Dear Eric,

Eric S Johnson:
> Sauer: We answer to this question: We provide a safe communication option
> available. I will not tell you whether we can listen to it or not.
>
> In other words, no evidence there, either.
>

There is also no useful definition of safe. Does that include secure? Does
that mean safe from Skype? Safe from the Syrian government? Safe from anyone
without a super computer?

> (NB the question is "do we have evidence." Not "are we inclined to suspect,
> based on our intuition / religion / ideology / paranoia.")
>

We have all kinds of information that clearly shows evidence of interception
capabilities. That information leads to many questions. I outlined a number
of those issues in this post:

http://lists.randombit.net/pipermail/cryptography/2013-May/004264.html

It is not simply 'are we inclined to suspect' - we are past suspicion, now we
are looking for explanations about the *scope* of the compromised
communications channel. Please feel free to address the points I made in that
email - both how each thing isn't concerning and how you imagine the system is
built such that this evidence shouldn't concern anyone.

> > skype can force update itself

Indeed.

> Skype's auto-update feature can be turned off (at least, every version of
> Skype I've ever run allows that, including the one I'm running now,
> 6.3.0.107).
>

How have you verified that a specific person cannot be targeted and that this
setting is impossible to disregard? Generally, we require source code for such
a verification. Furthermore, I wonder if an old patched Skype client that is
remotely exploitable is really one where someone cannot update it remotely? It
seems unlikely.

> > "At a meeting with representatives of ISPs and the Austrian regulator on
> > lawful interception of IP based services held on 25th June, high-ranking
> > officials at the Austrian interior ministry revealed that it is not a
> > problem for them to listen in on Skype conversations.
>
> I agree - this one (from 2008, thus well predating Skype's acquisition by MS)
> seems categorical. It seems like such an outlier, though, that one wonders
> whether it's based on a misunderstanding (as so many other reports of "Skype
> can be monitored" have been (usually because they're referring to monitoring
> one of the endpoints, not in-line interception)).
>

The malware angle is a perfectly fine explanation and we have seen it time
and time again.

> I'm totally not asserting Skype is uncrackable (anything can be cracked,
> with enough computing power)

This statement here is madness or it is nonsense. Yes, if we brute force
something over millions of years, anything may be cracked. Generally though,
competently designed crypto systems are broken without brute force but through
shortcuts or implementation flaws. In those cases, it is rarely a problem of
computing power. When you say that nothing is uncrackable, I find it
frustrating. Salsa20 isn't uncrackable but short of brute force, we know of
nothing to speed up an attack against it. It is currently understood that a
brute force of Salsa20 will take a lot longer than a human lifetime, say on the
order of the history of the entire human civilization give or take hundreds of
millions of years. Skype on the other hand seems to require no cracking except
perhaps for the link between the user's computer and a few Skype servers. This
is very different from, say, Salsa20; to suggest that this is even in the same
ballpark is silly.

> - just looking for a smoking gun, or even a gun,
> or even smoke, or even a bullet-hole, or even a bullet casing, or even
> unused ammo, or anything vaguely evidence-like.

They claim in their privacy policy to record data that people consider
confidential, they interface with CALEA compliant telephone systems, they
discover and fetch URLs only shared between two parties over Skype, we know
they have other metadata, we also see from Microsoft's report that they do
have *some* data to hand over. It goes on and on.

When we combine this with targeted malware, I think we would have to be blind
to say that there is nothing even vaguely evidence-like. Even if we leave out
the malware, the URL scanning and the privacy policy are both directly
observable without having a third party involved other than a friend you trust
or by simply reading their website.

I'd love to see examples from the competent court that Skype has traditionally
recognized and to see evidence that they have produced under court order. My
guess is that there is little that requires cracking at all and it simply
requires compelling disclosure of logged or server side stored data.

All the best,
Jacob

_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography
