How To: Put Skype in a Box (Linux)

[bigbrosbitch 65]

​Preamble:

If you are a Windows refugee who has recently sought asylum by following these steps: https://airvpn.org/topic/14938-dual-boot-windoze-with-linux-mint-172-in-25-steps/ 

then you now have a dual boot Windoze-Linux system where you can limit your data leakage damage to Microhack enterprises at boot-up time.

For instance, you can probably limit Spyware O/S activity to certain games that do not run well in Virtualbox or with meta-compatibility layer technology e.g. Play on Linux/WINE.*

* Although the games support list looks very promising these days. Cross-platform software enhancements also mean that Windows' main advantage - superior gaming and range of titles - may soon be lost.

Despite the undeniable gains to your privacy and security in running a solid linux distro over Windows, there is a good chance your partner/room-mate/other will be addicted to VOIP, social media,  jabbering, and stalking their ex-sweethearts or school friends on-line.

 

As a consequence, you will be probably be asked to install potentially hostile proprietary binary blobs just minutes after having established a clean system - Skype will be one of the stand-out requests statistically for the fairer sexes in all jurisdictions.

 

Why Care About Skype?

There are good reasons to be paranoid about Skype and its potentially damaging activities.

Briefly, Skype has been fully backdoored since February, 2011. Microsoft has been playing tag-team with the Stasi since at least 2007, allowing 'encrypted' communications to be laid open bare for authoritarian freaks:

http://www.idownloadblog.com/2013/06/06/new-leaked-presentation-nsa/

   

So just what kind of data is PRISM collecting? Everything.

 

“According to a separate “User’s Guide for PRISM Skype Collection,” that service can be monitored for audio when one end of the call is a conventional telephone and for any combination of “audio, video, chat, and file transfers” when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms.”

​
Here is Microsoft getting 'the reach around' from the men-in-black on a pretty NSA slide:

 

​

Neither is Skype encrypted end-to-end. This means Microsoft can (and does) also read your messages and snoop on video chats.

Horrifying stuff right? Maybe those sex chats with transgender midgets in eastern Russia were a mistake after all? ​

So, how can we try and maintain the integrity of the Linux system that is otherwise 100% open-source software, except for the typical few codecs and drivers?


Skype Solutions

Firstly, before taking out two life insurance policies on your loved one and researching uncommon poisons via Tor Browser, try to convince them to to install and use secure open-source software as an alternative.

Several programs are available, but I prefer Jitsi for video/VOIP/chat because it is relatively easy to set up, open-source and provides military grade encryption. Other alternatives for Linux suggested by Prismbreak include:

https://prism-break.org/en/categories/gnu-linux/
 

- Mumble
- Linphone
- Tox (experimental)

​
Unfortunately, your better half will exclaim with 99% probably (Scrodingers cat is always dead in this particular universe):
 

 "But none of my other 80 million logged-in Skype friends use Jitsi!"; or

 "But Skype creates my account for me!?"

​

This means you are stuck unless you want to boot Windoze or run Windows in a virtual environment for Skype purposes. This is a lot of stuffing around, particularly if you want Linux to be used most of the time as the defacto stable system.

You cannot suggest Skype for the Web (via a browser and suitable plug-ins), due to the plug-in's unavailability in Linux at this time. See:

https://web.skype.com/

So, in order to save your marriage and limit malicious activity by Skype on your local system (e.g. network/file scanning) it is worth enforcing an AppArmor profile.**

** Unless you wish to place complete trust in Bill "Snowden is a Traitor" Gate's special brand of malware, which is already known to turn every desktop from Win 7 onwards into a glorified i-phone-home.


Skype 4.3 Apparmor Profile for Ubuntu/Mint

Assuming you have installed 32 or 64 bit Skype and tested it without any video/sound problems in the first instance, then you are ready to enforce the profile to put chains around it.***

*** Sound problems are not uncommon for Linux in earlier versions, but easily rectified in most instances.

I have successfully imported into Linux Mint the recent github Skype profile below and enforced it without any voice or video problems. If you have not already installed apparmor-notify (to get on-screen notifications of activities blocked/complained about), then do so now via Synaptic Package Manager as this will assist in any debugging.

This profile below should be named usr.bin.skype and can sit in the /etc/apparmor.d/ directory.

For example:

​

sudo nano /etc/apparmor.d/usr.bin.skype

​

Cut and paste text below and save (from https://gist.github.com/AgentME/5640268).
 

#include <tunables/global>
/usr/bin/skype {
  #include <abstractions/base>
  #include <abstractions/user-tmp>
  #include <abstractions/audio>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>
  #include <abstractions/fonts>
  #include <abstractions/ibus>
  #include <abstractions/dbus>
  #include <abstractions/dbus-session>
  #include <abstractions/X>
  #include <abstractions/freedesktop.org>
  #include <abstractions/gnome>
  #include <abstractions/kde>

  network,

  /usr/bin/skype mr,
  /opt/skype/skype pix,
  /opt/skype/** kmr,
  /usr/share/fonts/** m,
  @{PROC}/*/net/arp r,
  @{PROC}/*/cmdline r,
  @{PROC}/*/auxv r,
  @{PROC}/sys/kernel/ostype r,
  @{PROC}/sys/kernel/osrelease r,
  /usr/bin/xdg-open rUxmlk,
  /dev/ r,
  /dev/tty rw,
  /dev/snd/* mrw,
  /{dev,run}/shm/ r,
  /{dev,run}/shm/pulse-shm-* mrw,
  /etc/pulse/client.conf r,
  /dev/pts/* rw,
  /dev/video* mrw,
  @{HOME}/.cache/fontconfig/** lkmrw,
  @{HOME}/Downloads/* krw,
  @{HOME}/Downloads/ krw,
  /etc/xdg/Trolltech.conf rk,
  @{HOME}/.config/Trolltech.conf* rwk,
  /etc/xdg/sni-qt.conf r,
  /usr/share/locale-langpack/* mr,
  /usr/share/glib-2.0/schemas/gschemas.compiled rm,
  /usr/share/nvidia-331/** rm,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu0/cpufreq/* r,
  @{HOME}/.Skype/ krw,
  @{HOME}/.Skype/** krw,
  @{HOME}/.config/Skype/ krw,
  @{HOME}/.config/Skype/** krw,
  /usr/share/skype/** kmr,
  /usr/share/skype/sounds/*.wav kr,
  /etc/passwd mr,
  /usr/share/icons/** kr,
  /sys/class/power_supply/ r,

  @{PROC}/[0-9]*/status r,
  @{PROC}/[0-9]*/net/** r,
  @{PROC}/[0-9]*/task/ r,
  @{PROC}/[0-9]*/task/** r,

  /usr/bin/pavucontrol rmUx,

  deny @{HOME}/.mozilla/ r,
  audit deny @{PROC}/[0-9]*/fd/ r,
  audit deny /var/cache/fontconfig/ w,
  deny /sys/devices/** r,
  audit deny /etc/xdg/sni-qt.conf k,
}

​


Then in terminal run:
 

sudo aa-enforce /etc/apparmor.d/usr.bin.skype

​

Check the status of the Skype profile with:
 

sudo apparmor_status

​

Distros other than Ubuntu seem to regularly have these Skype profiles available in the 'extras' directory by default. They can therefore be manually turned on as required without these extra steps. For example, see:

In Debian https://packages.debian.org/jessie/all/apparmor-profiles/filelist

In ArchLinux https://wiki.archlinux.org/index.php/Skype

And so on.


Conclusion

When your back is to the wall and you face crushing child support payments unless you tolerate a vicious binary blob that taints your freshly installed Linux box, then the least you should do is put Microhack's Skypanopticon in a simple sandbox.

All going well, your partner can Skype all day long on the home network - happily sharing her biometrics, voice print and psychological problems with the invisible goon squad - without Bill Gate's deformed love child unnecessarily running his shit-stained fingers across all your precious electronic data.

 

Good luck!
​