On May 18, 2013, at 6:49 AM, Adam Back <a...@cypherspace.org> wrote:

> On Fri, May 17, 2013 at 04:52:07AM -0400, bpmcontrol wrote:
>> On 05/17/2013 04:19 AM, Eugen Leitl wrote:
>>> It is unreasonable for a closed source product by a commercial
>>> vendor to go any other way [putting backdoors in security products]
>> Makes perfect sense. as it's sometimes required by law,
>> other times required to keep the users safe or companies away from legal
>> harm.
> 
> Well that seems like a bold and controversial claim to me, maybe with its
> own liability and legal implications!
> 
> Would you expect microsoft IIS web server to contain an SSL backdoor?  Or
> microsoft VPN client?  Or cisco?  A lot of businesses and individuals are
> relying on these things to do what is advertised.  Not doing what is
> advertised can itself get companies in trouble, in many jurisdictions.
> Skype has/had as a differentiator that it was end2end encrypted, it is my
> impression that a number of people used it for that purpose. 
> Adam
> 


there are numerous other IM systems that are server centric and do a lot of
work to look for and filter "bad" urls sent in the message stream.

this is intended to be for the benefit of the users in filtering spam,
phishing, malware links, particularly those that spread virally through
buddy lists of taken over accounts.
sometimes these links (when believed to be malicious) are simply (and
silently) not forwarded to the receiving user.

this involves databases of link and site reputation, testing of new links,
velocity and acceleration measurements, etc.  the usual spam filtering
technology.

my impression is that almost all users thank us for doing that job of
keeping them safe.
they understand that IM is yet another channel for transmitting spam.

the url filtering is aggressive enough (and unreliable enough) in some
cases that you have to check with your counterparty in conversation if they
got that link you just sent.  so users are aware of it, if only as an
annoyance.  (once again, spam filtering gets in the way of productive
communication)

i am merely telling you how it is.  obviously user expectations differ on
AIM, Yahoo Messenger, etc. from those of users on Skype, some of whom
believe there is magic fairy dust sprinkled on it, and that it is easier to
use than something else with OTR as a plugin.

i would give microsoft the benefit of the doubt.

however, as a company with operations in numerous countries, and subject to
pressures from numerous governments, it would help a lot if microsoft were
more transparent about what jurisdictions have access to what traffic (in
real time or retained), how keys are managed, and the differences between
clients and client versions, rather than continuing to simply publish tom
berson's valiant and completely outdated review of (i believe) a no longer
supported client.

it may in fact be true that a human rights worker using the intl skype
client and in the middle east is safer from their govt's intrusions than
someone who is a POI to US LE.

(but the chinese human rights worker who made the bad choice to use the Tom
client which speaks their language seems to have about as much safety as
carrying a big sign on Tiananmen Square).




> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
