Wednesday, Jun 01, 2011
But someone else was listening in -- Egypt's security service.
An internal memo from the "Electronic Penetration Department" even boasted it had intercepted one conversation in which an activist stressed the importance of using Skype "because it cannot be penetrated online by any security device."
Skype, which Microsoft Corp. is acquiring for $8.5 billion, is best known as a cheap way to make international phone calls. But the Luxembourg-based service also is the communications tool of choice for dissidents around the world because its powerful encryption technology evades traditional wiretaps.
Throughout the recent Middle East uprisings, protesters have used Skype for confidential video conferences, phone calls, instant messages and file exchanges. In Iran, opposition leaders and dissidents used Skype to plot strategy and organize a February protest. Skype also is a favorite among activists in Saudi Arabia and Vietnam, according to State Department cables released by WikiLeaks.
In March, following the Egyptian revolution that toppled President Hosni Mubarak, some activists raided the headquarters of Amn Al Dowla, the state security agency, uncovering the secret memo about intercepting Skype calls. In addition, 26-year-old activist Basem Fathi says he found files describing his love life and trips to the beach, apparently gleaned from intercepted emails and phone calls.
"I believe that they were collecting every little detail they were hearing from our mouths and putting them in a file," he says.
A cottage industry of U.S. and other companies is now designing and selling tools that can be used to block or eavesdrop on Skype conversations. One technique: Using special "spyware," or software that intercepts an audio stream from a computer -- thereby hearing what's being said and effectively bypassing Skype's encryption. Egypt's spy service last year tested one product, FinSpy, made by Britain's Gamma International UK Ltd., according to Egyptian government documents and Gamma's local reseller.
Peter Lloyd, a lawyer for Gamma, declined to discuss the testing but said the company didn't sell the product to the Egyptian government. "Gamma International UK Ltd. cannot otherwise comment upon its confidential business transactions or the nature of the products it offers," he said.
Adrian Asher, Skype's chief information security officer, says his company can't prevent these technologies from compromising its service: "Can we control [spyware] taking an audio stream off the speakers or the microphone? No, there is nothing we can do."
He describes Skype's emergence as a tool for dissent as an accident. "I don't actively create a product that is useful for the dissidents of the world," he says. "While I guess it's a happy by-product, I can't give them any assurances."
Dissidents are discovering other potential vulnerabilities in using Skype. This month, rebels in Libya found what appeared to be spyware they say was being distributed via their Skype contact lists.
The Wall Street Journal asked security company Symantec Corp. to analyze the file, which turned out to be a "remote access tool" that could let an outsider remotely eavesdrop on audio and capture keystrokes.
Symantec said the file is being distributed on a website named after the date the Libyan protests began. Still, the file's origins aren't clear. "The actual attacker could be anywhere in the world," says Symantec's Kevin Hogan.
In China, Skype users are subject to censorship. To enter the Chinese market in 2004, Skype agreed to a unique arrangement in which a special version of its software there filters users' text chats and blocks politically sensitive keywords. Skype operates in China through a partnership with TOM Online, a unit of Hong Kong-based TOM Group Ltd., which provides the filtering technology, according to Skype.
"TOM Online, like every service provider, has an obligation to be compliant with applicable laws and regulations," Skype said in a statement. "It is possible that chat messages sent to or from a TOM-Skype user in China may be subject to archiving and monitoring."
A 2008 study by the Citizen Lab, a research center at the University of Toronto, found serious security and privacy breaches in the Chinese Skype service that it said suggested it was being used for "widespread and systematic surveillance" of "dissidents and ordinary citizens." Researchers found that TOM Online had captured millions of records of text chats and voice calls, including users' personal information, and kept them on publicly accessible servers.
Skype said afterward that the security breach had been fixed. Li Xiuli, TOM Online's marketing director, now says the company doesn't monitor or record any of its users' communications or personal information.
However, in a recent filing with the U.S. Securities and Exchange Commission, Skype said TOM Online's filtering technology "allows instant messages to be filtered and stored along with related data based on content." Skype added that it understands its joint venture "is obligated by the government to provide this filtering and storage."
In some countries, including Oman, Egypt, Iran and the United Arab Emirates, Skype is blocked or partially blocked, although such efforts often aren't effective. Several western companies, including Boeing Co.'s Narus Inc. and Bitek International Inc., both in California, and the German firm Ipoque GmbH, sell sophisticated products that can detect Skype traffic and allow networks to block it. The companies all declined to discuss their foreign customers.
"If requested to do so, we can completely stop it from working on a country-wide level," says Graham Butler, Bitek's chief executive. He says Bitek also can capture Skype traffic and turn it over to governments for analysis.
Countries sometimes say they block Skype because its free or low-cost calls cut into the revenue of local phone companies. But a secret 2009 State Department cable from the American embassy in Oman -- where Skype isn't authorized -- notes that "the unstated and likely more significant rationale. . .may be that such services are out of reach of the listening ear of the government." The cable was made available to certain media outlets by WikiLeaks and reviewed by The Wall Street Journal.
Oman's Telecommunications Regulatory Authority confirmed that Skype isn't authorized in part because it "does not meet the requirements of legal interception in Oman."
The emergence of Skype as a tool for dissidents marks another odd twist in the service's short, colorful history. Skype, which now has more than 663 million registered users world-wide, traces its roots to a file-sharing program, Kazaa, that grew popular for exchanging pirated music soon after its launch in 2001.
Kazaa's founders, Niklas Zennstrom of Sweden and Janus Friis of Denmark, hired a group of Estonian programming whizzes to build the software. It used what is known as a "peer-to-peer" design. Users could share files (in this case, music) directly with each other as peers, not relying on a middleman in the form of a centralized server.
Kazaa attracted millions of users but soon faced legal challenges from the music industry. So Messrs. Zennstrom and Friis focused on a new project: building a highly encrypted, peer-to-peer Internet phone service. Again, they tapped the Estonian programmers. In 2003, Skype went live.
Tom Berson, a California cryptographer hired by Skype in 2005 to evaluate its security, says he met the programmers, who told him they grew up when Estonia was part of the Soviet Union and had the perils of "wiretapping in mind" when creating Skype.
"In many products, security is an afterthought, it's kind of bolted on afterwards," Mr. Berson says. "Skype is different in that it was designed in from Day 1."
The main reason Skype included high-level encryption wasn't a fear of wiretapping, says a spokesman for the Estonian programmers. Skype sometimes routes multiple calls through one user's computer and the engineers wanted to make sure that user couldn't eavesdrop, the spokesman says.
Skype is tough to intercept not only because of its design, but also due to its legal status. In the U.S., Europe, and elsewhere, laws require telecommunications providers to install interception capabilities, so police can eavesdrop on criminals if necessary. But Skype doesn't see itself as falling under those laws.
Besides, Skype says it can't intercept calls between Skype users even if it wanted to. That's partly because conversations don't pass through Skype's own computers. In addition, the encryption key for each call is known only to the computers participating in the call, not to Skype itself.
That's a headache for police and spy agencies. In Egypt, the Mubarak regime's secret police fretted about the service in a 2009 internal memo, calling it "a safe and encrypted Internet communication system, to which most extremist groups have resorted to communicate with each other."
The same year, Italian authorities told the European Union that criminals involved in prostitution rings, arms sales and drug trafficking were turning to Skype and similar Internet phone services to evade police. The customs and tax police in Milan reported overhearing a cocaine runner telling an accomplice to use Skype to receive the details of a two-kilogram delivery.
"It's a great tool for the bad guys," says Mr. Butler, the Bitek chief executive. But, he says, "It's not as secure as people think."
(MORE TO FOLLOW) Dow Jones Newswires
01-06-11 0354GMT
When young dissidents in Egypt were organizing an election-monitoring project last fall, they discussed their plans over Skype, the popular Internet phone service, believing it to be secure.
(From THE WALL STREET JOURNAL)
By Steve Stecklow, Paul Sonne and Matt Bradley
But someone else was listening in -- Egypt's security service.
An internal memo from the "Electronic Penetration Department" even boasted it had intercepted one conversation in which an activist stressed the importance of using Skype "because it cannot be penetrated online by any security device."
Skype, which Microsoft Corp. is acquiring for $8.5 billion, is best known as a cheap way to make international phone calls. But the Luxembourg-based service also is the communications tool of choice for dissidents around the world because its powerful encryption technology evades traditional wiretaps.
Throughout the recent Middle East uprisings, protesters have used Skype for confidential video conferences, phone calls, instant messages and file exchanges. In Iran, opposition leaders and dissidents used Skype to plot strategy and organize a February protest. Skype also is a favorite among activists in Saudi Arabia and Vietnam, according to State Department cables released by WikiLeaks.
In March, following the Egyptian revolution that toppled President Hosni Mubarak, some activists raided the headquarters of Amn Al Dowla, the state security agency, uncovering the secret memo about intercepting Skype calls. In addition, 26-year-old activist Basem Fathi says he found files describing his love life and trips to the beach, apparently gleaned from intercepted emails and phone calls.
"I believe that they were collecting every little detail they were hearing from our mouths and putting them in a file," he says.
A cottage industry of U.S. and other companies is now designing and selling tools that can be used to block or eavesdrop on Skype conversations. One technique: Using special "spyware," or software that intercepts an audio stream from a computer -- thereby hearing what's being said and effectively bypassing Skype's encryption. Egypt's spy service last year tested one product, FinSpy, made by Britain's Gamma International UK Ltd., according to Egyptian government documents and Gamma's local reseller.
Peter Lloyd, a lawyer for Gamma, declined to discuss the testing but said the company didn't sell the product to the Egyptian government. "Gamma International UK Ltd. cannot otherwise comment upon its confidential business transactions or the nature of the products it offers," he said.
Adrian Asher, Skype's chief information security officer, says his company can't prevent these technologies from compromising its service: "Can we control [spyware] taking an audio stream off the speakers or the microphone? No, there is nothing we can do."
He describes Skype's emergence as a tool for dissent as an accident. "I don't actively create a product that is useful for the dissidents of the world," he says. "While I guess it's a happy by-product, I can't give them any assurances."
Dissidents are discovering other potential vulnerabilities in using Skype. This month, rebels in Libya found what appeared to be spyware they say was being distributed via their Skype contact lists.
The Wall Street Journal asked security company Symantec Corp. to analyze the file, which turned out to be a "remote access tool" that could let an outsider remotely eavesdrop on audio and capture keystrokes.
Symantec said the file is being distributed on a website named after the date the Libyan protests began. Still, the file's origins aren't clear. "The actual attacker could be anywhere in the world," says Symantec's Kevin Hogan.
In China, Skype users are subject to censorship. To enter the Chinese market in 2004, Skype agreed to a unique arrangement in which a special version of its software there filters users' text chats and blocks politically sensitive keywords. Skype operates in China through a partnership with TOM Online, a unit of Hong Kong-based TOM Group Ltd., which provides the filtering technology, according to Skype.
"TOM Online, like every service provider, has an obligation to be compliant with applicable laws and regulations," Skype said in a statement. "It is possible that chat messages sent to or from a TOM-Skype user in China may be subject to archiving and monitoring."
A 2008 study by the Citizen Lab, a research center at the University of Toronto, found serious security and privacy breaches in the Chinese Skype service that it said suggested it was being used for "widespread and systematic surveillance" of "dissidents and ordinary citizens." Researchers found that TOM Online had captured millions of records of text chats and voice calls, including users' personal information, and kept them on publicly accessible servers.
Skype said afterward that the security breach had been fixed. Li Xiuli, TOM Online's marketing director, now says the company doesn't monitor or record any of its users' communications or personal information.
However, in a recent filing with the U.S. Securities and Exchange Commission, Skype said TOM Online's filtering technology "allows instant messages to be filtered and stored along with related data based on content." Skype added that it understands its joint venture "is obligated by the government to provide this filtering and storage."
In some countries, including Oman, Egypt, Iran and the United Arab Emirates, Skype is blocked or partially blocked, although such efforts often aren't effective. Several western companies, including Boeing Co.'s Narus Inc. and Bitek International Inc., both in California, and the German firm Ipoque GmbH, sell sophisticated products that can detect Skype traffic and allow networks to block it. The companies all declined to discuss their foreign customers.
"If requested to do so, we can completely stop it from working on a country-wide level," says Graham Butler, Bitek's chief executive. He says Bitek also can capture Skype traffic and turn it over to governments for analysis.
Countries sometimes say they block Skype because its free or low-cost calls cut into the revenue of local phone companies. But a secret 2009 State Department cable from the American embassy in Oman -- where Skype isn't authorized -- notes that "the unstated and likely more significant rationale. . .may be that such services are out of reach of the listening ear of the government." The cable was made available to certain media outlets by WikiLeaks and reviewed by The Wall Street Journal.
Oman's Telecommunications Regulatory Authority confirmed that Skype isn't authorized in part because it "does not meet the requirements of legal interception in Oman."
The emergence of Skype as a tool for dissidents marks another odd twist in the service's short, colorful history. Skype, which now has more than 663 million registered users world-wide, traces its roots to a file-sharing program, Kazaa, that grew popular for exchanging pirated music soon after its launch in 2001.
Kazaa's founders, Niklas Zennstrom of Sweden and Janus Friis of Denmark, hired a group of Estonian programming whizzes to build the software. It used what is known as a "peer-to-peer" design. Users could share files (in this case, music) directly with each other as peers, not relying on a middleman in the form of a centralized server.
Kazaa attracted millions of users but soon faced legal challenges from the music industry. So Messrs. Zennstrom and Friis focused on a new project: building a highly encrypted, peer-to-peer Internet phone service. Again, they tapped the Estonian programmers. In 2003, Skype went live.
Tom Berson, a California cryptographer hired by Skype in 2005 to evaluate its security, says he met the programmers, who told him they grew up when Estonia was part of the Soviet Union and had the perils of "wiretapping in mind" when creating Skype.
"In many products, security is an afterthought, it's kind of bolted on afterwards," Mr. Berson says. "Skype is different in that it was designed in from Day 1."
The main reason Skype included high-level encryption wasn't a fear of wiretapping, says a spokesman for the Estonian programmers. Skype sometimes routes multiple calls through one user's computer and the engineers wanted to make sure that user couldn't eavesdrop, the spokesman says.
Skype is tough to intercept not only because of its design, but also due to its legal status. In the U.S., Europe, and elsewhere, laws require telecommunications providers to install interception capabilities, so police can eavesdrop on criminals if necessary. But Skype doesn't see itself as falling under those laws.
Besides, Skype says it can't intercept calls between Skype users even if it wanted to. That's partly because conversations don't pass through Skype's own computers. In addition, the encryption key for each call is known only to the computers participating in the call, not to Skype itself.
That's a headache for police and spy agencies. In Egypt, the Mubarak regime's secret police fretted about the service in a 2009 internal memo, calling it "a safe and encrypted Internet communication system, to which most extremist groups have resorted to communicate with each other."
The same year, Italian authorities told the European Union that criminals involved in prostitution rings, arms sales and drug trafficking were turning to Skype and similar Internet phone services to evade police. The customs and tax police in Milan reported overhearing a cocaine runner telling an accomplice to use Skype to receive the details of a two-kilogram delivery.
"It's a great tool for the bad guys," says Mr. Butler, the Bitek chief executive. But, he says, "It's not as secure as people think."
(MORE TO FOLLOW) Dow Jones Newswires
01-06-11 0354GMT
