i've got another question: why doesn't the EFF have a comments section on their articles? it's fucking irritating that i can't interact with the author of the article and have to do this on HN.
skype uses "supernodes", i.e. machines with fixed ip addresses, to effect its udp hole-punching to get p2p comms links working. iirc, the architecture of skype is such that supernodes also handle the key exchange (kex) between peers, which is more than a bit dodgy imo.
the kex should occur directly between the two hosts independent of the supernode, but i recall that this has been their architecture for many years, meaning skype can eavesdrop on any chat/call they choose by manipulating the supernodes. the main change that occurred when MS bought skype was that the supernodes were moved from being presumably-arbitrary hosts with fixed ips to hosts controlled directly by MS. since MS controls the nodes where both udp hole-punching _and_ kex occur, they can trivially MITM comms.
i wouldn't be one bit surprised if skype has been owned by intel services for many years. being literally owned by MS only makes this process easier and avoids involving foreign nationals.
I'm the author of the original article and I'm happy to receive e-mail at my EFF address (as another commenter pointed out, you can find my staff information page by clicking on my name there).
The focus of my post is the legal uncertainty about why Microsoft may not be able to improve the cryptographic privacy of Skype (even if they accepted our view that they ought to). Microsoft's recent statement seem to suggest Microsoft thinks there are now (or will soon be) legal considerations limiting its ability to protect users' privacy.
I'm aware of the key exchange problem and, in fact, the (lack of a) way for users to verify keys is the particular kind of anti-eavesdropping protection that my article calls out. I don't think that the supernode architecture or Microsoft's changes to it necessarily made a major qualitative change to Skype's privacy properties. Microsoft made a blog post at the time of the architectural change, and again recently, denying that wiretapping was the motivation for the changes. It's possible that the changes made wiretapping Skype calls easier even if that wasn't the motivation for making them.
According to the 2005 report, Skype effectively functions as a CA for its users, but there is no way for the users to check whether the CA's statements are accurate.
howdy seth. it's nice to see people calling out skype since i think it likely the service has been co-opted for many years, long before they are listed as having participated with PRISM. i stopped using it for anything but "casual" comms back in ~2005.
as you point out, your focus is on the legal nature of improving the encryption. you mention CALEA, which i'm quoting here for clarity
"A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
you are right to point out that skype, under the current laws, is not likely to be considered a "telecommunications carrier". however, they do provide a bridge to the PSTN and this may be part of the legal issue. i suspect they are referencing the yet-to-be-public CALEA II, which may very well require services like skype to be preemptively backdoored for the FBI, etc.
i see skype's current backdoor situation and their comments that you cite as more of a PR/damage control dance than anything. none of the companies that participated in PRISM did/can admit their participation. everyone who does cooperate with the intel services is going to concoct some reason they "had" to cooperate, whether it's true or not.
to me, all of this PRISM and CALEA II nonsense is a reminder that unless a software product is open source, you're unlikely to have any kind of guarantee or expectation of privacy.
Personally I'm relieved that the eff does not have public comments on articles, people find them from search engines, news site, and shouty blogs often - could you imagine the signal to noise?
skype uses "supernodes", i.e. machines with fixed ip addresses, to effect its udp hole-punching to get p2p comms links working. iirc, the architecture of skype is such that supernodes also handle the key exchange (kex) between peers, which is more than a bit dodgy imo.
the kex should occur directly between the two hosts independent of the supernode, but i recall that this has been their architecture for many years, meaning skype can eavesdrop on any chat/call they choose by manipulating the supernodes. the main change that occurred when MS bought skype was that the supernodes were moved from being presumably-arbitrary hosts with fixed ips to hosts controlled directly by MS. since MS controls the nodes where both udp hole-punching _and_ kex occur, they can trivially MITM comms.
i wouldn't be one bit surprised if skype has been owned by intel services for many years. being literally owned by MS only makes this process easier and avoids involving foreign nationals.