Re: [cryptography] skype backdoor confirmation
Hi John, On 18/05/13 03:49 AM, John Levine wrote: Maybe we will see subpoenas or public hearings for Microsoft and their Skype. For what? Skype has kept chat logs for years, and the government routinely subpoenas them. Is that a fact? As far as I know, Skype is e2e secure. So Skype can't get at the chat logs without doing some form of attack. Is there any documentation on this? Court records? I was a technical expert in a pump and dump spam trial last fall, and a large part of the evidence was Skype chat logs among the members of the spamming group. Who provided the chat logs? Were they provided by Skype or where they provided by one or the other members? The reason I ask is that if there is any sensitivity in sources, the prosecutors will routinely obscure the sources. Also keep in mind that Microsoft bought Skype from eBay, so there is nothing new about it being owned by a U.S. company. Sure. This is the one thing that makes me thing that Skype can do a whole lot more than they say. I am skeptical of the situation, but we need facts. iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
John Levine wrote For what? Skype has kept chat logs for years, and the government routinely subpoenas them. It depends how much scared will become the politicians and decision makers in Washington DC and Brussels from the latest publicly revealed security backdoors of Skype. Danilo! -Original Message- From: cryptography [mailto:cryptography-boun...@randombit.net] On Behalf Of John Levine Sent: Saturday, May 18, 2013 2:49 AM To: cryptography@randombit.net Cc: dani...@item.ntnu.no Subject: Re: [cryptography] skype backdoor confirmation Maybe we will see subpoenas or public hearings for Microsoft and their Skype. For what? Skype has kept chat logs for years, and the government routinely subpoenas them. I was a technical expert in a pump and dump spam trial last fall, and a large part of the evidence was Skype chat logs among the members of the spamming group. Also keep in mind that Microsoft bought Skype from eBay, so there is nothing new about it being owned by a U.S. company. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
On Sat, May 18, 2013 at 9:49 AM, Adam Back a...@cypherspace.org wrote: On Fri, May 17, 2013 at 04:52:07AM -0400, bpmcontrol wrote: On 05/17/2013 04:19 AM, Eugen Leitl wrote: It is unreasonable for an closed source product by a commercial vendor to go any other way [putting backdoors in security products] Makes perfect sense. as its sometimes required by law, other times required to keep the users safe or companies away from legal harm. Well that seems like a bold and controversial claim to me, maybe with its own liability and legal implications! Would you expect microsoft IIS web server to contain an SSL backdoor? Or microsoft VPN client? Or cisco? A lot of businesses and individuals are relying on these things to do what is advertised. Not doing what is advertised can itself get companies in trouble, in many jurisdictions. Skype has/had as a differentiator that it was end2end encrypted, it is my impression that a number of people used it for that purpose. Correct. It does not match a user's mental model; nor does it meet a user's expectations (to borrow from Dr. Gutmann). Cisco is kind of an odd case since it advertises its backdoors. http://www.cisco.com/web/about/security/intelligence/LI-3GPP.html. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
As far as I know, Skype is e2e secure. It hasn't got end-to-end key management, so it can't be end-to-end secure against the network operator. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
On May 18, 2013, at 6:49 AM, Adam Back a...@cypherspace.org wrote: On Fri, May 17, 2013 at 04:52:07AM -0400, bpmcontrol wrote: On 05/17/2013 04:19 AM, Eugen Leitl wrote: It is unreasonable for an closed source product by a commercial vendor to go any other way [putting backdoors in security products] Makes perfect sense. as its sometimes required by law, other times required to keep the users safe or companies away from legal harm. Well that seems like a bold and controversial claim to me, maybe with its own liability and legal implications! Would you expect microsoft IIS web server to contain an SSL backdoor? Or microsoft VPN client? Or cisco? A lot of businesses and individuals are relying on these things to do what is advertised. Not doing what is advertised can itself get companies in trouble, in many jurisdictions. Skype has/had as a differentiator that it was end2end encrypted, it is my impression that a number of people used it for that purpose. Adam there are numerous other IM systems that are server centric and do a lot of work to look for and filter bad urls sent in the message stream. this is intended to be for the benefit of the users in filtering spam, phishing, malware links, particularly those that spread virally through buddy lists of taken over accounts. sometimes these links (when believed to be malicious) are simply (and silently) not forwarded to the receiving user. this involves databases of link and site reputation, testing of new links, velocity and acceleration measurements, etc.the usual spam filtering technology. my impression is that almost all users thank us for doing that job of keeping them safe. they understand that IM is yet another channel for transmitting spam. the url filtering is aggressive enough (and unreliable enough) in some cases that you have to check with your counterparty in conversation if they got that link you just sent. so users are aware of it, if only as an annoyance. (once again, spam filtering gets in the way of productive communication) i am merely telling you how it is. obviously user expectations differ on AIM, Yahoo Messenger, etc. from those of users on Skype, some of whom believe there is magic fairy dust sprinkled on it, and that it is easier to use than something else with OTR as a plugin. i would give microsoft the benefit of the doubt. however, as a company with operations in numerous countries, and subject to pressures from numerous governments, it would help a lot if microsoft were more transparent about what jurisdictions have access to what traffic (in real time or retained), how keys are managed, and the differences between clients and client versions, rather than continuing to simply publish tom berson's valiant and completely outdated review of (i believe) a no longer supported client. it may in fact be true that a human rights worker using the intl skype client and in the middle east is safer from their govt's intrusions than someone who is a POI to US LE. (but the chinese human rights worker who made the bad choice to use the Tom client which speaks their language seems to have about as much safety as carrying a big sign on Tianenmen Square). ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
On Sat, May 18, 2013 at 1:24 PM, mark seiden m...@seiden.com wrote: ... there are numerous other IM systems that are server centric and do a lot of work to look for and filter bad urls sent in the message stream. this is intended to be for the benefit of the users in filtering spam, phishing, malware links, particularly those that spread virally through buddy lists of taken over accounts. sometimes these links (when believed to be malicious) are simply (and silently) not forwarded to the receiving user. this involves databases of link and site reputation, testing of new links, velocity and acceleration measurements, etc.the usual spam filtering technology. my impression is that almost all users thank us for doing that job of keeping them safe. they understand that IM is yet another channel for transmitting spam. the url filtering is aggressive enough (and unreliable enough) in some cases that you have to check with your counterparty in conversation if they got that link you just sent. so users are aware of it, if only as an annoyance. (once again, spam filtering gets in the way of productive communication) i am merely telling you how it is. obviously user expectations differ on AIM, Yahoo Messenger, etc. from those of users on Skype, some of whom believe there is magic fairy dust sprinkled on it, and that it is easier to use than something else with OTR as a plugin. Perhaps the user should be given a choice. The security dialog could have three mutually exclusive choices: * Scan IM messages for dangerous content from everyone. This means company will read (and possibly retain) all of your messages to determine if some (or all) of the message is dangerous. * Scan IM messages for dangerous content from people you don't know. This means company will read (and possibly retain) some of your messages to determine if some (or all) of the message is dangerous. * Don't scan IM messages for dangerous content . This means only you and the sender will read your messages. Give an choice, it seems like selection two is a good balance. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
Actually I think that was the point, as far as anyone knew and from the last published semi-independent review (some years ago on the crypto list as I recall) it indeed was end2end secure. Many IM systems are not end2end so for skype to benefit from the impression that they still are end2end secure while actually not being is the focus of this thread. Adam On Sat, May 18, 2013 at 06:52:58PM +0200, Florian Weimer wrote: As far as I know, Skype is e2e secure. It hasn't got end-to-end key management, so it can't be end-to-end secure against the network operator. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
Actually I think that was the point, as far as anyone knew and from the last published semi-independent review (some years ago on the crypto list as I recall) it indeed was end2end secure. Skype has never claimed it is end to end secure in fact they have hinted many times that they can and do listen to users conversations: Skype, Skype's local partner, or the operator or company facilitating your communication may provide personal data, communications content and/or traffic data to an appropriate judicial, law enforcement or government authority lawfully requesting such information. Skype will provide reasonable assistance and information to fulfill this request and you hereby consent to such disclosure. - http://www.skype.com/en/legal/privacy/#collectedInformation After Microsoft in May 2011 acquired Skype, she provided legal technology of Skype audition, says the executive director of Peak Systems Maxim Emm . Now, any subscriber can switch to a special mode in which the encryption keys that were previously generated on the phone or computer, the subscriber will be generated on the server. [..] With access to the server, you can listen to the conversation or read the correspondence. Microsoft provides the opportunity to use this technology, intelligence agencies around the world, including Russia, the expert explains. google translated from Russian http://www.vedomosti.ru/politics/news/10030771/skype_proslushivayut Skype spokesman did not deny the company's ability to intercept the communication. On the question of whether Skype could listen in on their users' communication, Kurt Sauer, head of the security division of Skype, replied evasively: We provide a secure means of communication. I will not say if we are listening in or not. - http://en.wikipedia.org/wiki/Skype_security#cite_ref-22 Local German police also appear to use malware to attack skype, so it appears that at some point in the past skype may not have been cooperating with all LE requests. - http://wikileaks.org/wiki/Skype_and_the_Bavarian_trojan_in_the_middle Pretty much as far back at the 1700's communications companies have provided backdoors to state security and intelligence agencies. This was true in the age of telegrams and telex and it is true in the age of voip. As a general rule any third party in any communication scheme is likely cooperating with all friendly intelligence agencies. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] backdoors in commercial software
On Sat, 18 May 2013, Adam Back wrote: Would you expect microsoft IIS web server to contain an SSL backdoor? Or microsoft VPN client? Or cisco? Of course they contain backdoors. It's clear from the the US political and Congressional reaction to the revelations of large-scale NSA domestic spying that the US political system strongly supports having such backdoors. The fact that various wiretap laws may appear to forbid using backdoors to snoop (or maybe even putting in the backdoors in the first place, I'm not sure) doesn't seem to have landed any ATT executives in jail yet (to put it mildly). We have a fair number of historical data points on what happens when a national government approaches a company-making-communications-equipment to ask for a backdoor. The general pattern seen for well over a century (hints: subocean telegraph cables, telegrams, Crypto AG, Peter Wright's Spycatcher) is that the company puts in the backdoor. Exceptions to this pattern are rare. A lot of businesses and individuals are relying on these things to do what is advertised. Not doing what is advertised can itself get companies in trouble, in many jurisdictions. Skype has/had as a differentiator that it was end2end encrypted, it is my impression that a number of people used it for that purpose. Yes, many people are foolish enough to believe advertising. The contrast between what the advertising says and what (little) the EULA shrink-wrap license text actually promises is IMHO quite instructive... As always in computer security, your threat model is crucial. If your threat model is shakedowns by local thugs, then Skype is probably a lot more secure than an endpoing running any flavor of Windows. If your threat model is having the NSA keyword-scan your conversation, then Skype is about as (in)secure as a phone conversation, and Skype IMs are about as (in)secure as cellphone SMSs. -- -- Jonathan Thornburg [remove -animal to reply] jth...@astro.indiana-zebra.edu Dept of Astronomy IUCSS, Indiana University, Bloomington, Indiana, USA on sabbatical in Canada starting August 2012 Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral. -- quote by Freire / poster by Oxfam ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
except bad guys will always opt of having their content inspected. so it just doesn't work in this case. On May 18, 2013, at 10:46 AM, Jeffrey Walton noloa...@gmail.com wrote: On Sat, May 18, 2013 at 1:24 PM, mark seiden m...@seiden.com wrote: ... there are numerous other IM systems that are server centric and do a lot of work to look for and filter bad urls sent in the message stream. this is intended to be for the benefit of the users in filtering spam, phishing, malware links, particularly those that spread virally through buddy lists of taken over accounts. sometimes these links (when believed to be malicious) are simply (and silently) not forwarded to the receiving user. this involves databases of link and site reputation, testing of new links, velocity and acceleration measurements, etc.the usual spam filtering technology. my impression is that almost all users thank us for doing that job of keeping them safe. they understand that IM is yet another channel for transmitting spam. the url filtering is aggressive enough (and unreliable enough) in some cases that you have to check with your counterparty in conversation if they got that link you just sent. so users are aware of it, if only as an annoyance. (once again, spam filtering gets in the way of productive communication) i am merely telling you how it is. obviously user expectations differ on AIM, Yahoo Messenger, etc. from those of users on Skype, some of whom believe there is magic fairy dust sprinkled on it, and that it is easier to use than something else with OTR as a plugin. Perhaps the user should be given a choice. The security dialog could have three mutually exclusive choices: * Scan IM messages for dangerous content from everyone. This means company will read (and possibly retain) all of your messages to determine if some (or all) of the message is dangerous. * Scan IM messages for dangerous content from people you don't know. This means company will read (and possibly retain) some of your messages to determine if some (or all) of the message is dangerous. * Don't scan IM messages for dangerous content . This means only you and the sender will read your messages. Give an choice, it seems like selection two is a good balance. Jeff ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Skype backdoor confirmation
Jeffrey Walton wrote: * Scan IM messages for dangerous content from people you don't know. This means company will read (and possibly retain) some of your messages to determine if some (or all) of the message is dangerous. …. Give an choice, it seems like selection two is a good balance. Does that selection require that company has a list of people you DO know? ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
On Sat, May 18, 2013 at 5:38 PM, mark seiden m...@seiden.com wrote: except bad guys will always opt of having their content inspected. Right, that's why it becomes the receiver's option for unknown senders. If there's an existing relationship between the sender and receiver, I imagine the rates of malicious URLs and other content drop dramatically. In this case, the service should stop aggregating data at the user's choice. That's if they had a choice. Jeff On May 18, 2013, at 10:46 AM, Jeffrey Walton noloa...@gmail.com wrote: On Sat, May 18, 2013 at 1:24 PM, mark seiden m...@seiden.com wrote: ... there are numerous other IM systems that are server centric and do a lot of work to look for and filter bad urls sent in the message stream. this is intended to be for the benefit of the users in filtering spam, phishing, malware links, particularly those that spread virally through buddy lists of taken over accounts. sometimes these links (when believed to be malicious) are simply (and silently) not forwarded to the receiving user. this involves databases of link and site reputation, testing of new links, velocity and acceleration measurements, etc.the usual spam filtering technology. my impression is that almost all users thank us for doing that job of keeping them safe. they understand that IM is yet another channel for transmitting spam. the url filtering is aggressive enough (and unreliable enough) in some cases that you have to check with your counterparty in conversation if they got that link you just sent. so users are aware of it, if only as an annoyance. (once again, spam filtering gets in the way of productive communication) i am merely telling you how it is. obviously user expectations differ on AIM, Yahoo Messenger, etc. from those of users on Skype, some of whom believe there is magic fairy dust sprinkled on it, and that it is easier to use than something else with OTR as a plugin. Perhaps the user should be given a choice. The security dialog could have three mutually exclusive choices: * Scan IM messages for dangerous content from everyone. This means company will read (and possibly retain) all of your messages to determine if some (or all) of the message is dangerous. * Scan IM messages for dangerous content from people you don't know. This means company will read (and possibly retain) some of your messages to determine if some (or all) of the message is dangerous. * Don't scan IM messages for dangerous content . This means only you and the sender will read your messages. Give an choice, it seems like selection two is a good balance. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
On Sat, May 18, 2013 at 5:40 PM, mark seiden m...@seiden.com wrote: opt *out* of… (obviously) Not possible in many cases. I don't like IM but I have to use it on occasions for my job. Ditto for license agreements from handset manufacturers, carriers, operating systems, business software and the like. How Corporations Affect Us Directly, http://www.polisci.ccsu.edu/trieb/ecocon.htm: The services of these companies are so necessary in conducting business - and, in fact, in just functioning - in the world today that we have to go along with their rules. Jeff On May 18, 2013, at 2:38 PM, mark seiden m...@seiden.com wrote: except bad guys will always opt of having their content inspected. so it just doesn't work in this case. On May 18, 2013, at 10:46 AM, Jeffrey Walton noloa...@gmail.com wrote: On Sat, May 18, 2013 at 1:24 PM, mark seiden m...@seiden.com wrote: ... there are numerous other IM systems that are server centric and do a lot of work to look for and filter bad urls sent in the message stream. this is intended to be for the benefit of the users in filtering spam, phishing, malware links, particularly those that spread virally through buddy lists of taken over accounts. sometimes these links (when believed to be malicious) are simply (and silently) not forwarded to the receiving user. this involves databases of link and site reputation, testing of new links, velocity and acceleration measurements, etc.the usual spam filtering technology. my impression is that almost all users thank us for doing that job of keeping them safe. they understand that IM is yet another channel for transmitting spam. the url filtering is aggressive enough (and unreliable enough) in some cases that you have to check with your counterparty in conversation if they got that link you just sent. so users are aware of it, if only as an annoyance. (once again, spam filtering gets in the way of productive communication) i am merely telling you how it is. obviously user expectations differ on AIM, Yahoo Messenger, etc. from those of users on Skype, some of whom believe there is magic fairy dust sprinkled on it, and that it is easier to use than something else with OTR as a plugin. Perhaps the user should be given a choice. The security dialog could have three mutually exclusive choices: * Scan IM messages for dangerous content from everyone. This means company will read (and possibly retain) all of your messages to determine if some (or all) of the message is dangerous. * Scan IM messages for dangerous content from people you don't know. This means company will read (and possibly retain) some of your messages to determine if some (or all) of the message is dangerous. * Don't scan IM messages for dangerous content . This means only you and the sender will read your messages. Give an choice, it seems like selection two is a good balance. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Skype backdoor confirmation
On May 18, 2013, at 2:51 PM, Ed Stone t...@synernet.com wrote: Jeffrey Walton wrote: * Scan IM messages for dangerous content from people you don't know. This means company will read (and possibly retain) some of your messages to determine if some (or all) of the message is dangerous. …. Give an choice, it seems like selection two is a good balance. Does that selection require that company has a list of people you DO know? don't know if it requires it, but it helps. it's your buddy list, contacts list, address book, which is often on their service anyway. unfortunately, the account takeover scenario means a it's less useful than one would naively hope, now that abusers routinely use taken-over accounts to circumvent such controls. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Skype backdoor confirmation
Obviously a secret is no secret the person sending it is not on your buddy list. Conversely, it should not be possible to inspect messages if the person sending it is on your buddy list. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] backdoors in commercial software
On Sat, May 18, 2013 at 5:26 PM, Jonathan Thornburg jth...@astro.indiana.edu wrote: On Sat, 18 May 2013, Adam Back wrote: Would you expect microsoft IIS web server to contain an SSL backdoor? Or microsoft VPN client? Or cisco? Of course they contain backdoors. It's clear from the the US political and Congressional reaction to the revelations of large-scale NSA domestic spying that the US political system strongly supports having such backdoors. The fact that various wiretap laws may appear to forbid using backdoors to snoop (or maybe even putting in the backdoors in the first place, I'm not sure) doesn't seem to have landed any ATT executives in jail yet (to put it mildly). ... A lot of businesses and individuals are relying on these things to do what is advertised. Not doing what is advertised can itself get companies in trouble, in many jurisdictions. Skype has/had as a differentiator that it was end2end encrypted, it is my impression that a number of people used it for that purpose. Yes, many people are foolish enough to believe advertising. The contrast between what the advertising says and what (little) the EULA shrink-wrap license text actually promises is IMHO quite instructive... Well, I'm not user how foolish someone is being (no disrespect intended). Most users don't have the expert knowledge of folks in this group; nor the expert knowledge of a lawyer to wade through the fine print. Users are just being users, and both Gutmann and Anderson have a lot to say about them in their books. In New York, Attorney General Schneiderman is questioning why the cell phones are promoting safety and security by design, yet have no (or limited) recovery capabilities [1]. The AG claims this is promoting or facilitating Apple Picking or cell phone theft, and he is investigating if its a deceptive trade practice. I think the same applies to a lot of technologies. If the technology is advertised a secure or it ensures privacy, that's what people expect. These companies are *not* advertising partially secure, partially encrypted, or partially private conversations. Would you laugh if Harley Davidson began advertising its bikes as safe? Or would you feel deceived if Volvo advertised its cars as safe but only had two rear wheel brakes, not seatbelts, and no airbags? I think the same applies to technology and use of the word secure, encrypted, and privacy. Sorry to drift off-topic. Jeff [1] http://www.informationweek.com/security/mobile/smartphone-theft-what-is-best-defense/240155038 ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
I was a technical expert in a pump and dump spam trial last fall, and a large part of the evidence was Skype chat logs among the members of the spamming group. Who provided the chat logs? Were they provided by Skype or where they provided by one or the other members? The reason I ask is that if there is any sensitivity in sources, the prosecutors will routinely obscure the sources. I got them from the prosecutors. They appeared to have been provided by Skype. R's, John ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] skype backdoor confirmation
At the risk of sounding rude, crude, and yellow-pressish, I'd like to provide this link http://www.themoscownews.com/russia/20130314/191336455/FSB-Russian-police-could-tap-Skype-without--court-order.html If software has a soul, Skype's is long since sold. Sincerely yours, Jane On Sun, May 19, 2013 at 8:05 AM, John Levine jo...@iecc.com wrote: I was a technical expert in a pump and dump spam trial last fall, and a large part of the evidence was Skype chat logs among the members of the spamming group. Who provided the chat logs? Were they provided by Skype or where they provided by one or the other members? The reason I ask is that if there is any sensitivity in sources, the prosecutors will routinely obscure the sources. I got them from the prosecutors. They appeared to have been provided by Skype. R's, John ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] backdoors in commercial software
Adam Back asked | Would you expect microsoft IIS web server to contain an SSL backdoor? Or | microsoft VPN client? Or cisco? I replied Of course they contain backdoors. [[...]] Adam Beck also wrote | A lot of businesses and individuals are | relying on these things to do what is advertised. Not doing what is | advertised can itself get companies in trouble, in many jurisdictions. | Skype has/had as a differentiator that it was end2end encrypted, it is my | impression that a number of people used it for that purpose. to which I responded Yes, many people are foolish enough to believe advertising. The contrast between what the advertising says and what (little) the EULA shrink-wrap license text actually promises is IMHO quite instructive... Jeffrey Walton then commented: Well, I'm not user how foolish someone is being (no disrespect intended). Most users don't have the expert knowledge of folks in this group; nor the expert knowledge of a lawyer to wade through the fine print. Users are just being users, and both Gutmann and Anderson have a lot to say about them in their books. [[...]] If the technology is advertised a secure or it ensures privacy, that's what people expect. These companies are *not* advertising partially secure, partially encrypted, or partially private conversations. You make a cogent point, and perhaps I was being a bit too harsh in writing Yes, many people are foolish enough to believe advertising. A better phrase might have been Yes, many people (are led by our culture to) unwisely believe advertising, and unwisely believe that powerful instutions (corporations and governments) pay more than lip service to individual privacy. Sorry to drift off-topic. On the contrary, I think your point is quite appropriate. ciao, -- -- Jonathan Thornburg [remove -animal to reply] jth...@astro.indiana-zebra.edu Dept of Astronomy IUCSS, Indiana University, Bloomington, Indiana, USA on sabbatical in Canada starting August 2012 Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral. -- quote by Freire / poster by Oxfam ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography