Showing posts with label Skype. Show all posts

Sunday, November 2, 2008

China and TOM-Skype Podcast Recorded Today

Today, Mike Qaissaunee and I recorded a podcast on TOM-Skype. Last month I blogged about a report titled BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform. The report was published on Oct 1, 2008 by Nart Villeneuve and the Information Warfare Monitor. Villeneuve is CTO of psiphon inc and the psiphon research fellow at the Citizen Lab, Munk Centre for International Studies, University of Toronto. In this 25 minute and 21 second podcast we discuss the report, confidentiality and security issues with TOM-Skype, the Chinese version of Skype.

Here's a list of questions asked during the podcast:

Can you tell us a little more about this report?


How about some background on Skype in China?


How about some details from the report?


You said these are publicly accessible servers - can others besides the Chinese access these servers?


Can you review the major findings from the report?


What kinds of questions has the report raised?


How does the report say the censorship actually works?

How about some detail on those servers?

The report claims it may be possible to map users' social networks using the logged information. Can you explain?

How has Skype responded?

Here's how you can get the answers:

To read show notes and listen to Mike Q and my 25 minute and 21 second podcast (Sept 2006) titled China and TOM-Skype, click here.

Listen to it directly in your web browser by clicking here.

If you have iTunes installed you can subscribe to our podcasts by clicking here.

Wednesday, October 22, 2008

China’s TOM-Skype Platform Analysis

Earlier this month Nart Villeneuve and the Information Warfare Monitor released an interesting joint report titled BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform. Villeneuve is CTO of psiphon inc and the psiphon research fellow at the Citizen Lab, Munk Centre for International Studies, University of Toronto. His research focuses on International Internet censorship and the evasion tactics used to bypass Internet filtering systems.

In the report Villeneuve takes a look at confidentiality and security issues with TOM-Skype, the Chinese version of Skype. If you are not familiar with Skype, it is a software application users download and install on their computers. Once installed it allows users to make free computer-to-computer voice calls over the Internet. In 2004, Skype connected with TOM Online, a large wireless provider in China. The two companies put together a Chinese version of Skype called TOM-Skype and released it to the Chinese public.

Shortly after TOM-Skype’s release in 2006, human rights groups started to question the application's security practices, and several accused the company of censoring chat. Here’s a piece from Villeneuve’s report:

Human rights groups criticized Skype, suggesting that the company was “legitimizing China’s system of censorship”, while others suggested that TOM-Skype contained Trojan horse capabilities that could be used for surveillance by the Chinese Government.

Skype responded to those criticisms stating:

The text filter does not affect in any way the security and encryption mechanisms of Skype.

Full end-to-end security is preserved and there is no compromise of people’s privacy.

Calls, chats and all other forms of communication on Skype continue to be encrypted and secure.

There is absolutely no filtering on voice communications.

Skype also said that censored messages are simply discarded and not displayed or transmitted anywhere. Villeneuve’s current report challenges these statements, documenting and questioning the security practices of TOM-Skype. Major findings from his report include:

The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.

These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.

The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.


Analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

The report is both upsetting and fascinating. It includes a technical section describing how Villeneuve believes the content is being censored and logged and how security and privacy are being breached. In the report foreword Villeneuve says:

The lessons to be drawn from this case are numerous and issues of corporate social responsibility will be raised. If there was any doubt that your electronic communications – even secure chat – can leave a trace, Breaching Trust will put that case to rest.

This is a wake up call to everyone who has ever put their (blind) faith in the assurances offered up by network intermediaries like Skype. Declarations and privacy policies are no substitute for the type of due diligence that the research put forth here represents.

This is an excellent case study that could be used (for example) in a networking, Internet security or policy course. The entire 16 page report can be downloaded in PDF format here.

Tuesday, August 21, 2007

Internet Disruptions: Skype, Microsoft and Shotguns

On Thursday, August 16, Skype users experienced a critical disruption. The disruption was the result of a massive restart of Skype user computers around the world within a very short period of time. The reboot was the result of a series of Microsoft update patches that required a reboot. According to the Skype press release:

"The high number of restarts affected Skype’s network resources. This caused a flood of log-in requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact".

"Normally Skype’s peer-to-peer network has an inbuilt ability to self-heal, however, this event revealed a previously unseen software bug within the network resource allocation algorithm which prevented the self-healing function from working quickly. Regrettably, as a result of this disruption, Skype was unavailable to the majority of its users for approximately two days".

The press release continues:

"The issue has now been identified explicitly within Skype. We can confirm categorically that no malicious activities were attributed or that our users’ security was not, at any point, at risk.

This disruption was unprecedented in terms of its impact and scope. We would like to point out that very few technologies or communications networks today are guaranteed to operate without interruptions".

I've been away on vacation and have not been as connected as I usually am - as a result the outage did not really affect me. I do use Skype frequently and if I had been in the office it would have caused some problems. I find it interesting, and a little disturbing, that one of the first things Skype clarifies in the press release is the fact that the outage was not caused by any "malicious activities".

On Monday there was another incident that caught my attention - someone has been shooting (with a gun) fiber optic cables in the Cleveland area. As a result, Internet service providers in the entire country experienced a slowdown. You can read the Network World gunfire piece here. Here's a couple of quotes from the piece:

TeliaSonera AB, which lost the northern leg of its U.S. network to the cut, said that the outage began around 7 p.m. Pacific Time on Sunday night. When technicians pulled up the affected cable, it appeared to have been shot. "Somebody had been shooting with a gun or a shotgun into the cable," said Anders Olausson, a TeliaSonera spokesman.

The company declined to name the service provider whose lines had been cut, but a source familiar with the situation said the lines are owned by Level 3 Communications Inc.

Within the last week we've had both upper layer and physical layer major Internet disruptions. It certainly makes me think twice about our communications vulnerabilities.

Saturday, July 14, 2007

Some Interesting Skype Alternatives

Network Computing recently published a piece evaluating 6 Skype Alternatives here. Each alternative adds enhanced features that Skype currently does not offer. Here's the list:

Grand Central - This product allows you to select one phone number and link up to six phone numbers you enter into your user profile. For example, you can set your Grand Central account to ring both your office phone and your cell phone. The one you pick up is the one that connects the call.
Grand Central was acquired by Google a few days ago (Mike Q was the first to tip me off) and is currently taking number reservations on their website.

TalkPlus - TalkPlus is sort of the opposite of Grand Central - it allows you to have several phone numbers that all ring to one phone. TalkPlus is inexpensive but not free. They currently offer numbers in 32 different countries, and it looks like an especially great product if someone has relatives in other parts of the world.

Jajah - I've blogged on Jajah in the past - see link here. Jajah provides a paid service that allows calls to be routed to landline/cell to landline/cell in many parts of the world without long distance fees. Here's how it works: Let's say I'm a Jajah customer and I want to call my brother who is living in London. I log into my Jajah account at jajah.com, enter my brother's landline or cell number and my landline or cell number. Jajah makes the connection and rings my phone and then my brother's phone over connections that are local to each of us.

Talkster - Talkster's paid service provides calls from phones to voice-enabled instant-messaging services like GoogleTalk and Yahoo IM. One of the neat things about Talkster is that it allows you to see your friends' presence (whether or not they are on IM) using your mobile phone browser.

Jangl - Jangl is a currently free service (even for international calls) that works similarly to Jajah - it connects phone network end-points. The difference is Jangl does not require that you know the number you want to call. Jangl uses semi-permanent phone numbers and allows people who don't know your permanent number to call you.

Jaxtr - Jaxtr is similar to Jangl with a flashier user interface. It is also currently a free service for domestic and international calls. Both Jangl and Jaxtr's anonymity features cater to the "social networker" market.

Each of these products offers features and functionality beyond current Skype offerings - it will be very interesting to see what Google does with Grand Central.

*****
Listen to Mike Q and my latest podcast "One Week with the iPhone" linked here.

Thursday, July 12, 2007

Skype Everywhere

There have been a couple of interesting Skype product upgrades/releases over the past few days.

The first is SoonR Talk, an AJAX enabled application that allows Skype to run on the iPhone and other mobile devices.

The second is the release of Skype on the Nokia N800 Internet tablet. The small hand-held device connects to available Wi-Fi networks that we're all finding just about everywhere these days.

Here's a Yahoo News quote from Gartner analyst Elroy Jopling:

"We will see more Skype and similar free Wi-Fi phone services moving into mobile devices in the U.S. and Europe, he said, although Europe could adopt it more quickly. However, he said he expects to see "mobile operators put up as many roadblocks as they can" in both places".

Both of these products allow free Skype voice calls from anywhere to anywhere with Wi-Fi access.

I'll be finishing my Day 2/3 NCTT Conference blog tomorrow - the Conference was EXCELLENT!
