Skype's IP-leaking security bug creates denial-of-service cottage industry


It's been more than a year since the WSJ reported that Skype leaks its users' IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone's IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person's home.

In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).

Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire than can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.

Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

Privacy 101: Skype Leaks Your Location

Privacy groups, activists and journalists call on Skype to document its privacy practices

A coalition of journalists, privacy advocates, and Internet activists have published an open letter to Skype and Microsoft, calling on them to "publicly document Skype’s security and privacy practices" in a Transparency Report:

1. Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.

2. Specific details of all user data Microsoft and Skype currently collects, and retention policies.

3. Skype’s best understanding of what user data third-parties, including network providers or potential malicious attackers, may be able to intercept or retain.

4. Documentation regarding the current operational relationship between Skype with TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.

5. Skype's interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere.

Open Letter to Skype (via /.)

Government Skype surveillance "may be a good thing"

John C. Dvorak, on why Skype backdoors allowing government spying on users is "not a bad thing":

I would not be surprised if one of the reasons why Microsoft bought Skype was to outfit the product with backdoor access for the US government's top eavesdropping agency, the National Security Agency.

This may be a good thing ... Hopefully, Microsoft is in bed with various governments to allow them to listen in on our calls. This sounds crazy, but no. It would be an ironic twist, but if it were the case, Microsoft would be required to keep the quality high so everyone doesn't bail out and go elsewhere.

A wacky theory, but it does make sense.

What's Up With Skype? [PC Mag via Popehat. Photo: Shutterstock]
Self-delusion is an ugly thing: "While on a 1:1 audio call, users will see content that could spark additional topics of conversation that are relevant to Skype users and highlight unique and local brand experiences. So, you should think of Conversation Ads as a way for Skype to generate fun interactivity between your circle of friends and family and the brands you care about." Cory

The Playstation Vita as a cellphone

Sony's tiny but powerful pocket game console has 3G, but no phone app. Skype to the rescue. [Ars]

Microsoft buys Skype, attacks reverse engineer with bogus takedown notices and florid language

Microsoft-owned Skype has launched a campaign to shut down programmers who use reverse-engineering to understand its protocol and make interoperable products. Their PR agency calls this "nefarious attempts to subvert Skype's experience." Unfortunately for Skype and Microsoft, "experience" is not something the law protects -- after all, if a Skype user wants to talk to another person who uses a third-party Skype client, why would the law want to prevent that? Meanwhile, it appears that the sourcecode over which Microsoft is asserting copyright was created by the reverse-engineer they're harassing.

The day of publishing his initial details, Google's Blogger (where his blog is hosted) received a DMCA (Digital Millenium Copyright Act) notice that two of his blog entries had to be removed: the post about his success in reverse-engineering the Skype protocol and then a second post about more technical details.

The complainant issuing the DMCA notice was in fact "Skype Inc" and the basis for the complaint is "Source code. The publication of this code, in addition to infringing Skype's intellectual property rights, may encourage improper spamming activities." (Google publishes DMCA complaints to ChillingEffects.org.)

Skype issued a second DMCA copyright notice after this researcher published more Skype related code. Those files have since moved to being hosted elsewhere. Skype is claiming copyright on the code even though the open-source code was written by the researcher. Another DMCA takedown attempt regarding the same work was issued again in early August when the researcher tried doing a DMCA counter-notice, and he ended up putting up links again to this "copyrighted" work.

Skype Goes After Reverse-Engineering (via /.)