Most generous interpretation: this could easily be an old, deprecated API in an enormous, complicated codebase on an engineering team with high turnover.
If Skype wanted to give user data to the NSA, they would send it over from their servers instead of implementing a backdoor that requires the NSA to already already have software on the target's computer (at which point, assuming they managed to get root, they could circumvent whatever protections Skype was using anyway).
Big corporations are, by definition, large complex organizations. There is legal, executive management, developers, ops, etc. Hypothesizing about their actions as a singular entity can over simplify things. I don't know about the specifics in the article, but as a general rule there are a number instances where an intelligence agency may approach only a developer, an ops person, or someone in legal to obtain what they want instead of showing up and serving the corporate entity with a NSL. Saying the organization as a whole could provide data exfiltration much more efficiently by other means, does not rule out the possibility that other techniques could be used instead for various non-technical reasons.
You didn't respond to the substance of his objection. The problem with the "NSA backdoor" hypothesis is that it doesn't make logistical sense: it requires the NSA to already have installed software on the victim's computer. If the NSA has installed software on your machine that it can control, you are going to, in the parlance of our times, "get Mossad'd".
Of course, of course, this is unlikely to be an NSA backdoor. But maybe .... </CK_LOUIS>
i dabbled in this api way back in the past so i may be wrong about its capabilities.
skype used to be EXCELLENT at working in most networks, including "locked down" corporate ones. Network admins used to find it notoriously difficult to "ban" on networks.
so relying on skype to exfiltrate info may serve two purposes:
1) use another program's capabilities instead of reinventing the wheel.
2) hide the fact that some random program is doing network access.
skype could be one of a range of data exfiltration mechanisms with different levels of obfuscation.
> it doesn't make logistical sense: it requires the NSA to already have installed software on the victim's computer.
Well, if you have any of the closed-source companies' software on your system (and by definition, that is +/- 310mio citizens, in the US alone), you are sure to have NSA backdoors on your system. Such backdoors certainly do not require manual intervention for them to be exploited on large scale.
No one outside of the software provider can audited the code, and presumably even they haven't audited the code. Recently there was the source code backdoor that was suspected to had been placed inside Juniper routers by the NSA. If I remember correctly, it wasn't found because it was hidden on a high right column.
The Juniper backdoor was a bit particular in that it was known that the code in question had been developed and distributed by the NSA. It's more of a stretch to accuse every single vendor of proprietary code in the USA of building NSA back doors into their products. It would require the knowing assistance of tens of thousands of people across those companies.
My point was that you don't actually know, and you don't technically need all the vendors. Just the big ones, and there's not really that many. Even more to the point, you don't even need all of the big ones, just the ones on the biggest network, which honestly probably just one vendor on the whole network due to volume purchase discounts and interoperability concerns.
But more to the point, you don't know what's going on in closed source code. It's trust. However the trust can, and has been violated in the past (whether by the provider or by a third party is immaterial). You just don't know. Now that doesn't mean that open source software is immune. I seem to remember there was a backdoor found in the Linux kernel a few years ago. These things happen, but at least it's easier to audit.
Can you give an example of one of these instances? I've heard of this sort of thing outside of the U.S. (James Bond bribes East German clerk to get the microfilm), but I haven't heard of domestic agencies doing this in the U.S.
Isn't it already disclosed in the Snowden documents that Skype has received NSLs?
$600k to a particular airline employee, $1 million for a single parcel worker (this was over a few years).
Also there is the various NSA efforts to insert people into the encryption standards process, as well as use cooperative sources within companies to insert vulnerabilities in the commercial encryption systems:
Also the FBI/Yahoo email program was apparently done by just the CEO, a lawyer, and a few members of the email team. The security team wasn't informed, nor the board.
The DEA program is pretty shocking and a great example, thanks for sharing!
The second one sounds more like an interdiction program, where vulnerabilities are inserted into the devices (this is a thing that was in the Snowden documents). The document gives no details. The highlights on the side are from an NYT journalist, not source material.
I disagree that the last example is an example of that. It's still unclear what the scanning was doing.
First of all, Skype is Microsoft. Second, they're well known to collaborate already. If NSA wanted a Skype feed, they could have it server or client side.
This. It could well have been a backdoor that predates the "superpeer" change MS introduced right after acquisition. Skype was already under pressure from European authorities at the time, to provide intercept capabilities; European criminal networks (mafia etc) were early adopters and everybody knew it.
That collaboration looks like the same mechanism used to adhere to warrants, subpoenas, and NSLs. Do you think that any internet service in the world doesn't have similar mechanisms to comply with law enforcement requests in their home country?
I think you are misleadingly using the word "collaboration".
I also think you have failed to understand the article correctly; there is no reference to client side collection. Take another look.
NKW gave a nice summary of some recent actions. For more historical examples, I highly suggest any of James Bamford's excellent books on the NSA. _The Puzzle Palace_ is a massive tomb, but a very good read. I haven't had a chance to read _Shadow Factory_ yet, but it is in my pile.
In the "Athens" affair, most commentators dismissed CIA involvement saying that if the US gov needed the data, they could just ask.
Well after the investigation went through and some data came out regarding the Vodafone server hack it was clear that the organizations that could pull something like this, there like ... Maybe 5 with CIA the most likely candidate.
So, we like to oversimplify but life is way more complicated.
BTW I think that the Athens affair is one of the top 3 hacking stories that I know of.
While this simple reasoning is appealing, I have to disagree. Both its premises (Skype was peer to peer before MS) and conclusion (MS made it a client-server system because Evil).
- Real peer to peer on internet is not really possible, since most end users are behind NAT. Skype resorts to a number of hole punching techniques, but really only uses STUN/ICE, effectively using super-nodes as relay for sessions. This directly means that all these communication are transiting through a third party, and not peer to peer.
- Super-nodes used to be regular end users (with some simple algorithm to elect as supernode users with high up-time, high throughput. Fun fact: only windows client users were possible super-nodes). This model proved to be too fragile. In case the network falls down (which happened some years ago), then the super-nodes are no longer available, and get instantly DoS when coming back up due to every other node trying to get back. This is a vicious cycle in which the network cannot get back up. So for a long time now (before MS) super-nodes are just backed by Skype-hosted servers in data-centers.
- Thin clients are a real thing in e.g. the african market, where a lot of very old phones are still in circulation, no "apps" are possible. Think of your old Nokia 3310.
- Persistent group chats. Users wanted it.
- And on a more "political" aspect: MS needed to promote its cloud infrastructure (Azure), lower its physical resources fingerprint (get rid of Skype datacenters), and unify its technical stack (Linux/C++ now Windows/C#)
Skype claimed that the move to central servers was because peer-to-peer would not work on smartphones which were becoming their user base.
The old Skype for Windows was really locked and obfuscated. I remember that it would not even start on my PC with a debugger installed, even though it was not running in the debugger.
honestly it amazes me that people still call such interpretations paranoid in a world where information about the rampancy of such programs is readily available, including for this specific application
Edit: it's not paranoia if there's demonstrable history of such things. It's making a reasonable assumption from available facts.
further, all the arguments against this interpretation assume that those introducing security vulnerabilities for surveillance purposes abide by some kind of logic - which by the very nature of such activities they demonstrate that they do not. They (3 letter agencies) want every possible vector of information gathering regardless of the privacy, security, and legal issues that arise.
It seems to me to be a paranoid interpretation because if Microsoft wants to hand Skype-related user data over to the NSA, they'll do so on the server side and not the client side.
Secondly, this is a pretty stupid way of doing it. 'If you use this client identifier than anything goes' seems vastly more like a stupid coding mistake than it does a sneaky covert backdoor into accessing Skype from the local machine.
If I wanted to hand user data over to a 3rd party that tapped the entire backbone, I'd make that user data unencryptable. Why would I want to send Gbps of traffic to that third party? Then everyone would know. If they can just analyze the recorded traffic, none has to know.
Intelligence agencies want as many possible vectors for attack as possible. Especially unknown ones that you are not prepared for them to exploit. Everyone is assuming they wouldn't bother with a client backdoor... That right there is enough reason for them to get a client backdoor!
>further, all the arguments against this interpretation assume that those introducing security vulnerabilities for surveillance purposes abide by some kind of logic
Of course they do. You may disagree with the logic, but it's there. Vectors of intelligence gathering have to be both sufficiently covert and useful for an agency to consider. This vulnerability is neither.
sure! Oh except for the fact that i linked an articule documenting skype specifically catering to NSA surveillance programs, and the NSA having a history of getting software to introduce vulnerabilities they can exploit...
It's the facts that are the problem with your weird theory: this doesn't even make sense as an NSA backdoor. It only works if they've already backdoored your computer.
I think he means 'if nsa were logical actors, they would patch vulnerabilities, not leave them to be exploited by anyone, and they would use NSLs/collaborators/special NSA Voodoo to get their data'.
This idea is built on the assumption that (1) they think their defensive role is as vital as their offensive one, (2) there is plenty of special NSA voodoo to go round. Which is false. In particular, it is better that a hack come from a vendor vuln that anybody could find than from crypto wizardry (e.g. Logjam or signed drivers with md5 collisions).
The NSA did an illogical thing, therefore everything they do is illogical. It is illogical to create a backdoor that requires already owning the machine, therefore the NSA did exactly that.
Exactly right. Skype used to do peer-to-peer connections with nobody in the middle. If you knew how to modify the port forwarding configuration of your router, you could get very high quality connections.
Now, everything goes through Microsoft servers where it can be conveniently wiretapped.
That is not at all a realistic interpretation. This is an 'authentication bypass' for a Skype API for locally executed code. Any even slightly serious attacker who has got to that point has already won - they don't need a 'Skype backdoor'.
Are Mac OS apps unable to debug other applications or generally mess with their process space? If so, like on Windows, then this API is basically a courtesy and not a real security boundary in the first place.
I'm really just going by basic idea that once an attacker can run arbitrary code on your desktop, it's game over. That attacker doesn't gain anything by engineering and organizing some 'backdoor' into Skype, they've already owned you.
There is some basic sandboxing, for example a debugger cannot attach to a running copy of iTunes (but you can start it under gdb and bypass the call that enables the sandbox).
The backdoor allows access to the Skype application which is running in the same environment as the process 'abusing' it.
It's stupid programming and perhaps could be used for convenience by a worm or virus but it does not allow privilege escalation.
Worst case scenario there is a bug in the API that allows privilege escalation, then it might be a sandbox escape, if it is possible to use the API from inside the sandbox which I doubt.
Out of curiosity, why is the API so massive? I have not seen Skype's core features change over ~10 years. I know the architecture has been redesigned but the ability to make calls and send IMs surely goes through an underlying network shim.
Why the rest of it? Is it overengineered? Am I missing something?
I think it's more in Hanlon's razor territory than Ockham's razor. It's absolutely not unheard-of to see deliberate backdoors in a lot of commercial software (usually as some debugging port that the devs didn't think anyone would find), but it's just much more likely that it's a product of incompetence than malice.
The backdoor aside, but using Skype seems to be a real pain recently. It used to be something that offered unmatched quality and service, but with time passing it is lagging behind. Skype on Mac OS X now starts like in 10 seconds and even the shutdown takes 10-15 seconds (on SSD). Video calls are fine, but the fans are quickly 100%. It's funny but the (long unmaintened) Linux skype seems to be better at video calls.
This news only proves that the Skype codebase must be an unmanageable mess. I can undetsrand that. But also it seems that MS is moving to the web version of skype, in the meantime not taking care too much about the native clients.
Calling this a backdoor is an extreme measure. I wasn't able to see any working example, nor any responsible disclosure which seems bad.
Also, if somebody has the ability to run arbitrary code on your machine, I would think that it's game over at that point - backdoor or not. This is not a remote exploitable backdoor it seems.
This is unequivocally a backdoor, by definition. They backdoored their own API for the benefit of their own plugin being allowed to run unauthenticated.
What we can't say is whether this is a backdoor created for nefarious purposes. All we can say is that the backdoor exists and, if we accept that authentication on this API is valuable, then it's an egregious violation of security principles by effectively having some hardcoded credentials which bypass a security layer.
You can wave it away as local-only and claim that if you have code running on the box, it's already pwned, but this is rationalization: this backdoor bypasses a layer of security that is otherwise present. Can an otherwise unprivileged process (e.g. one from another user) call this API? The details are not specified.
I tend to think this looks more like incompetence perpetrated a long time ago and forgotten, but that doesn't make it any less of a back door.
> They backdoored their own API for the benefit of their own plugin being allowed to run unauthenticated.
Well, something with its name.
"Curiously, the actual Skype Dashboard widget does not seem to utilize the backdoor into the Skype Desktop API despite the name "Skype Dashbd Wdgt Plugin"."
How else would you call the possibility to sidestep access controls by setting a specific string as identifier?
> I wasn't able to see any working example, nor any responsible disclosure which seems bad.
First, those two statements kind of contradict each other. Second, from the advisory linked from the article:
10/13/2016 - Vulnerability disclosed to vendor
10/26/2016 - Patch released by vendor
12/12/2016 - Advisory published
> Also, if somebody has the ability to run arbitrary code on your machine, I would think that it's game over at that point.
Yes, it has been game over all the time: People execute arbitrary code on their machines by installing free programs they downloaded from somewhere. But that's not the point. The point is that some application that has control over very sensitive data includes a possibility (to avoid the word "backdoor") to access that data without user-confirmation and alarms, which are otherwise built into the application on a design level.
If it's really malicious and was done with coordination at MS, what would stop them from putting a backdoor in a binary build?
Sure people who build it from source would be protected, but that's still not the majority of users for a product like Skype. I don't get the OSS cause being shoehorned into every conversation.
Yes, or more specifically, because I trust the keys published by the developers are controlled only by the developers, and because I trust the developers to compile correctly.
I've heard rumors that the Skype codebase is a giant mass of unmaintainable code "approaching a singularity" and for this reason alone you wouldn't expect it to be terribly secure. At one time I wondered if I was too paranoid for adding another user account for the sole purpose of running Skype, but I no longer wonder.
That and the fact that OS X security is not fantastic to begin with, and I don't want anything weird showing up in screen sharing with job interviews (say, in search history).
There's always a tradeoff. Windows and Linux can be locked down fairly well but you usually end up wanting to install programs of dubious origin. High-profile Linux distros with security-conscious maintainers are good choices, like Fedora or Debian.
I wouldn't touch Arch with a ten-foot pole, a combination of disastrous design decisions and maintainers that don't take reports of security vulnerabilities in default package configurations seriously has really soured any love I had for the distro once I got past the obnoxious fans and overtly hostile user experience. Arch is the only distro where I've made bug reports for security vulnerabilities and gotten asinine responses like "users should only install this package on trusted networks."
The train of thoughts here is that less common == smaller exposure, therefore less likely to be a target. Also, your statement isn't entirely true, for example, OpenBSD, albeit not being a linux distribution, is a project orders of magnitude smaller, yet with equal, if not greater, focus on security.
Less common = smaller number of victims for the same attack.
The attacker has to make it work for the software combination one is using. That's more rewarding if more people use the same software.
It seems to get worse every release for a long time now. People around me insist on using it but I prefer WhatsApp, Slack and Hangouts for various tasks Skype tries to do.
Super unlikely this is an intentional backdoor. OS X privesc vulns definitely aren't nearly rare enough to come by to justify backdooring software like Skype for local privesc.
The article says the backdoor has been present for "5+ years". Microsoft's acquisition of Skype was completed in Oct. 2011 (just over 5 years ago). Based on the timing, that seems unlikely unless MS's first order of business was to backdoor Skype.
Given the context of this API, it would be of very little value to the NSA. (It is only accessible by applications that are already running on the user's computer, and only provides access to Skype.)
If the NSA wanted to intercept or forge Skype conversations and had access to Microsoft to do so, they would have a much easier time doing so on the server side.
I respond to this link earlier in these comments. The so-called collaboration is of the same nature as any other communications company in the world responds to warrants, subpoenas, etc in their home country.
Despite the tone of the article, there is nothing to suggest that anyone at Microsoft was doing anything more than creating the most cost-effective method to handle requests it was coerced to fulfill.
Alternatives to "collaboration":
1. Deny all requests. Get held in contempt of court. Go out of business.
2. Have dedicated staff to manually dig through every data repository to handle each request in a bespoke manner.
On this specifically, I'm doubtful. The 'backdoor' isn't very high value.
In many other cases technology transfer, joint management/ownership, market access, political favors, lucrative contracts, direct infiltration, nationalist instincts, and bribery are all reasons for Microsoft to work with the NSA and other intelligence agencies. They were caught providing backdoor access along with Google to all outlook (and gmail) emails to the FBI, for example.
No. A backdoor is considered to be deliberate and obfuscated from easy discovery, with the intent to be secret access.
If every system flaw or coding bug is a backdoor, then defects like OpenSSL's Heartbleed would be deemed backdoors, and they're not.
Unless you're wearing a heavy tin foil hat and think the coding mistake for Heartbleed was intentional. I guess I can't dissuade you from that train of thought.
> Unless you're wearing a heavy tin foil hat and think the coding mistake for Heartbleed was intentional. I guess I can't dissuade you from that train of thought.
Are you addressing me personally? What does that have to do with what I said?
> A backdoor is considered to be deliberate and obfuscated from easy discovery, with the intent to be secret access.
When I say it was done intentionally, I mean opening an authentication-less was intentional.
It could be disguised as an access for their own service and the real purpose be mass surveillance, or it could be a simple mistake in a big codebase, but the "door" is definitely not a bug.
Even though nowadays we keep hearing about nefarious backdoors, they used to simply refer to hidden service entrances for software creators, a completely legitimate use.
Why is it that everything either has to be a blatant backdoor or an innocent mistake or tinfoil hat territory? I find it hard to believe that nobody ever wrote a backdoor and took the time to conceal it as an innocent, plausible mistake.
Alright, I'm burnt out and I don't want to think about work for a few mins, so:
I tire of the logic such as "well...what IF...someone...did that intentionally!" Then people think they're smarter than everyone else, using words like sheeple and such.
Shit happens. Merges fail. Teams miss stuff. I once randomly discovered a hole in a web app where data was being leaked from an ajax call without logging in. No conspiracy.
Yes, if I were a 1337 haxxor and I wanted to disguise a commit to, say, Linux for my backdoor I would disguise it as a mistake. Totally right, that would be smart and awesome. I'd have something to say on the next HN post of "What makes a Senior Software Engineer", because a junior engineer would not be this smart.
As an aside, long before the NSA reveals of 2013 there had been reports of back doors in skype. My clock skew causes me to forget how many years ago that was, but I'm gonna say somewhere 2005-2008. As 2013 passed, I thought back on that and laughed.
So yeah, Skype is backdoored. Is this one of them? Perhaps. Or it's yet another big corp fail. Orrrr...getting crazy now....it's a bug, but then it was discovered long ago by smart people and has been exploited. So it wasn't internal conspiracy, just a good find by some NSA dude.
I agree! It's absolutely possible that a clever person would disguise an intentional backdoor as an innocent mistake.
As the two can't be distinguished at first blush, the wise approach is to adopt an innocent-until-proven-guilty approach. Which is to say assume it's an accident until it can be proven intentional. This way, both possibilities are taken seriously without jumping from zero all the way to tinfoil at the drop of a hat.
Maybe I misunderstood the current situation? Of course other services exploiting it isn't intentional, but giving a free pass to one of their own services was definitely intentional?
The article mentions: "the actual Skype Dashboard widget does not seem to utilize the backdoor into the Skype Desktop API despite the name" which, to me, lends more credence to the assumption that this was perhaps a test or a prototype and only included in the shipped version accidentally.
