Sunday 14 July 2013

What if Microsoft is telling the truth about Skype?

Snowden’s NSA documents appear to be genuine. So, it’s likely that PRISM is increasingly monitoring Skype audio and video data. Additionally, Microsoft will have worked for many months with the FBI and NSA which now enables PRISM to access Skype sessions without the need for separate governmental authorization.

Considering that the NSA cooperates with other security agencies worldwide, this is worrying for environmental activists, as they are likely subjected to government scrutiny of their digital communications. Because activists usually have fairly limited resources (time, money, knowledge) to implement adequate security measures, this can seriously endanger the success of environmental activities. Good security measures are therefore needed in order to minimize or even prevent governments listening in when activists communicate and cooperate with each other using off-the-shelf, easy-to-use digital collaboration tools like Skype.


Microsoft denial

Microsoft, on the other hand, vehemently denies that it gives authorities direct access to its Skype product. Their statement is: “To be clear, Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product.”

On its law enforcement webpage, Microsoft argues that it has no legal obligation to enable its Skype product for wiretapping: “The U.S. law, Communications Assistance for Law Enforcement Act, does not apply to any of Microsoft’s services, including Skype”. Instead, “Luxembourg and EU law apply to Skype. Law enforcement requests for Skype records are processed through Luxembourg in the same manner now as before the Microsoft acquisition.”
This would mean that, with regard to providing customer data, the “European Data Retention legislation” will apply, which only covers “non-content” data, i.e. metadata. Any request to hand over VoIP content data will, from a purely legal perspective, be rejected with regard to Skype since, in Europe too, VoIP applications are not legally required to be wiretappable. In several countries, including the USA, requests to change the law in this respect are currently being discussed. The only content data Microsoft is legally obliged to hand over when it accepts an official governmental request is data stored in the Skype user account, i.e. profile details and most likely the user's password hash.

So, if Snowden's NSA documents point to the NSA having free access to Skype voice and video but Microsoft denies that they provide such direct access, somebody is apparently lying. In most public media the overall picture is that we should not trust Microsoft. The general opinion is that the company does provide a hidden backdoor into its Skype product and/or that it has provided decryption possibilities to the NSA. 

An alternative scenario

Just for argument's sake, I thought it would be interesting to try to identify a scenario in which nobody is lying. So, let's say that Microsoft is telling the truth. They do not provide any government with blanket or direct access to their products, there is no hidden backdoor in Skype and they did not hand over any kind of encryption key to the NSA. What scenario can we come up with then? Well, such a scenario might be more scary than one would expect.

Although Microsoft engineers seem to have helped the FBI/NSA to tap into the Skype application we have not (yet) seen any detail on how this access is technically done. It is generally known however that the NSA employs highly skilled hackers and it would not be a crime for Microsoft to provide consulting services to the NSA in order to help them to hack into its products, including the Windows Operating System.

By doing this, Microsoft does not give direct access. It merely provides consulting services which could also have been provided by other, specialized companies. But, Microsoft will be much more effective as they clearly know all the intricate, technical details of their own software. By providing these consulting services Microsoft will not hand over any front door keys. Instead, Microsoft consultants can help NSA hackers to more effectively find various ways to compromise the Windows Operating System, to quickly identify new vulnerabilities that, while still unknown to the public can be exploited (zero day), even temporarily (window of opportunity). New vulnerabilities are appearing all the time so this is not a one off thing. It is already publicly known that Microsoft (as well as other firms) “provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix”. And finally, but now I am stretching it, Microsoft might even provide the NSA sight of (some of) its not publicly available internal source code which could make identifying new vulnerabilities even easier and more effective.

Such early warning knowledge, accompanied by high quality consulting, could result in an ongoing stream of dedicated Trojans, worms, zero day exploits, and possibly also a very effective rootkit that no scanners, not even Microsoft’s own, would be able to detect. A consulting service would not be illegal, would be commercially defensible (others are doing it too) and would also not contradict Microsoft’s statement regarding not providing direct access to their products, because they don’t.

No secure alternatives

This scenario is as scary as Microsoft merely building in hidden backdoors. Such consulting services simply give the NSA all the knowledge to increase its ability to very effectively hack into the Windows Operating System and compromise any application that is installed on it. This will also bypass encryption. According to Edward Snowden this is actually happening: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” It is interesting to note that Microsoft also points in this direction on its law enforcement page regarding the security of Skype: “In addition, the end points of a communication are vulnerable to access by third parties such as criminals or governments”.

Environmental activists are generally, and should be, worried about government scrutiny of their digital communications. They must however realize that, no matter which communication and collaboration application they choose and despite all the encryption they add on top, these measures can be bypassed. Under the above scenario, Skype would be as secure or insecure as any other encrypted communication tool. So, because of the recent PRISM upheaval, ditching Skype and moving to another communication/collaboration tool might not make a difference. It is not a secretly hidden backdoor in Skype we should be worried about; it is the security of the whole environment, including the underlying operating system, that matters, and governments hacking into it. No application, neither closed nor open source, will be able to withstand the invasive power of highly professional, continuous research for zero day exploits, dedicated Trojans or highly professional rootkits targeted at the underlying operating system.

So, if Microsoft is telling the truth in its statement about the security and privacy of Skype, we should be worried as much as if it was a lie. No communication and collaboration application will be safe. By merely focusing on the end user application, we might be looking in the wrong direction.

The solution

What should environmental activists who are worried about government scrutiny do? If your communications must be secure, make sure, very sure, that the operating system you are running your communication/collaboration application on can be trusted. If the operating system has been used for a while, e.g. for browsing the internet or receiving email, you should consider it to be insufficiently secure for highly sensitive communications. This will be fairly similar for both closed and open source operating systems plus applications, as both have potential (zero day) vulnerabilities that can be found and exploited. No matter how many antivirus scanners you are running, targeted and/or as yet unknown Trojans will not be picked up. Secondly, use good security practice: only install applications you know you can trust, always use strong passwords and be very vigilant when receiving all kinds of digital external communications.
For sensitive communication, activists must make sure they have a freshly installed machine which has not been connected to the internet before, which is fully patched before going online (preferably use local copies of the original update files) and where the hardware platform (e.g. laptop) has been under personal control all the time. All these measures are effective, however, up to the point where we can trust the integrity of the applications that we install.

And what if it turns out that, despite its strong denial, Microsoft has been lying? What if this company actively builds hidden backdoors into its software in order to enable spying by governments? If this is so, then we should realize that, logically, in many jurisdictions this will not be different for other big corporations, e.g. Apple, IBM, HP, Intel, AMD, Samsung, Blackberry, Lenovo, Huawei, etc. Notice these vendors provide both software and hardware? If we cannot trust these firms because they collude with their governments, then we must be very afraid because, even with only open source software solutions, there will be nowhere to hide.




7 comments:

  1. I heard someone breathing during a skype call. This is for real.

  2. It's a fact that Skype VoIP sessions are listened into. Not only by the NSA and also not only Skype. Also other VoIP applications are eavesdropped. The most likely scenario is (governments) hacking into the endpoint (i.e. the workstation) instead of a backdoor in a single application like Skype. See e.g. hackingteam, da vinci on http://www.hackingteam.it/index.php/remote-control-system
