Re: [liberationtech] Microsoft Accesses Skype Chats
Google is not transparent about it. It started doing this with Gmail too. It didn't ask my permission. It didn't tell me what it was doing. If you click on a link from within one of your own personal emails, it opens via a Google redirect.

Yes, Google already handles your mail. But you trust it not to pry. It transpires that this trust was misplaced. Google already, apparently, serves adverts that match a content scan it has done of your personal communications. The question is where you would draw the line. And where Google has drawn the line. And whether you have any control over where the line goes at all.

So this is just the half of it. Google has also started using search accounts, so when you log into Gmail it also logs you into search automatically. Thus your Google searches are tracked, and your links from Google searches are tracked, and a complete picture of your online activity is linked to your Google account. Add this to the scans it has taken of your personal emails, and its demonstrated inclination to use your personal information in any way that suits its own interests, then you have in my opinion a thuggish intrusion of privacy.

Google is behaving like a hoodlum with the run of the town. It has the power and the resources to take people's personal data. It has decided to use that power without any apparent regard for the personal space of its customers. Who decides what my personal boundaries are? Google does, apparently.

I think it is instructive to imagine who Google thinks owns the behavioural information it gleans from your personal emails, your searches and your links from your searches and your mails. I would say it is my own business. Google thinks it owns that information. Google never told me it was tracking my behaviour. It never told me what it was doing with that data. It never asked my permission.

Perhaps Google doesn't keep the behavioural data it collects about people.
It might treat the information as momentary - as transient as sand falling through its fingers - that it uses to sell advertising for that moment alone. Well then it wouldn't need to link my searches and browsing to my Google account, would it? But it does.

Excuse me if this is common knowledge. Because it is news to me as a mere, powerless internet user - or Google user, as it has become. But the only reason why Google would need to link your browsing and searching to your Gmail account (and all the other behavioural and personal data therein) is to assemble a fixed and growing body of behavioural data about you as an individual. It constitutes a deep psychological profile - a computer mirror of your self.

This information is what Google thinks it owns. This information that is the very stuff of you - the very soul of you. Google thinks it owns this information and that it can do what it likes with it. It is most amusing to say, but it is very serious indeed - and really, it is necessary to follow this line of reasoning to this point before drawing the obvious metaphors: but Google owns your soul, man.

This state of affairs has become so serious that people now assume Google is already reading your personal communications, and that this is normal. As Kyle said:

> Google doesn't claim that nobody can read your content, and it's fairly obvious even to casual users that Google can see what you're discussing.

Woah there, boy. Refer your sorry ass to the metaphor favoured by Sir Tim Berners-Lee: when the Post Office handles my mail I work on the assumption that it does not open my letters and read them, or snoop on my chit-chat. This is called trust.

I do not have that trust for Google. I did nevertheless once have this trust. And it is true that I invested this trust with Google. It is crucial to understand that Google relied on my investing that trust with it in order to get my business in the first place. Just like it relied on everyone's trust.
That is why it has the virtual monopoly it has on search. Its success is a function of everyone's trust. I trusted Google not to scan my personal mails for their content, nor to track my behaviour. It has abused that trust.

There is a very particular way in which people have accepted this abuse as normal, Kyle. That is, they have not necessarily deemed it acceptable. This is how abuses of power work. People think it's wrong but they also think they can't do anything about it. So it just passes for normal.

Google violates your privacy because it can. You consequently become like a chump citizen of a totalitarian state. You carry on under the oppressive knowledge that someone's notching up every step, every turn, every word. In psychic terms, you become a gimp. Your soul becomes a rag doll.

What would Google do with it? Are there limits? Do you even know? If your assumed trust was initially that Google would not read your personal communications, and it abused that trust and snatched your personal data, then what now of your assumption that it can be trusted
Re: [liberationtech] Microsoft Accesses Skype Chats
Welcome to what Gilles Deleuze called les sociétés de contrôle

https://files.nyu.edu/dnm232/public/deleuze_postcript.pdf
www.youtube.com/watch?v=GIus7lm_ZK0

BTW, as you can see, Youtube (also owned by Google) carries a message decoding it.. Ergo, they don't care. It's not you - just your information! :-)

Best Regards | Cordiales Saludos | Grato,

Andrés L. Pacheco Sanfuentes
a...@acm.org
+1 (817) 271-9619

On Fri, May 31, 2013 at 3:10 AM, Mark Ballard markjball...@googlemail.com wrote:

> Google is not transparent about it. It started doing this with Gmail too. It didn't ask my permission. It didn't tell me what it was doing. If you click on a link from within one of your own personal emails, it opens via a Google redirect.
>
> Yes, Google already handles your mail. But you trust it not to pry. It transpires that this trust was misplaced. Google already, apparently, serves adverts that match a content scan it has done of your personal communications. The question is where you would draw the line. And where Google has drawn the line. And whether you have any control over where the line goes at all.
>
> So this is just the half of it. Google has also started using search accounts, so when you log into Gmail it also logs you into search automatically. Thus your Google searches are tracked, and your links from Google searches are tracked, and a complete picture of your online activity is linked to your Google account. Add this to the scans it has taken of your personal emails, and its demonstrated inclination to use your personal information in any way that suits its own interests, then you have in my opinion a thuggish intrusion of privacy.
>
> Google is behaving like a hoodlum with the run of the town. It has the power and the resources to take people's personal data. It has decided to use that power without any apparent regard for the personal space of its customers. Who decides what my personal boundaries are? Google does, apparently.
>
> I think it is instructive to imagine who Google thinks owns the behavioural information it gleans from your personal emails, your searches and your links from your searches and your mails. I would say it is my own business. Google thinks it owns that information. Google never told me it was tracking my behaviour. It never told me what it was doing with that data. It never asked my permission.
>
> Perhaps Google doesn't keep the behavioural data it collects about people. It might treat the information as momentary - as transient as sand falling through its fingers - that it uses to sell advertising for that moment alone. Well then it wouldn't need to link my searches and browsing to my Google account, would it? But it does.
>
> Excuse me if this is common knowledge. Because it is news to me as a mere, powerless internet user - or Google user, as it has become. But the only reason why Google would need to link your browsing and searching to your Gmail account (and all the other behavioural and personal data therein) is to assemble a fixed and growing body of behavioural data about you as an individual. It constitutes a deep psychological profile - a computer mirror of your self.
>
> This information is what Google thinks it owns. This information that is the very stuff of you - the very soul of you. Google thinks it owns this information and that it can do what it likes with it. It is most amusing to say, but it is very serious indeed - and really, it is necessary to follow this line of reasoning to this point before drawing the obvious metaphors: but Google owns your soul, man.
>
> This state of affairs has become so serious that people now assume Google is already reading your personal communications, and that this is normal. As Kyle said:
>
> > Google doesn't claim that nobody can read your content, and it's fairly obvious even to casual users that Google can see what you're discussing.
>
> Woah there, boy. Refer your sorry ass to the metaphor favoured by Sir Tim Berners-Lee: when the Post Office handles my mail I work on the assumption that it does not open my letters and read them, or snoop on my chit-chat. This is called trust.
>
> I do not have that trust for Google. I did nevertheless once have this trust. And it is true that I invested this trust with Google. It is crucial to understand that Google relied on my investing that trust with it in order to get my business in the first place. Just like it relied on everyone's trust. That is why it has the virtual monopoly it has on search. Its success is a function of everyone's trust. I trusted Google not to scan my personal mails for their content, nor to track my behaviour. It has abused that trust.
>
> There is a very particular way in which people have accepted this abuse as normal, Kyle. That is, they have not necessarily deemed it acceptable. This is how abuses of power work. People think it's wrong but they also think they can't do anything about it. So it just passes for
Re: [liberationtech] Microsoft Accesses Skype Chats
Pranesh Prakash:

> I noticed recently that (all?) URLs sent via Google Hangouts automatically get replaced by a Google URL redirection (the way their search results do if you're logged in).

That's not limited to when you're logged in. And Google is not transparent about it, in fact they deliver code to make it look like there was no redirection before you click on a link in Google search results.

Of course, Google only wants the best for everyone and is not evil. Yes, that's sarcasm. Google, like every company not run as, say, a fully family owned and run business without external shareholders (there it isn't necessarily the case, though still quite likely since they will have to compete with other companies), is driven by the expectation and requirement to monetize whatever they can, and this is guaranteed to impact ethics as soon as the pressure grows strong enough.

Of course there could be, can be, and I would think most likely are legitimate uses for this URL redirection (such as the warning screens when you're about to visit a known phishing site), but I bet there is more to it. After all, you could work around this by just embedding this information directly in search results, or not displaying such search results unless set in preferences.

But then, there is also a pretty obvious non legitimate use case there: tracking. And Google is all about tracking. Initially this was not the case, but during the past 10 years this has changed rapidly. Every new service introduced within the recent years has, if you think about it, a lot of benefit if the primary goal is to know more about your users.
Just think about

* Gmail, with its laughable privacy policy (yes they do say they will track you, and anyone who can sum up 1 + 1 knows this means you cannot use them for political work, and then you shouldn't rely on not directly paid services for doing anything sensitive anyways - there are viable alternatives), which is surely not suitable for organizations who care about keeping content of their e-mails to themselves, but is still used by way too many organizations, and many universities
* Doubleclick, which was already one of the world's largest ad networks before Google bought it, embedding tracking cookies on every other website you visit, and was then combined with Google Ads for even more reach (and sales)
* Recaptcha, a way to look nice, because you're offering a useful feature, and on the other hand get integrated into loads of websites which this way ensure users' data ends up with Google
* Google+, together with the Google+ icon which, just like Facebook's, is always pulled from Google's servers, since they so need to know who is accessing websites which have the logo on it.
* Google APIs are added to loads of websites, and loaded by (nearly) every web browser which accesses those websites. They always load data from Google servers, even if it's just about loading some Javascript you could easily host yourself.
* Google Analytics, now embedded into pretty much every second website you visit on a daily basis
* The accidental collection of information on the location of wireless networks as they were mapping for streetview.

I could go on for much longer.
If you take all these opportunities for Google to collect information and think about how this enables them to track your movements across multiple websites (*some* Google service is basically embedded on every website nowadays), even without cookies (but it works even better with global cookies so Google uses them wherever they can), just based on your browser's unique signature (definitely when combined with your IP address) [1], then it can become quite obvious how embedding Google services to your website and using them to send e-mail (and making your buddies send e-mail to them) is not going to increase your karma.

It causes me pain each time I read an article which supports the view that Google is somehow doing good. It is not. Just like any other company, that's not what their business is about. And by their sheer size, they are actually pretty evil, since they have the power to centralize way too much information. And they happily will. And this is never a good thing.

Definitely, other corporations are no better, some are worse. But none of them is as huge, as uncontrolled, and as widely deployed and enabled to collect every one of your daily actions online.

There are alternatives to Google services. Use them, for your own good, and for the good of people you interact with. The myth of Google being for the people needs to be crushed.

Al

--
GPG key http://zimmermann.mayfirst.org/pks/lookup?search=0x39A8722D
GPG FP A38F 4F71 749E 609F 397E EB52 778E 4678 39A8 722D
Info https://tachanka.org/
--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Microsoft Accesses Skype Chats
I noticed recently that (all?) URLs sent via Google Hangouts automatically get replaced by a Google URL redirection (the way their search results do if you're logged in). I've not seen any documentation of this on Google's help pages, though.

Sure, Google Hangouts doesn't sell itself on its security, and a redirect is more transparent than secret visits from a Microsoft server. That said, how exactly is this different from what Skype is doing?

~ Pranesh

--
Pranesh Prakash
Policy Director
Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash
Re: [liberationtech] Microsoft Accesses Skype Chats
Skype isn't transparent about it - you include a link in a chat and it looks normal and the people who click on it go directly to the URL provided. But Microsoft later visits it surreptitiously, despite the claims that nobody can read your content.

Google is transparent about it - you include a link and you get something that will redirect you to it. (I imagine this is to prevent the spreading of all sorts of phishing and malware as commonly happens in, say, Facebook chats). Google doesn't claim that nobody can read your content, and it's fairly obvious even to casual users that Google can see what you're discussing.

On Thu, May 30, 2013 at 1:35 PM, Pranesh Prakash pran...@cis-india.org wrote:

> I noticed recently that (all?) URLs sent via Google Hangouts automatically get replaced by a Google URL redirection (the way their search results do if you're logged in). I've not seen any documentation of this on Google's help pages, though.
>
> Sure, Google Hangouts doesn't sell itself on its security, and a redirect is more transparent than secret visits from a Microsoft server. That said, how exactly is this different from what Skype is doing?
>
> ~ Pranesh
>
> --
> Pranesh Prakash
> Policy Director
> Centre for Internet and Society
> T: +91 80 40926283 | W: http://cis-india.org
> PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash
Re: [liberationtech] Microsoft Accesses Skype Chats
On 05/18/2013 06:43 AM, Rich Kulawiec wrote:

> First: thanks for the followup/information/analysis. Most helpful.

To follow up on what I'd mentioned as possible further things to test, yes it does follow redirects (but sadly does not follow looped redirects), and yes it follows things that the skype client has determined are links (generally anything that starts with www..., not just http...).

Interestingly, Firefox, on hitting my redirect-loop, bounced back and forth for a bit before giving up, the MS scan only hit the URLs once. Is this because it's coded to detect loops, or is it only scanning links once per some timeframe?

> Second: [great walk-through of why this summary below is accurate snipped]
>
> Bottom line: either Microsoft is telling the truth, in which case this was a hopelessly inept and ridiculously ineffective malware scanning exercise, or they're lying and just threw this fabricated story against the wall to see if it would stick. My money's on the latter: I think they're evil, not stupid.

I agree -- not sure I'd go straight to evil, but I find it too far of a stretch for the current explanation to hold.
> ---rsk

Jon
Re: [liberationtech] Microsoft Accesses Skype Chats
On 05/17/13 12:31, Rich Kulawiec wrote:

> ...
> And incidentally, the proffered rationale for this doesn't fly, given that (a) they're only sending HEAD: actually scanning destination URLs for malware et.al. would require fetching the whole page and (b) they're only retrieving HTTPS URLs (per Heise) which is not what someone actually looking for malware would do. Moreover (c) even if they classified a URL as malicious, let's say https://example.net/blah, the recipient of said URL is likely to access it via a data path outside their control, thus -- unless they blocked it *inside* Skype -- they have no way to prevent access to it and delivery of whatever malware payload awaits.

(delurking)

A) it would be very interesting if a bunch of people filed a complaint with the Data Protection Authority of Luxembourg (where Skype is registered in Europe) making this argument above in well-crafted detail, and report back on response
http://www.cnpd.public.lu/fr/support/contact/index.php (gotta love their address BTW) (they have a dumb webform, so suggest use info at cnpd.lu instead)

B) FYI all, in Feb I managed to exercise my right of access to personal data from Skype under EU Data Protection Law. They ducked this for months, but after 6 emails to Luxembourg DPA, finally complied. Because I deliberately did this on an account I hadn't used for a while, it's not clear how much Internet call/chat metadata they retain, so I have a new request running.

If anyone wants a suggested template for how to do (A) and or (B) contact me offlist (I'll post details if a lot of interest)

N.B.

1. you don't have to be European to do this (but probably helps if an EU resident or can cite chats/calls with those who are). Interesting also to see what happens if a US-based user tries to get call metadata citing EU law (in theory this could work if that data is held in EU)
2. FYI Skype in Europe maintains they aren't a telco http://www.itworld.com/networking/347950/french-regulator-says-skype-must-register-telco-or-risk-prosecution, and thus not subject to the notorious EU Data Retention Directive. However this may actually be worse, because they would also not be obligated to delete metadata after some period (6 mths to 2 years depending on various vagaries)
3. would be interesting to ask about whether Skype voice crypto is (still ?) genuinely end-to-end as well, as this not mentioned in privacy statement and finessed in FAQs, because will trigger test of whether DPA can force Skype to specify that (I did this already - awaiting answers)
4. the Luxembourg DPA website is in French & German but you can write to them in English
5. To make a subject access request to Skype, seems like best email is cro at skype.net, but also instructive to go through the website and see if you can figure out how to contact them electronically in the circular maze of their support info. Procedure is then to complain to DPA if they ignore or fob off.

Caspar Bowden
@CasparBowden
Re: [liberationtech] Microsoft Accesses Skype Chats
On Tue, May 14, 2013 at 09:14:19PM +0530, Pranesh Prakash wrote:

> Heise Security is reporting that Microsoft accesses links sent over Skype chat.[1]

Everyone who thinks that's the *only* thing that Microsoft is quietly doing behind everyone's back, raise your hand.

And incidentally, the proffered rationale for this doesn't fly, given that (a) they're only sending HEAD: actually scanning destination URLs for malware et.al. would require fetching the whole page and (b) they're only retrieving HTTPS URLs (per Heise) which is not what someone actually looking for malware would do. Moreover (c) even if they classified a URL as malicious, let's say https://example.net/blah, the recipient of said URL is likely to access it via a data path outside their control, thus -- unless they blocked it *inside* Skype -- they have no way to prevent access to it and delivery of whatever malware payload awaits.

Source code is truth; all the rest is smoke and mirrors, hype and PR. If Microsoft had the *slightest* interest in telling y'all the truth, then they would have answered the group letter earlier this spring with code, not with glib prose crafted by a committee of talented spokesliars.

---rsk

p.s. Heise's discovery is an existence proof that it's possible to intercept the contents. Therefore we must presume that other entities besides Microsoft may have this capability -- doubly so given that some of those entities have not only the resources, but the motivation.
Re: [liberationtech] Microsoft Accesses Skype Chats
On 05/17/2013 07:31 AM, Rich Kulawiec wrote:

> On Tue, May 14, 2013 at 09:14:19PM +0530, Pranesh Prakash wrote:
> > Heise Security is reporting that Microsoft accesses links sent over Skype chat.[1]
>
> Everyone who thinks that's the *only* thing that Microsoft is quietly doing behind everyone's back, raise your hand.
>
> And incidentally, the proffered rationale for this doesn't fly, given that (a) they're only sending HEAD: actually scanning destination URLs for malware et.al. would require fetching the whole page and (b) they're only retrieving HTTPS URLs (per Heise) which is not what someone actually looking for malware would do.

Let me address (b) first - I want to clarify that there is HEAD scanning on HTTP URLs, *not just HTTPS*. This comes from the same IP, with a 2-3 hour delay from posting in skype to seeing in the logs:

65.52.100.214 - - [15/May/2013:09:16:33 -0700] HEAD /skype.html HTTP/1.1 200 320 - -

I'm doing some follow-up tests to see if it follows redirects, links posted without http:// or https:// , links without www.* and so on.

This could inform the utility of (a) (I'm arguing as a devil's advocate here). Given that MS might have an existing catalog of malware sites and/or a separate method for finding new ones; this HEAD scanning may be looking for new, unknown redirects to known malware sites. (However, this wouldn't find in-page redirects or javascript redirects/additions, and a number of other popular malware/adspam distribution tools).

> Moreover (c) even if they classified a URL as malicious, let's say https://example.net/blah, the recipient of said URL is likely to access it via a data path outside their control, thus -- unless they blocked it *inside* Skype -- they have no way to prevent access to it and delivery of whatever malware payload awaits.

Skype does detect and activate links based on some regex-like system, so it's remotely possible that this same process could have an overridden link to a pass-through warning page/etc. Also could be worth testing...

> Source code is truth; all the rest is smoke and mirrors, hype and PR. If Microsoft had the *slightest* interest in telling y'all the truth, then they would have answered the group letter earlier this spring with code, not with glib prose crafted by a committee of talented spokesliars.
>
> ---rsk
>
> p.s. Heise's discovery is an existence proof that it's possible to intercept the contents. Therefore we must presume that other entities besides Microsoft may have this capability -- doubly so given that some of those entities have not only the resources, but the motivation.

It's also possible that the skype client is reporting these urls separately from the content of a chat as part of its link-verification and activation. As you say, without the source, it's not really knowable.

More interesting, the IP is listed by ARIN as being from Redmond, which means that at the very least, the URLs pass through the US and could be subject to warrants, NSLs, and so forth; which is somewhat at odds with the Skype-data-is-in-Luxembourg text from http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/ :

What is Microsoft and Skype’s position on CALEA?

The U.S. law, Communications Assistance for Law Enforcement Act, does not apply to any of Microsoft’s services, including Skype, as Microsoft is not a telecommunications carrier. Skype is an independent division headquartered and operating under Luxembourg law.

J
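Added example (not code from any poster in this thread): a Python sketch of the log check behind the test described in the message above, where a link to a page nobody else knows about is pasted into a chat and the web server's access log is then searched for requests that did not come from the intended reader. It also reports how often and how long after posting the page was fetched, which is the question raised in the follow-up about the scan hitting each URL only once. The function names, the recipient address 203.0.113.7 and the posting time are constructed for illustration; only the 65.52.100.214 HEAD entry is taken from the thread, and the log is assumed to be in the usual combined format with a quoted request field.

```python
import re
from datetime import datetime

# Common/combined access-log format (assumption: the request field is quoted,
# as Apache and nginx write it by default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it cannot be parsed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    except ValueError:
        return None
    # Compare on the path only; any query string is ignored.
    rec["path"] = rec.pop("target").split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def canary_hits(log_lines, canaries, expected_ips=()):
    """Find requests for canary paths that did not come from an expected reader.

    canaries:     {path: datetime the link was pasted into the chat}
    expected_ips: addresses of the people the link was actually sent to
    """
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in canaries:
            continue
        if rec["ip"] in expected_ips:
            continue
        hits.append({
            "path": rec["path"],
            "ip": rec["ip"],
            "method": rec["method"],
            "status": rec["status"],
            "delay": rec["ts"] - canaries[rec["path"]],
        })
    return hits


def summarize(hits):
    """Per canary path: hit count, methods seen, shortest delay after posting."""
    out = {}
    for h in hits:
        s = out.setdefault(
            h["path"], {"count": 0, "methods": set(), "first_delay": h["delay"]}
        )
        s["count"] += 1
        s["methods"].add(h["method"])
        s["first_delay"] = min(s["first_delay"], h["delay"])
    return out


# Constructed sample data. The posting time and every line except the
# 65.52.100.214 HEAD request are made up for this example.
SAMPLE_CANARIES = {
    "/skype.html": datetime.strptime("15/May/2013:06:45:00 -0700", TS_FMT),
}
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2013:06:46:10 -0700] "GET /skype.html HTTP/1.1" 200 320 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/May/2013:07:02:44 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '65.52.100.214 - - [15/May/2013:09:16:33 -0700] "HEAD /skype.html HTTP/1.1" 200 320 "-" "-"',
    "garbage line that is not an access-log record",
]

if __name__ == "__main__":
    found = canary_hits(SAMPLE_LOG, SAMPLE_CANARIES, expected_ips={"203.0.113.7"})
    for h in found:
        print(f'{h["ip"]} {h["method"]} {h["path"]} {h["delay"]} after posting')
    print(summarize(found))
```

A HEAD-only entry in the summary, a hit count of one and a delay of hours rather than seconds are the three properties the thread argues about; running the same check with one canary page per chat service keeps the results separable.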
[liberationtech] Microsoft Accesses Skype Chats
Heise Security is reporting that Microsoft accesses links sent over Skype chat.[1] Here is the /. lede:

> A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation[2]). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and fishing URLs.

[1]: http://www.heise.de/newsticker/meldung/Vorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
[2]: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FVorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html

~ Pranesh

--
Pranesh Prakash
Policy Director
Centre for Internet and Society
T: +91 80 40926283 | W: http://cis-india.org
PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash
Re: [liberationtech] Microsoft Accesses Skype Chats
On Tue, May 14, 2013 at 5:44 PM, Pranesh Prakash pran...@cis-india.org wrote:

> A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation[2]). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and fishing URLs.
>
> [1]: http://www.heise.de/newsticker/meldung/Vorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
> [2]: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FVorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html

Hello:

This confirms that the traffic between skype clients is not encrypted as it was (supposed to be) before Microsoft acquired skype.

Regards,
--
Eduardo
Re: [liberationtech] Microsoft Accesses Skype Chats
I understand that the Skype traffic IS encrypted. The problem is that Skype itself (and now, Microsoft) holds the key, not the conversants..

Best Regards | Cordiales Saludos | Grato,

Andrés L. Pacheco Sanfuentes
a...@acm.org
+1 (817) 271-9619

On Tue, May 14, 2013 at 10:57 AM, Eduardo Robles Elvira edu...@gmail.com wrote:

> On Tue, May 14, 2013 at 5:44 PM, Pranesh Prakash pran...@cis-india.org wrote:
> > A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation[2]). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and fishing URLs.
> >
> > [1]: http://www.heise.de/newsticker/meldung/Vorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
> > [2]: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FVorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
>
> Hello:
>
> This confirms that the traffic between skype clients is not encrypted as it was (supposed to be) before Microsoft acquired skype.
>
> Regards,
> --
> Eduardo
Re: [liberationtech] Microsoft Accesses Skype Chats
..on Tue, May 14, 2013 at 11:04:11AM -0500, Andrés Leopoldo Pacheco Sanfuentes wrote:
> I understand that the Skype traffic IS encrypted. The problem is that Skype itself (and now, Microsoft) holds the key, not the conversants..

Yes, this is correct. There's a good lesson here in encryption, key ownership and topology.

Cheers,
--
Julian Oliver
http://julianoliver.com
http://criticalengineering.org

> On Tue, May 14, 2013 at 10:57 AM, Eduardo Robles Elvira edu...@gmail.com wrote:
>> On Tue, May 14, 2013 at 5:44 PM, Pranesh Prakash pran...@cis-india.org wrote:
>>> A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation[2]). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs.
>>>
>>> [1]: http://www.heise.de/newsticker/meldung/Vorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
>>> [2]: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FVorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
>>
>> Hello:
>>
>> This confirms that the traffic between skype clients is not encrypted as it was (supposed to be) before Microsoft acquired skype.
>>
>> Regards,
>> --
>> Eduardo
Re: [liberationtech] Microsoft Accesses Skype Chats
On 14/05/13 17:08, Julian Oliver wrote:
> ..on Tue, May 14, 2013 at 11:04:11AM -0500, Andrés Leopoldo Pacheco Sanfuentes wrote:
>> I understand that the Skype traffic IS encrypted. The problem is that Skype itself (and now, Microsoft) holds the key, not the conversants..
>
> Yes, this is correct. There's a good lesson here in encryption, key ownership and topology.

Another possible explanation is that the Skype client is submitting the links (but not the entire contents of the chat) to Microsoft.

Cheers,
Michael
Re: [liberationtech] Microsoft Accesses Skype Chats
On 14-05-13 18:08, Julian Oliver wrote:
> ..on Tue, May 14, 2013 at 11:04:11AM -0500, Andrés Leopoldo Pacheco Sanfuentes wrote:
>> I understand that the Skype traffic IS encrypted. The problem is that Skype itself (and now, Microsoft) holds the key, not the conversants..
>
> Yes, this is correct. There's a good lesson here in encryption, key ownership and topology.

Exactly what I'm trying to accomplish with [1].

1: http://eccentric-authentication.org/

Guido.
Re: [liberationtech] Microsoft Accesses Skype Chats
Tested it, got the following: HEAD /this_is_a_test2.html HTTP/1.1 from 65.52.100.214 with no User Agent.

-tom

On 14 May 2013 11:44, Pranesh Prakash pran...@cis-india.org wrote:
> Heise Security is reporting that Microsoft accesses links sent over Skype chat.[1] Here is the /. lede:
>
> A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation[2]). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs.
>
> [1]: http://www.heise.de/newsticker/meldung/Vorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
> [2]: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FVorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
>
> ~ Pranesh
>
> --
> Pranesh Prakash
> Policy Director
> Centre for Internet and Society
> T: +91 80 40926283 | W: http://cis-india.org
> PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash
Re: [liberationtech] Microsoft Accesses Skype Chats
Also, it came about two hours after I sent the link to a friend.

-tom

On 14 May 2013 14:39, Tom Ritter t...@ritter.vg wrote:
> Tested it, got the following: HEAD /this_is_a_test2.html HTTP/1.1 from 65.52.100.214 with no User Agent.
>
> -tom
>
> On 14 May 2013 11:44, Pranesh Prakash pran...@cis-india.org wrote:
>> Heise Security is reporting that Microsoft accesses links sent over Skype chat.[1] Here is the /. lede:
>>
>> A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation[2]). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs.
>>
>> [1]: http://www.heise.de/newsticker/meldung/Vorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
>> [2]: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FVorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
>>
>> ~ Pranesh
>>
>> --
>> Pranesh Prakash
>> Policy Director
>> Centre for Internet and Society
>> T: +91 80 40926283 | W: http://cis-india.org
>> PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash
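The test reported in the two messages above can be repeated by a site operator with a check like the following. This is an added example, not part of the original thread: it scans web server access logs for fetches of a link that was shared only in a private chat and reports any that came from an address other than the intended recipient's. The log lines are constructed (Apache combined format is assumed), the recipient address 203.0.113.7 and the timestamps are placeholders, and `unexpected_fetches` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample log lines, modelled on the request reported in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2013:12:41:02 +0000] "GET /this_is_a_test2.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
65.52.100.214 - - [14/May/2013:14:39:10 +0000] "HEAD /this_is_a_test2.html HTTP/1.1" 200 0 "-" "-"
198.51.100.9 - - [14/May/2013:14:40:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Apache combined log format: ip, ident, user, [time], "request", status,
# size, "referer", "user-agent".
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def unexpected_fetches(log_text, canary_path, sent_at, expected_ips):
    """Return requests for canary_path made by anyone except expected_ips."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] != canary_path:
            continue  # unparsable line or unrelated resource
        if m["ip"] in expected_ips:
            continue  # the intended recipient opening the link
        seen = datetime.strptime(m["ts"], TS_FORMAT)
        findings.append({
            "ip": m["ip"],
            "method": m["method"],
            "no_user_agent": m["ua"] in ("", "-"),
            "delay": seen - sent_at,  # time between sending and the fetch
        })
    return findings

if __name__ == "__main__":
    sent = datetime.strptime("14/May/2013:12:40:00 +0000", TS_FORMAT)
    hits = unexpected_fetches(SAMPLE_LOG, "/this_is_a_test2.html",
                              sent, {"203.0.113.7"})
    for hit in hits:
        print(hit)
```

Using a path that exists nowhere else and is sent in exactly one conversation is what makes a hit attributable to that conversation.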
Re: [liberationtech] Microsoft Accesses Skype Chats
Anyone try searching for private links in bing yet?

Sent from my iPad

On May 14, 2013, at 14:41, Tom Ritter t...@ritter.vg wrote:
> Also, it came about two hours after I sent the link to a friend.
>
> -tom
>
> On 14 May 2013 14:39, Tom Ritter t...@ritter.vg wrote:
>> Tested it, got the following: HEAD /this_is_a_test2.html HTTP/1.1 from 65.52.100.214 with no User Agent.
>>
>> -tom
>>
>> On 14 May 2013 11:44, Pranesh Prakash pran...@cis-india.org wrote:
>>> Heise Security is reporting that Microsoft accesses links sent over Skype chat.[1] Here is the /. lede:
>>>
>>> A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation[2]). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs.
>>>
>>> [1]: http://www.heise.de/newsticker/meldung/Vorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
>>> [2]: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FVorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
>>>
>>> ~ Pranesh
>>>
>>> --
>>> Pranesh Prakash
>>> Policy Director
>>> Centre for Internet and Society
>>> T: +91 80 40926283 | W: http://cis-india.org
>>> PGP ID: 0x1D5C5F07 | Twitter: @pranesh_prakash