Is Skype the new Palladium?

February 7, 2005

From Wikipedia on Trusted computing:

Internet freedom advocates characterize a “trusted system” more as a system you are forced to trust rather than one which is particularly trustworthy. As described by trusted computing opponents, the new systems would come at a high cost, by trusting networked computers to controlling authorities rather than to individuals.

The Skype Privacy Policy clearly states that your computer may be used by Skype:

disk space, bandwidth and processing power may be utilized to provide the Skype Services

It further describes how your computer may act as a hub (essentially a server) for use by others:

From time-to-time your computer may become a Supernode… This may include the ability for your computer to help anonymously and securely facilitate communications between other users of the Skype Software…

And Skype of course reassures us that:

The system has been designed so that being a Supernode will not interfere with the normal operations of your computer.

Whew. That’s a relief.

Oddly, the Skype End User License Agreement (EULA) is far less clear on the point:

4.1 Permission to utilize Your computer. In order to receive the benefits provided by the Skype Software, you hereby grant permission for the Skype Software to utilize the processor and bandwidth of Your computer for the limited purpose of facilitating the communication between You and other Skype Software users.

Here they tell us we are granting them permission to use our resources just for the purposes of facilitating the communication between me and other users. Now wait a minute. What’s up with this discrepancy? Letting Skype use my computer to facilitate my own communications is one thing. But it is an entirely different matter to grant permission for Skype to use my private property to facilitate the communications of strangers, communications to which I am not a party.

Forgetting this discrepancy (which itself seems somewhat dubious), the fact is that with Skype as it is today, your computer can become a hub (Supernode) and carry the conversations of others, without your explicit knowledge or active consent. The parallels to Palladium are many. In both cases, a big brother in the sky tells us whose computer we can trust, as well as when and how we should trust it. And all the protocols and algorithms are secret, not exposed to peer review or the kind of extensive public scrutiny required to affirm the security of the design.

In the EFF report Trusted Computing: Promise and Risk the authors clearly suggest to the U.S. government that they should force Microsoft to:

  1. make publicly available the interface specifications to major functional components of its code,
  2. to significantly better support interoperable components to allow others to compete with more secure technology,
  3. to define and set specifications through industry standards bodies and consortia.

It seems to me like all three of the above would apply equally to Skype.

I quote an associate:

There is a “social cost” to using Skype. You willingly help bad guys get their work done, in addition to all the good that gets done over Skype. Good defined as things you personally consider good or benign — all from your personal perspective.

If you are willing to pay this price of letting bad guys use your machine, then that’s up to you. No one can stop you. But users should be aware of these costs and offer or withhold their consent accordingly.

This is a personal decision. Contrast this with paying taxes that build roads that the bad guys use to flee their bank robbery. I don’t have a personal choice in paying taxes, nor of whether they are spent on building roads that lead to banks.

But I do have a choice with how my computer is used. It’s my personal, private property.

I wonder how many Skype users even know their computers and internet bandwidth can be used to carry traffic for others. This includes SkypeOut calls that Skype is making money on. Shouldn’t we be getting a piece of that action?

Nobody would let Microsoft get away with this.

25 Responses to Is Skype the new Palladium?

  1. Christian Rees
    February 7, 2005 at 12:27 pm

    Right on David.

    Another issue with Skype is that their system has a single-point-of-failure, the Login Server.

    According to this very interesting piece of reverse engineering by Salman A. Baset and Henning Schulzrinne at Columbia University, arxiv.org/pdf/cs.NI/0412017, a single IP – 80.160.91.11 – apparently hardcoded in the Skype program, is used for authentication of users.

    What would happen if someone launched a DDoS attack against it?

    Should that happen, people will realize how problematic the Skype architecture is (apart from the fact that it’s a walled-garden).

  2. February 9, 2005 at 5:43 am

    Not to mention, this concept violates most acceptable use agreements with cable and DSL providers.

  3. February 9, 2005 at 8:13 am

    Good point, Andy. That’s true, most DSL/cable terms of use forbid one from reselling their pipe (such as to forbid one from setting up a wi-fi hotspot), but that’s exactly what you are doing with Skype (probably unknowingly for most Skype users).

    Your PC could be carrying a phone call and thus aiding a terrorist, or worse — a Democrat! Heaven forbid.

  4. February 9, 2005 at 2:10 pm

    That paper is full of errors and written about a year ago, the Skype client has changed quite a bit since then, and I think you will find that the single point of failure is no longer present. Also, your points on the EULA are duly noted, however to be blunt, no one cares. It is free, and saves a ton of money the moment you start using it. As far as Democrats sharing your computer, this "black helicopter" hysteria is the same innuendo that telcos used a year ago claiming that VoIP could never call 911 and we were all going to be deprived of EMS. They seemed to have changed their tune on that one.

  5. February 9, 2005 at 6:43 pm

    I don’t consider the issue of 911 and other telco issues you mention in any way similar to the *FACT* that the Skype software/system usurps my computer and network in ways I cannot control. I have no idea who might be using it. It’s not "black helicopter" hysteria. That’s how Skype works and Skype says as much. And as I say, nobody would ever let Microsoft get away with this.

    I agree that nobody cares. That’s obvious. I wonder how many Skype users even know that Skype is doing this. Skype uses computer resources of one user and charges another user for those resources, without compensating the first user. And no one cares. Oh yeah, it’s because the Skype guys are so cool. I almost forgot.

    BTW, they are so cool they apparently have scared some bloggers off from quoting my post here. Those bloggers have mentioned it to me in private. Apparently, that’s how "cool" they are.

  6. February 10, 2005 at 10:03 pm

    Skype, as you pointed out, states how the network uses your computer. Sharing your resources allows for the community to enjoy free high quality voice calling.

    I don’t know of too many products Microsoft releases that are completely free from licensing costs. If you develop a P2P OS and distribute it for free, I will gladly share resources with others to avoid licensing costs.

    Of course you do have the option of not using Skype, or any other P2P application should you decide to do so.

  7. February 11, 2005 at 3:10 am

    Thank you for posting this. For some time, I thought Skype was the new internet crack rock for me. Now I see where the addiction leads to, and I don’t want none of that SMACK.

  8. February 11, 2005 at 8:19 am

    I’m a proponent of P2P, but the lack of transparency with the Skype approach is a major concern for me. In particular, it’s unlike P2P file sharing, where I’m sharing stuff I have, not just passing other peoples’ stuff through my PC. Far more important to me is that with other P2P apps, I have some control over such behavior; the UI provides some indication to me when others are downloading (and what they are downloading); and finally the protocols are open and documented, so I know what’s going on (at least for any such app I’d use).

    Skype cloaks all this in secret. They take over my machine, decide for me what parts of it they want to use, how, and by whom. And they never tell me what they are doing. It would be one thing if Skype let me decide whether I wanted to let the whole world use my resources (perhaps with extra benefits to me), or let only people on my buddy list use my resources, or have any controls at all. With Skype I have none and it doesn’t even tell me when someone is using my PC/bandwidth.

    It’s a personal choice, of course, and I have no issue with someone electing to use Skype and let whomever use their bandwidth and PC to plot who knows what. What I wonder though is how many people really appreciate the implications of using Skype. Nobody reads those policies and Skype knows it. I think Skype should be more transparent and explicit about it so users know what they are signing up for.

  9. SpykeOopsSkype
    February 25, 2005 at 4:25 am

    Thanks for your comments MrBlog. As you correctly state, the problem doesn’t lie with the general concept of P2P or resource pooling, but Skype’s lack of transparency and other dubious practices.

    I was installing it, but was held off in my tracks by the aforementioned privacy policy and EULA. Yes I do read them.

    I have uninstalled it now. Free calls are welcome, but transparency for me comes free and foremost. I’d rather pay.

  10. February 27, 2005 at 4:15 am

    Good point David,

    I realize that using people’s bandwidth and resources for P2P’s benefits is the base of P2P thinking.

    BUT,

    This is good in a free and open community of filesharing and others, but not so good for a private company with proprietary protocols; today they are cool, but tomorrow maybe not so nice.

  11. me
    February 27, 2005 at 10:25 am

    Funny, Stuart Henshall isn’t leaving his opinion on this.

    He likes to write on all the positive stuff, but not the negative.

    No one can argue with facts that come from Skype’s own mouth, er ummm, EULA.

  12. A User
    March 17, 2005 at 12:10 pm

    Other Skype users can not connect to your PC if you are behind a firewall. All users with a DSL or cable modem connection should always use a home router or personal firewall to prevent hacking attempts to your PC anyway. You can still connect to the Skype network to make and receive calls.

  13. March 19, 2005 at 5:01 pm

    Well, "A User" (if that really is your name 🙂 ) I believe Skype is not viable if everyone (literally) takes your advice and connects their PC behind a firewall. Us "smart ones" behind firewalls depend on the "dumb ones" not behind firewalls to route our Skype packets for us. Hence we are back to my original question.

  14. pablo
    March 29, 2005 at 2:59 pm

    Well, I use Skype, but I realized that it is using this kind of malware techniques when I had to install a test web server on my machine and couldn’t do it using port 80; after reviewing which ports were used by each process, I discovered that the Skype process was using my port 80.

    I also use FWD communicator, which is much better, but I’ll stop using Skype when all my contacts have a FWD account.

  15. Lou
    March 30, 2005 at 12:18 pm

    The EULA seems completely reasonable to me. On the face of it, why wouldn’t I be OK with facilitating communication between myself and others – isn’t that the point of Skype?

    It’s only when I’m facilitating communications between others-and-others that things get dicey.

    The privacy policy is questionable.

    "This may include the ability for your computer to help anonymously and securely facilitate communications between other users of the Skype Software who, due to network and firewall constraints, cannot establish direct connections."

    Question:

    Under what circumstances would they choose to elevate somebody to a Supernode?

    I am assuming that the vast majority of connections (ie. me to you) are routed freely via regular IP traffic protocols.

    If somebody is stuck behind a closed network or firewall, how would elevating me to a Supernode help the situation?

    If I can communicate with that user, then I would have to assume that my computer is behind the same closed door.

    Pablo, if you want, you can force Skype to use a specific port and block access to 80.

  16. Jason Paol
    April 6, 2005 at 1:23 am

    has anyone tried the new video skype

    www.skypesee.com

    Fantastic ! and long overdue

  17. Mart
    June 30, 2005 at 3:13 am

    There is a lot of paranoia here – I take it you are all American and have probably been abducted by aliens as well. Anyway, as A user said – sit behind a firewall – problem solved. The routing element of Skype is NOT fundamental as it only tries to speed up the calls between point to point – in most instances the two IPs will communicate directly, hence sitting behind a firewall will not denigrate the Skype network.
    And as for Mr Blog who reckons Skype deterred others from quoting his blog – yeah right, whatever !!! Did they send the boys round and ask them not to. Maybe the feds paid them a visit huh ? Or the secret service ? Why people feel the need to knock Skype is beyond me – p2p and the cumulative power of internet linked hardware is clearly the way forward in computer technology, but dinosaurs don’t like change I guess…

  18. McGroarty
    July 12, 2005 at 3:51 pm

    Mart is being less than truthful here. If Skype can negotiate an inbound connection port with your firewall (this is usually done via UDP or UPnP) you are still susceptible to becoming a relay.

    Further, in many countries you become responsible for communications routed through your network.

  19. ladi ladi
    July 21, 2005 at 5:17 am

    I’m a NEW user to the whole Internet telephony game, and I raaaaarely, if never besides today, read privacy statements as I am generally too lazy and really don’t give a crap. But this situation was different, prompting me to think twice about what I was agreeing to since it is my private conversations and information over a network that I am very unaware of.

    I read the privacy statement, and I did find this entire thread’s topic alarming also, as it implied using my computer as a node to carry other conversations which may not even involve me at all. But I also came across more that I was interested in…

    My question to you guys, since you strike me to be well informed on the subject and program, is, as I believe I was reading in the privacy statement, is it true that Skype uses the transmission data (our conversations) for marketing purposes and hence assumes full authority of our conversations and the content? Can they read our conversations like a book on their server screens? I’m not paranoid, however, I am only being reasonable to my natural inherited right to a private conversation without having the marketing world analyze, use, and sell segments of my personal data they feel useful.

    #3, Does anyone here know of any more secure, private, respected internet telephone services (programs) that you may ultimately pay a little more for, but gain with privacy? I think a few extra pennies/min are worth some privacy.

    #4 Maybe I am wrong about how Skype handles the conversational content, but please feel free to point out otherwise.
    Thanks,
    ladi ladi

  20. Dr. No
    May 12, 2006 at 1:21 pm

    Here is everything being told about Spype, sorry, Skype 😉
    http://www.secdev.org/conf/skype_BHEU06.pdf
    http://www.secdev.org/conf/skype_BHEU06.handout.pdf
    Note: those guys are no Hillbillies, EADS is a global leader in aerospace, defence and related services…

    no Skype no more for me…

  21. JEpley
    March 15, 2007 at 7:30 pm

    LOL, you wrote

    "There is a lot of paranoia here – I take it you are all American and have probably been abducted by aliens as well. Anyway, as A user said – sit behind a firewall – problem solved. The routing element of Skype is NOT fundamental as it only tries to speed up the calls between point to point – in most instances the two IPs will communicate directly, hence sitting behind a firewall will not denigrate the Skype network.
    And as for Mr Blog who reckons Skype deterred others from quoting his blog – yeah right, whatever !!! Did they send the boys round and ask them not to. Maybe the feds paid them a visit huh ? Or the secret service ? Why people feel the need to knock Skype is beyond me – p2p and the cumulative power of internet linked hardware is clearly the way forward in computer technology, but dinosaurs don’t like change I guess… "

    Skype’s EULA states "4.1 Permission to utilize Your computer. In order to receive the benefits provided by the Skype Software, you hereby grant permission for the Skype Software to utilize the processor and bandwidth of Your computer for the limited purpose of facilitating the communication between You and other Skype Software users."

    You can

  22. Yonah
    July 11, 2007 at 9:01 am

    JEpley: "the EULA clearly states that they are going to use your PC, bandwidth & resources"

    Yes, big deal. How much isn’t stated. Which is great for you. That gives you the green light to sound the alarm bell that the sky is falling and Skype is going to take over your computer first and the world second.

    Please. There isn’t anything "Virus" like about the program at all, nor do you have the proper knowledge to even define what a virus actually is. Criminals will use any system. Word of mouth, telephone, snail mail, or message in a bottle. The encryption system is used to keep phone calls and IM from being leaked to other users in the network, and is a nice feature for those living in a country like China. Unlike you, I’ve actually used the program. It works great, I pay a flat rate to call phones in the USA unlimited, and .02 cents a minute to China.

    You’re like a child. Always crying "Mine, mine, mine!" What good are you to the rest of us? What good is a society where everyone is only concerned for themselves and scoffs at the very idea of sharing any resource or utility with another? So a small portion of bandwidth and CPU time are given to a network which benefits the others that use it. Not a problem for most people. But a selfish bastard like you? That’s ground for all out war.

  23. MrBlog
    July 13, 2007 at 10:41 am

    I think there is a middle ground between these two positions (JEpley and Yonah).

    I think my point is, if they are not going to do anything harmful, why don’t they say so in the EULA?

    If they aren’t doing anything harmful, how about showing us the source code?

    If they aren’t going to do anything harmful, why do they require our permission to do so?

  24. Svankensen
    November 21, 2007 at 9:12 am

    At this point ask yourself do I want my computer, bandwidth & IP

  25. oli
    January 17, 2009 at 5:55 pm

    This “relayed transfer” seems to only make sense in a case where you have 2 computers (with skype) on the same LAN and one of the computers is blocked from reaching the outside network. The blocked one would relay through the computer that has outside access. I don’t see any other useful purpose for this implementation.

    Just the fact that this is implemented and the eula doesn’t clearly allow for it makes me wonder what other undocumented “implementations” skype offers…
    …and doesn’t China have a special version that they HAVE to use?
