Beware eBay bearing Skype
Ominous security omens
One of my stranger hobbies is collecting interesting and weird anecdotes I find in the news. I have a few areas that always fascinate me, such as finding people who miraculously escape certain death, or items about human memory and cognition, or eccentric individuals who embody some strange aspect of the human condition.
Some of my favorites, though, are the stories of folks who lose something and then have it returned to them, years or sometimes decades later.
- A German man lost his suitcase in 1979 while traveling in Senegal. Twenty-four years later, police in Dusseldorf found his luggage and notified the 61-year-old. At first he didn't want to reclaim the suitcase, since it was stocked full of disco-era clothing that he didn't want to see, but his wife convinced him to go ahead and be a sport. There was no word on how well the orange leisure suit fit.
- A fourth-grader at Connoquenessing Elementary School in Butler, Pennsylvania, sent a laminated card aloft in the 1980s by attaching it to a green balloon. The note asked the finder to send it back to the school. Twenty years later, a farmer named Robert Brindle, who lived about 170 miles away from Butler, sent the card to the school, who passed it along to the now 30-year-old man who had launched it years earlier.
- Lisa Tonks, of Peru, Indiana, was vacationing with her family at Yellowstone National Park in the 1980s when she lost her wallet. Twenty years passed as the wallet sat in a police evidence room gathering dust. A police technician saw the wallet, noticed the Social Security card in it, traced the number to Tonks, and sent the wallet back to the grateful woman ... along with the $177 that had remained safely in it for two decades.
Those are great stories (readers who are aware of more, feel free to send 'em my way!), but in each case, someone loses something, only to regain it again, long after they'd given up hope of ever seeing it again. Of course, these are the exceptions. I lost my wallet about twenty years ago in a movie theater in Kansas City, Missouri, and I've never heard tell of it since. But that's nothing: I've lost shoes, umbrellas, books, pictures, CDs, sunglasses, and even underwear (don't ask). None of it has ever made its way back to me.
The big story in the news over the last week or so hasn't been about a loss, however - it's been about a gain. eBay agreed to purchase Skype, a peer-to-peer-based Voice over IP (VoIP) app, for a whopping $1.3bn in cash and $1.3bn in stock, with another $1.5bn to come down the road if Skype met financial targets by 2008. VoIP has been in the news a lot in recent months, with Microsoft buying Teleo, Google rolling out Google Talk, Yahoo! acquiring Dialpad, and even AOL introducing a new service designed to let users make phone calls over the net. Now eBay is joining the party by snapping up Skype.
I'm not really interested in why eBay bought Skype (although I'm pretty sure it's to make it easier for bidders to contact sellers) or whether the auction giant paid too much money (the general consensus seems to be: "Oh yeah!") for a company that has made $60m this year but has yet to post a profit. I'm more interested in what the purchase of Skype means for security.
What's that you said?
Skype has many things going for it. Among the various software-based VoIP apps (which thereby excludes hardware-based offerings like Vonage from consideration), Skype probably works the best in terms of computer-to-computer, computer-to-land line, and computer-to-cell based calling. It's easy to set up and use, and it works on Windows, Mac OS, and Linux boxes. Skype also provides more than just VoIP, with IM and file transfer also available. I've used it quite a bit, and overall, I've been happy with its sound quality, as have many other people, given that the program has been downloaded more than 100 million times. It has more than 52 million registered users (among those two million paying customers), and well over three million people are online and using the program right now, as I'm typing this column.
But that doesn't mean that Skype is perfect. Far from it. Skype claims that it uses strong encryption to protect phone calls, IM messages, and file transfers:
"Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates."
Here's the problem with that statement: since Skype is an insistently closed source program - and one that additionally uses a proprietary protocol, but I'll get to that in a moment - we have no way of verifying Skype's security. We simply have to take them at their word that their encryption works. For such an important program, that's quite a problem. I'm just not sure how safe I feel when Skype says: "Trust me - everything's going to be fine."
That's bad enough, but now Skype is going to be owned by eBay. I know that lots of people just loooove eBay. I use them myself, most recently to enhance my Li'l Abner comics collection, but I'm careful about the information I give them. Why? Well, it seems that there are three kinds of companies: those that fight for customers' privacy in the face of the demands of law enforcement; those that require some sort of official, constitutionally-mandated documents - like, oh, say, a warrant or subpoena - before handing over customer info to the cops; and eBay.
Think I'm being a little harsh on eBay? At the CyberCrime 2003 conference, Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials:
"I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.
We do not require a subpoena except for very limited circumstances. We require a subpoena when we need the financial information from the site, credit card info or sometimes IP information. ...
So, that really opens the door for us. That means that what our policy is that if you are law enforcement agency you can fax us on your letterhead to request information: who is that beyond the seller ID, who is beyond this user ID. We give you their name, their address, their e-mail address and we can give you their sales history without a subpoena. ...
We will probably tell you too that you might want to get a subpoena because we are looking for credit card info and you ask that. ...
We also do other things to facilitate your investigation by looking and doing some searches around on our own, typically to see if there are some other user ID's associated with that thing. ...
We are doing a lot of work with law enforcement agencies."
I'm nearly speechless after reading Sullivan's comments. Think about what he's saying: if eBay receives a fax on official letterhead (not that that would ever be faked, oh no) - just a simple fax, mind you, just a fax, unaccompanied by a court order - it will gladly fork over the following info about you, or any other eBay user:
- Full name
- User ID
- Email address
- Street address
- ZIP code
- Phone number
- Secondary phone number
- Shipping information (including name, street address, city, state, ZIP)
- Bidding history on an item
- Items for sale
- Feedback left about the user
- Bidding history
- Prices paid for items
- Feedback rating
- Chat room and bulletin board posts
Understatement of the week: that is one hell of a list! It's long, it's scary, and it's troubling. So what do we have? Software that says it's completely secure, but without a good way to verify that claim, now owned by a company that will basically give up an astonishing amount of personal information about you at the slightest peep from the authorities. This looks and smells bad. It's a questionable act to trust your personal and business phone calls, instant messages, and file transfers to Skype already, but it seems almost the height of foolhardiness to do the same now with a Skype owned by eBay.
So is there any alternative to Skype? Sure! In particular, I'm keeping my eye on Gizmo Project. Sure there are similarities: both are easy to use, install on Win/Mac/Lin, utilize encryption (although so far we don't know what kind of encryption scheme Gizmo Project is using), and enable users to make calls to and receive calls from landline and cell phones (both are also closed source, although it appears that portions of Gizmo will be open sourced, so we'll be able to verify at least part of what Gizmo Project says about itself). However, Gizmo Project differs from Skype in several key ways. Where Skype uses its own proprietary protocol, Gizmo Project uses the open SIP (Session Initiation Protocol) standard (and it now supports the open Jabber protocol for IM). But here's the biggie: where Skype only allows free VoIP calls to other Skype users, Gizmo Project is committed to interoperability, so that it will be able to interconnect with any SIP-compatible VoIP system. Gizmo Project isn't anywhere near finished yet, but it is good enough to test, and if its current status is any indication, it's going to be one to contend with... especially if the new eBay Skype is as problematic as I'm worried it will be.
Of course, these other services are not perfect. Skype is decentralized thanks to its peer-to-peer nature, which makes it somewhat harder to track and wiretap, while most of the other services - like Gizmo - are centralized around a few servers. If the US FedGov really wants to, it'll be a lot easier to set up some sort of Carnivore-type server in place that looks at all traffic used by those services. Encryption sure helps in that scenario ... until your phone call hits the PSTN (Public Switched Telephone Network), or the boys up in Washington start demanding a back door key. And guess what? The title of this FCC press release, dated 5 August 2005, says it all: FCC Requires Certain Broadband and VoIP Providers to Accommodate Wiretaps (110 kb PDF). Gulp.
Things are about to get very interesting in the VoIP world. There are simply too many 800 pound gorillas - both corporate and governmental - throwing their weight around. As security pros, we need to watch this space, while insisting on a few basic principles: openness, support for standards, and interoperability. If eBay goes down the wrong path with Skype, we need to move ourselves - and our friends, families, and business associates - to a more open, yet secure, alternative. If we don't keep our eyes - and ears, naturally! - open, we could find, after a few years, that we've lost something special, and there's no possibility of getting it back.
Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing web applications for corporate, educational, and institutional clients.