Sunday, August 19, 2007

Skype and the outage...

It is pretty possible according to mathaba.net:

Is it considerable coincidence, or a sign of modifications which would inevitably be difficult to execute without significant disruption?

Around 2 weeks ago the Bush administration pushed through Congress a law to bolster the government’s ability to intercept electronic communications without a court order.

The so-called Protect America Act, which passed both the House and Senate by wide margins just before Congress went on its August recess, allows the government to intercept the phone calls and e-mails of people in the United States who communicate with people overseas, and for the first time, allows the government to intercept communications between foreigners which are merely routed through the United States, as well as conversations of Americans traveling abroad.

The new law expanding the government's spying powers gives the Bush Administration a six-month window to install possibly permanent back doors in the nation's communication networks.

Prior to the law's passage, the nation's spy agencies, such as the National Security Agency and the Defense Intelligence Agency, didn't need any court approval to spy on foreigners so long as the wiretaps were outside the United States.
Now, those agencies are free to order services like Skype, cell phone companies and arguably even search engines to comply with secret spy orders to create back doors in domestic communication networks for the nation's spooks. Other nations like Australia have similar legislation in place already or on the books.

Skype presents a challenge to spooks, not so much because of its alleged encryption which could possibly be broken by backdoor access or weaknesses in a system that has not received much independent review and is updated almost daily, but because of its essential peer-to-peer (P2P) nature which makes monitoring of communications more difficult.

To enable compliance with the new U.S. laws, which also include that the service providers such as Skype are not allowed to report these activities and are to be immune from prosecution claims for example for violation of the U.S. constitutional or legal rights to privacy, it would be necessary to ensure that the Skype super-nodes are upgraded with software modifications to ensure more centralised routing and easier access to monitoring.

The fact that Skype has not had a serious outage in many years of operation until just two weeks after the passage of this new law could be mere coincidence, but otherwise could point to just such upgrades and modifications having been performed, and gone wrong. Messing with the Skype super nodes is no light matter, and the Skype P2P technology developed in Estonia was a closely guarded secret. U.S. company eBay, which also owns PayPal, faces allegations of compromise on security and privacy issues. It purchased Skype for some 5 billion dollars last year.

Most of the original Skype programmers have since left the company and changing the P2P algorithms to allow compromise could be a tricky and risky business whilst around 8 million users are online, and may have simply gone wrong. The choice of words by Skype in revealing its problems - software and "algorithms" - also lends credence to this theory: algorithms are typically used in automated encryption systems.

The original Skype protocol which had received an independent review and generally received the thumbs up for security implementation has long since been modified hundreds of times with automatic updates to most clients now being in force, thus there would be nothing to guarantee that those systems had not since been hopelessly compromised.

Skype's C.E.O. had promised an interview with Kurt Sauer for Mathaba News last year, but the interview never materialised. Several attempts were made to establish communication, but were ignored. When it was brought to his direct attention that a company with significant Israeli involvement was compromising the security of Skype users' passwords, no response to the concerns was given and the company in question progressed to be an integral part of the Skype extras included for download.
