On 26/05/13 03:31 AM, James A. Donald wrote:
On 2013-05-26 2:13 AM, Eric S Johnson wrote:

Sauer: We answer to this question: We provide a safe communication
option available. I will not tell you whether we can listen to it or not.

In other words, no evidence there, either.


Oh come on.  "We will not tell you" tells us.



This is the problem with non-disclosure. It tells us, but what does it tell us?

For my money, Mr Sauer has told us that Skype is /preserving the option/. He doesn't tell us who Skype is listening to or when; it is even worse than that: they are preserving the option for anyone they so desire. People who hold an option do so because they can benefit from it, because options are not free. So Skype have decided that someone needs to listen, they will get a benefit, and they'll decide who that is, when and if [0].



The curious thing to take out of this is, for me: how should a security company act?

If they act like Skype acted, people won't trust them. So how is it that a security company can deliver security if they themselves cannot be trusted?

Consider two examples. Apple are mostly trusted, but they never tell us what they do in security. Verisign's CA model was an exercise in non-trust, because they told us in glorious 100-page detail, and nobody had a clue what the deal was. What's the difference here?

It seems to me that we should be able to determine a better way to be a trusted security company. Or, maybe there is no principle to be extracted here, maybe the "market for security & trust" has no single way?

We've been doing this for 20 years now, and it seems we still don't know.



iang



[0] Observers may point to limitations in the ToS. But if you need to point to ToS, then you are simply proving your deception. Does anyone know when the ToS were changed to permit intercept and listening? If they've changed ToS to permit e2e, where it wasn't permitted before, without telling us that e2e is over, then they've also changed them to permit whatever they want, and any new uses will likewise see a change.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
