On Thu, May 16, 2013 at 3:52 PM, Adam Back a...@cypherspace.org wrote:
So when I saw this article
http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html
I was disappointed the rumoured skype backdoor is claimed to be real, and
that
Indeed, it seems that Skype lost their privacy mojo somewhere between
eBay and Microsoft. It's slightly unfair to blame Microsoft for the
dirty deed itself, but one must ask: are we saying that M$ would have
done any different, and did the then-owners know they had to prepare
anyway?
On 2013-07-15 09:34:46 +0300 (+0300), ianG wrote:
Indeed, it seems that Skype lost their privacy mojo somewhere
between eBay and Microsoft.
[...]
I still don't understand where it ever got privacy mojo to start
with, even before eBay. Skype was written by the authors of KaZaA.
Anyone remember
On 15-07-13 14:59, Jeremy Stanley wrote:
On 2013-07-15 09:34:46 +0300 (+0300), ianG wrote:
Indeed, it seems that Skype lost their privacy mojo somewhere
between eBay and Microsoft.
[...]
I still don't understand where it ever got privacy mojo to start
with, even before eBay. Skype was
From the new Washington Post Article
According to a separate “User’s Guide for PRISM Skype Collection,” that
service can be monitored for audio when one end of the call is a
conventional telephone and for any combination of “audio, video, chat, and
file transfers” when Skype users connect by
On 26/05/13 03:31 AM, James A. Donald wrote:
On 2013-05-26 2:13 AM, Eric S Johnson wrote:
Sauer: We answer to this question: We provide a safe communication
option available. I will not tell you whether we can listen to it or not.
In other words, no evidence there, either.
Oh come on. We
I missed that one--do you have a URL? (I don't know German.)
Sure, here is the translated quote from Kurt Sauer, head of the security
division of Skype:
ZDNet: What is the answer to my question, even if you can not listen to
Skype calls?
Sauer: We answer to this question: We provide a safe
Also adding to the evidence there was this story in which minutes were
leaked from an Austrian counter terrorism meeting that stated that skype
has a backdoor that helps the Austrian government listen to communications:
At a meeting with representatives of ISPs and the Austrian regulator on
Sauer: We answer to this question: We provide a safe communication option
available. I will not tell you whether we can listen to it or not.
In other words, no evidence there, either.
(NB the question is do we have evidence. Not are we inclined to suspect,
based on our intuition / religion
Sauer: We answer to this question: We provide a safe communication option
available. I will not tell you whether we can listen to it or not.
In other words, no evidence there, either.
(NB the question is do we have evidence. Not are we inclined to suspect,
based on our intuition / religion
Dear Eric,
Eric S Johnson:
Sauer: We answer to this question: We provide a safe communication option
available. I will not tell you whether we can listen to it or not.
In other words, no evidence there, either.
There is also no useful definition of safe. Does that include secure?
Does
On 19/05/13 22:41 PM, Jacob Appelbaum wrote:
This patent by Microsoft may be of interest to those looking into Skype,
automated interception and probably many other kinds of interception -
note that this is not just a matter of recording, it in fact *tampers*
with the data:
Aspects of the
On 2013-05-26 2:13 AM, Eric S Johnson wrote:
Sauer: We answer to this question: We provide a safe communication
option available. I will not tell you whether we can listen to it or not.
In other words, no evidence there, either.
Oh come on. "We will not tell you" tells us.
Does anyone on this list honestly doubt that intelligence agencies are
intercepting and reading skype given both public statements by skype,
the various news reports about governments stating they are doing it,
and the 200 year history of agencies and communication companies
working together?
Is
At a minimum, it's: is there any evidence--at all--other than guessing /
suspicions / assumptions / presumptions / paranoia? It need not be a
religious or ideological discussion; it need not be based on "I believe it's
happening" or "I don't believe it's happening"--just, is there any evidence
The
It seems like there is this new narrative in some people's minds that all
companies backdoor everything and cooperate with law enforcement with no
questions asked, what do you expect. I have to disagree strongly with this
narrative to combat this narrative displacing reality! I've seen several
Danilo Gligoroski danilo.gligoro...@gmail.com wrote:
1. Indeed these discussions among the security community
2. Eventually some contacts with journalists will help the cause (one live
demonstration on some security/crypto conference like Usenix, Black Hat,
Crypto, ... will do the job).
3. I
On Thu, May 23, 2013 at 09:38:18AM +0200, David Adamson wrote:
Danilo Gligoroski danilo.gligoro...@gmail.com wrote:
1. Indeed these discussions among the security community
2. Eventually some contacts with journalists will help the cause (one live
demonstration on some security/crypto
On Mon, May 20, 2013 at 1:50 PM, Mark Seiden m...@seiden.com wrote:
On May 20, 2013, at 1:18 PM, Nico Williams n...@cryptonector.com wrote:
Corporations are privacy freaks. I've worked or consulted for a
number of corporations that were/are extremely concerned about data
exfiltration.
this
Jitsi is XMPP or SIP. For the text-part, they have built-in support for
OTR. Otherwise, there is no end-to-end secrecy as far as I know.
For voicecalls, they have something similar, with some shared-secret
verification which is validated using the text-channel, which is best
secured with OTR I
They have implemented ZRTP for end to end security. It works with a
Diffie-Hellman key exchange, while protecting against man-in-the-middle
attackers by comparing Short Authentication Strings (SAS). When you know
the voice of the other person you can exclude Eve.
see
can someone give a few lines of explanation on how the Retained Shared
Secret (RS) is used in ZRTP?
second, is it possible for an attacker to force an RS validation error
(e.g. simulating network connection error by having a router drop
packets) and then MiTM the DH handshake?
the SAS is only 4
About the SAS:
ZRTP uses a so-called Hash Commitment with traditional hashes before
generating SAS values for voice comparison.
See http://zfone.com/docs/ietf/rfc6189bis.html#HashCommit
The use of hash commitment in the DH exchange constrains the
On 2013-05-23 3:28 AM, Florian Weimer wrote:
* Adam Back:
If you want to claim otherwise we're gonna need some evidence.
https://login.skype.com/account/password-reset-request
This is impossible to implement with any real end-to-end security.
Skype's claim was that it was end to end,
Sorry for the top posting.
Many companies are using private social networks these days. As usual
someone internal to the organization has the right to record and sniff
also the private traffic. Don't like? Well, you can always use
services such as scrumbls. Perhaps not so secure from a nsa wiretap but
On 2013-05-22 5:00 PM, yersinia wrote:
Sorry for the top posting.
Many companies are using private social networks these days. As usual
someone internal to the organization has the right to record and sniff
also the private traffic. Don't like? Well, you can always use
services such as scrumbls.
This presupposes custom malware written for the specific target.
Not always. It presumes that someone may pack a binary just for a single
target - this is however an automated process for lots of malware packages.
Highly customized spearphish attacks are unlikely to be detected, but
ianG wrote:
Skype made their reputation as being free and secure (e2e) telephony.
The latter was something that many people bought into. It is now the
largest telco in the world, by minutes, in no small part because people
enjoyed both security as well as free calls to their friends.
Cops just don't put that much work in.
On 2013-05-22 5:41 PM, Jacob Appelbaum wrote:
Yes, yes they do:
http://www.scmagazine.com/finfisher-command-and-control-hubs-turn-up-in-11-new-countries/article/291252/
That governments attempt to spy on people is not evidence that they are any
good at
On 22.05.2013 10:45, James A. Donald wrote:
This tells me not that the police are super terrific hackers who
produced customized malware for each person's computer, but that they
are your mother.
... your mother, with a bit of monetary power to simply purchase the
knowledge and the tools
James A. Donald:
Cops just don't put that much work in.
On 2013-05-22 5:41 PM, Jacob Appelbaum wrote:
Yes, yes they do:
http://www.scmagazine.com/finfisher-command-and-control-hubs-turn-up-in-11-new-countries/article/291252/
That governments attempt to spy on people is not evidence
On May 22, 2013, at 5:59 AM, Jacob Appelbaum ja...@appelbaum.net wrote:
James A. Donald:
Cops just don't put that much work in.
On 2013-05-22 5:41 PM, Jacob Appelbaum wrote:
Yes, yes they do:
On Wed, May 22, 2013 at 10:07 AM, Mark Seiden m...@seiden.com wrote:
On May 22, 2013, at 5:59 AM, Jacob Appelbaum ja...@appelbaum.net wrote:
James A. Donald:
http://www.scmagazine.com/finfisher-command-and-control-hubs-turn-up-in-11-new-countries/article/291252/
That governments attempt to
So, the review is not invalid. And, even when Skype changes its
model, the review remains valid.
There are now features that are incompatible with the design sketched
in the report, such as user password recovery and call forwarding.
The key management never was end-to-end, and we'd view that
You know that's the second time you claimed skype was not end2end secure.
Did you read the skype independent security review paper that Ian posted a
link to?
http://download.skype.com/share/security/2005-031%20security%20evaluation.pdf
It is clearly and unambiguously claimed that skype WAS end
* Adam Back:
If you want to claim otherwise we're gonna need some evidence.
https://login.skype.com/account/password-reset-request
This is impossible to implement with any real end-to-end security.
___
cryptography mailing list
Hi folks,
we recently wrote a small section about skype with some references:
http://sufficientlysecure.org/uploads/skype.pdf
Interesting references (from 2005, 2006):
http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf
I don't think your inference is necessarily correct. With reference to the
Berson report, consider the skype RSA keypair was for authentication only
(authenticating ephemeral key-exchange as described in the paper). The
public RSA key is certified by skype as belonging to your identity. They
Indeed it was understood that skype's coding was described as akin to a
polymorphic virus. However it was also considered that this was for
business reasons to make it difficult for competing products to interoperate
at the codec, and protocol level.
I notice that those two papers do NOT make
On 20/05/13 21:02 PM, Adam Back wrote:
The user, encrypted with their password. It's roamable but the keys were
end2end encrypted with the user password. The independent audit skype paid
for of their crypto design is probably still online.
By Tom Berson, 2005. I do not know the gentleman but
On 21/05/13 10:17 AM, ianG wrote:
http://download.skype.com/share/security/2005-031%20security%20evaluation.pdf
Just because it is a superlative example of a clear statement, here is
what Tom said about their Security Policy:
1.2 Security Policy
A Security Policy defines what “security”
On Tue, 21 May 2013 14:17:02 +1000
James A. Donald jam...@echeque.com wrote:
Police install malware by black bagging, and by the same methods as
botnets. Both methods are noticeable.
I do not think the following scenario is terribly far-fetched:
Suppose the police want to target a grad
On 2013-05-22 4:20 AM, Benjamin Kreuter wrote:
On Tue, 21 May 2013 14:17:02 +1000
James A. Donald jam...@echeque.com wrote:
Police install malware by black bagging, and by the same methods as
botnets. Both methods are noticeable.
I do not think the following scenario is terribly far-fetched:
I was inspecting Skype terms and condition
http://www.skype.com/en/legal/tou/#15
[...] We will process your personal information, the traffic data and
the content of your communication(s) in accordance with our Privacy
Policy: http://www.skype.com/go/privacy.
i think we are having a misunderstanding here.
any sort of opt-in or opt out doesn't work in the account takeover scenario,
which is very common these days.
the bad guy will always have a relationship through the buddy list, which is
exactly why they are using taken over accounts.
the
Mark Seiden:
i think we are having a misunderstanding here.
any sort of opt-in or opt out doesn't work in the account takeover scenario,
which is very common these days.
the bad guy will always have a relationship through the buddy list, which is
exactly
why they are using taken over
On 19/05/13 00:29 AM, Ethan Heilman wrote:
Actually I think that was the point, as far as anyone knew and from the last
published semi-independent review (some years ago on the crypto list as I
recall) it indeed was end2end secure.
Skype has never claimed it is end to end secure ...
I
[3] E.g., as John reported, a clear case of non-intelligence low-bar
availability for a routine prosecution of some random journeyman level
scumbags. John, if you're still suffering our questions, was your case
civil or criminal?
Criminal, US vs. Christopher Rad.
On Fri, May 17, 2013 at 6:06 AM, Ben Laurie b...@links.org wrote:
On 17 May 2013 11:39, d...@geer.org wrote:
"Trust but verify" is dead.
Maybe for s/w, but not everything:
http://www.links.org/files/CertificateTransparencyVersion2.1a.pdf
Which requires s/w. Infinite loop detected.
:)
More
On 20 May 2013 17:35, Nico Williams n...@cryptonector.com wrote:
On Fri, May 17, 2013 at 6:06 AM, Ben Laurie b...@links.org wrote:
On 17 May 2013 11:39, d...@geer.org wrote:
"Trust but verify" is dead.
Maybe for s/w, but not everything:
(i know that at least jake and ian understand all the nuances here, probably
better than me.)
but still, i would like you to consider, for a moment, this question:
suppose there were a service that intentionally wanted to protect recipients of
communications from malicious traffic? when i
On Mon, May 20, 2013 at 12:08 PM, Mark Seiden m...@seiden.com wrote:
any mechanism to do this (that i could think of, anyway) presents a possible
risk to those communicants who want no attributable state saved about their
communication.
either these are privacy freaks (not intended
On Sat, May 18, 2013 at 3:15 PM, Adam Back a...@cypherspace.org wrote:
Actually I think that was the point, as far as anyone knew and from the last
published semi-independent review (some years ago on the crypto list as I
recall) it indeed was end2end secure. Many IM systems are not end2end so
On Mon, May 20, 2013 at 12:22 PM, Jeffrey Walton noloa...@gmail.com wrote:
The original Skype homepage (circa 2003/2004) claims the service is
secure: "Skype calls have excellent sound quality and are highly
secure with end-to-end encryption."
On Mon, May 20, 2013 at 1:30 PM, Nico Williams n...@cryptonector.com wrote:
On Mon, May 20, 2013 at 12:22 PM, Jeffrey Walton noloa...@gmail.com wrote:
The original Skype homepage (circa 2003/2004) claims the service is
secure: Skype calls have excellent sound quality and are highly
secure with
James A. Donald:
On 2013-05-20 7:49 PM, Mark Seiden wrote:
i think we are having a misunderstanding here.
any sort of opt-in or opt out doesn't work in the account takeover
scenario, which is very common these days.
No one on my buddy list has been taken over, or if they have, they took
On Tue, May 21, 2013 at 10:46:55AM +1000, James A. Donald wrote:
On 2013-05-20 7:49 PM, Mark Seiden wrote:
i think we are having a misunderstanding here.
any sort of opt-in or opt out doesn't work in the account takeover scenario,
which is very common these days.
No one on my buddy list
On Mon, May 20, 2013 at 8:55 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
James A. Donald:
...
Zombie computers are seldom of high value.
Some malware is designed to keep people communicating, under heavy
watch; it is not always designed to abuse a system the traditional
manner befitting
James A. Donald:
No one on my buddy list has been taken over, or if they have, they
took care of it before I noticed.
On 2013-05-21 10:55 AM, Jacob Appelbaum wrote:
That is - how would they notice and if they were being logged, how would
*you* notice on your end?
I would notice, because
James A. Donald:
James A. Donald:
No one on my buddy list has been taken over, or if they have, they
took care of it before I noticed.
On 2013-05-21 10:55 AM, Jacob Appelbaum wrote:
That is - how would they notice and if they were being logged, how would
*you* notice on your end?
I
On 2013-05-21 3:08 AM, Mark Seiden wrote:
(i know that at least jake and ian understand all the nuances here, probably
better than me.)
but still, i would like you to consider, for a moment, this question:
suppose there were a service that intentionally wanted to protect recipients of
On 2013-05-21 4:50 AM, Mark Seiden wrote:
you can advise whatever you fancy, but skype, google, microsoft are unlikely
to agree to any such thing unless your client is a Really Big company who
pays them a lot of money. and why should they even bother their lawyers?
pretty much, their service Is
Gmail only keeps in the clear what you leave in the clear.
s/a hostile act/less useful to power users than filter but notify
On Mon, May 20, 2013 at 8:48 PM, James A. Donald jam...@echeque.com wrote:
On 2013-05-21 3:08 AM, Mark Seiden wrote:
(i know that at least jake and ian understand all
On 2013-05-21 12:41 PM, Jacob Appelbaum wrote:
James A. Donald:
James A. Donald:
No one on my buddy list has been taken over, or if they have, they
took care of it before I noticed.
On 2013-05-21 10:55 AM, Jacob Appelbaum wrote:
That is - how would they notice and if they were being logged,
To the best of my knowledge in Russia (no, I'm not Russian nor have lived
there so I'm not 100% sure) you need to submit a copy of the private key if
you are operating a website providing encryption on their territory to
allow for legal intercept.
They also have other provisions about wiretapping
Krassimir Tzvetanov:
To the best of my knowledge in Russia (no, I'm not Russian nor have lived
there so I'm not 100% sure) you need to submit a copy of the private key if
you are operating a website providing encryption on their territory to
allow for legal intercept.
They also have other
Hi John,
On 18/05/13 03:49 AM, John Levine wrote:
Maybe we will see subpoenas or public hearings for Microsoft and their
Skype.
For what? Skype has kept chat logs for years, and the government
routinely subpoenas them.
Is that a fact? As far as I know, Skype is e2e secure. So Skype
!
-Original Message-
From: cryptography [mailto:cryptography-boun...@randombit.net] On Behalf Of
John Levine
Sent: Saturday, May 18, 2013 2:49 AM
To: cryptography@randombit.net
Cc: dani...@item.ntnu.no
Subject: Re: [cryptography] skype backdoor confirmation
Maybe we will see subpoenas or public
On Sat, May 18, 2013 at 9:49 AM, Adam Back a...@cypherspace.org wrote:
On Fri, May 17, 2013 at 04:52:07AM -0400, bpmcontrol wrote:
On 05/17/2013 04:19 AM, Eugen Leitl wrote:
It is unreasonable for a closed source product by a commercial
vendor to go any other way [putting backdoors in
As far as I know, Skype is e2e secure.
It hasn't got end-to-end key management, so it can't be end-to-end
secure against the network operator.
On May 18, 2013, at 6:49 AM, Adam Back a...@cypherspace.org wrote:
On Fri, May 17, 2013 at 04:52:07AM -0400, bpmcontrol wrote:
On 05/17/2013 04:19 AM, Eugen Leitl wrote:
It is unreasonable for a closed source product by a commercial
vendor to go any other way [putting backdoors in security
On Sat, May 18, 2013 at 1:24 PM, mark seiden m...@seiden.com wrote:
...
there are numerous other IM systems that are server centric and do a lot of
work to look for and filter bad urls sent in the message stream.
this is intended to be for the benefit of the users in filtering spam,
Actually I think that was the point, as far as anyone knew and from the last
published semi-independent review (some years ago on the crypto list as I
recall) it indeed was end2end secure. Many IM systems are not end2end so
for skype to benefit from the impression that they still are end2end
Actually I think that was the point, as far as anyone knew and from the last
published semi-independent review (some years ago on the crypto list as I
recall) it indeed was end2end secure.
Skype has never claimed it is end to end secure; in fact they have
hinted many times that they can and do
except bad guys will always opt of having their content inspected.
so it just doesn't work in this case.
On May 18, 2013, at 10:46 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Sat, May 18, 2013 at 1:24 PM, mark seiden m...@seiden.com wrote:
...
there are numerous other IM systems that
Jeffrey Walton wrote:
* Scan IM messages for dangerous content from people you don't know.
This means company will read (and possibly retain) some of your
messages to determine if some (or all) of the message is dangerous.
….
Given a choice, it seems like selection two is a good
On Sat, May 18, 2013 at 5:38 PM, mark seiden m...@seiden.com wrote:
except bad guys will always opt of having their content inspected.
Right, that's why it becomes the receiver's option for unknown senders.
If there's an existing relationship between the sender and receiver, I
imagine the rates
On Sat, May 18, 2013 at 5:40 PM, mark seiden m...@seiden.com wrote:
opt *out* of… (obviously)
Not possible in many cases. I don't like IM but I have to use it on
occasions for my job.
Ditto for license agreements from handset manufacturers, carriers,
operating systems, business software and the
On May 18, 2013, at 2:51 PM, Ed Stone t...@synernet.com wrote:
Jeffrey Walton wrote:
* Scan IM messages for dangerous content from people you don't know.
This means company will read (and possibly retain) some of your
messages to determine if some (or all) of the message is dangerous.
Obviously a secret is no secret if the person sending it is not on your
buddy list.
Conversely, it should not be possible to inspect messages if the person
sending it is on your buddy list.
I was a technical expert in a pump and dump spam trial last fall,
and a large part of the evidence was Skype chat logs among the members
of the spamming group.
Who provided the chat logs? Were they provided by Skype or were they
provided by one or the other members? The reason I ask is
At the risk of sounding rude, crude, and yellow-pressish, I'd like to
provide this link
http://www.themoscownews.com/russia/20130314/191336455/FSB-Russian-police-could-tap-Skype-without--court-order.html
If software has a soul, Skype's is long since sold.
Sincerely yours,
Jane
On Sun, May
On 05/17/2013 04:19 AM, Eugen Leitl wrote:
On Fri, May 17, 2013 at 10:26:07AM +0300, ianG wrote:
Is it unreasonable for us to expect Skype to go another way? Are we
asking too much?
It is unreasonable for a closed source product by a commercial
vendor to go any other way.
Makes perfect
I do wonder, can we reasonably expect that integrity of open
source software today? I'm not blaming anyone, let me explain:
The threat of forking or noticing any wrong doing was probably
enough in previous years. But these days, software is much
bigger, back doors are much subtler, and
On 17 May 2013 11:39, d...@geer.org wrote:
I do wonder, can we reasonably expect that integrity of open
source software today? I'm not blaming anyone, let me explain:
The threat of forking or noticing any wrong doing was probably
enough in previous years. But these days, software is much
Maybe we will see subpoenas or public hearings for Microsoft and their
Skype.
For what? Skype has kept chat logs for years, and the government
routinely subpoenas them. I was a technical expert in a pump and dump
spam trial last fall, and a large part of the evidence was Skype chat
logs among