Ars Technica reported back in May that the original P2P supernodes Skype used were hosted on regular users' computers with sufficient bandwidth. They are now being moved to grsecurity-hardened Linux nodes hosted by Microsoft. Via Ars:
Skype is now being powered by a little more than 10,000 supernodes that are all hosted by [Microsoft]. It's currently not possible for regular users to be promoted to supernode status. What's more, the boxes are running a version of Linux using grsecurity, a collection of patches and configurations designed to make servers more resistant to attacks. In addition to hardening them to hacks, the Microsoft-hosted boxes are able to accommodate significantly more users. Supernodes under the old system typically handled about 800 end users, Kortchinsky said, whereas the newer ones host about 4,100 users and have a theoretical limit of as many as 100,000 users.
Various hacker groups are criticizing the change, arguing that the move to centralized servers hosted by Microsoft will make it easier to intercept users' communications so they can be logged and turned over to the authorities.
From Extreme Tech:
Microsoft is re-engineering these supernodes to make it easier for law enforcement to monitor calls by allowing the supernodes to not only make the introduction but to actually route the voice data of the calls as well. In this way, the actual voice data would pass through the monitored servers and the call is no longer secure. It is essentially a man-in-the-middle attack, and it is made all the easier because Microsoft – who owns Skype and knows the keys used for the service’s encryption – is helping.
As a rebuttal, Skype's Adrian Asher contacted Extreme Tech with the following statement:
As part of our ongoing commitment to continually improve the Skype user experience, we developed supernodes which can be located on dedicated servers within secure datacenters. This has not changed the underlying nature of Skype’s peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes). We believe this approach has immediate performance, scalability and availability benefits for the hundreds of millions of users that make up the Skype community.
Allegedly leaked source code says otherwise, though. Softpedia reported back on July 18th that a hacktivist known as Stun, affiliated with the Anonymous group, claimed responsibility for the code theft and has released the code on The Pirate Bay. Via Softpedia:
An Anonymous-affiliated hacker that goes by the name of Stun, claims to have leaked Skype’s source code and the de-obfuscated binaries as a form of protest against the “governmental backdoor.”
“After Microsoft acquiring Skype for 8.5 billion dollars and proceeding to add back doors for government to the program, the software has been hacked and its source code released,” Stun wrote next to links that point to three files hosted on The Pirate Bay.
In the same Softpedia article, a security researcher named Janne Ahlberg said that the code Stun released was really old reverse-engineered code from another researcher, released earlier this year. Skype took legal action against that researcher last year. Either way, Ahlberg says the leak is a hoax.
What do you think about this? Can Skype be trusted? Let us know how you feel in the comments.