foobar on computers, software and the rest of the world


Skype surveillance: You can't trust closed-source software

Posted: 3-Oct-2008 06:50

It has now been widely reported that Skype is apparently helping Chinese authorities monitor the Internet. Specifically, Tom-Skype - a joint venture between eBay and a Chinese provider - searches IM messages for 'suspicious' words and then sends copies of those messages to a bank of servers located in China, presumably for further analysis. The New York Times writes:
The encrypted list of words inside the Tom-Skype software blocks the transmission of those words and a copy of the message is sent to a server. The Chinese servers retained personal information about the customers who sent the messages. They also recorded chat conversations between Tom-Skype users and Skype users outside China.
The whole affair came to light when someone noticed that particular words in IM messages prompted the client software to send an encrypted message to an address in China. Fortunately (or unfortunately, depending on how you look at it), visiting that address revealed that the servers were improperly configured and secured, so all the logs, the collected messages and the information about the parties to the communications were visible. From CNN:

What [ the researcher ] found was that the Tom-Skype program also passes the messages caught by the filter to a cluster of servers on Tom's network. Because of poor security on those servers, he was able to retrieve more than a million stored messages. The filter appears to look for words like "Tibet," "democracy" and "milk powder" -- China is in the throes of a food scandal involving tainted milk.

This directly contradicts a blog posting on Skype's Web site, which says that the software discards the filtered messages and neither displays nor transmits them anywhere.

Notice how a keyword that only recently became interesting ("milk powder") is on that list. Thus, it is likely that the Tom-Skype client occasionally updates its list of words from those servers or another source.

In light of this, I renew my call for a free and open source alternative to Skype: something just as easy to set up and use. As I said in that earlier article, I believe we already have all the required pieces; they just need to be assembled into a complete package.

It is antics like this that should make us think twice about trusting proprietary, closed-source software. It demonstrates the inherent value of free and open source code: backdoors and hidden activities such as this don't stand a chance; they will be discovered and removed. With proprietary software you can never know what you are getting. This is not limited to software that hails from a heavily monitored society. Even in the West, the most reputable software vendors have had moments where the mere opportunity to capture more data about you than they really needed was just too tempting to pass up.

Free and open source is the answer to a world written in code. Our data, our thoughts, our privacy should be worth enough to us that we want to protect them. We have seen here again that you cannot do that with proprietary software.

Comment by slugster, on 3-Oct-2008 21:03

That headline is bollocks. The problem is not the closed source application, the problem is doing business with a closed government. Yet again the Chinese prove that they can't be trusted, and a big company shows their determination to stoop to a low level just to get into a market.


Author's note by foobar, on 3-Oct-2008 21:57

@slugster: You are missing my point. Government or not, private organisation or not: If the source were open, this kind of back door would not have happened.

