Author Topic: Proofed! Microsoft is actively scanning Skype traffic and uses the data  (Read 9314 times)

JoTo

Hi there,

What we all suggested and accepted when we signed up for a Skype account is now proven by the German team of "heise". It is not only a paragraph in the EULA of Skype, but Microsoft is actively scanning Skype traffic for HTTPS URLs and visits the collected URLs automatically shortly after they have been posted.

Neither MS nor Skype wanted to declare why this is done and what is done with the collected data furthermore. They both hide themselves behind ridiculous statements about "this is for security reasons to protect our users from SPAM". Ha, ha, ha! What do these companies think how dumb we are that we believe such crap?

Anyone who uses Skype has consented to the company reading everything they write. The H's associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond.

Read the full article here:
German page: http://www.heise.de/...est-mit-1857620.html
English page: http://www.h-online....u-write-1862870.html

As they try to hide this and conjure up excuses, it proves to me they have dishonest plans with the data. So give these criminals a big BOOOOOOOOHHHH or better some false HTTPS URLs to keep their servers busy and leading them to virus pages that let their servers explode! :(

Greetings
JoTo

Curt

"this is for security reasons"
-ha! What do these companies think how dumb we are?

I cannot answer your quoted question, but the scanning really is for security reasons.

JoTo

Hi Curt,

Aha, and why, as the article states too, don't they scan normal HTTP URLs then too? They just scan HTTPS URLs. So spammers, scammers, phishers signed a codex to only use HTTPS connections?  :)

Greetings
JoTo

Jibz

Even if their motives are honorable, there are situations where this policy could be problematic -- imagine posting a link to pay-per-view content, or posting an activation link for an account or a subscription service, or how about a link to remove content like the image deletion links imgur has.

ewemoa

Mmm, I like those examples, Jibz :up:

JoTo

Hmmm, seems Jibz had a lot of coffee lately. He is sooooo creative in finding good points and samples I never thought of.  ;D

Greetings
JoTo

f0dder

According to ZDNet, only HTTP HEAD requests are sent (i.e., the page itself isn't actually fetched, only meta-information is returned) - and you'd have to be dealing with a REALLY retarded site to trigger any actions (but OK, there's plenty of sites retarded enough to trigger non-idempotent actions even on GET).

There's also this piece in the article:
Update: And contrary to heise Security's assertion, I found many examples of plain HTTP links that had been scanned by SmartScreen.

So, that leads me to another quote:
You can put that tinfoil hat away, at least for now.

Anyway, you obviously aren't discussing anything sensitive using a proprietary IM protocol, just like you don't discuss those things over Facebook, plaintext email, and anything non-HTTPS... right? Oh, and this whole thing is pretty much a non-issue anyway, considering you've agreed to the TOS which means your messages are stored for some random period of time on Skype's servers. Not that even the TOS would matter, Patriot Act and all.
- carpe noctem
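
The point raised in the posts above, that a link visited automatically can trigger an action if the site acts on GET, shown as an added example that is not part of the thread. `ActivationLinks`, `act_on_get` and `scanner_then_user` are hypothetical names and the service is a constructed toy; it contrasts a handler that consumes a one-time token on GET with one that only acts on an explicit POST.

```python
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # "safe" methods in HTTP semantics

class ActivationLinks:
    """Constructed toy service: one-time account-activation links."""

    def __init__(self, act_on_get):
        self.act_on_get = act_on_get   # True = the fragile design
        self.pending = {}              # token -> account name
        self.activated = []

    def issue(self, account):
        token = secrets.token_urlsafe(16)
        self.pending[token] = account
        return token

    def _consume(self, token):
        account = self.pending.pop(token, None)
        if account is None:
            return 410, "link unknown or already used"
        self.activated.append(account)
        return 200, account + " activated"

    def handle(self, method, token):
        """Return (status, body) for a request to the activation URL."""
        method = method.upper()
        if method == "GET" and self.act_on_get:
            return self._consume(token)            # state change on a safe method
        if method in SAFE_METHODS:
            if token not in self.pending:
                return 410, ""
            # No state change: HEAD gets no body, GET gets a confirmation form.
            form = "<form method='post'>Confirm</form>"
            return 200, ("" if method == "HEAD" else form)
        if method == "POST":
            return self._consume(token)            # only an explicit submit acts
        return 405, ""

def scanner_then_user(service, scanner_method):
    """Automated visit first, then the real recipient; returns what the user ends up with."""
    token = service.issue("alice")
    service.handle(scanner_method, token)          # unannounced automated visit
    status, _ = service.handle("GET", token)       # recipient clicks the link
    if status == 200 and not service.act_on_get:
        status, _ = service.handle("POST", token)  # recipient confirms
    return status, list(service.activated)
```

With `act_on_get=True`, a HEAD visit leaves the token intact but a GET visit uses it up before the recipient arrives; with `act_on_get=False` neither kind of automated visit changes anything.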

Stoic Joker

...So you're saying I shouldn't (live) Tweet about tomorrow's bank robbery for at least a week then?

 :D

app103

When you consider that a lot of businesses are using Skype for communications between employees, handling their customer service, etc., and could be handling data that is supposed to be confidential, subject to NDAs, etc. this is not good.

Stoic Joker

When you consider that a lot of businesses are using Skype for communications between employees, handling their customer service, etc., and could be handling data that is supposed to be confidential, subject to NDAs, etc. this is not good.

Outside the rather brilliant sarcasm, I'm pretty sure that was f0dder's point. I've seen tons of different companies that use Yahoo Messenger for *FacePalm* "Internal Messaging"..

f0dder

Outside the rather brilliant sarcasm, I'm pretty sure that was f0dder's point. I've seen tons of different companies that use Yahoo Messenger for *FacePalm* "Internal Messaging"..
-Stoic Joker (May 16, 2013, 07:16 PM)
Indeed.

Anyway, sarcasm aside, I'm honestly not sure what to think of the URL-scanning. As mentioned above, it doesn't really matter in the face of the Patriot Act, and the TOS that states they record your messages for 30-90 days (or whatever). And there's plenty of valid reasons for helping John & Jane Doe (the main demographic of Skype & MSN, I'd guess?) against malware - and HTTP HEAD is pretty harmless (dunno how it helps identify malware spreading sites, but ho humm).

Oh well, I guess this was a wake-up call for some. It's not like there weren't wiretap abilities in Skype before MS bought it, at least now it's sorta kinda semi-official.
- carpe noctem