Thursday, March 14, 2013

Technology Insider: from Bloomberg BusinessWeek

Skype's Been Hijacked in China, and Microsoft Is O.K. With It
Cybersecurity, March 08, 2013

A pair of China residents using Skype to communicate

Jeffrey Knockel is an unlikely candidate to expose the inner workings of Skype’s role in China’s online surveillance apparatus. The 27-year-old computer-science graduate student at the University of New Mexico, Albuquerque doesn’t speak Chinese, let alone follow Chinese politics. “I don’t really keep up with news in China that much,” he says. But he loves solving puzzles. So when a professor pulled Knockel aside after class two years ago and suggested a long-shot project—to figure out how the Chinese version of Microsoft’s (MSFT) Skype secretly monitors users—he hunkered down in his bedroom with his Dell (DELL) laptop and did it.
Since then, Knockel, a bearded, yoga-practicing son of a retired U.S. Air Force officer, has repeatedly beaten the ever-changing encryption that cloaks Skype’s Chinese service. This has allowed him to compile for the first time the thousands of terms—such as “Amnesty International” and “Tiananmen”—that prompt Skype in China to intercept typed messages and send copies to its computer servers in the country. Some messages are blocked altogether. The lists—which are the subject of a presentation Knockel will make on Friday, March 8, at Boston University, as well as a paper he’s writing with researchers from the University of Toronto’s Citizen Lab—shed light on the monitoring of Internet communications in China. Skype’s videophone-and-texting service there, with nearly 96 million users, is known as TOM-Skype, a joint venture formed in 2005 with majority owner Tom Online, a Chinese wireless Internet company.
The words that are subject to being monitored, which Knockel updates almost daily on his department’s website, range from references to pornography and drugs to politically sensitive terms, including “Human Rights Watch,” “Reporters Without Borders,” “BBC News,” and the locations of planned protests. (The system he traced does not involve voice calls.) Knockel says his findings expose a conflict between Microsoft’s advocacy of privacy rights and its role in surveillance. Microsoft, which bought Skype in 2011, is a founding member of the Global Network Initiative, a group that promotes corporate responsibility in online freedom of expression. “I would hope for more,” Knockel says of Microsoft. “I would like to get a statement out of them on their social policy regarding whether they approve of what TOM-Skype is doing on surveillance.”
On Jan. 24, an international group of activists and rights groups published an open letter to Skype, calling on it to disclose its security and privacy practices. Microsoft, when asked for comment on Knockel’s findings and activists’ concerns, issued a statement it attributed to an unnamed spokesperson for its Skype unit. “Skype’s mission is to break down barriers to communications and enable conversations worldwide,” the statement said. “Skype is committed to continued improvement of end user transparency wherever our software is used.” Microsoft’s statement also said that “in China, the Skype software is made available through a joint venture with TOM Online. As majority partner in the joint venture, TOM has established procedures to meet its obligations under local laws.” Hong Kong-based Tom Group (2383), the parent of Tom Online, didn’t respond to e-mailed requests for comment for this story.
In an October 2008 statement addressing TOM-Skype censorship, it said: “As a Chinese company, we adhere to rules and regulations in China where we operate our businesses.” China’s Ministry of Foreign Affairs didn’t immediately respond to faxed questions seeking comment.
When Internet users in China try to access, they’re diverted to the TOM-Skype site. While the Chinese version bears the blue Skype logo—and provides services for online phone calls and text chats—it’s a modified version of the program found elsewhere in the world. The surveillance feature in TOM-Skype conducts the monitoring directly on a user’s computer, scanning messages for specific words and phrases, Knockel says. When the program finds a match, it sends a copy of the offending missive to a TOM-Skype computer server, along with the account’s username, time and date of transmission, and whether the message was sent or received by the user, his research shows. Whether that information is then shared with the Chinese government wasn’t explored by Knockel—and couldn’t be learned from TOM-Skype.
Knockel’s project began in April 2011, when one of his advisers at the University of New Mexico, computer science professor Jedidiah Crandall, referred him to a 2008 paper by Nart Villeneuve, a Canadian security researcher. Villeneuve had identified Chinese servers that stored TOM-Skype’s flagged messages, yet he couldn’t tell for certain which terms had triggered the surveillance. “He didn’t know what the keyword list was,” says Masashi Crete-Nishihata, research manager at Citizen Lab in Toronto and an author of the upcoming paper on Knockel’s findings. “What was interesting about what Jeff did was grab the keyword list.” To get the words, Knockel downloaded TOM-Skype onto his computer and watched how the monitoring worked. Every time he went online, servers in China would silently send his machine an updated blacklist that would serve as the surveillance filter on his laptop.
Yet there was a hitch: The lists were in code. Each term appeared as a random-looking series of numbers and letters. To crack the code, Knockel focused on one word Villeneuve had identified as being routinely blocked: the common obscenity known as the f-word. Knockel’s plan was to create a single-word Rosetta stone by figuring out which string of code corresponded to “f—.” If he succeeded, he could eventually decipher other codes and identify the associated words that set off the surveillance.
First, he needed to take control of the list on his own computer, instead of letting the Chinese servers send the list to him.
Once he accomplished this, Knockel analyzed the coding with a technique known as a binary search. He chopped the list in half, and then sent the f-word in a TOM-Skype instant message. If it got blocked, he knew the banned term was in a slice of the list under examination. He’d then chop it again. “We would delete half the list. A half. A half,” he says. “By repeatedly halving the list like this, we were able to eventually find the exact line that contained the word.” From there, he played with it. Why not change the “f” and see what “duck” looked like? The whole process took about a week, he says. On later versions of the software, he also poked around and found encryption keys, or passwords that the program itself uses to understand the garble. “I reverse-engineered the software,” he says. “From there it just exploded.”
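The halving procedure described above, sketched as an added example that is not Knockel's code or anything from the original article. The `SimulatedClient` class, the `encode` stand-in for the unknown list encoding, and the filler entries are all constructed assumptions; the only signal the search uses is whether a probe message gets blocked.

```python
import hashlib

def encode(term):
    # Stand-in for the list's unknown encoding (constructed; not TOM-Skype's scheme).
    return hashlib.sha256(b"demo-key:" + term.lower().encode()).hexdigest()[:16]

class SimulatedClient:
    """Hypothetical chat client whose local filter list the analyst controls."""
    def __init__(self):
        self.filter_list = set()
        self.probes = 0

    def load_list(self, lines):
        # Replace the locally held list, as in "take control of the list".
        self.filter_list = set(lines)

    def is_blocked(self, message):
        # The only observable: was the probe message blocked or not?
        self.probes += 1
        return encode(message) in self.filter_list

def find_line(client, full_list, probe):
    """Return the index of the opaque line that triggers on `probe`, or None."""
    client.load_list(full_list)
    if not client.is_blocked(probe):
        return None                      # probe is not on the list at all
    lo, hi = 0, len(full_list)           # invariant: trigger lies in [lo, hi)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        client.load_list(full_list[lo:mid])   # keep only the first half
        if client.is_blocked(probe):
            hi = mid                     # still blocked: trigger is in the kept half
        else:
            lo = mid                     # not blocked: trigger was in the deleted half
    return lo

def demo():
    # Constructed sample list: 1000 filler lines plus one known term at index 613.
    full_list = [encode(f"filler-{i}") for i in range(1000)]
    full_list.insert(613, encode("Tiananmen"))
    client = SimulatedClient()
    hit = find_line(client, full_list, "Tiananmen")
    miss = find_line(SimulatedClient(), full_list, "weather")
    return hit, client.probes, miss

if __name__ == "__main__":
    print(demo())
```

For a list of about a thousand lines the search needs roughly eleven probe messages, which is why a single known blocked word is enough to pin down its encoded line.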
Crandall, his adviser, gave him an A+ for the class. “These things were major feats,” he says of Knockel’s work. “He comes across as shy at first, but once you get to know him, he’s very much an iconoclast who likes to get into trouble and speak truth to power.”
The terms Knockel discovered yield a rare view of the faceless actors behind Chinese surveillance. “Some keywords are highly targeted—specific locations, going down to exact address details of where a protest is going to happen,” Citizen Lab’s Crete-Nishihata says.
These included lines from demonstration organizers’ instructions during 2011’s Jasmine Revolution pro-democracy gatherings, such as “McDonald’s in front of Chunxi Road in Chengdu,” Knockel found. The data posted on Knockel’s university department website show that the lists have changed over time to keep up with events. In all, more than 2,000 terms have come and gone from the lists since April 2011, says Crete-Nishihata, who helped analyze the data.
Recent additions include phrases with the word “Ferrari,” a reference to the March 2012 car-crash death of a Communist Party leader’s son, and “723,” a reference to the July 23, 2011, date of a train crash that killed 40 people. Knockel says one of the most surprising findings is that the latest enhancement to TOM-Skype sends information about both sender and recipient to the Chinese computer servers. That means that even users of the standard Skype program outside China are subject to monitoring if they communicate with users of the Chinese version, he says. “If you are talking to someone using TOM-Skype, you yourself are being surveilled,” he says.

Thursday, March 7, 2013

This week in Technology Insider: from Bloomberg BusinessWeek


As Evernote's Cult Grows, the Business Market Beckons

February 28, 2013
(Corrects in fifth paragraph the rate at which Evernote is adding users)
Zerkel, a productivity consultant, recommends Evernote to nearly all of his clients. Photograph by Damien Maloney for Bloomberg Businessweek

It happens gradually, devoted fans insist. Once you get it, they say, you live and die by Evernote, the five-year-old, everything-in-one-place personal organization application that is hyped by its creators as your “external brain.”
Joshua Zerkel has seen it happen again and again—and he’s lived it to some degree, too. The 37-year-old San Franciscan came across Evernote a few years ago and was attracted to its ability to work across platforms more cleanly than the note-taking software he’d been using. Today he’s one of several dozen “Evernote Ambassadors”—power users who volunteer to spread the word about its wonders. Zerkel is a productivity consultant for businesses and individuals, and he recommends Evernote to almost all his clients; leads Evernote training sessions; and just published his second e-book about best Evernote practices, Evernote @ Work. The company pays him nothing, yet even he finds some users a little over the top. “There are definitely Evernote junkies,” he says.
Ted Barnett is one of them. A serial entrepreneur who now works as chief operating officer of digital publisher Byliner, Barnett answered questions about his Evernote usage before they could be asked, with a crisp outline he’d created in Evernote. He heard of the app from a friend in 2009 and was attracted to the idea that he could enter and access his data, stored in the cloud, from any smartphone, tablet, or computer. His first entry recorded vital health statistics he entered via his phone during a doctor visit.
“I have a terrible memory,” Barnett says, explaining that he used to rely largely on physical notebooks to keep track of ideas, until he started adding those to Evernote. Then he added a cheat sheet of parents’ names at his daughter’s school. Now, at the end of a work meeting, he’ll photograph the whiteboard, store that picture in Evernote, add some thoughts and questions, and send it around to his team. On his recent vacation in Istanbul, he used Evernote to create a one-man Fodor’s guide to the city for friends. Basically, the more Barnett used Evernote, the more he thought of new ways to use it.
Evernote says it has 50 million users around the world (a third in the U.S.) and is adding 100,000 a day. Operating on a “freemium” model, the company makes money primarily from the sliver of that user base that pays $45 a year, or $5 a month, for a souped-up version with more storage capacity. It has been profitable, and though it’s investing heavily now, it expects to be profitable again soon. But with $251 million in venture backing and a valuation estimated at $1 billion, Evernote has greater ambitions. Chief Executive Officer Phil Libin talks about reaching a billion users; others at the company freely throw around the phrase “the Evernote lifestyle.”
That’s a lot of expectations for an experience that boils down to three columns in a browser window. You type, or clip or upload a new “note” (an image, a recording, or a Web page) into the right-hand column; store it in a “notebook” listed on the left-hand side; and browse or search in the middle. The promise is that Evernote saves your ideas, documents your meetings, archives articles, reminds you what your kid wants for Christmas, and coughs up the business card of Plaid Jacket Guy from that conference in Scottsdale. In addition to segregating such material into notebooks, users can organize it with tags, but don’t have to.
Evernote’s search function, with optical character recognition that even picks up words within pictures, is impressively accurate and speedy. The effectiveness of this function is crucial, because the willingness to dump work and personal material in one place is central to Evernote’s worldview.
“I always hated the term life/work balance,” Libin, 41, declares during an interview at Evernote’s offices in Redwood City, Calif. “I never had a distinction between work and personal life. I had a BlackBerry (BBRY) from Day One, and people would say, ‘This is terrible, now you check your e-mail at 11 o’clock at night.’ Yeah, but that’s great! I love that I can check my e-mail at 11 o’clock at night.”