them)? Because last time I tried using it, back in March, answering a group call didn't work with the web client in Linux using Chrome.
OT: Skype Linux Desktop Alpha has group call (Score:1)
> Does "works well" include handling group calls (or whatever Skype calls them)?
Yes but not in the Web version - currently only the Linux desktop version (with caveats). See https://support.skype.com/en/f... [skype.com] (Calling and call troubleshooting):
Does this fix the incoming group call issue I have on Skype for Linux today?
Yes, the problem with receiving incoming group calls is fixed in Skype for Linux Alpha. Make sure the people you're calling or receiving calls from are using the latest version of Skype.
Re: (Score:2)
What's with; the crazy! punctuation? (Score:2)
That is all.
approved for gov't use (Score:1)
Goodbike (Score:2)
Other than Skype for Bidness (which I'm forced to use at work) I've moved to Discord with a whole slew of other people
BUH-BYE
Huh? (Score:1)
What's so strange and surprising about this? They need to spy on people. Really all they did is remove what little value Skype had left. I already quit using it. Not that WhatsApp is any better...
Expect quality drops.... (Score:2)
I have been noticing that the web client has a lot crappier quality for audio and video, closer to the google hangout quality. So those of you using it for podcasts to get better audio of guests..... expect to look for something else...
Sadly the free and easy solutions for high quality audio conferencing are going away.
Preset limits on message / attachment size (Score:2)
privacy concerns are tos fudder (Score:2)
all successful, quality, conferencing apps use a client server approach with muxing of streams taking place on the server itself allowing you to reserve maximum bandwidth for voice quality
the architecture of the platform isn't the privacy concern, the tos are
WhatsApp and Facebook Messenger for privacy, lol? (Score:3)
You've got to be kidding if you think switching on WhatsApp and Facebook Messenger gives you more privacy. All it does is change who is doing the spying. Skype is Microsoft which seems to be cozy with the government. Facebook doesn't seem as cozy with the government in public, but I think that is probably all show anyways.
However, Facebook's apps are designed to be spyware, while Skype isn't last I checked. How is installing Spyware more private than non-spyware?
With Windows 10 and patches to earlier operating systems, Microsoft entered the spyware business big time. Maybe the Skype app is spyware now too, I haven't seen anything posted on that? Microsoft has always been cozy with the government like the daily scans for NSA provided keywords on all Microsoft OSes, but this move to being more like Facebook and Google has been more recent.
Skype's privacy policy:
https://privacy.microsoft.com/... [microsoft.com]
"However, we do not use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files to target ads to you."
Facebook messenger policy:
https://www.facebook.com/polic... [facebook.com]
"We collect the content and other information you provide when you use our Services, including when you sign up for an account, create or share, and message or communicate with others."
"We use the information we have to improve our advertising and measurement systems so we can show you relevant ads on and off our Services and measure the effectiveness and reach of ads and services."
So Skype = NSA spying.
WhatsApp/Facebook Messenger = Facebook spying and almost certainly the NSA even though Facebook tries to imply otherwise.
What we need are more options like Signal Private Messenger that actually seem to care about privacy.
iMessage probably is one of the more privacy oriented messengers (with the exception of Signal). Apple hasn't seemed to be big on spyware other than the stint in Yosemite.
Re: (Score:2)
WhatsApp supports Signal now. [whispersystems.org]
So does Facebook Messenger. [whispersystems.org]
Re: (Score:2)
Having secure transport doesn't help if the client end is spyware.
Re: (Score:2)
http://ring.cx/ [ring.cx] is looking good... Decentralized using DHT, and e2e encrypted. It doesn't live inside Chrome browser, either, which I think is a big handicap for Signal.
If you want security, DIY (Score:2)
But which Asterisk manager is the least PITA?
Re: (Score:2)
Big US brands that help 5 nations mil/govs on all data flowing will be trusted with gamers chat and for making expected free international calls.
If US designed networking products are seen to be trusted in the open, it will be for pushing complex disinformation.
Encryption will be more diverse and creative.