Skype caught in Chinese PR SNAFU
- TAGS: censorship, China, eBay, security, Skype, surveillance
- IT TOPICS: Desktop Applications, Government & Regulation, Internet, Security, VoIP
In Friday's IT Blogwatch, Richi Jennings stands open-mouthed at eBay's Chinese security-censorship-surveillance PR faux pas. Not to mention Mister Lucas's weird imaginings of amazing, other-worldly conflicts...
Gregg Keizer reports:
Text chats conducted using the Chinese version of Skype that contain keywords such as "Taiwan independence" and "Communist Party" are logged along with identifying IP addresses and usernames, then stored on insecure servers, a Canadian researcher said yesterday.
The practice may be part of the Chinese government's online censorship and cyber-surveillance efforts ... Nart Villeneuve, a security researcher with the Citizen Lab at the University of Toronto, outlined an investigation of TOM-Skype, the Chinese edition of the popular chat and VoIP software that was co-developed by the Chinese company TOM Online and Skype, a unit of eBay Inc.
...
Although Villeneuve blasted TOM-Skype for lax security practices -- it left its servers unsecured and stored the encryption key needed to decrypt the logs on the same servers -- he saved most of the report to outline the surveillance aspects of what he had uncovered.
Jacqui Cheng adds:
Clearly, there are a number of problems with this discovery, starting with security. Villeneuve notes that the information contained on the servers could be used to exploit the TOM-Skype server network, and an attacker can access detailed user profiles ... crafty hackers already know where these servers are and how to get into them.
...
Additionally, the findings raise the question as to what extent TOM and Skype are cooperating with the Chinese government. The report questions the legal basis for TOM-Skype to capture and log this information, who has access to it, and what will be done with it in the future. Villeneuve notes that Skype is neither transparent nor forthcoming about the exact nature of its compliance with Chinese authorities, a disturbing trend among US-based Internet companies.
Nart Villeneuve himself answers some tricky questions:
Every time I typed the word “****” an HTTP connection was made to a TOM Skype server. I visited the URL directly in Firefox, cut off the file name and was able to view the contents of the directory. With a little poking around I found the encryption key. A few lines of Python and voila. I did not “crack” anything nor was there any “elite” hackery — just plain, simple stuff.
...
This case demonstrates the critical importance of the issues of transparency and accountability by providers of communications technologies. It highlights the risks of storing personally identifying and sensitive private information in jurisdictions where human rights and privacy are under threat. It also illustrates the need to assess the security, privacy and human rights impact of such a decision.
...
The Skype software downloaded from skype.com is not affected by the behavior. The only time “normal” Skype users are affected is when they communicate with TOM-Skype users.
Mike Masnick recalls:
Remember how Skype was supposed to be "untappable" due to end-to-end encryption? Well, we've already seen that's not true, thanks to leaks that showed the German government had figured out ways to tap Skype, and it will probably come as no surprise to many that China has been tapping and storing Skype conversations. Some of the findings of this report are not new. Back in 2005, reports came out that various Chinese telecoms were investing in special "filters" for Skype that would block conversations using certain keywords. But, of course, it seemed rather obvious that if they were blocking those keywords, they would also use them to spy on what people were talking about.
...
A Skype spokesperson told the Wall Street Journal: "The idea that China's government might be monitoring communications in and out of the country shouldn't surprise anyone." No, it shouldn't surprise anyone, but one might think it's rather troubling that Skype promotes itself as having end-to-end encryption, when that's clearly not true. Even more telling, the only thing about this report that seemed to actually concern representatives from Skype was the fact that the conversations had been readable by outsiders.
Skype president Josh Silverman "blogs":
I'm writing to let you know where we stand, and what we're doing to resolve the problem ... TOM is the majority local partner in our joint venture that brings Skype functionality to Chinese citizens. The software is distributed in China by TOM and TOM, just like any other communications company in China, has established procedures to meet local laws and regulations. These regulations include the requirement to monitor and block instant messages containing certain words deemed "offensive" by the Chinese authorities.
...
In April 2006, Skype publicly disclosed that TOM operated a text filter that blocked certain words in chat messages ... It was our understanding that it was not TOM's protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed. We also learned yesterday about the existence of a security breach that made it possible for people to gain access to those stored messages on TOM's servers. We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach.
Ryan Singel is incensed:
A Chinese-language version of Skype scans users' chat messages for keywords such as "democracy," and sends a copy of the offending message to [TOM-Skype's] servers ... despite adamant claims by the Ebay-owned company that its software offers encrypted, safe communication.
...
Captured messages discuss sensitive topics such as Taiwanese independence, tainted milk and the banned Falun Gong group ... Villeneuve also found chat messages stored on the servers that had no such keywords, leading him to believe the system also has the ability to target individual users based on their handles.
As is Preston Gralla:
China, with eBay's cooperation, is engaged in a massive surveillance effort beyond any previously imagined ... Back in November... McCain spoke out against Yahoo for cooperating with the Chinese authorities for handing information about a Chinese journalist to the Chinese police ... [and] criticized Google for cooperating with China. Interestingly enough, he also had this to say about eBay and Skype: "Skype, which is owned by eBay, reportedly helps the Chinese government monitor and send through text messages."
Despite that, though, McCain was only too happy to have as a key advisor Meg Whitman, a current director and former President and Chief Executive Officer of eBay ... Today he's completely silent about the surveillance scheme in which eBay plays a major role.
Jan Geirnaert is "utterly disgusted" -- and more than a little suspicious:
I would ask if there is any relation to the global reset of the Skype p2p Cloud (due to a so-called Microsoft bug in the update) around August of the past year… Maybe that was necessary to be able to tap into ongoing communications. Maybe something like a global p2p cache flush.
Cyrus Farivar talks straight:
It's disgraceful and morally wrong that Skype allowed this to happen. But worst of all, this is a company whose Estonian roots should have provided the historical context, knowledge and experience as to what the consequences of feeding a repressive regime are.
Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 22 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.