Sunday, 20 March 2011

Warning: Cyber-dissidents should not use Skype

Skype security weaknesses could endanger 'vulnerable users' | Technology | guardian.co.uk

"The free messaging and internet phone service Skype carries a number of worrying security concerns which could put users living in oppressive regimes in danger, says the advocacy group Privacy International.

"The free internet telephony service has around 700m users worldwide, including at least 20m in China and an unknown number in Middle Eastern countries.

"Among areas that Privacy International has identified as weaknesses are:

"• the use in the Skype interface of names rather than unique IDs, meaning that people can be impersonated in the user list;

"• Skype downloads are not made through a secure connection (to, say,https://skype.com), which means that other sites can masquerade as the main site and offer compromised versions of the software - something that has happened in the past in China;

"• the audio compression system used in Skype allows phrases to be identified with an accuracy of between 50% and 90%, even with encryption applied."


Clearly cyber-dissidents should not use Skype. The only VoIP product we can recommend for dissidents in hostile environments would be GNU SIP Witch, but this only runs on the Linux platform. Therefore for most users we would recommend not using any voice system to present obvious messages. Encryption software like PGP and Tor for privacy protections should be used to move significant data. Anyone in a repressive situation should become familiar with encryption, proxy and privacy technology. Reporters Without Borders have published an excellent guide to secure blogging. Voice communications should be short, high coded and impossible to detect. Establish via secured encrypted anonymous emails a set of code words and phrases to be used in the case that telephone communications are needed. Never provide key data on any phone line of VoIP unless you have the skill to implement it.

Despite the popularity of Twitter and Facebook these services still pose a potential risk for users. When concerned about personal safety bloggers should follow advice proved in the Reporters Without Borders guide to Blogging. Any communication which is not strongly encrypted can be read by governments and there is little most firms will do to protect the privacy of users who are officially breaking local laws. Yahoo! has even gone as far as to turn in specific activists to the government of China.

Also never become dependent on a single channel of communication. A network should not only use security but also replicate key data in many locations to prevent it being taken down. Every site should, potentially, be reproduced by a number of Poxy servers.

Always remember that the potential of cyber-activism also comes with the risk that governments will be able to monitor and track communications. So far Arab regimes have proven themselves to be ineffective at this kind of surveillance, but this will likely not continue.

Remember that sometimes the most secure form of communication is a whisper or a vague handwritten note.

No comments:

Post a Comment