a lil poll question for this morning, and every morning

i want to know what everyone's attitude towards security and privacy is.

let us look at the following:

we use skype daily, trusting all our skype activities are protected and locked away through the use of a login screen.

now imagine this,

what if someone could look at the following without your skype password and without your skype account being logged in?:

-a full list of your skype contacts, both skype and skypeout

-a full events log
---who you called using skype and when
---who you called using skypeout and when
---who called you using skype and when
---who called you from a traditional phone and when
---who you were chatting to and when
---the first thing that was said in each chat session

the combination of information can be regarded as invasion of privacy... so what if someone could access that information without your password.... would you be concerned? would you say this was pretty normal of an application?

more importantly what should skype do...

if such was possible would you continue to use skype?


i would welcome all views on this matter, and also any questions...i look forward in particular to posts made by skype staff.

in the meantime, be sure not to do ne thing dodgy on skype, big brother might be watching you in the near future


happy skyping all

Lukman,

I can live with Skype having that sort of information - they would be liable for it getting any further.

Your post makes me feel uneasy about others having access to that information. Is this an 'imagine' question, or based on reality?

private reply sent via pm

Lukman
On a shared computer its not difficult to view other peoples data. All files are on the PC and admin have rights to look at an/all those files of ANY program.

Additionally for SKYPE, as BOTH sides need to have authorised contacts, you would not be able to access the contacts of the 'other' user.

Regards

So when did this rumour start?

Lukman,

I think we all know that your question is not a hypothetical one. I solved it by always running Skype from a USB memory stick, thus taking all that information with me instead of leaving it on the PC's hard disk.

thanks gladiator... is that to then say i can access someone elses msn history by simply copying up their msn files? that's not true according to my experiences...

furthermore skype has always said all those information are personal and strictly confidential... is it so hard to request that skype has some algorithm that checks to see which files are being loaded for an account? a simple encrypted tag? for example, if i try to load lukman_chowdhury's files into gladiator's skype account, shype would read this tag and say hang on something dodgy is going on, this tag does not belong to this account? doesn't seem too difficult. maybe it is, maybe it isn't... at present i feel the channel records of my tv card are way more secure.. i tried to make manual changes to add more channels, it read some sort of checksum and said hang on this is not the file i created...

to simply say it is true for ANY program, is not the same as saying skype is as secure as i'd like it to be... we want security from skype, that's why many people use it... just because everyone else gives us non-secure programs is no excuse for skype to say it's ok we'll do that too, skype takes it's pride in security, so a little more encryption and a little more checking against accounts and records would help dramatically.

think about all the users using skype in internet cafe's.

and yes contsct's details are not authorised, however, one can still see who is on ur list, (now imagine a guy cheaiting on his wife ok he deserves to be hanged, but that's off the point)... also details of all interaction are recorded in the history tab... i don't want people knowing who called me and who i called and when... that's my business and no one elses... at present i've not seen msn leak that bit of history out.



rumour? umm, started last night when i needed to know if it was possible to access that information without a password and found the answer to be "yes".




lucdecauwer, you are right, that appears to be the only way for real security now...but problem is my laptop is not the most behaved... running programs off usb is not too reliable.

i think skype could do something about this if they cared.

Ok, I'll bite.
Send me a list of my contacts as proof of concept.

lol, sorry to disappoint u spud5, but as gladiator and lucdecauwer's posts suggest, this only effects users of shared computers... i.e. anyone you share a computer with would be the person to watch out for, in particular is they have an admin account... but the potential of this which worries me most is that say an internet cafe has skype installed... now one would think that by requiring login details all their skype details are kept private, and the fact the ensure they click file>sign out ensures that privacy... well that's not the case, if you use an internet cafe's local installation of skype, you leave a lot of private information in public

hence lucdecauwer writes "I solved it by always running Skype from a USB memory stick, thus taking all that information with me instead of leaving it on the PC's hard disk.".... now nowhere on skypes site did i read that a password alone was not enough to talk securely.

so unfortunately, i cannot provide evidence for you, unless of course you let me at your computer's folders and let me browse through few my point is that skype needs to encrypt files and also ensure that files being loaded are the ones expected... otherwise, anyone with access to your hard drive has access to a lot of your skype information, which you would have otherwise thought to be secure and private.

although I do not see this as a SKYPE security hole, I will bug track it to SKYPE anywal. Lets see what they think

Regards

Yup I agree. It wouldn't be difficult to hash the data (against a substring of the password perhaps). This would stop the casual snooper from loading the files into another account.

reply from a member of skype staff (high up in the ladder) is

but to be frank, the skype system has been like this for at least the last year (since i began using it)

thank you for reporting it, though i don't see why you would not feel it's a security hole... i for one think the above (in the first post) information about my skype usage is as personal as it gets and do not appreciate that it is so easily accessable, and i'm not even an advanced user.



bingo. i agree 100%, then again i'd say make it harder, don't just stop at the casual user... the casual snooper is not usually a person who can do domage with what they find.

well its bug tracked now.

thank you gladiator, much appreciated

You also have to consider that much of this information is being held centrally in Skype directory. Now one would have a reasonable expectation of privacy given European Data Protection laws. However, now that Skype is owned by a US company, can we be sure that this information is not being illegally exported to the US?

I believe Skype are liable under EU data protection laws for services sold and delivered in EU countries. I doubt if their corporate governance would condone any illegal transfer of data.

lol, and the conspiracy theories begin, which is exactly why spud5 previously asked for proof...

personally, i'm not bothered what skype does once info leaves my computer... it's something i'mnot aware of and therefore something i'd only care about when it effects me, because until then, it's all just hearsay. nothing solid.

the reason i took this thread with so much interest is because, to have skype leave files on my own computer without any real protection is like being kicked in the face and being told to look away. at least if they were to illegally export the files they'd be doing so having let me exit the building first. at present they're entering my metaphoric building, locking the door behind them, giving me a good kicking, then laughing at me.

------------edit section----

someone's voted for "less important than skype focusing on making new features"....

i'd rather have a basic but secure product, than something that does amillion things but forgets the issue of privacy
---end ofedit section--------

I fully agree: they'd better focus on getting the basic functions right, and give decent user support, instead of adding bells and whistles that are of no interest to the majority of the users.

Let's keep Skype small and clean. After all, for those who want extra features, there's the API that enables third parties to add extra features to Skype.

i don't necessairly object to skype expanding into new areas... but i only object when this is at a cost to other more important areas... i do love all the extra functions, but this is not worth it if the basic services are messed up.

i don't think skype has it'spriorities set right, if they did... customer service would be something they knew about.

Its called democracy!

oh if only that were true with skype... maybe then we'd have decent customer service

I know (via chat) a number of the CS staff, and they have some pretty decent people, I don't blame the CS people at all.

There a lot of users out there, many with no issue at all (there setup) and many with legitimate complaints, which were NOT caused by CS group.

you should rember there are over 15M+ HAPPY users with SKYPE and only a small % with legitimate complaints.

Adam

thanks gladiator, but i don't blame all the cs people, just most...

firstly, a lot of the responces are like automated cut and paste jobs... i'd rather they not reply at all then insult me by sending me something unrelated.

but i do not appreciate the excuse of the ratios of happy customer against unhappy customers against skype staff.... every company finds themselves in varioussituations... the skype customer service is much debated asyou already know,.. so i'll keep it short and shut up... is skype invested more money to train and also hire more people who could read, then the service would improve dramatically overnight.

i have no personal grudge against cs staff... they are simply doing what they are paid and told to do, it's the skype concept that is flawed. successful companies manage to overcome such obstacles... skype needs to decide it's priorities ... they spend much time in bringing out new features before fixing existing ones but i am confident most skype users would just appreciate a reliable basic working version... maybe some of the development time can be spent on customer services... anyway, this is not something i would hold you or any employee of skype accountable for, i'd have no right to do that... it is something skype as an entity is to be held accountable for.


thank you nonetheless for the input, as always i appreciate your feedback

In general terms, I understand your points, but the blame is not the CS group, all companies have cut and paste/standard first line responses, that not unique at all to SKYPE, indeed we ALL do it here on the forums.

lets be honest how many companies have forums as open as this one, a place where they allow discussion on competitors, allow any frm of complaint/criticism.

SKYPE surely has faults, but in general, they DO put them right albeit after the event, with a little forward planning could in my opinion have been avoided.

with regards to responces, skype is the only one i have found where there is no telephone number to call and shout at someone... ok not so much shout... i take a reasonable approach and argue my case in a civilised way... so that's 1 to other companies 0 to skype in my eperiences. it is true that many companies use this cut and paste technique... but at least with them the cut and paste solutions match the problem... with skype you mention headphones and they will talk about your contacts power socket.



i take pride in my responces on the forum... i cannot recall posting cut and paste solutions.. you will find each of my posts are edited and targeted specifically at the poster, adding a personal touch to each, treating each poster as an individual... so just on that note it's not ALL, maybe MOST, but certainly not all.... i too am an individual, i too have a right not to be part of all

with regards to the open forum, i cannot argue with that... i skype forum. i do not usually join forums... am the member of only 2 forums... have been the member ofonly 2 forums in my entire life... i love the skype forum for it's openness and i appreciate that greatly... i've always praised this forum... and yes i've seen other companies forums where they delete anything they don't like to read.

so all in all... i still feel (as too do almost all skype users) skype just isn't serious enough about us... it is only interested (or appears to be) in bringing out new gimicks.

I must admit all my dealings with Skype support people have been positive. Gripes I have are PSTN related and I think, *hope* are getting fixed.

As an aside - I just signed on for a new SkypeIn number in the UK, the process from start to finish, including testing the line took less than 5 minutes, which is pretty smooth. Can't get voicemail to work, though but I'm sure I'll figure out what's wrong with that pretty shortly.

The copy & paste inside the forum still annoys me. I took a fat break in 2005 when moderator started to shout. And it was exactly about this topic.

And if this is returning then at a point it gets enough, and then it's better to take a break here, go to some other forum where people appreciate each other more and then return to Skype forum when situations have cooled down.

I don't understand Auser's positive experience regarding Skype Support. My experience is 50% good 50% holy crap, bad!

The problem of Skype is that people don't read, copy & paste "solutions" or they damage their Caps-Lock key.

At this place, it's time to thank Raul and Jaanus to help out in many cases, who are 2 very caring Skype Staff members.

Yeah, the privacy thing is "problem confirmed", but I don't like if it returns like in 2005 , when In past, (that means 2005 and before) this problem that you describe was not possible but only by Drive Image or Ghost backups which caused problems when a user made a simple copy only. it was a big problem for others and me. Simply copying the Application folder had crashed skype back then. that is bad since I would have lost my message history without that drive image backup. So : The perfect solution would be if the contact list would have no local copy on the USERs HDD but the message history would still be copyable for backup reasons like now!

as opposed to skype forcing us to keep a public copy, why not give us the option to export/backup from inside the skype application... in this way it too no longer needs to reside on the hdd.

agreed.

NAFCOM, seems you are beta tester as well?

was it the terminology in the reply that suggests it?

anyway, just an update... a responce,



my reply




enjoy!

Well some one with a different name posted EXACTLY the same comment in bug tracker, so I put 2 + 2 together and came up with 3.

homebase to nafcom, your cover's blown...

As I said, the Skype support people I have dealt with have been positive, and timely.

However, this doesn't deflect the fact that I have serious problems with SkypeOut quality to mobile phones, and did faithfully report them. Fair enough, Skype refunded the calls but that's not the point; there is no feedback on root cause analysis and the associated fix. I just don't bother calling Mobile's using SkypeOut anymore, the associated pain ain't worth it.

So on an individual basis the people I have dealt with get top marks. From a customer services perspective Skype hasn't got a clue about customer service and continuous improvement, that's a CS management issue.

Great product, though.

further still




it's responces like that, which remind me there is still hope with skype.

right.. am off for an hour...so i say.

Interesting perspective.



Yes, I am.


- Not really. My Skype CallTo name is witten in the forum profile I have here and real name is written in my Skype profile, too.


That's also a good idea. But this way you have a problem if Skype applcation got one or Windows or whatever and all you have is the Application Data folder left :-( So I vote NO for this - sorry.

thanks, i try not to post too many bad ideas

however, with regards to problems... problems can arise in all situations, even at present they arise.. one needs only to look at the posts in this forum to see that the current setup is not fault free. but at least with the way i suggest, it will be more private. indeed problems will still arise... but people prefer security over reliability. no point having avery reliable service is it is insecure. sacrifices must always be made, compromisations... it is for this reason skype needs to begin to listen to user feedback and to sort out their priorities...

at present, and certainly in my prespective this is the case, it appears most peoples' (the average user's) priorities are as follows: secure application, reliable basic features, good customer support system, and then new features.

every vote counts, and for that reason i will always try to swing no's into yes's... so do always expect to hear me making a stand

I suggest making it an option so let it decided by the user. I prefer - in contract to you Lukman - the way it is currently.

And you are welcome

The reason is that I am the only one using my PC and in this respect I have everything under better control the way it is now

lol, one needs to look beyond one's own needs... for example i too am on my personal laptop and never use skype elsewhere, so not really a problem that effects me... but hey, let's shout out on behalf of everyone who does not wish to damage their throats.

with regards to the suggestion you have just made... i think the principle is the same principle i had in mind... give the user a choice.. at present that choice is not there... it is simply forcing everyone to have these files sitting around... if someone chooses that it would be fine for them, then yes i totally agree, but we need that choice. so on that basis, can we then count u as a "yes"?
(cant blame a guy for trying as they say)

in slight relation to the above


i was playing around with windows live messenger 8.1 beta


tools>options>security




i assume this option addresses the very topic this thread was refering to... so Skype, if windows live messenger can think about the "silly customers who stupidly use their product on a shared computer" i think u could do that too. sure it'll require resources on your part.... but surely u'd invest in that for your customers.... right?

come on skype, ur the best, so go one step better than the rest.

I Agree Indeed,

I Also Think That Skype Should Have A Set Team Of Moderators That Moderate Skype And Can Retrieve Chat Logs For Users.

Also Watching Users That Are Potential To Harm Skype.

EDITED
I removed your avater, as by forum rules you are not allowed selected avaters of SKYPE Staff/Super Users or Moderators.
Please do not use that again
-GLADIATOR

wow, if you're refering to chat messages, thats a "hell no" vote from me. i can see abuse of power written all over that, the whole point of skype chat is the privacy and security... i certainly deal with a lot of people in confidential matters, and i would not appreciate having my chat's monitored.

btw, imatate, http://forum.skype.com/index.php?act=Stats&CODE=leaders suggests you are not a moderator... and somewhere i did read that copying a moderator avatar is against the forum rules... change it oru might just end up finding your self banned from the forums for imitation.


from http://www.skype.com/share/forums/policy.html

correct, and removed

further update....

i sent a support request to skype with time stamp 29.10.2006 19:58:49 GMT



and a reply time stamped 07 November 2006 18:18



am i the only one that thinks that reply does not address my question?

a quick analysis, if i may.

i simply wanted to know if particular info was accessable without a password in a particular scenario... a yes or no answer would have done the trick.




why? my password was not at risk, and i did not suggest so in my e-mail... i think the support member has assumed i thought my account had been hacked... surely they should know better than to assume... my e-mail was plain, simple, to the point... i simply wanted to know if data could be obtained without a password... i did not say my account has been hacked... so why suggest it has?


the reply has not in any way addressed my question, instead they have made an assumption that my computer was either hacked into or infected with a virus... this is a typical example of support failing with basic communications..

btw, i must say the responce time is impressive (well, on a skype scale, not so when compared to other companies... but that's just my opinion)

I never heard of thats. Its simly not correct.

You can be added back into chats after leaving

lol, yup that too.... i just love getting replies from skype staff... do you think any of them actually use skype? i wouldhave assumed the support team would know about the product they were providing support for.

I think some do, and probably some do not.

lol, that's a shame.... you're probably right... but i think without experience those who do not are in effect perhaps restricting their value in the skype team.

Lukman, you have always struck me as an intelligent young man, and with that said, I am a bit surprised that you were not already aware of these shortcomings. I figured you had already taken a look with a binary text editor and then implemented some precautions regarding the data stored to the HD or if using USB, that as well. Nevertheless, with that said, it always comes down to, if one man made it, another can break it.

The best suggestion, beyond SkyPE fixing this, is following basic security tips and making the data as secure as possible on the device. However, as I said, with the right tools, another can break it.

Oh, and I am of the firm opinion that Big Brother is watching, especially since EBay bought them- it comes down to, are you worth having a second look or third at...

WP

thank you


well i tend not to go around peeking at files unless needed... and in this case my browsing through the files was the result of being prompted by someone via skype.

with regards to implementing some precautions, i'm not bothered if someone gets through to my data, if i was i'd have put a password on my windows (admin) account, and on my laptop's bios password feature. but im confident that no one unauthorised would gain access to my laptop, hence i tend not to bother. i began this thread in hope that it would raise awareness and make skype do something about it. with regards to taking a look with binary text editors, when i tried opening some files it just returned stuff that seemed very random to me... (even stuff like that is too complex for me )

indeed if one man made it another can break it.. what shocked me, was that a very non-technically minded user (myself) was able to gain access to that info. now it's scary to think what those who have much more technical knowledge than myself have access to... do they even need access to the shared computer or can that just access the info by other means?


very true.



hmm, not sure what makes you write that... what influence do u feel ebay has made in the context of big brother watching us?

thank you for the feedback