[conspire] Living on clouds one through nine

Rick Moen rick at linuxmafia.com
Thu Apr 7 11:20:08 PDT 2022


Ladies and gentlemen, Jamie Zawinski!  (See footnote.)

(Those who know or suspect the name of the firm and of the CTO, please,
no names:  There might be legal dangers, even 23 years later.)

----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Thu, 7 Apr 2022 11:10:12 -0700
From: Rick Moen <rick at linuxmafia.com>
To: golugtech at diypython.us
Subject: Re: [Golugtech] Microsoft's Skype "Legal Intercept" patent
	application
Organization: If you lived here, you'd be $HOME already.

Quoting Syeed Ali (syeedali at syeedali.com):

> United States Patent Application
> 20110153809

I often have a somewhat skeptical view of Mr. Steve Gibson of Gibson
Research Corporation, for reasons far out of scope for this comment.  
(He's said quite a number of things on technology matters that are...
apocryphal.)  Nonetheless, I'll quote what he said in a "Security Now"
podcast with radio host Leo Laporte:

  Microsoft has obtained a patent for specifically intercepting Skype
  conversations.  This is their application 20110153809 called "Legal
  Intercept."  And in the abstract at the top of it, it said - I'm reading
  now from this:  "Aspects of the subject matter described herein relate to
  silently recording communications.  In aspects, data associated with a
  request to establish a communication is modified to cause the
  communication to be established via a path that includes a recording
  agent.  Modification may include, for example, adding, changing, and/or
  deleting data within the data.  The data as modified is then passed to a
  protocol entity" - this is all patent speak - "that uses the data to
  establish a communication session.  Because of the way in which the data
  has been modified, the protocol entity selects a path that includes the
  recording agent.  The recording agent is then able to silently record the
  communication."

  And skipping down then to paragraph 28 of the details, it says, "As
  mentioned previously, traditional techniques for silently recording
  telephone communication may not work correctly with VoIP and other
  network-based communication technology.  As used hereafter, the term VoIP
  is used to refer to standard VoIP as well as any other form of
  packet-based communication that may be used to transmit audio over a
  wireless and/or wired network.  For example, VoIP may include audio
  messages transmitted via gaming systems, instant messaging protocols
  that transmit audio, Skype and Skype-like applications, meeting
  software, video conferencing software, and the like."

  And then separately cited in an article about this, Jeffrey Chester,
  who's the executive director for the Center of Digital Democracy, said
  the technology aligns with Microsoft's broader goals.  The company "aims
  to incorporate tracking technologies for its Skype services as it
  aggressively expands its mobile advertising system across the world.
  Skype will likely soon have ad targeting and user-profiling digit
  strings attached.  This underscores the need for strong mobile and
  location privacy safeguards."

  So we've talked a number of times because there has been this grumbling
  in the U.S. Congress about their response to our law enforcement's
  concern, which is certainly understandable, that they are no longer able
  to eavesdrop on an increasing percentage of Internet traffic.  And so, as
  we know, there has been talk of legislation that would require services
  to allow the service provider to respond to a law enforcement request
  for eavesdropping and decryption.  And specifically Skype had been immune
  to this because as you and I know, Leo, we have a point-to-point
  communication.  That is, Skype's encrypted, and encryption technology is
  extremely good.  And but moreover, our data is going between my endpoint
  and your endpoint over an undecryptable connection.

https://www.grc.com/sn/sn-308.htm

Growing up in the era of J. Edgar Hoover, I always bore in mind that you
should never say something on the telephone that you would mind very
much appearing on the front page of the _New York Times_.  VoIP in
general, and certainly Skype in particular, merely continue that long
tradition.

Of course, the broader topic (too broad for this post) is where _can_
you have reasonable expectation of decent security and privacy.
Definitely not Skype.  Not Dropbox for reasons Gibson details elsewhere
in the interview.  In general, outsourced services leveraging
proprietary software are a poor bet -- but anyone who's surprised by
that hasn't been paying attention.

Personally, I have a lasting preference for, as a _starting_ point,
having full physical and administrative control of my computing and
data, at both ends of communication, and using best-of-breed open
source.  Where I _don't_ control both ends, I assume porous privacy and
security to a first approximation.[1]


I offer an anecdote.  In 1999, I was chief sysadmin at a then-major
Linux industry firm, one where I had extremely grave doubts about upper
management and the vulture capitalists backing the then-pre-IPO
enterprise.  Late in my term of employment there, I had particular
reasons to think that my new immediate boss, the CTO, was both a literal
large-scale crook and was surveilling intra-company data on the company
LAN.  Later, after I resigned to go elsewhere, the IPO imploded, and 
the CTO, who'd misdirected about 2/3 of the second round of funding to 
two firms he himself controlled, was allowed to resign instead of
facing criminal charges.  Incidentally, I got confirmation of my 
suspicion of his eavesdropping:  He'd been tapping and analysing logged
data from one of the monitoring ports on the firm's ethernet switch.

But before that happened, there I was, considering the security risk
from my own boss to be intolerable, specifically in that I wanted to be 
able to SSH from work to my Linux server at home, and not have
compromised security.  I reasoned, if I cannot trust my boss, then
logically I cannot trust the ongoing security of the company-issued
Debian workstation at my desk, either, if only because I wasn't always
physically there.

So, I went onto the used market, and bought my first-ever laptop, a Sony
VAIO PCG-505TX.  I used it, and only it, for any personal computing from
my work desk, including any SSHing/SCPing to my server.  Any time I 
left my cubicle, the VAIO went with me.  Strong encryption across the
connection, known keys, and physical control of _both_ ends is the minimal 
requirement for sound security and privacy, so that's what I did.

And I don't trust someone _else's_ claim of strong encryption, e.g.,
that would be the fatal error some folks still make concerning Skype.
And, even when one of those outsourced offerings swears up and down that
there is "end-to-end encryption" (hence no possibility of
man-in-the-middle hijinks), often the reality is that that is not
the case.


[1] That having been said, if you assume you probably cannot trust
entirely the transport or one endpoint, you can take compensating
measures, e.g., as Gibson and Laporte note, you can apply your own
"pre-encryption", to which you and not others have the keys, to a data
stream before handing the data to, e.g., Skype or Dropbox.  This is
thus commonly used for storing backup data on "The Cloud" -- which local
tech figure "jwz" = Jamie Zawinski habitually refers to as "The Clown" as
a reminder that the phrase merely means "somebody else's computer".
See, e.g.:  https://www.jwz.org/blog/2018/06/lol-github/

Bowdlerising slightly:

   So MICROS~1 bought Github and everybody's freaking out right now
   trying to re-host their projects on someone else's service.
   THIS IS WHAT HAPPENS WHEN YOU STORE YOUR DATA IN THE CLOWN.

   The Clown is just someone else's computer and they can and will f**k
   you.  If it's not on your computer, it's not under your control. 
   Why do you all keep doing this to yourselves??

   Stop hitting yourself.  Seriously, stop it.



----- End forwarded message -----


