garnet_stone
Thu Feb 16 2006, 22:54
A balanced (but not detailed) perspective on Skype's security....
http://biz.yahoo.com/ap/060216/wiretapping...skype.html?.v=1
N.B. Bruce Schneier is one of the best known and well respected independent experts on security, especially cryptography.
Jean Mercier
Fri Feb 17 2006, 00:40
Thanks ...
Interesting!
Diamondmind50_
Fri Feb 17 2006, 01:35
garnet_stone
Fri Feb 17 2006, 23:10
Can you imagine this? Anti-Skypers have been claiming falsely for ages that Skype is not secure and that conversations are subject to eavesdropping by 3rd parties and government authorities. Then an article comes out explaining that Skype is not merely secure but is so secure that eavesdropping is a thing of the past. Then less than 24 hours later, articles start appearing with the claim that our civilization is at risk from criminals who receive aid from Skype for their nefarious activities, all because Skype is actually TOO SECURE. The press is irresponsible.
http://arstechnica.com/news.ars/post/20060...60217-6206.html
It won't result in Skype adding a back door. Instead, it will result in all the competitor VOIPs being exposed for their insecurity. The fact is that unencrypted VOIP is far less secure than unencrypted PSTN. If you're going to use VOIP and speak anything as private as a credit card number, then you probably ought to insist on encryption. In that scenario, there's not much choice beyond Skype.
BigPilot_
Mon Feb 20 2006, 13:40
I don't buy the claim that they're less interested in what is said as opposed to who is talking. Mind you that without knowing what you're saying they'll never be able to get a conviction or gain knowledge of a plot.
And given the fact that Skype is closed-source *and* now owned by an American firm (a country which considers itself at war and will therefore stop at nothing to get a stronghold over the 'terrorists'), I believe that Skype communications won't be secure for very long.
MuppetMaster
Mon Feb 20 2006, 21:37
[quote=BigPilot]I don't buy the claim that they're less interested in what is said as opposed to who is talking. Mind you that without knowing what you're saying they'll never be able to get a conviction or gain knowledge of a plot.
And given the fact that Skype is closed-source *and* now owned by an American firm (a country which considers itself at war and will therefore stop at nothing to get a stronghold over the 'terrorists'), I believe that Skype communications won't be secure for very long.[/quote]
Absolutely correct. Anyone who believes otherwise is delusional. And the funny part is that the US government will be the first to propagate the idea that NO backdoors exist...
Jean Mercier
Tue Feb 21 2006, 00:05
[quote=muppetmaster]And the funny part is that the US government will be the first to propagate the idea that NO backdoors exist...[/quote]All speculations, no facts ...
And believe me, I am also not happy about what the US is trying to make us believe!
I feel more like Garnet Stone: competitors of Skype will have to adopt encryption and I will feel more confident to tell my secrets to my boss, business partner or mistress if it is encrypted!
MuppetMaster
Tue Feb 21 2006, 06:15
[quote=Jean Mercier][quote=muppetmaster]And the funny part is that the US government will be the first to propagate the idea that NO backdoors exist...[/quote]All speculations, no facts ...
And believe me, I am also not happy about what the US is trying to make us believe!
I feel more like Garnet Stone: competitors of Skype will have to adopt encryption and I will feel more confident to tell my secrets to my boss, business partner or mistress if it is encrypted![/quote]
Skype is hastening the eventual requirement for tapping, by bringing the government's attention to the issue. Do not kid yourself, Skype is part of a US listed public company that also runs a financial arm. And it is a well known fact that the NSA has worked with other technology companies 'quietly' to insert back doors (such as IBM sharing part of the Lotus Notes export key with NSA so they were easily cracked).
So you may like to pretend it is all pure speculation to have your artificial sense of security, but most of us should be aware of realities.
BigPilot_
Tue Feb 21 2006, 09:29
[quote=Jean Mercier][quote=muppetmaster]And the funny part is that the US government will be the first to propagate the idea that NO backdoors exist...[/quote]All speculations, no facts ...
And believe me, I am also not happy about what the US is trying to make us believe!
I feel more like Garnet Stone: competitors of Skype will have to adopt encryption and I will feel more confident to tell my secrets to my boss, business partner or mistress if it is encrypted![/quote]
You want facts? Then look up 'NSAKey' on Google. It's pretty obvious Microsoft Windows is crawling with backdoors, most of which you will never find since they're so deeply hidden inside the operating system that they can't be detected (look up 'Rootkit' on Google).
I'll tell you my reasoning: the Americans would be idiots if they hadn't put in backdoors into MS-Windows....but I know they're *NOT* idiots, so I am assuming there ARE backdoors in Windows.
Jean Mercier
Tue Feb 21 2006, 10:25
[quote=BigPilot]You want facts? Then look up 'NSAKey' on Google.[/quote]Thanks
Big Plot
Didn't know about the NSA key. Interesting.
But still ... also speculations. Somehow strange that Microsoft didn't seem to provide a convincing answer!
I agree however that we should be awake concerning possible backdoors!
garnet_stone
Tue Feb 21 2006, 14:21
It's an unfair, paranoid, and clueless conjecture to compare Skype's encryption to Lotus or NSAkey where adding a back door was indeed simple. I just don't think there will ever be a Skype back door. Schneier and other security experts will be proven correct: Skype is the end of eavesdropping. This is making other VOIP players really mad.... because many of them will be unable to compete.... so it's no wonder they try to belittle the usefulness, effectiveness, and legality of Skype encryption.
But let's not underestimate the importance of metadata (who you're talking to, when, and location) in criminal investigations. It would be fairly simple for Skype to start gathering metadata (and pass it on to investigators). Although Skype may not want to do it, I'd be shocked if they were not ultimately required. Actually, I'm shocked that they are not gathering metadata already, because Skype could use it internally for demographics, patterning traffic, and generally improving the service.
Copperred_
Tue Feb 21 2006, 21:38
To Skype Corporate:
This issue is sacred to many, and I would suspect even the founders of Skype themselves. As we see Google fighting for its competitive advantage, will you do the same?
How long can you afford to not definitively make a statement about this issue that is barreling down on you?
Certainly, once the EU knows Skype is bugged, all the EU will abandon it for an alternative. You know this... you're Europeans.
Please make your position known as to what you intend to do. The lack of communication is fostering others to look to new developers who will simply piggyback on your own success. Remember you are not even 3 years old.
From a Skype lover....
garnet_stone
Wed Feb 22 2006, 04:36
[quote=Copperred]once the EU knows Skype is bugged, all the EU will abandon it for an alternative. You know this...your Europeans.[/quote]
Not meaning to pick on Copperred, but where do people get the idea that "Skype is bugged"? There is not one shred of evidence for that. In fact, all the evidence is at the other extreme. Even if you're afraid to admit that Skype is absolutely secure (in terms of encryption), it's still several orders of magnitude more secure than ANY of its competitors, and there's no reason to think it won't forever remain so. It's my casual observation that the folks who under-appreciate the importance of good cryptography are the same ones that don't know what good cryptography is anyway.
Copperred_
Thu Feb 23 2006, 17:45
Garnet_Stone,
No worries.... I am not implying that Skype is presently bugged, but that given Skype is now US owned it is likely that it will have to comply with FCC rules to do so and be forced to open up.
Given this impending future....will Skype (EU) fight this or roll over dead given the payout in it for them?
Skype's founders have been silent on this issue and I think it looks poorly on them. Many people the world over value their privacy, period.... and that Skype created this software is great, but will it now change for its new master? If they were to, I believe many in the EU would create a new alternative in reaction.
It boils down to whether Skype will protect the global individual's long-term right to privacy or not. It is a moral issue.
I again ask Skype to please make a statement that is clear on your beliefs so the community knows where you stand.
Cheers...
garnet_stone
Thu Feb 23 2006, 19:36
QUOTE(Copperred)
Garnet_Stone,
No worries.... I am not implying that Skype is presently bugged, but that given Skype is now US owned it is likely that it will have to comply with FCC rules to do so and be forced to open up.
Given this impending future....will Skype (EU) fight this or roll over dead given the payout in it for them?
Skype's founders have been silent on this issue and I think it looks poorly on them. Many people the world over value their privacy, period.... and that Skype created this software is great, but will it now change for its new master? If they were to, I believe many in the EU would create a new alternative in reaction.
It boils down to whether Skype will protect the global individual's long-term right to privacy or not. It is a moral issue.
I again ask Skype to please make a statement that is clear on your beliefs so the community knows where you stand.
Cheers...
Please bear with me...
First, you don't understand the FCC regulation in the USA. In the worst case scenario, the current law would never require Skype to gather new information, but only to release information that it already has. In other words, a "back door" would allow the government to see information that is in Skype's possession, and since Skype never comes into possession of the decryption keys, there is nothing for the government to "discover".
Second, if there were a move to change the law (requiring Skype to gather new information), it's likely to never become law because of the US Constitution. Encryption is defined as a weapon for self-protection that is protected by the 2nd Amendment.
Third, looking at the EU from a political standpoint, will they want to offer fewer freedoms than the US? I doubt it.
Fourth, from a technical standpoint, it's probably impossible to install a back door in Skype without eliminating its encryption altogether. This is why we're now seeing reports of criminals using Skype.... the competitors see an opportunity to attack Skype and get on level ground. Unfortunately for them, the Skype/eBay ecosystem is already too important to the world economy, especially in the USA, the EU nations, and China. Skype will be able to prove that it's impossible to make its encryption system unsafe for criminals while making it safe for commerce.
Fifth, the FCC has so far been unable to establish much jurisdiction over Skype at all because of its cheeky claim that Skype is not "telephony". Of course this has more to do with the FCC's silly "E911" rules, but it seems to also relate to eavesdropping regulations.
MuppetMaster
Fri Feb 24 2006, 21:14
QUOTE(garnet_stone)
It's an unfair, paranoid, and clueless conjecture to compare Skype's encryption to Lotus or NSAkey where adding a back door was indeed simple. I just don't think there will ever be a Skype back door. Schneier and other security experts will be proven correct: Skype is the end of eavesdropping. This is making other VOIP players really mad.... because many of them will be unable to compete.... so it's no wonder they try to belittle the usefulness, effectiveness, and legality of Skype encryption.
But let's not underestimate the importance of metadata (who you're talking to, when, and location) in criminal investigations. It would be fairly simple for Skype to start gathering metadata (and pass it on to investigators). Although Skype may not want to do it, I'd be shocked if they were not ultimately required. Actually, I'm shocked that they are not gathering metadata already, because Skype could use it internally for demographics, patterning traffic, and generally improving the service.
Nothing but ignoring reality.
garnet_stone
Sat Feb 25 2006, 05:25
QUOTE(muppetmaster)
Nothing but ignoring reality.
Muppetmaster, you're losing your touch! Or maybe you're just not feeling well. No facts? No attempt at a reasoned argument? You seem to have even given up beating dead horses. I feel cheated.
BigPilot_
Sat Feb 25 2006, 15:59
[quote=garnet_stone]
Fourth, from a technical standpoint, it's probably impossible to install a back door in Skype without eliminating its encryption altogether. This is why we're now seeing reports of criminals using Skype.... the competitors see an opportunity to attack Skype and get on level ground. Unfortunately for them, the Skype/eBay ecosystem is already too important to the world economy, especially in the USA, the EU nations, and China. Skype will be able to prove that it's impossible to make its encryption system unsafe for criminals while making it safe for commerce.
[/quote]
You're wrong of course. I've already claimed that it would be doable to reduce the effective encryption strength to a level which can be cracked relatively easily, but only by the people who know how it was done; to everyone else the encryption would simply *seem* like 256-bit AES. This would require alteration of the source code, of course, and it would assume that most people switch to a newer Skype version, but it IS possible. That's why I'm not so happy about a US company buying Skype.
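The weakened-but-identical-looking key generation BigPilot describes can be shown concretely. The block below is an added illustration, not Skype's code and not anything the thread claims Skype does: it compares an honest 256-bit key generator with a hypothetical one whose 32-byte output is derived from a seed of only a few bits, so that ciphertexts and key lengths are indistinguishable from the outside while an insider who knows the derivation (the assumed `expand_seed` construction) recovers the key by brute force. AES itself is replaced by a standard-library stand-in (XOR with a SHA-256 keystream) so the example runs offline; the weakness demonstrated lives entirely in key generation.

```python
"""Added example (not Skype's code): a key generator that looks like AES-256 from the
outside but was built from a small seed, so an insider who knows the derivation can
brute-force it. The cipher is a stdlib stand-in for AES-256 (XOR with a SHA-256
keystream); the weakness demonstrated is entirely in key generation."""
import hashlib
import os
import struct

KEY_BYTES = 32  # 256-bit key in both variants; identical on the wire


def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256-CTR: XOR data with SHA-256(key || block counter).
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + struct.pack(">Q", blk)).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def honest_keygen() -> bytes:
    """Full 256 bits of entropy from the OS CSPRNG."""
    return os.urandom(KEY_BYTES)


def expand_seed(seed: int) -> bytes:
    """Hypothetical deterministic expansion an insider would know (assumed construction)."""
    return hashlib.sha256(b"weak-kdf|" + seed.to_bytes(4, "big")).digest()


def backdoored_keygen(seed_bits: int = 20) -> bytes:
    """Returns a 32-byte key, but only seed_bits of entropy went into it."""
    seed = int.from_bytes(os.urandom(4), "big") & ((1 << seed_bits) - 1)
    return expand_seed(seed)


def recover_key(known_plaintext: bytes, ciphertext: bytes, seed_bits: int = 20):
    """Insider attack: enumerate 2**seed_bits seeds instead of 2**256 keys, using a
    few bytes of known plaintext (e.g. a fixed protocol header) to confirm the guess."""
    prefix = ciphertext[:len(known_plaintext)]
    for seed in range(1 << seed_bits):
        candidate = expand_seed(seed)
        if keystream_cipher(candidate, prefix) == known_plaintext:
            return candidate
    return None


def insider_recovers_key(seed_bits: int = 16) -> bool:
    """End-to-end check: a backdoored key is recovered; an honest key is not."""
    header = b"SKYPE-CALL-SETUP"  # constructed sample plaintext, 16 bytes
    message = header + b" card=4111 1111 1111 1111"  # constructed sample
    weak = backdoored_keygen(seed_bits)
    strong = honest_keygen()
    weak_hit = recover_key(header, keystream_cipher(weak, message), seed_bits)
    strong_hit = recover_key(header, keystream_cipher(strong, message), seed_bits)
    return weak_hit == weak and strong_hit is None


if __name__ == "__main__":
    print("insider recovers backdoored key, not honest key:", insider_recovers_key())
```

Both generators return 32 bytes and both ciphertexts look the same; only the entropy that went into the key differs, which is exactly why a closed binary cannot be judged by the cipher name it advertises. A real deployment would hide the seed space far better than this toy does (for example inside a biased RNG), but the search-space arithmetic is the same.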
garnet_stone
Sat Feb 25 2006, 21:21
[quote=BigPilot][quote=garnet_stone]
Fourth, from a technical standpoint, it's probably impossible to install a back door in Skype without eliminating its encryption altogether. This is why we're now seeing reports of criminals using Skype.... the competitors see an opportunity to attack Skype and get on level ground. Unfortunately for them, the Skype/eBay ecosystem is already too important to the world economy, especially in the USA, the EU nations, and China. Skype will be able to prove that it's impossible to make its encryption system unsafe for criminals while making it safe for commerce.
[/quote]
You're wrong of course. I've already claimed that it would be doable to reduce the effective encryption strength to a level which can be cracked relatively easily, but only by the people who know how it was done; to everyone else the encryption would simply *seem* like 256-bit AES. This would require alteration of the source code, of course, and it would assume that most people switch to a newer Skype version, but it IS possible. That's why I'm not so happy about a US company buying Skype.[/quote]
You might be able to criticize me for speculating about people's motives, but I am not wrong about the overall excellence of Skype encryption and its clever strategies to keep it that way.
You on the other hand think that bad encryption, bad programming, and a general carelessness is the same thing as installing a "back door", and you speculate that Skype would do this intentionally, with the complicity of the US government, and that none of this information would leak to hackers. That's amazing, and it confirms my suspicions about the motives of those whose think the way you do.
MuppetMaster
Sun Feb 26 2006, 11:19
'those whose think'? What does that mean?
Jean Mercier
Sun Feb 26 2006, 11:29
[quote=muppetmaster]'those whose think'? What does that mean?[/quote]I will explain Muppet Master: taiping mistaik
MuppetMaster
Sun Feb 26 2006, 22:09
[quote=Jean Mercier][quote=muppetmaster]'those whose think'? What does that mean?[/quote]I will explain Muppet Master: taiping mistaik

[/quote]
A typing mistake would be a spelling error, not a grammmmaaatical one.
Jean Mercier
Sun Feb 26 2006, 22:41

:lol:
garnet_stone
Sun Feb 26 2006, 23:46
[quote=muppetmaster][quote=Jean Mercier][quote=muppetmaster]'those whose think'? What does that mean?[/quote]I will explain Muppet Master: taiping mistaik

[/quote]
A typing mistake would be a spelling error, not a grammmmaaatical one.[/quote]
Whoops.
Condor
Mon Feb 27 2006, 06:51
Skype has existed for 2.5 years. During this time no United States government official has, to my knowledge, publicly expressed an opinion that Skype is a threat to national security.
Why? In my opinion either NSA long ago broke the encryption or Skype gave them a back door key. Loose lips sink ships so why disturb the honeypot?
Like a poker game, the silence is a great tell.
:wink:
garnet_stone
Mon Feb 27 2006, 13:07
[quote=Ocelot]Skype has existed for 2.5 years. During this time no United States government official has, to my knowledge, publicly expressed an opinion that Skype is a threat to national security.[/quote]
Actually the former Director of Homeland Security, Tom Ridge, has expressed a lament that VOIP encryption (which we have to assume means Skype) is a problem for them. What he means by the lament is that both the Constitution and the encryption itself impose obstacles that he sees no way around. He wouldn't be complaining if he already had a way to beat it. His only solution is to eliminate VOIP encryption altogether, and that would require a change in the Constitution which he knows is not going to happen.
As to your premise, that Skype would be a threat to national security without a "back door", that also is mere conjecture. The weapon of encryption has always been viewed two ways. On the one hand it allows criminals, terrorists, and totalitarian forces to attack the institutions of a free democracy, and on the other hand it can enable the forces for freedom and commerce to overwhelm them. The politics in Washington these days is absolutely on the side of freedom fighters.
granger_
Mon Feb 27 2006, 13:12
[quote=garnet_stone]Actually the former Director of Homeland Security, Tom Ridge, has expressed a lament that VOIP encryption (which we have to assume means Skype) is a problem for them. What he means by the lament is that both the Constitution and the encryption itself impose obstacles that he sees no way around. He wouldn't be complaining if he already had a way to beat it. His only solution is to eliminate VOIP encryption altogether, and that would require a change in the Constitution which he knows is not going to happen.[/quote]
I'm not saying this to argue, but I've seen you mention that encryption is protected by the constitution on more than one occasion. Is this your interpretation of the constitution or has this been upheld in a court of law?
It seems to me that since encryption is not expressly protected in the constitution it is up to the courts to regulate it how they see fit. It would be their job to interpret the constitution to decide what it says about encryption. Perhaps this precedent already exists and I am unaware of it.
But even if it does, that can be changed. The constitution says we have a right to bear arms, but that doesn't mean you can have a missile in your basement. Even though you may have the right to encryption, you may not have the right to all encryption or backdoor free encryption. It's all up to interpretation by the courts IMO.
garnet_stone
Mon Feb 27 2006, 14:56
[quote=granger]I'm not saying this to argue, but I've seen you mention that encryption is protected by the constitution on more than one occasion. Is this your interpretation of the constitution or has this been upheld in a court of law?
It seems to me that since encryption is not expressly protected in the constitution it is up to the courts to regulate it how they see fit. It would be their job to interpret the constitution to decide what it says about encryption. Perhaps this precedent already exists and I am unaware of it.
But even if it does, that can be changed. The constitution says we have a right to bear arms, but that doesn't mean you can have a missile in your basement. Even though you may have the right to encryption, you may not have the right to all encryption or backdoor free encryption. It's all up to interpretation by the courts IMO.[/quote]
Of course you are correct to say that it's up to interpretation, but when you read the Constitution, you cannot help but notice that there is a "right to bear arms". It doesn't specify only small arms, or only arms for self protection or for sport or for hunting food. The operative principle in US law is not the weapon itself, but rather using the weapon for committing [potential] crime, including threatening your neighbor. A big weapon that has a legitimate purpose and does not impose a threat may be legal to carry, but knitting needles in another situation can be prohibited.
As for encryption, it has been in court on several occasions going back more than 10 years, so not only is there precedent, but there are now lots of specific regulations (getting progressively weaker, not stronger). Here's one reference that you may find helpful...
http://rechten.uvt.nl/koops/cryptolaw/index.htm. If I may over-simplify, weak encryption is legal in a very broad way. Strong encryption is legal for an American to own and use, but it is not always legal for export. Because Skype is not an American creation, it has always been legal for an American to use it, but if it had been "invented" in America it might have been (at one time at least) illegal. This may sound like backwards logic, but it's true. The US Government tried (many years ago) to make good encryption illegal for Americans but failed.... and one reason is that they concluded encryption would bring more good than harm. The EU has come to similar conclusions. To my knowledge (and I have NOT studied the subject thoroughly), the only countries that disagree are totalitarian.
rearden2077_
Mon Mar 13 2006, 23:55
Once again we come to one of the primary points of open source: Is it wise to trust the statements of a corporation with regards to its product? There could either be programming and design errors (bugs or bad implementations), or there could be openings placed there for specific purposes (backdoors).
Since skype seems to have taken particular pains to make understanding/hacking the program difficult, we are left with relying upon third party analysis. Skype has commissioned at least one analysis, other researchers have also looked at skype. Some things have been found and fixed, but it still comes down to trusting a corporate entity. This is not uncommon, but still far from an optimal situation. Corporate entities have both political pressure (look at Google in China) and financial pressure (govt lawsuits are expensive even if you are right).
I think a look at the history of governments and communication companies shows that they leave a lot to be desired with their "we don't eavesdrop" credibility. James Bamford chronicles this in _The Puzzle Palace_. This goes from RCA giving telegraph tapes to the spy agency of the day to modern day Echelon (which doesn't really require much collusion).
In the US the fourth amendment says that people are to be secure in their persons, papers and effects from the govt, and the fifth amendment is supposed to protect self incrimination, but sometimes I wonder how long that will be the case with encryption keys or passphrases. If I understand correctly, currently in the UK, it is a significant criminal offense to not turn over encryption keys or passphrases.
I use skype frequently and recommend it frequently to others. It is currently the best out there. It offers encryption by default; no other program in large circulation does that. And it is starting to make encryption a "must have" in internet communication rather than an odd add-on for geeky paranoid types. But when an open source skype alternative appears I will probably use and recommend it instead simply over the trust issue. Skype is not verifiably secure in a serious sense of the word. The internet offers an opportunity to make the transmission of communication quite secure, much more than without the internet. Skype has taken significant philosophical steps toward that end, but they have decided to consciously not take one of the most important steps, "Trust, but verify".
rearden
garnet_stone
Wed Mar 15 2006, 07:29
[quote=rearden2077]In the US the fourth amendment says that people are to be secure in their persons, papers and effects from the govt, and the fifth amendment is supposed to protect self incrimination, but sometimes I wonder how long that will be the case with encryption keys or passphrases. If I understand correctly, currently in the UK, it is a significant criminal offense to not turn over encryption keys or passphrases.[/quote]
You can't turn over what is not in your possession. Skype has taken pains to make sure that they never come into real possession of keys. Doesn't this adequately address the UK situation?
[quote=rearden2077]I use skype frequently and recommend it frequently to others. It is currently the best out there. It offers encryption by default; no other program in large circulation does that. And it is starting to make encryption a "must have" in internet communication rather than an odd add-on for geeky paranoid types. But when an open source skype alternative appears I will probably use and recommend it instead simply over the trust issue. [/quote]
If the important feature in encryption is being always on and running in default mode with no setup, then I really question whether any open source product will ever compare with Skype.
[quote=rearden2077]Skype is not verifiably secure in a serious sense of the word. The internet offers an opportunity to make the transmission of communication quite secure, much more than without the internet. Skype has taken significant philosophical steps toward that end, but they have decided to consciously not take one of the most important steps, "Trust, but verify"[/quote]
I agree completely that Skype is not, as of today, at the point of "Trust but verify". But it seems farther along in that direction (toward openness) today than it was a year ago. Right direction.... long way to go.
BigPilot_
Wed Mar 15 2006, 09:37
[quote=rearden2077]If I understand correctly, currently in the UK, it is a significant criminal offense to not turn over encryption keys or passphrases.
rearden[/quote]
The British are idiots anyway; their country is being turned into an Orwellian state but there's little or no resistance from the masses.
I've long argued that such a law is against the Bill of Rights or Constitution since it forces people to incriminate themselves. I'm pretty sure there's also a U.N. convention which forbids this.
BigPilot_
Wed Mar 15 2006, 09:40
[quote=garnet_stone]
You can't turn over what is not in your posession. Skype has taken pains to make sure that they never come into real posession of keys. Doesn't this adequately address the UK situation?[/quote]
You just won't listen, do you? Read my posts again and again until you figure it out. Hang them on the wall in your bathroom so you can look at them again and again. I'm not going to spell it out for you again.
BigPilot_
Wed Mar 15 2006, 09:54
[quote=garnet_stone]It's an unfair, paranoid, and clueless conjecture to compare Skype's encryption to Lotus or NSAkey where adding a back door was indeed simple. I just don't think there will ever be a Skype back door. Schneier and other security experts will be proven correct: Skype is the end of eavesdropping. This is making other VOIP players really mad.... because many of them will be unable to compete.... so it's no wonder they try to belittle the usefulness, effectiveness, and legality of Skype encryption.
But let's not underestimate the importance of metadata (who you're talking to, when, and location) in criminal investigations. It would be fairly simple for Skype to start gathering metadata (and pass it on to investigators). Although Skype may not want to do it, I'd be shocked if they were not ultimately required. Actually, I'm shocked that they are not gathering metadata already, because Skype could use it internally for demographics, patterning traffic, and generally improving the service.[/quote]
People forget that although 256-bit AES is probably secure, the 1024-bit RSA which is used to encrypt and send the AES keys to the other user probably isn't. This will enable intelligence agencies to break it and grab the AES key which they can then use to listen in on the conversation. People have claimed that far bigger RSA keys (as long as 16,000 bits) are needed to get the same level of encryption strength as AES.
garnet_stone
Wed Mar 15 2006, 15:14
[quote=BigPilot]People forget that although 256-bit AES is probably secure, the 1024-bit RSA which is used to encrypt and send the AES keys to the other user probably isn't. This will enable intelligence agencies to break it and grab the AES key which they can then use to listen in on the conversation. People have claimed that far bigger RSA keys (as long as 16,000 bits) are needed to get the same level of encryption strength as AES.[/quote]
You make a valid but largely irrelevant point. Everything is breakable and it's obvious that a large RSA key is more secure than a small one. However, the privacy issues in the post Skype era are not really related to the ability to force open a targeted conversation. They're about gathering and correlating massive amounts of metadata. The days of eavesdropping will end because Skype, even with a small RSA key that might be breakable, is secure enough to simply end all efforts. Remember that encryption is NOT the only security feature of Skype. P2P can by itself make it quite difficult to find a "target" in the first place. VOIP eavesdropping is a thing of the past thanks to Skype.
garnet_stone
Wed Mar 15 2006, 15:29
In terms of winners and losers, the key to VoIP privacy at the end of the day may boil down to a VHS-v-Betamax kind of decision. The best encryption may not be the eventual winner. Rather, the first "easy to use" system in the market is most likely to win. That is Skype.
Also, listen to Phil Zimmerman, the author of PGP: "The PSTN is like a well-manicured neighborhood, (while) the internet is like a crime-ridden slum. To move all of our phone calls from the PSTN to the internet seems foolish without protecting it."
How anyone can use VOIP without encryption is beyond my comprehension.
BigPilot_
Wed Mar 15 2006, 17:15
[quote=garnet_stone][quote=BigPilot]People forget that although 256-bit AES is probably secure, the 1024-bit RSA which is used to encrypt and send the AES keys to the other user probably isn't. This will enable intelligence agencies to break it and grab the AES key which they can then use to listen in on the conversation. People have claimed that far bigger RSA keys (as long as 16,000 bits) are needed to get the same level of encryption strength as AES.[/quote]
You make a valid but largely irrelevant point. Everything is breakable and it's obvious that a large RSA key is more secure than a small one. However, the privacy issues in the post Skype era are not really related to the ability to force open a targeted conversation. They're about gathering and correlating massive amounts of metadata. The days of eavesdropping will end because Skype, even with a small RSA key that might be breakable, is secure enough to simply end all efforts. Remember that encryption is NOT the only security feature of Skype. P2P can by itself make it quite difficult to find a "target" in the first place. VOIP eavesdropping is a thing of the past thanks to Skype.[/quote]
You're claiming that the Skype encryption makes dragnet searches impossible but that's not necessarily true IMHO. The NSA has huge financial resources and even if it takes them a couple of seconds to break a message it will still allow them to catalogue and classify all the communications on the Internet, it will merely cost them more money (of which they don't have a lack of, I might add).
All encryption can theoretically be broken but in my opinion it should and can be made infeasible to do so. The 256-bit AES used by Skype is infeasible to crack, but the 1024-bit RSA may well take only seconds to break. This would mean that the AES protection is broken by the weakness of the RSA encryption. It also means that Skype's claim of 256-bit AES gives people a false sense of security.
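The weakest-link argument in BigPilot's two posts above (AES-256 session keys transported under RSA-1024) can be put in numbers. The block below is an added example, not part of the thread and not Skype's code: it takes the RSA-to-symmetric equivalences published in NIST SP 800-57 Part 1 (Table 2: 1024 → 80, 2048 → 112, 3072 → 128, 7680 → 192, 15360 → 256 bits; note the 15360 figure, which is the "16,000 bits" claim in round numbers) and also computes the General Number Field Sieve cost heuristic L_n[1/3, (64/9)^(1/3)] for any modulus size, then reports the effective strength of a hybrid scheme as the minimum of the two primitives. The GNFS estimate drops the o(1) term, so it runs a few bits above NIST's conservative table; it is here to show where the table comes from, not to replace it. Whether Skype actually used 1024-bit RSA is BigPilot's claim, not something this example verifies.

```python
"""Added example (not Skype's code): effective strength of a hybrid scheme is bounded by
its key-transport primitive. NIST SP 800-57 Part 1 equivalences plus the GNFS heuristic."""
import math

# NIST SP 800-57 Part 1, Table 2: RSA modulus bits -> comparable symmetric strength (bits)
NIST_RSA_EQUIV = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def gnfs_bits(modulus_bits: int) -> float:
    """Heuristic factoring cost of an n-bit modulus with the General Number Field Sieve,
    L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) with c = (64/9)^(1/3),
    returned as log2 (i.e. 'bits of work'). The o(1) term is omitted, so this sits
    a few bits above the NIST table."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def rsa_equivalent_bits(modulus_bits: int) -> int:
    """Symmetric-equivalent strength of an RSA modulus: NIST table when listed,
    otherwise the GNFS heuristic rounded down."""
    if modulus_bits in NIST_RSA_EQUIV:
        return NIST_RSA_EQUIV[modulus_bits]
    return int(gnfs_bits(modulus_bits))


def hybrid_strength(symmetric_bits: int, rsa_modulus_bits: int) -> int:
    """A session key transported under RSA is only as strong as the weaker of the two:
    factor the modulus, unwrap the key, and the symmetric cipher never has to be attacked."""
    return min(symmetric_bits, rsa_equivalent_bits(rsa_modulus_bits))


def rsa_bits_for(symmetric_bits: int) -> int:
    """Smallest listed RSA modulus that does not weaken a symmetric key of this size."""
    for modulus in sorted(NIST_RSA_EQUIV):
        if NIST_RSA_EQUIV[modulus] >= symmetric_bits:
            return modulus
    raise ValueError("no listed modulus reaches %d-bit strength" % symmetric_bits)


if __name__ == "__main__":
    for rsa in (1024, 2048, 3072, 15360):
        print("AES-256 under RSA-%-5d -> effective %3d bits (GNFS heuristic %.0f)"
              % (rsa, hybrid_strength(256, rsa), gnfs_bits(rsa)))
    print("RSA modulus needed to match AES-256:", rsa_bits_for(256))
```

The same bound applies to any hybrid construction, including ones where the transport key is ephemeral: a recorded session can be opened later by whoever can factor the modulus, regardless of how long the symmetric key is.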
rearden2077_
Wed Mar 15 2006, 23:51
Zimmerman released his Zfone SIP add-on beta in the last few days. It is available for Linux and Mac with XP planned in mid April.
It is an interesting concept in that it sits in the SIP stream and encrypts. It is not a phone application itself. He is also submitting an RFC for his ZRTP protocol (I guess an alternative to the older SRTP which Sipura and snom use).
I guess for more skype security you could set things up to use ipsec, ssh or even use some proxy anonymizers or even tor. I haven't tried any of those except ipsec and the proxy performance would probably stink. Turning on OE IPsec on windows did show ipsec connections between the skyping machines.
So you can make skype more secure by having more skypers turn on OE IPsec and use a common CA. say Thawte Freemail or cacert.org
http://en.wikipedia.org/wiki/Opportunistic_encryption
http://slashdot.org/~cronscript/journal/131319
"They" may even have your skype session keys, but if that is ipsec packaged and you are p2p, then it doesn't do "them" any good.
rearden