WhatsApp, Slack, Skype and apps based on popular Electron framework vulnerable to backdoor attacks

This week at B-Sides LV, security researcher Pavel Tsakalidis presented his work on security defects in the Electron framework, a cross-platform development framework that combines JavaScript with Node.js: apps built with Electron include Skype, Slack, WhatsApp, Visual Studio Code and others.

Microsoft contractors are listening to your Skype conversations

Look, this is getting old. Just assume that everyone is listening to you fart, copulate and sing in the shower, all the damn time. My former co-worker and professional tall person, David Murphy, took the time today to rap about Microsoft humping up on top of the digital surveillance dog-pile. He points out that, according to Vice, an unnamed Microsoft contractor has spilled the beans on the fact that Microsoft has been holding on to five to ten-second snippets of folks using Skype's translation functionality to yammer on with one another. Did I mention that he provided samples of the audio clips? There's totally samples of the audio clips. Apparently, Microsoft's having their contractors listen in on the clips to improve on Skype's translation chops.

When confronted about their snooping, Microsoft assured Vice's investigator that the snippets were fired over to the company's contractors via a secure web portal, with all identifying data removed from the recordings.

As David points out, there's no way to keep Microsoft from doing this. Worse than this, the company, oh-so greasily, completely neglects to mention that underpaid humans are listening in on what you say during your Skype calls.

From Lifehacker:

...Microsoft doesn’t indicate in its FAQ that your speech is being analyzed by real people. In fact, this description almost implies that it’s a fully mechanical process, which it is not—nor could it be, since a machine wouldn’t be able to pick the correct translation. The entire point is that a human being has to train the system to get better.


Microsoft to make Skype usable again

Earlier this year, Microsoft brought sweeping changes to Skype's UI, giving it something of a SnapChat makeover. The communication app's user base, I among them, was less than impressed, to say the least. Where it was once an easy way to receive forwarded telephone calls and chat via video or audio with folks across multiple platforms, the changes made it a shit sandwich to do much of anything with. The outcry from Skype users was such that, last month, Microsoft announced that they'd continue to offer the old school version of Skype's desktop app. Now, in the name of not alienating their users, they've taken their software UI rollback one step further. They're bringing the features that folks actually use Skype for back to the application and making it easier to ignore the service's new SnapChat-like features.

From Ars Technica:

With this new focus on calling and messaging, the Snapchat-like statuses have been removed. The desktop interface is styled a lot closer to the legacy application, and the use of animations and gradients has been somewhat toned down. The mobile interfaces put the key calling and messaging buttons along the bottom of the screen, providing easier access to the dialer pad. The company is promising to reinstate other features from the legacy client—multiple chat windows, greater control over online status and privacy, better searching, and more. The legacy clients will still be end-of-lifed, but it seems that they'll stay around until the feature disparity is resolved

Good.

Image by Microsoft Corporation - The file was uploaded on the English Wikipedia by user AxG on September 3, 2012., Public Domain, https://commons.wikimedia.org/w/index.php?curid=21862425

Microsoft gives classic Skype a stay of execution after user complaints

For years, I maintained a Skype number that’d forward to whatever phone number I happened to be using at the time. It was the only way to make myself reachable on the phone, despite my switching to a new mobile number every time I moved to a different region. It worked well enough—until last year when Microsoft redesigned the iOS version of their app to make it damn near unusable as a phone forwarding service. I hated Skype’s mobile makeover so much that I decided not to renew my annual plan with the service. If you want to find me, these days, it has to happen via Twitter or email. It seems that users of Microsoft’s desktop version of the app have all sorts of loathing for its recent redesign as well. According to The Verge, the backlash against version 8.0 of the app has been so widespread that it’s put Microsoft back on its heels.

From The Verge:

Last month, Microsoft announced it would be shutting down the desktop version of Skype 7.0, otherwise known as classic Skype, in September and transitioning users and businesses to the redesigned Skype 8.0. Following what the company describes as “customer feedback,” classic Skype will be sticking around for “some time” to “bring all the features you’ve asked for into Skype 8,” per Windows blog Thurrott. Skype 8 was first unveiled as a mobile redesign last year, inspired by trends set by Facebook and Snapchat, and it was widely disliked at the time as well.


NSA can wiretap Skype wholesale

Another gem from the latest Der Spiegel NSA leaks: the NSA can listen in on all Skype traffic and read Skype messages, because Microsoft hands over its keys.

Skype's IP-leaking security bug creates denial-of-service cottage industry

It's been more than a year since the WSJ reported that Skype leaks its users' IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone's IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person's home.

In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).

Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire that can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.

Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

Privacy 101: Skype Leaks Your Location

Privacy groups, activists and journalists call on Skype to document its privacy practices

A coalition of journalists, privacy advocates, and Internet activists have published an open letter to Skype and Microsoft, calling on them to "publicly document Skype’s security and privacy practices" in a Transparency Report:

1. Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.

2. Specific details of all user data Microsoft and Skype currently collects, and retention policies.

3. Skype’s best understanding of what user data third-parties, including network providers or potential malicious attackers, may be able to intercept or retain.

4. Documentation regarding the current operational relationship between Skype with TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.

5. Skype's interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere.

Open Letter to Skype (via /.)

Government Skype surveillance "may be a good thing"

John C. Dvorak, on why Skype backdoors allowing government spying on users is "not a bad thing":

I would not be surprised if one of the reasons why Microsoft bought Skype was to outfit the product with backdoor access for the US government's top eavesdropping agency, the National Security Agency.

This may be a good thing ... Hopefully, Microsoft is in bed with various governments to allow them to listen in on our calls. This sounds crazy, but no. It would be an ironic twist, but if it were the case, Microsoft would be required to keep the quality high so everyone doesn't bail out and go elsewhere.

A wacky theory, but it does make sense.

What's Up With Skype? [PC Mag via Popehat. Photo: Shutterstock]

Self-delusion is an ugly thing: "While on a 1:1 audio call, users will see content that could spark additional topics of conversation that are relevant to Skype users and highlight unique and local brand experiences. So, you should think of Conversation Ads as a way for Skype to generate fun interactivity between your circle of friends and family and the brands you care about."

The Playstation Vita as a cellphone

Sony's tiny but powerful pocket game console has 3G, but no phone app. Skype to the rescue. [Ars]

Microsoft buys Skype, attacks reverse engineer with bogus takedown notices and florid language

Microsoft-owned Skype has launched a campaign to shut down programmers who use reverse-engineering to understand its protocol and make interoperable products. Their PR agency calls this "nefarious attempts to subvert Skype's experience." Unfortunately for Skype and Microsoft, "experience" is not something the law protects -- after all, if a Skype user wants to talk to another person who uses a third-party Skype client, why would the law want to prevent that? Meanwhile, it appears that the source code over which Microsoft is asserting copyright was created by the reverse-engineer they're harassing.

The day of publishing his initial details, Google's Blogger (where his blog is hosted) received a DMCA (Digital Millennium Copyright Act) notice that two of his blog entries had to be removed: the post about his success in reverse-engineering the Skype protocol and then a second post about more technical details.

The complainant issuing the DMCA notice was in fact "Skype Inc" and the basis for the complaint is "Source code. The publication of this code, in addition to infringing Skype's intellectual property rights, may encourage improper spamming activities." (Google publishes DMCA complaints to ChillingEffects.org.)

Skype issued a second DMCA copyright notice after this researcher published more Skype related code. Those files have since moved to being hosted elsewhere. Skype is claiming copyright on the code even though the open-source code was written by the researcher. Another DMCA takedown attempt regarding the same work was issued again in early August when the researcher tried doing a DMCA counter-notice, and he ended up putting up links again to this "copyrighted" work.
