Why I Don't Use Skype (and why you shouldn't, either)
I often get asked for my Skype address, sometimes in relation to business or casual conversation. I politely decline with some degree of hand-waving about my reasons, and suggest an alternative form of communication (typically either Google Talk or Google Hangouts, depending on the context—both are built right in to Gmail!). I'd like to outline some of the reasons why I've made the decision to avoid Skype, primarily so I have something to link to when someone asks me about it.
First and foremost, we don't really know what Skype actually does. The binary (the actual program you run on your computer) is obfuscated, so attempts at disassembling it [PDF] to verify some of its strange behavior and the information it is transmitting have so far come up with very little. This is an issue, because Skype produces encrypted traffic even when you are not actively using Skype. This means we can only speculate on what information Skype is collecting about you after you've so graciously chosen to install it, and perhaps more importantly who it is sending that information to.
Quoting Salman Baset:
When a Skype client is not in a call and is running on a machine with public IP address, it has on the average 4-8 active TCP connections and atleast one UDP connection.
While connecting to external IP addresses is normal for a server/client architecture and necessary for receiving notifications, the volume of traffic and number of connections is concerning, considering the compounding issues between Skype's peer-to-peer architecture [PDF] and the "reasonable level of detection accuracy" in snooping on voice calls in Skype [PDF], despite the [purportedly] encrypted nature of the Skype protocol.
Speaking in general terms, Skype is "black box" software which has undergone no public review despite very concerning observed behavior. When new Skype malware (like Skype IMBot, of which an analysis is available, or the more recent Skype account hijacking) is released, there are very few options to protect ourselves if we've got Skype installed. On Linux, tools like AppArmor and TOMOYO exist, but without the ability to easily view the source and understand the attack (per perhaps even fix it proactively, before it occurs) we are at the mercy of Skype's new maintainers to provide a timely resolution in a reactive approach.
If you use a proprietary program or somebody else's web server, you're defenceless. You're putty in the hands of whoever developed that software.
Asides
Some of the other things I found interesting, more recently than the research I've linked in this post, include Skype's role in the Syrian conflict, in which a claim was made as follows:A media activist in Idlib named Mohamed said a rebel informant working for the government was killed in Damascus six months ago after sending warnings to the Free Syrian Army on Skype. “I saw this incident right in front of my eyes,” Mohamed said. “We put his info on Skype so he was arrested and killed.”
Skype (Microsoft) has also made other concerning statements after accusations of helping the U.S. Government spy on its own citizens.
Wikipedia also lists a large number of known flaws in Skype, which I've chosen to avoid duplicating in this post.
0 Replies
Replies are automatically detected from social media, including Twitter, Facebook, and Google+. To add a comment, include a direct link to this post in your message and it'll show up here within a few minutes.