
You may already know that you can import and export WordPress users from one site to another. This could be really helpful when you are merging sites and want to automatically add all users from existing websites. In this article, I will show you a special tip to import and export users in WordPress.
Special Tip To Import and Export Users In WordPress

Why You Need to Import & Export Users in WordPress?
While there are several use cases for importing and exporting WordPress users, the three most common scenarios when you need to import and export users in WordPress are:
  • When you purchase a website and want to merge the content and user base
  • When you want to consolidate two sites and merge their content and user base.
  • When you want to import all users into an email list or your CRM.
On large multi-author sites or a membership site in WordPress, each user profile has tons of useful data (like profile photo, bio information, social links, and more).

While you can surely ask them to recreate their profile, it’s inconvenient and not an ideal user experience.

Having said that, let’s see how to easily import and export users from one WordPress site to another.

How To Export Users in WordPress?
First thing you need to do is install and activate the Cimy User Manager plugin.
Upon activation, you need to visit Users » Cimy User Manager page and scroll down to the export section.

The plugin will show you the upload path and will ensure that it’s writable. This is where your export CSV file will be stored.

By default, the plugin will use commas to separate fields and quotes as text delimiter.
If you will be using this CSV file elsewhere and need to change these values, then you can do so here. Otherwise, you can leave them as they are.

Next, you need to select how you want to sort rows in your export file. By default, the plugin will add users by their registration date. You can change that to sort by login name, username, email, or post count.
If you will be using the CSV file with Microsoft Excel, then you can check the box next to Enable Excel compatibility mode option.

If you have used Cimy User Extra Fields plugin, then the last option allows you to include that data into the CSV file as well.
Once you are done with the options, you need to click on the Export button. The plugin will now export your WordPress user data and save it as a CSV file on your server. You will see a success message with a download button along with the list of users exported to the CSV file. Simply click the download button to save the file in your computer.
Now you can use this file to import users into another WordPress site.

How To Import Users in WordPress?
This step will also require the same Cimy User Manager plugin that we used above to export users. Make sure that you have this plugin installed and activated on the site where you want to import users. Next you need to visit Users » Cimy User Manager page to import users.

First you need to click on the choose file button and select the CSV file you want to import. If your CSV file uses different delimiters than comma and double quotes, then you need to change them here.

You also need to check the box next to Create Users option. This will allow the plugin to create new users with the information in your CSV file. Under the email notifications, you can check the options to send new users their account details and send password to existing users.

Finally, you can click on the Import button. The plugin will now upload your CSV file from your computer and import users into your WordPress database. You will see a success message with details on how many users imported, created, or modified during the process.
Have you ever wanted to send an email to all registered users on your WordPress site? If you run a multi-user WordPress site, then sometimes you may need to send notification emails to your users. In this article, I will show you a simple way to send email to all registered users in WordPress.
Simple Way To Send Email to All Registered Users in WordPress
If you allow user registration on your WordPress site, then you may be automatically adding registered users to your email list as well. In case you are not adding your registered users to an email list, or your email list is not segmented, then you would need an alternative solution to send an email to all registered users. You can use this feature to send emails about important announcements, account status, password update requests, and more. Let’s see how you can easily email all registered users on your WordPress site.

How You Can Send an Email to All Registered Users in WordPress
First thing you need to do is install and activate the Email Users plugin. For more details, see our step by step guide on how to install a WordPress plugin. Upon activation, the plugin will add a new menu item labeled ‘Email User’. Clicking on it will take you to the page where you can choose who you want to email.
You can send an individual message to specific users, or you can send a message to user groups. Users with the same user role belong to the same user group, for example administrators, editors, authors, subscribers, etc. You need to click on the ‘Send Individual Message’ link to send email to specific or all users on your WordPress site.
Start by selecting a mail format for your email and then select recipients from the drop down list. You can use the CTRL (Command key on Mac) to select multiple users. Next, you need to add a subject line and your email message. Once you are satisfied with the email message, click on the Send Email button. The plugin will send your email message to all selected users.

Sending Email to User Groups in WordPress 
The Email Users plugin also comes with a feature that allows you to send emails to specific user roles. This feature is helpful if you have a lot of users, and you can’t select them all one by one in the individual message form. It is also helpful when you just want to email specific user roles like authors or editors.
First you need to select a mail format (Plain text or HTML) for your email message. After that you can select which user roles or groups you want to send this email to. Next, add a subject for your email message and then add the email message that you want to send. Click on the Send Email button to send the message.

How To Turn Emails On/Off for Specific Users in WordPress
You can select which users will receive individual or group messages by visiting the Email Users » User Settings page.
Select the user you want to edit and then select an action from bulk actions menu. You can turn off notifications (individual messages) as well as mass emails (emails sent to multiple users or user groups).

When you have made your changes, make sure to click on the apply button to save your changes. Individual users on your site can control email settings on their profile pages as well. Upon login, users can go to their Profile page, and they will notice two new options to opt-in or out of email messages.

Good luck!
Have you come across sites that require you to tweet before you can download the freebie? If you offer file downloads on your WordPress site, then you too can add this pay with tweet feature to your site. It allows users to get the freebie and spread the word at the same time. In this article, I will show you how to use the Pay With a Tweet plugin to add a pay with a tweet button for file downloads in WordPress.

How To Use Pay With a Tweet Plugin

First thing you need to do is download and install the Pay With a Tweet plugin. Upon activation, you will need to go to Pay with a Tweet » Configuration and configure the plugin.
To use the Pay with a Tweet plugin, you will need to create a Twitter App and then add your consumer key and secret key on this configuration screen. Don’t worry, we will show you how to create a Twitter App and obtain these keys.
Creating a Twitter App 
To create a Twitter App for Pay with a Tweet plugin, visit Twitter Developers website. Sign in with your Twitter username and password, and then click on your account name on the top right corner of the screen. A flydown menu will appear, and you need to click on My Applications to proceed.

Twitter will now display new application form. You need to provide an application name and description. In the website URL field, enter the URL of your website where you will be using this app. In the callback URL, you need to enter the callback URL shown in Pay with a Tweet plugin’s configuration screen. Lastly, you need to agree with the terms of service and click on Create your Twitter application button.
Twitter will now create the application and redirect you to the app dashboard. There you need to click on the Permissions tab to change the application permission. By default, newly created apps have read-only access; you need to change it to Read and Write.
After saving your new application settings, you need to click on the Test OAuth button. You will find your consumer key and consumer secret keys which you need to copy and paste in Pay with a Tweet’s configuration screen.
Adding File Downloads
Now that you have configured the Pay with a Tweet plugin, the next step is to upload the file users will be able to download after the tweet. To do that, you need to go to Pay with a Tweet » Upload Files and select the files you want to upload.

Once you have uploaded your files, they can be managed from Pay with a Tweet » Manage Files screen.
Creating Your Pay With a Tweet Button
To create your Pay With a Tweet Button, you need to click on Pay with a Tweet » New Payment Button. Enter a title for your payment and then add the tweet you want users to send when they click on the payment button.
The third option on the screen is to add a button image. This button image will be used to display your button. Click on the choose file button to add the image to upload.

After adding the button image, you need to select the download which users will receive once they send out the tweet. The file you uploaded earlier will appear here and you can select it. Lastly, you need to click on Create Payment Button to make this button live.
Adding the Pay With a Tweet Button To a Post or Page
After you create your button, you can see and manage all your buttons on Pay with a Tweet » Manage Buttons screen. You will see a shortcode next to the button you just created.

To display your Pay with a Tweet button in a WordPress post or page, you need to copy this shortcode and paste it into your post/page. Once you publish your post, your users will be able to pay with a tweet to access the file download.

Would you like to create a custom login page for your WordPress site? In this post, I will show one simple way to create a custom login page for WordPress. A custom login page allows your users to log in from a custom page on your site instead of the default WordPress login page. In this article, we will show you how to create a custom login page for WordPress without writing any code.
Two Simple Ways To Create a Custom Login Page for WordPress

Why We Need to Create a Custom Login Page for WordPress?
If you are running a membership site without using a WordPress membership plugin, then your users will register and login using the default WordPress login screen.

This may work fine for small websites. However, if you are running a business website or a busy online community, then you may want to show your own brand instead of WordPress.

One way to do that is by adding your own logo and white labeling the WordPress admin dashboard. But if you don’t want users to access the admin area when they log in, then you will need to add a custom login page.

A custom login page works like any other page of your WordPress site. It uses the colors and styles of your WordPress theme, and users don’t even get to see the admin area of your WordPress site.

Create Custom Login Page For WordPress with Theme My Login
First thing you need to do is install and activate the Theme My Login plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, the plugin will enable custom login page that matches your WordPress theme. You can simply visit the login page, and you will see the custom login page.

However, Theme My Login is a powerful plugin. It can also be used to create custom registration and profile pages and custom emails, and to set up custom redirects.

To enable these features you will need to click on the TML menu in the admin bar to configure plugin settings.

Simply check the box next to the module that you want to enable. Enabling each module will also enable the module’s settings tab.

For example, enabling the custom emails module will add the Email tab under the TML menu item. Theme My Login also comes with a custom login widget. Visit the Appearance » Widgets page and add the Theme My Login widget to a sidebar.

Good luck!
Right now, the Web—not apps—appears to be the best way to find rare Pokémon in Pokémon Go. If you’ve been wondering how to find Pikachu, Scyther, Electabuzz, or any other rare Pokémon, you might not have to wait much longer: new crowdsourced Pokémon Go maps are teaching players how to find Pokémon in Pokémon Go.

But the best Pokémon Go map doesn’t use crowdsourcing at all: it pulls directly from the data that developer Niantic sends to the Pokémon Go clients. Right now, we’re saying that the best Pokémon Go map is Pokévision, which provides a real-time look at the Pokémon spawning around you, and more importantly, when they’ll de-spawn or vanish. Pokévision is just a teeny bit difficult to use, but it’s terrific—when the servers are online, that is. (Our story has more tips on how to use it.)
Maps Show You Where To Catch 'em all For Pokémon Go

Crowdsourced Pokémon Go maps, then, may end up being the “previous generation” of finding Pokémon.

Numerous maps are available, but here are the best Pokemon Go maps we’ve found: the first, at Pokecrew.com, zeroes in on your location and begins showing what Pokémon might be nearby. And if you happen to live in the Boston area, you’re in real luck: a sweet Google Map known as Gotta Catch ‘Em All happens to list all the locations local players have found, complete with a list of rare and ultra-rare Pokémon. A separate Google Map pegs Pokémon locations in Seattle and Tennessee. Pokemapper also provides a worldwide look at Pokémon locations, but without the sophistication of other sites.

The latest Pokémon Go maps

More and more and more Pokémon Go maps are constantly being added, but only a few have the quality, depth and variety to make them worth your time. Here are the latest Pokémon Go maps sites:

Pokeflex seems to be the best of the latest crop of sites, though its maps are specific to about a dozen or so areas, and vary in terms of quality and even format depending upon where they are. Check out the Pokémon Go maps in the San Francisco Bay Area, Texas, and Pennsylvania. Pokefind takes a slightly different tack: it’s set up for you to find a specific Pokémon nearby—this is for the completionists who have already been hard at work for the past week or so. A recent update now makes the site more responsive.

More and more maps also seem to be forgoing the locations of Pokemon themselves for the locations of Pokéstops and gyms. If you want to know where you can find Pokéstops, you might try checking out Mapokemon.com, which lists a number of them—though you may find when you drill down close to home there aren’t many listed.
 
Real-estate site Trulia has also published a map to the best Pokemon Go locations to find certain types of Pokemon, but without specifics. This might be handy if you’re in an area without a convenient crowdsourced map.

Pokémon Go tasks players to go out in the real world and discover new Pokémon, who tend to cluster around interesting real-world landmarks, shops, and other locales. Each player can “capture” a Pokémon using a Pokéball, then train it at a local “gym.” Special items, such as incense and lures, are used to attract new Pokémon to the player. (Macworld’s beginner’s guide to Pokémon Go has more on how the game is played.)
So which map should you use? We’d recommend maps that allow you to enter a specific Pokémon name, then show their locations, as well as displaying a quick guide to what’s around you. For that, we’d definitely recommend the Gotta Catch ‘Em All map if you live in the Boston area—it’s comprehensive, attractive, and detailed. Pokecrew.com comes in second at the moment, however—it quickly shows you the type of Pokémon that’s closest to you, and allows you to scan a map of nearby locations and discover what’s there. (The site is under heavy load, though, so it might not show any Pokémon until the servers are beefed up.) Developers are moving fast, though, so expect these sites to be updated with additional features and Pokémon as time goes on.

Also, do keep in mind that “trolls” sometimes drop by sites and seed them with rare (but fake) Pokémon. To avoid fake Pokémon, you might try “checking” a site with the locations of Pokémon you’ve caught yourself, or ones that require you to register an account to access them. Neither are foolproof solutions, but you may save yourself some angst.

Pokémon Go map apps may be risky
Unfortunately, Web pages seem to be the way to go at the moment. There are at least two Android apps to crowdsource Pokemon locations: Map for Pokemon Go: PokemonMap and Pokemap: Find Your GO Pokemons. Neither seem to do the job, according to the app reviews.

On the iOS side, Pokemon Go Maps ($1) lets players enter locations, and has a chat tab for sharing other tips and advice. After two days, it doesn’t have enough reviews for a rating—people must be too busy catching monsters to leave a review. Gabbermap is a free community-powered map that can help you find anything, but just added a bot named @pokebot to help users find rare Pokémon.

So do the Pokémon Go maps destroy the mystery of Pokémon Go? Maybe, or maybe not. Lucy Guo, one of the Pokecrew developers as well as a product designer at Snapchat and a cofounder at Scale, said she didn’t believe that all of the mysteries of Pokémon have been uncovered. “Hopefully see how Pokémon actually move,” she said on Product Hunt, when asked what the project hopes to discover. “Everyone’s thinking different things, our hypothesis is that it’s time and location based. And we just want to catch ’em all.”

Why this matters: One of the joys of Pokémon Go is discovery: yes, it might be slightly obvious that water Pokémon might cluster around lakes and beaches, but which ones? Is the Metropolitan Museum of Modern Art a haven for rare Pokémon? Is Central Park? If you’re simply a believer in discovering what’s out there, well, then consider these “spoilers” and avoid them. On the other hand, if your son or daughter is dying to get their hands on a Pikachu, you might be able to “encourage” them to look in a certain spot—or casually mention that there just might be an Onyx at the mall where you’re taking them shopping.
Most health apps don't have good privacy or security safeguards. That handy health app on your phone—the one with access to your medical history, your doctor’s name, even your home address—may be vulnerable to hackers. Technology experts discussed the risks at a House hearing July 14 with the Energy and Commerce subcommittee.
Hackers love health apps because they are easy to attack

The fast growth of information technologies in the health care sector has outpaced the industry’s efforts to safeguard them. A report by IMS Health, a research and service provider for health care professionals, showed that more than 165,000 mobile health (or mHealth) apps were available in 2013. Many of the apps offer access to users’ electronic health records from doctors or hospitals.

Hackers particularly love the kind of medical information stored in health apps because it’s harder to change. A stolen credit card number can be cancelled, but medical histories, and the home addresses and Social Security numbers that often go into medical records—these things are hard to change and can therefore be sold for a higher price on the black market.

Few privacy policies and no regulation

Health apps are popular, but not very private. One-fifth of mobile devices in the United States have a health app installed. A study in the March issue of the Journal of the American Medical Association, however, showed that of 271 apps studied, 81 percent did not have privacy policies. Of the 19 percent (41 apps) that did have privacy policies, only four specified that they would seek permission before sharing data with third parties.

The act of selling of data collected by the apps isn’t regulated. Health apps also are not subject to privacy and security regulations in the Health Insurance Portability and Accountability Act (HIPAA). Nicolas Terry, Indiana University Maurer School of Law Professor and a health care technologies regulation expert, called for Federal regulatory agencies to step in and create patient-information protections for the apps. “The most disruptive mobile health apps are those that are patient-facing,” Terry explained, referring to apps where information is directly available to users. Such a direct app-patient relationship lacks any professional buffer between the user and the information, he said. As a result, traditional regulation of safety, quality, and confidentiality suffer.

“Patient privacy should be well addressed. The selling of this information should be more transparent,” said Diane Johnson, director of the Strategic Regulatory at Johnson & Johnson, a multinational medical products and services provider that offers a number of mHealth apps. Johnson and others stressed that for mHealth app users, it’s a case of buyer beware.

Here's one ray of hope: Data saved in individual devices may be safer than data saved to clouds, said Bettina Experton, president of Humetrix, a health app developer based in Del Mar, California. Users’ information is “highly secure in personal devices,” Experton said. “Your phone can store securely when it’s encrypted. It’s in your hands and under your control.”
Canonical will support Ubuntu 16.04 LTS with updates until 2020.
Canonical just released Ubuntu 16.04.1, the first point release in the Ubuntu 16.04 “Xenial Xerus” series. All the changes made to Ubuntu 16.04 have been combined into a new installer image, which you can now download.
Ubuntu 16.04.1 is out with improvements to software installation and low-graphics mode


What’s a point release?

If you’re already using Ubuntu 16.04, you don’t need to do anything special to upgrade to Ubuntu 16.04.1. Just install the updates available in the Update Manager application and your system will be upgraded to the latest software.

Point releases like this one are primarily useful for new installs. They bundle together the latest security updates, bug fixes, and other improvements. If you have an Ubuntu 16.04 LTS live CD or live USB drive you use, you’ll want to replace it with Ubuntu 16.04.1 to ensure you have the latest security updates.

Some point releases include new “hardware enablement stacks”—new versions of the Linux kernel and graphical X server backported from less stable Ubuntu releases to make Ubuntu work better on new hardware. This one doesn’t, but Ubuntu 16.04.2 LTS, which will be released in February 2017, will.

What’s new since 16.04

Aside from a large number of important security patches and bug fixes, Canonical has made some notable changes to the Ubuntu 16.04 desktop. These changes arrived in updates, so you’ll already have them if you’ve been using Ubuntu 16.04 and keeping it updated.

Ubuntu 16.04’s new Software installation application, based on GNOME Software, has seen some improvements. It now allows you to search for and install Snap packages in the graphical interface. It was also updated to allow installation of third-party .deb packages, like the ones you can download to install Steam, Google Chrome, and Skype.

The Unity desktop has seen some tweaks, and it uses less fancy animations in “low graphics mode.” If you’re running Ubuntu 16.04 in a virtual machine or on an older computer without an accelerated 3D graphics driver, Unity will now be easier on your hardware and perform better.

For more detailed technical information, you can consult the list of release notes and security notices on Ubuntu’s website. The Ubuntu 16.04.1 LTS release includes all patches for security notices up to and including July 19. Newer patches can be downloaded from the Update Manager after you install it.
Hackers can snoop and even type keystrokes from at least 8 wireless keyboard vendors. A vulnerability across at least eight brands of wireless keyboards lets hackers read keystrokes from 250 feet away, according to wireless security vendor Bastille.
Hackers can type keystrokes from at least 8 wireless keyboard vendors

The problem is that the keyboards transmit to their associated PCs without encryption, and it’s just a matter of reverse engineering the signals to figure out how to read what keys are being hit, say Bastille researchers. An attacker could inject keystrokes while the keyboard is idle and the machine is logged in, they say, using a dongle that can be fashioned for less than $100.

The keyboards involved were chosen because they were readily available to the researchers, and the problem may exist with other brands, says Marc Newlin, a Bastille research-team member. Those in which Bastille found the vulnerability contained transceivers that didn’t encrypt the wireless signals and don’t support firmware updates that could correct the problem.

The keyboards examined are made by Hewlett-Packard, Anker, Kensington, RadioShack, Insignia, Toshiba, GE/Jasco and EagleTec. They use transceivers from MOSART Semiconductor except for Toshiba, which uses one from Signia Technologies, and GE/Jasco, which uses an unknown transceiver. Jasco licenses the GE brand name for the keyboards it makes. The exact models exploited by Bastille are listed here.

All the transceivers operate in the 2.4GHz ISM radio band, which lacks standards for how to secure traffic being transmitted, so each vendor comes up with its own scheme or not, Bastille says. This problem could exist in other keyboards, but Bastille Research only checked out a dozen.

To take advantage of the weakness, the researchers created a wireless dongle that fit in the attacker’s laptop. It was made by writing new firmware and software for an existing dongle called Crazyradio that is used to control an inexpensive toy quadcopter drone called Crazyflie.

Because the keyboards send out packets on a regular basis whether anyone is typing or not, attackers can scan and lock in on the keyboards and be ready to start capturing keystrokes when someone starts using them. That means attackers could capture passwords, credit card information and other sensitive data. They could also generate their own keystrokes to install malware, the researchers say.

The attack does work at distances greater than 250 feet line-of-sight, but the researchers cite 250 feet because at that distance it works with 100% accuracy all the time, Newlin says.

The researchers recommend customers with these devices switch to Bluetooth or wired keyboards. A Jasco spokesperson said in an email that customers with the affected keyboards can call 1-800-654-8483 for help. Vendors of the other keyboards did not respond to emails. KeySniffer is similar to a weakness and exploit Bastille discovered earlier in wireless keyboards and mice that it called MouseJack. Those attacks could be made from greater distances and through walls and glass windows.
Today I will show you that the best Pokémon Go map grabs data directly from the Pokémon Go servers. If you want the best Pokémon Go map, why not use the game’s servers to tell you where to find Pokémon? That’s the aim of Pokévision, which claims to use the game’s own API to discover the Pokémon in your midst.
Pokémon Go map grabs directly from servers

Pokévision’s premise is simple: It taps the game’s API to provide a real-time “cheat sheet” pointing to the locations of the nearest Pokémon in Pokémon Go. Each Pokémon location comes with a timer; when that timer expires, the Pokémon de-spawns and disappears. 

“Find all Pokémon near you (or a selected target location) in real time for Pokémon Go. Pokémon nearby will be marked along with their appearance timer on the map,” the Pokévision site claims. “These are real-time Pokemon locations, meaning they are currently live and can be found exactly at the marked spots.”

The map won't find Pokémon lured to you by incense or a lure, as those are only shown to you or the players around you, and not the world at large.

Why this matters: Pokévision may be the best Pokémon Go map precisely because it’s the ultimate cheat: Instead of asking classmates for the answers, Pokévision lifts the answers from the teacher. It begs the question: Doesn’t this violate the spirit of Pokémon Go, which is discovery? Possibly. However, the map doesn’t collect the Pokémon for you; it simply shows you where they are. If anything, this adds an urgency to the gameplay, as the rare Pokémon you want to collect may be a few miles away. The first chapter of Pokémon Go might have been a walking adventure; Pokévision could turn it into a road rally.

How to use Pokévision to find Pokémon
The problem is that Pokévision is quickly becoming one of the web’s most popular Pokémon maps, and the site’s servers are getting swamped. At first, you might get the impression that while Pokévision is great at showing where to find Pokémon in some major cities—London, downtown San Francisco, the Santa Monica, Calif. pier—it offers nothing outside of those areas. But don't give up.

The Pokévision site might be a little obtuse, but it does seem to work. To find Pokemon near a given location, you need to drop a location peg by clicking on the map. (Asking the map to find your location seems a little wonky, so we suggest you manually scroll to where you want to search.)

Once you’ve established a location, click the big red button at the bottom of the site to search for Pokémon nearby. Note that the button restricts searches to every 30 seconds, and there’s a faint scroll bar that shows when you can check again. When I first used it, the site didn’t find any Pokémon near me. But when I clicked again, Pokévision found three—in other words, it might take a couple tries.

The site’s Twitter feed indicates that the site is going up and down, depending on the number of people accessing the game and the website. It’s also not clear whether the site’s operators are going to restrict usage to a few countries, or try to broaden its coverage to all of the numerous countries that now play Pokémon Go.

In any case, we’ll be updating our list of the best Pokémon Go maps soon to add Pokévision at the top of the list. The bar has been raised. Assuming developer Niantic doesn’t somehow block the use of the Pokémon API to find Pokémon, finding Pokémon within Pokémon Go just got a lot easier.
Microsoft's move of Skype to the cloud comes with a continuing lack of disclosure on security and privacy.

Skype is moving to the cloud from its previous peer-to-peer (P2P) approach, and the sky is falling! Ok, not quite. It’s not a revolutionary move, given changes Microsoft already made in Skype’s infrastructure in 2012 after its acquisition of the service from eBay, which in turn bought it from its founders. Rather, it’s a technical and business change that lets Skype more rapidly roll out services that have a heavy reliance on back-end server elements, and which can be more reliable if handled centrally.
Skype moves to the cloud, but what about security?

Centralization doesn’t have to reduce a user’s expectation of privacy. But because Skype has never provided substantive disclosure about how it encrypts data and exactly how much of your private texts, voice calls, and video sessions it gives governments, we have little information on which to make a judgment. Centralizing Skype makes it somewhat easier to tap conversations, although there’s no good reason to change architecture entirely for that purpose.

The Guardian newspaper reported in 2013, based on documents provided by NSA whistleblower Edward Snowden, that the NSA had dramatically increased its ability to collect data from Skype several months after the Microsoft acquisition. In response, Microsoft reiterated its policy about working with legal requests, but has never clarified or refuted whether it can tap into encrypted conversations.

I don’t suggest the move to the cloud is a reason to stop using Skype—that reason has been in place since any other option existed with greater transparency about how its end-to-end encryption works.

When the Internet was thinly spread and expensive 
When Skype’s founders started to build the system in 2003, the Internet was much less resilient, and it was extremely expensive to buy and manage servers in data centers and carry huge amounts of traffic around the net. Rather than rely on centralization and a requirement of high-quality routes between data centers and end users, Skype used peer-to-peer (P2P) technology that let every other logged-in Skype user’s copy of the software share some of the load.

This was a revolution in the developing world, where network infrastructure has since substantially improved due to the rise of inexpensive cell phones, but at the time was stretched thin. Even in highly industrialized nations in the early 2000s, it was often unbelievably expensive to make non-local calls. I traveled briefly through Europe in 2000 and Costa Rica in 2002, and every tiny storefront had some kind of national or international calling service advertised. Many used low-speed dial-up phones and voice over IP relays.

Skype was built like a series of tin cans with string stretched between them, and had extremely efficient voice-compression algorithms (codecs) and a lot of tolerance for dropped packets and latency. A villager in South America could go to an Internet café and pay for a relatively affordable slice of time compared to other methods and make a call to a relative in the United States that probably sounded not much worse than long-distance phone service.

Many network endpoints were (and still are) hidden behind network address translation (NAT), which allows a single public Internet address to be shared by any number of private, internally routed addresses. Nearly all home and business networks are set up this way, because a public Internet address can expose a system to more risk, and because the old-style addresses still in use are scarce and thus expensive to obtain. (Old-style addresses use IPv4, a decades-old standard; IPv6, developed almost 20 years ago, is still making inroads and will solve scarcity and other problems.)

Skype’s inventors got around this problem with supernodes, which until 2012 were any Skype user’s copy of the program that was on a publicly addressed network segment. (You can read this very detailed examination for more.) The supernodes would let Skype software that couldn’t directly reach other software connect, but at least at times would also route portions of calls and files transferred. In areas with poor connectivity, peer-to-supernode connections could act like a smaller pipe connected to a bigger one, allowing communications where a direct route to a data center wouldn’t have worked.

According to an analysis by a researcher in 2006, a supernode could carry up to about 100Kbps of data to route calls and file transfers, too, although the median use was 60Kbps when relaying data. (The researcher was then at Cornell University and collaborated with two Google researchers; now he’s at Microsoft Research.)

Couldn’t supernodes enable snooping? Not precisely, but it didn’t hurt, either.

Look, up in the cloud! It’s a supernode!
Skype was designed from the start with what was then robust end-to-end encryption. Data sent between two peers was encrypted so that only each recipient’s software could unscramble it, making it essentially safe to pass through other supernodes. Supernodes, if monitored, could tap information about endpoints’ IP addresses and other details, but little else.

However, Skype has only ever revealed sketchy details about its system. On its site, there’s only this thin page. Apple, often seen as very tight-lipped, has a 63-page PDF detailing iOS security, including iMessage. The Electronic Frontier Foundation (EFF) gave Skype an extremely poor score in evaluating messaging safety as a result; Apple’s is much higher.

What’s known is that each Skype client is issued a private/public key pair using public-key cryptography. If implemented well, communications between any set of clients all using Skype should be effectively impossible to listen in on. However, there’s a flaw. Skype issues the digital certificates that validate legitimate access to an app’s private key in such a way that it’s possible for Skype to create any number of additional certificates that also pass muster.
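The certificate problem described above can be modelled in a few lines. This is an added example, not code from the article and not Skype's actual protocol: the toy textbook-RSA issuer key, the function names, the random bytes standing in for client public keys, and the trust-on-first-use pin check (a defensive measure the article does not describe) are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy issuer key: textbook RSA over two Mersenne primes. Illustration only, not secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent (Python 3.8+)

def _digest(identity: str, public_key: bytes) -> int:
    data = identity.encode() + b"\x00" + public_key
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def issue_certificate(identity: str, public_key: bytes) -> dict:
    """The issuer binds an identity to a public key by signing both."""
    sig = pow(_digest(identity, public_key), D, N)
    return {"identity": identity, "public_key": public_key, "signature": sig}

def certificate_is_valid(cert: dict) -> bool:
    """The only check made by a client that trusts the issuer alone."""
    return pow(cert["signature"], E, N) == _digest(cert["identity"], cert["public_key"])

def fingerprint(cert: dict) -> str:
    return hashlib.sha256(cert["public_key"]).hexdigest()[:16]

class PinStore:
    """Trust on first use: remember the first key seen for each identity."""
    def __init__(self):
        self._pins = {}

    def check(self, cert: dict) -> str:
        if not certificate_is_valid(cert):
            return "reject: bad issuer signature"
        pinned = self._pins.setdefault(cert["identity"], fingerprint(cert))
        if pinned != fingerprint(cert):
            return "warn: key changed for " + cert["identity"]
        return "ok"

def demo() -> list:
    alice_key = secrets.token_bytes(32)   # constructed stand-in for Alice's public key
    second_key = secrets.token_bytes(32)  # constructed key that Alice never generated
    genuine = issue_certificate("alice", alice_key)
    additional = issue_certificate("alice", second_key)
    pins = PinStore()
    # Both certificates pass the issuer check; only the pin notices the second key.
    return [certificate_is_valid(genuine), certificate_is_valid(additional),
            pins.check(genuine), pins.check(additional)]

if __name__ == "__main__":
    print(demo())
```

Signature validation alone cannot tell the two certificates apart, which is why systems that want to detect issuer-side substitution let users compare key fingerprints out of band or warn when a contact's key changes.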

Apple’s system for iMessage and FaceTime is designed so that Apple creates private keys and can’t access them later or spoof new ones. The same is true for all systems that rely on the Signal protocol developed by Open Whisper Systems, which includes the WhatsApp messaging system’s software.

Adding to concerns, Microsoft eliminated peer-based Skype supernodes in 2012 and moved all supernodes to the cloud. At the time, some speculated that was to allow easier “wiretapping,” although that ability already existed. Shifting to the cloud makes it easier still, though not much more. Skype will also support a Web-based app, which by its nature will have less ability to provide strong end-to-end encryption.

Cloud cuckoo land
Microsoft put out a statement about the latest move: “The changes to Skype’s architecture will not impact our current privacy statement. We are committed to delivering a secure experience for our users and Skype software applies highest industry standard encryption to all Skype audio and video calls. It is an important part of our security strategy now and as we make the transition over to a cloud infrastructure.”

This answers zero questions about what that secure experience is and how it’s implemented. With options like iMessage for Apple ecosystem users, WhatsApp for nearly every platform, and extremely strongly protected additional offerings like Signal from Open Whisper and Silent Circle’s hardware and apps, there’s no reason to settle.

If you want to have the most robust and most protected communications, regardless of the reason, Skype isn’t it. The move to the cloud makes it worse at privacy than it was before, but without a full, independent, and released report on the apps, algorithm, and infrastructure, we can only assume they don’t meet the high bar set by so many other apps and systems.