Skype's Been Hijacked in China, and Microsoft Is O.K. With It
Cybersecurity By Vernon Silver on March 08, 2013
A pair of China residents using Skype to communicate
Jeffrey Knockel is an unlikely candidate to expose the inner workings of Skype’s role in China’s online surveillance apparatus. The 27-year-old computer-science graduate student at the University of New Mexico, Albuquerque doesn’t speak Chinese, let alone follow Chinese politics. “I don’t really keep up with news in China that much,” he says. But he loves solving puzzles. So when a professor pulled Knockel aside after class two years ago and suggested a long-shot project—to figure out how the Chinese version of Microsoft’s (MSFT) Skype secretly monitors users—he hunkered down in his bedroom with his Dell (DELL) laptop and did it.
Since then, Knockel, a bearded, yoga-practicing son of a retired U.S. Air Force officer, has repeatedly beaten the ever-changing encryption that cloaks Skype’s Chinese service. This has allowed him to compile for the first time the thousands of terms—such as “Amnesty International” and “Tiananmen”—that prompt Skype in China to intercept typed messages and send copies to its computer servers in the country. Some messages are blocked altogether. The lists—which are the subject of a presentation Knockel will make on Friday, March 8, at Boston University, as well as a paper he’s writing with researchers from the University of Toronto’s Citizen Lab—shed light on the monitoring of Internet communications in China. Skype’s videophone-and-texting service there, with nearly 96 million users, is known as TOM-Skype, a joint venture formed in 2005 with majority owner Tom Online, a Chinese wireless Internet company.
The words that are subject to being monitored, which Knockel updates almost daily on his department’s website, range from references to pornography and drugs to politically sensitive terms, including “Human Rights Watch,” “Reporters Without Borders,” “BBC News,” and the locations of planned protests. (The system he traced does not involve voice calls.) Knockel says his findings expose a conflict between Microsoft’s advocacy of privacy rights and its role in surveillance. Microsoft, which bought Skype in 2011, is a founding member of the Global Network Initiative, a group that promotes corporate responsibility in online freedom of expression. “I would hope for more,” Knockel says of Microsoft. “I would like to get a statement out of them on their social policy regarding whether they approve of what TOM-Skype is doing on surveillance.”
On Jan. 24, an international group of activists and rights groups published an open letter to Skype, calling on it to disclose its security and privacy practices. Microsoft, when asked for comment on Knockel’s findings and activists’ concerns, issued a statement it attributed to an unnamed spokesperson for its Skype unit. “Skype’s mission is to break down barriers to communications and enable conversations worldwide,” the statement said. “Skype is committed to continued improvement of end user transparency wherever our software is used.” Microsoft’s statement also said that “in China, the Skype software is made available through a joint venture with TOM Online. As majority partner in the joint venture, TOM has established procedures to meet its obligations under local laws.” Hong Kong-based Tom Group (2383), the parent of Tom Online, didn’t respond to e-mailed requests for comment for this story.
In an October 2008 statement addressing TOM-Skype censorship, it said: “As a Chinese company, we adhere to rules and regulations in China where we operate our businesses.” China’s Ministry of Foreign Affairs didn’t immediately respond to faxed questions seeking comment.
When Internet users in China try to access Skype.com, they’re diverted to the TOM-Skype site. While the Chinese version bears the blue Skype logo—and provides services for online phone calls and text chats—it’s a modified version of the program found elsewhere in the world. The surveillance feature in TOM-Skype conducts the monitoring directly on a user’s computer, scanning messages for specific words and phrases, Knockel says. When the program finds a match, it sends a copy of the offending missive to a TOM-Skype computer server, along with the account’s username, time and date of transmission, and whether the message was sent or received by the user, his research shows. Whether that information is then shared with the Chinese government wasn’t explored by Knockel—and couldn’t be learned from TOM-Skype.
Knockel’s project began in April 2011, when one of his advisers at the University of New Mexico, computer science professor Jedidiah Crandall, referred him to a 2008 paper by Nart Villeneuve, a Canadian security researcher. Villeneuve had identified Chinese servers that stored TOM-Skype’s flagged messages, yet he couldn’t tell for certain which terms had triggered the surveillance. “He didn’t know what the keyword list was,” says Masashi Crete-Nishihata, research manager at Citizen Lab in Toronto and an author of the upcoming paper on Knockel’s findings. “What was interesting about what Jeff did was grab the keyword list.” To get the words, Knockel downloaded TOM-Skype onto his computer and watched how the monitoring worked. Every time he went online, servers in China would silently send his machine an updated blacklist that would serve as the surveillance filter on his laptop.
Yet there was a hitch: The lists were in code. Each term appeared as a random-looking series of numbers and letters. To crack the code, Knockel focused on one word Villeneuve had identified as being routinely blocked: the common obscenity known as the f-word. Knockel’s plan was to create a single-word Rosetta stone by figuring out which string of code corresponded to “f—.” If he succeeded, he could eventually decipher other codes and identify the associated words that set off the surveillance.
First, he needed to take control of the list on his own computer, instead of letting the Chinese servers send the list to him.
Once he accomplished this, Knockel analyzed the coding with a technique known as a binary search. He chopped the list in half, and then sent the f-word in a TOM-Skype instant message. If it got blocked, he knew the banned term was in a slice of the list under examination. He’d then chop it again. “We would delete half the list. A half. A half,” he says. “By repeatedly halving the list like this, we were able to eventually find the exact line that contained the word.” From there, he played with it. Why not change the “f” and see what “duck” looked like? The whole process took about a week, he says. On later versions of the software, he also poked around and found encryption keys, or passwords that the program itself uses to understand the garble. “I reverse-engineered the software,” he says. “From there it just exploded.”
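The halving procedure described above, as an added example that is not from the article or from Knockel's own research code: a simulated client is handed successively smaller slices of an opaque list until the one line that makes a probe word get blocked is isolated. `SimulatedClient`, `encode` and the 2,048-entry list are constructed stand-ins, and the encoding is not TOM-Skype's real scheme.

```python
import hashlib


def encode(term: str) -> str:
    # Constructed stand-in for an opaque list entry; NOT TOM-Skype's real encoding.
    return hashlib.sha256(b"demo-salt:" + term.lower().encode()).hexdigest()[:16]


class SimulatedClient:
    """Black box: filters a message against whatever opaque list it is given."""

    def __init__(self):
        self.probes = 0  # how many test messages were sent

    def is_blocked(self, opaque_list, message):
        self.probes += 1
        return encode(message) in set(opaque_list)


def find_triggering_line(client, opaque_list, probe):
    """Return the index of one list line that causes `probe` to be blocked.

    Invariant: the slice [lo, hi) always contains at least one triggering
    line, so the search also terminates correctly if the term appears twice.
    Returns None when the full list does not block the probe at all.
    """
    if not client.is_blocked(opaque_list, probe):
        return None
    lo, hi = 0, len(opaque_list)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if client.is_blocked(opaque_list[lo:mid], probe):
            hi = mid  # trigger is in the first half
        else:
            lo = mid  # so it must be in the second half
    return lo


def demo():
    # Constructed sample list: 2,048 opaque entries, one of which encodes "duck".
    opaque_list = [encode(f"term-{i}") for i in range(2048)]
    opaque_list[1337] = encode("duck")
    client = SimulatedClient()
    index = find_triggering_line(client, opaque_list, "duck")
    # The (plaintext, opaque entry) pair is the "Rosetta stone" for the encoding.
    return index, opaque_list[index], client.probes


if __name__ == "__main__":
    print(demo())
```

Isolating one line among 2,048 takes 12 test messages: one to confirm the full list blocks the word, then 11 halvings.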
Crandall, his adviser, gave him an A+ for the class. “These things were major feats,” he says of Knockel’s work. “He comes across as shy at first, but once you get to know him, he’s very much an iconoclast who likes to get into trouble and speak truth to power.”
The terms Knockel discovered yield a rare view of the faceless actors behind Chinese surveillance. “Some keywords are highly targeted—specific locations, going down to exact address details of where a protest is going to happen,” Citizen Lab’s Crete-Nishihata says.
These included lines from demonstration organizers’ instructions during 2011’s Jasmine Revolution pro-democracy gatherings, such as “McDonald’s in front of Chunxi Road in Chengdu,” Knockel found. The data posted on Knockel’s university department website show that the lists have changed over time to keep up with events. In all, more than 2,000 terms have come and gone from the lists since April 2011, says Crete-Nishihata, who helped analyze the data.
Recent additions include phrases with the word “Ferrari,” a reference to the March 2012 car-crash death of a Communist Party leader’s son, and “723,” a reference to the July 23, 2011, date of a train crash that killed 40 people. Knockel says one of the most surprising findings is that the latest enhancement to TOM-Skype sends information about both sender and recipient to the Chinese computer servers. That means that even users of the standard Skype program outside China are subject to monitoring if they communicate with users of the Chinese version, he says. “If you are talking to someone using TOM-Skype, you yourself are being surveilled,” he says.