On 19/05/13 00:29 AM, Ethan Heilman wrote:
>> Actually I think that was the point, as far as anyone knew and from the last
>> published semi-independent review (some years ago on the crypto list as I
>> recall) it indeed was end2end secure.
>
> Skype has never claimed it is end to end secure  ...

I think that is false. Skype have in the past facilitated (contracted?) at least one independent audit of the system that is still posted on their website. As an audit, it provides a point-in-time statement that we can rely upon to a great extent, as both representations of the special auditor and of Skype.

This was also circumstantially confirmed in around 2007 when it was discovered that intelligence agencies were sharing attack kits, as you suggest [0].

This raises then several questions - for me at least. (1) when did Skype change, (2) what actions did they take to change the public perception of their offering, (3) how far have they unwound it?

(1) when? It has long been suggested that Microsoft did this. But they have been coy about it, they have admitted to some form of legal provision, but they certainly haven't announced the wholesale dropping of the e2e security as suggested by URL scanning.

(2) deception. People are entitled to rely on the representations made by other people, especially when they are made on the basis of some product offering for security. Skype made their reputation as being free and secure (e2e) telephony. The latter was something that many people bought into. It is now the largest telco in the world, by minutes, in no small part because people enjoyed both security as well as free calls to their friends.

If however they have changed that security claim, and declined to inform users, then that is a deception. Worse, it is a deception against their users, for the benefit of others (in this case intel & police) that are not their users.

If indeed they have done this, then people like us -- the security community -- are entitled to report the deception widely.

But, we cannot report that deception until we get proof. Hearsay doesn't cut the mustard [1]. Now we have proof.

(3) How far does this go? The URL scanning indicates that there is far more going on than some special supernode mode to decrypt on demand by court orders [2]. This indicates a complete roll-back from e2e to client-server security. Which brings with it data mining, live feeds to intel and police and Microsoft support and the Egg Board, marketing sales, vulnerability to corruption & bribery, and routine use in civil court cases such as divorce [3].

This is not the reputation that Skype was made on. I would wonder whether there is anything left of it?

iang

[0] police agencies were also having trouble and complaining at that time in the press and to lawmakers; see last quote below.

[1] at least, in Anglo countries, society's convention is that one sticks to the facts. In Germany and perhaps others, proof of facts is not necessarily a defence against defamation of a company. From what I recall, we'd probably need some locals to explain it more.

[2] 1st and 2nd quotes below.

[3] E.g., as John reported, a clear case of non-intelligence low-bar availability for a routine prosecution of some random journeyman level scumbags. John, if you're still suffering our questions, was your case civil or criminal?


> in fact they have
> hinted many times that they can and do listen to users' conversations:
>
> "Skype, Skype's local partner, or the operator or company facilitating
> your communication may provide personal data, communications content
> and/or traffic data to an appropriate judicial, law enforcement or
> government authority lawfully requesting such information. Skype will
> provide reasonable assistance and information to fulfill this request
> and you hereby consent to such disclosure." -
> http://www.skype.com/en/legal/privacy/#collectedInformation
>
> "After Microsoft in May 2011 acquired Skype, she provided legal
> technology of Skype audition, says the executive director of Peak
> Systems Maxim Emm . Now, any subscriber can switch to  a special mode
> in which the encryption keys that were previously generated on the
> phone or computer, the subscriber will be generated on the server.
> [..]
> With access to the server, you can listen to the conversation or read
> the correspondence. Microsoft provides the opportunity to use this
> technology, intelligence agencies around the world, including Russia,
> the expert explains."
> google translated from Russian
> http://www.vedomosti.ru/politics/news/10030771/skype_proslushivayut
>
> "Skype spokesman did not deny the company's ability to intercept the
> communication. On the question of whether Skype could listen in on
> their users' communication, Kurt Sauer, head of the security division
> of Skype, replied evasively: "We provide a secure means of
> communication. I will not say if we are listening in or not." -
> http://en.wikipedia.org/wiki/Skype_security#cite_ref-22
>
> Local German police also appear to use malware to attack Skype, so it
> appears that at some point in the past Skype may not have been
> cooperating with all LE requests. -
> http://wikileaks.org/wiki/Skype_and_the_Bavarian_trojan_in_the_middle
>
> Pretty much as far back as the 1700s communications companies have
> provided backdoors to state security and intelligence agencies. This
> was true in the age of telegrams and telex and it is true in the age
> of voip. As a general rule "any third party in any communication
> scheme is likely cooperating with all friendly intelligence agencies".

_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography