The encrypted list of words inside the Tom-Skype software blocks the transmission of those words, and a copy of the message is sent to a server. The Chinese servers retained personal information about the customers who sent the messages. They also recorded chat conversations between Tom-Skype users and Skype users outside China. The whole deal blew up when someone noticed that particular words in IM messages prompted the client software to send off an encrypted message to some address in China. Fortunately (or unfortunately, depending on how you look at it) visiting that address revealed that the servers were improperly configured and secured. Thus all the logs, collected messages and information about the parties involved in the communications were visible. From CNN:
What [ the researcher ] found was that the Tom-Skype program also passes the messages caught by the filter to a cluster of servers on Tom's network. Because of poor security on those servers, he was able to retrieve more than a million stored messages. The filter appears to look for words like "Tibet," "democracy" and "milk powder" -- China is in the throes of a food scandal involving tainted milk.
This directly contradicts a blog posting on Skype's Web site, which says that the software discards the filtered messages and neither displays nor transmits them anywhere.
Notice how a keyword that only recently became interesting ("milk powder") is on that list. Thus, it is likely that the Tom-Skype client occasionally updates its list of words from those servers or another source.
In light of this, I renew my call for a free and open source alternative to Skype: something that is just as easy to set up and use. As I said in that past article, I believe we have all the required pieces. They just need to be assembled into a complete package.
It is antics like this that should make us think twice about trusting proprietary, closed-source software. It demonstrates the inherent value of free and open source code: backdoors and hidden activities such as this don't have a chance. They will be discovered and removed. With proprietary software you can never know what you get. This is not limited to software that hails from a heavily monitored society. Even in the West, the most reputable software vendors have had moments where the mere opportunity to capture more data about you than they really needed was just too tempting to pass up.
Free and open source is the answer to a world written in code. Our data, our thoughts, our privacy should be worth enough to us that we want to protect them. We have seen here again that you cannot do that with proprietary software.
Comment by slugster, on 3-Oct-2008 21:03
That headline is bollocks. The problem is not the closed source application, the problem is doing business with a closed government. Yet again the Chinese prove that they can't be trusted, and a big company shows their determination to stoop to a low level just to get into a market.