
Skype Security and Privacy Concerns

Zonk posted more than 8 years ago | from the conversations-can-hurt dept.

Security 128

CDMA_Demo writes "Scott Granneman at Security Focus is discussing the security and privacy issues thanks to eBay's acquisition of Skype. Says the help section on Skype's website: 'Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.' Scott Granneman debates that since Skype is owned by eBay and is closed source, we have no way of verifying this claim. Further, from the article: 'At the CyberCrime 2003 conference, Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.' This raises interesting questions about how Skype and eBay together will try to avert cyber criminals from using security flaws in either system to their advantage.'"


128 comments

1.1 x 1077 keys? (4, Funny)

TrevorB (57780) | more than 8 years ago | (#13625383)

All that new CSS and no superscripts?

Re: 1.1 x 1077 keys? (1)

Xarius (691264) | more than 8 years ago | (#13625459)

Not even so much as shift+6!

^_^

News For Trolls (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13625482)

What else do you expect from Slash-tot!

Re: 1.1 x 1077 keys? (1, Informative)

Anonymous Coward | more than 8 years ago | (#13625907)

Who uses 1024 bit RSA to secure 256 bit AES? You need about 3000 bit RSA keys for the same equivalent time to break 256 AES. 1024 bit RSA isn't even really considered "very secure" anymore, mostly "sorta secure, for the time being"
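The comment above compares the two layers of the scheme quoted from Skype's FAQ: a 1024-bit RSA key wrapping a 256-bit AES key. The following is an added example, not code from the thread, from Skype or from Security Focus. It uses the standard heuristic running time of the general number field sieve, L_n[1/3, (64/9)^(1/3)], to express an RSA modulus size as an approximate number of security bits, and compares that with the brute-force cost of the AES key it protects. The heuristic drops the constant factor, so it lands a few bits above the published NIST equivalences (1024 about 80, 2048 about 112, 3072 about 128, 15360 about 256); the ordering and the size of the gap between the two layers are what the example shows.

```python
"""Work factor of factoring RSA-n versus brute-forcing an AES key.

Added example (not from the thread or from Skype). The GNFS heuristic
L_n[1/3, c] with c = (64/9)^(1/3) is a standard estimate; it ignores the
o(1) and constant terms, so it overestimates strength by several bits
relative to the NIST SP 800-57 tables.
"""
import math


def gnfs_security_bits(modulus_bits: int) -> float:
    """Approximate log2 of the GNFS work to factor a modulus_bits-bit RSA modulus."""
    ln_n = modulus_bits * math.log(2)                    # ln(n) for n ~ 2^modulus_bits
    c = (64 / 9) ** (1 / 3)
    ln_work = c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)                         # natural-log work -> bits


def aes_security_bits(key_bits: int) -> float:
    """No generic attack beats exhaustive search, so the work is the key space."""
    return float(key_bits)


def weakest_link(rsa_bits: int, aes_bits: int):
    """Return (layer, bits) for the cheaper of: factor the RSA key that wraps
    the session key, or brute-force the AES session key directly."""
    rsa = gnfs_security_bits(rsa_bits)
    aes = aes_security_bits(aes_bits)
    return ("rsa", round(rsa)) if rsa < aes else ("aes", round(aes))


def rsa_bits_for(target_bits: int, step: int = 256) -> int:
    """Smallest multiple of `step` whose GNFS estimate reaches target_bits."""
    size = step
    while gnfs_security_bits(size) < target_bits:
        size += step
    return size


if __name__ == "__main__":
    for rsa in (1024, 1536, 2048, 3072, 15360):
        print(f"RSA-{rsa:<6} ~ {gnfs_security_bits(rsa):6.1f} bits")
    # The configuration quoted from Skype's FAQ: 1024-bit RSA around 256-bit AES.
    print("weakest link of RSA-1024 + AES-256:", weakest_link(1024, 256))
    print("RSA size for 128-bit strength:", rsa_bits_for(128))
    print("RSA size for 256-bit strength:", rsa_bits_for(256))
```

The point the numbers make: with RSA-1024 in front of AES-256, the attacker's cheapest path is the asymmetric layer at well under 100 bits of work, so the 256-bit symmetric key buys nothing beyond what AES-128 would; the 1536/2048-bit certificate keys are the stronger part of the quoted design, and the per-session 1024-bit key is the weak one.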

Isn't that the way ... (5, Insightful)

gregduffy (766013) | more than 8 years ago | (#13625392)

[since it] is closed source, we have no way of verifying this claim

isn't that the way with all closed source software?

Re:Isn't that the way ... (4, Interesting)

DarkHelmet433 (467596) | more than 8 years ago | (#13625592)

However, the real interesting thing is how does eBay, a US company, get around the US export restrictions? eg: it's been mentioned that 128 bit AES is the limit that you can get export approval for. Given skype's 256 bit AES, will eBay have to weaken it when they release it after the ownership transfer is complete?

Or do they have wiggle room and claim that it's produced offshore and therefore isn't exported from the US, even though it's now owned by a US company? I doubt that will go down well with the powers-that-be, because (among other things) that will just encourage US companies to offshore all their products-with-crypto work to get around the regulations.

Re:Isn't that the way ... (0)

Anonymous Coward | more than 8 years ago | (#13625886)

Why the hell is there a limit on the strength of crypto that can be used? Please someone tell me it's not because the government is paranoid about 'terrorist information' (or similar) being kept hidden from them with uberstrong crypto?

Re:Isn't that the way ... (0)

Anonymous Coward | more than 8 years ago | (#13626388)

yup, something like that

Re:Isn't that the way ... (2, Insightful)

DarkHelmet433 (467596) | more than 8 years ago | (#13626495)

Precisely that. Supposedly they want to limit how long it takes them to crack an encrypted conversation between terrorists, foreign agents, etc etc. However, the big hole in that argument is that the assumption that terrorists are outside the US is false, as is the assumption that they can only use US provided tools to communicate.

Anyway, you can bet that the moment a 'person of interest' holds a skype conversation after eBay is at the helm, that the crypto strength will become an 'issue'.

Re:Isn't that the way ... (1)

Antique Geekmeister (740220) | more than 8 years ago | (#13626646)

The keys are not held by the user: the keys are held by Skype, and are thus perfectly amenable to a Skype controlled man-in-the-middle monitoring. By opening their capabilities to monitoring by US law enforcement, and by getting US Department of Commerce approval for its use and export to non-restricted countries, I'm sure that the relevant federal agencies are falling over themselves to make Skype or another similarly tappable system the de facto standard.

Remember, unless you're the only one who owns the keys, your communications are not secure from anyone who can steal or borrow or liberate with a foolishly granted warrant the keys to your communications. And federal handling of telephone privacy has been horrible, as demonstrated by the FBI history of mis-handled wiretaps and political monitoring.

It's not as bad as countries where all foreign phone calls are automatically monitored by a secret policeman, but with computer technologies similar to the Carnivore email monitoring system, it's a big problem for privacy.

Re:Isn't that the way ... (1)

Guspaz (556486) | more than 8 years ago | (#13626910)

Personally I'd be happy with 128-bit AES, as it is still way more secure than protocols such as the one that MSN Messenger uses.

I've personally been using SimpLite [secway.fr], a free tool that can seamlessly encrypt MSN messenger traffic (with versions for YIM, ICQ, and AIM) by acting as a local SOCKS proxy that understands the protocol. It uses 2048-bit RSA keys with AES 128-bit encryption.

Reverse Engineer Skype Protocol (1)

n01 (693310) | more than 8 years ago | (#13626311)

Does anybody know of an effort of somebody to reverse engineer the proprietary protocol? After all, they managed to do this with Kazaa.
Or is just about everybody happy with the way it is (running under Linux, too) and the possibility to control it via the API?
Just wanted to know.
Cheers, Florian

GNAA PLEDGES TO SUPPORT KATRINA VICTIMS (0, Troll)

JismTroll (588456) | more than 8 years ago | (#13625399)

GNAA pledges aid to Katrina victims
GNAA pledges aid to Katrina victims
Associated Press, September 11 2005

In an early-morning press conference, reclusive GNAA president timecop declared that the Gay Nigger Association of America will contribute to hurricane Katrina disaster relief efforts. He issued a statement describing the efforts being undertaken to rush relief to New Orleans' former residents, many of whom are black, gay, or both. "My heart tears at the sight of so many flooded niggers", timecop said.

The GNAA is contributing a currently-unknown quantity of sperm, intended to prevent starvation and malnutrition. The sperm is to be delivered this Monday to shelters across the nation. "We are having a non-stop wankathon. I believe we can do this, I believe in my niggas. We will not fail to feed NOLA's hungry refugees." Many have reporters present at the conference questioned the nutritional value of the semen being collected, eliciting angry stares and lip-licking from their host. timecop did not directly answer the questions, saying "Who the hell are you? I don't see you vigorously beating off to save the niggers!"

The next item on the list was free wireless internet spanning the Southern Louisiana region, allowing access to GNAA's Lastmeasure [nimp.org] online service. Lastmeasure is provided free of charge. It is widely touted as "better than FEMA" in the charitable relief field. Lastmeasure surpasses FEMA's disaster aid service by being accessible to any graphical browser on any operating system [slashdot.org] . Lastmeasure will be the only website available, as all other http requests will be redirected. This measure is intended to minimize use of GNAA.net wireless for other than disaster-relief LM. The conference ended with an emotional outburst from GNAA president timecop, crying out, "so many dead, rotting black shits".



About GNAA:
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY [klerck.org] ?
Are you a NIGGER [mugshots.org] ?
Are you a GAY NIGGER [gay-sex-access.com] ?

If you answered "Yes" to all of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America and the World! You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!
  • First, you have to obtain a copy of GAYNIGGERS FROM OUTER SPACE THE MOVIE [imdb.com] and watch it. You can download the movie [idge.net] (~130mb) using BitTorrent.
  • Second, you need to succeed in posting a GNAA First Post [wikipedia.org] on slashdot.org [slashdot.org] , a popular "news for trolls" website.
  • Third, you need to join the official GNAA irc channel #GNAA on irc.gnaa.us, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today! Upon submitting your application, you will be required to submit links to your successful First Post, and you will be tested on your knowledge of GAYNIGGERS FROM OUTER SPACE.

If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is NiggerNET, and you can connect to irc.gnaa.us as our official server. Follow this link [irc] if you are using an irc client such as mIRC.

If you have mod points and would like to support GNAA, please moderate this post up.

.________________________________________________.
| ______________________________________._a,____ | Press contact:
| _______a_._______a_______aj#0s_____aWY!400.___ | Gary Niger
| __ad#7!!*P____a.d#0a____#!-_#0i___.#!__W#0#___ | gary_niger@gnaa.us [mailto]
| _j#'_.00#,___4#dP_"#,__j#,__0#Wi___*00P!_"#L,_ | GNAA Corporate Headquarters
| _"#ga#9!01___"#01__40,_"4Lj#!_4#g_________"01_ | 143 Rolloffle Avenue
| ________"#,___*@`__-N#____`___-!^_____________ | Tarzana, California 91356
| _________#1__________?________________________ |
| _________j1___________________________________ | All other inquiries:
| ____a,___jk_GAY_NIGGER_ASSOCIATION_OF_AMERICA_ | Enid Al-Punjabi
| ____!4yaa#l___________________________________ | enid_al_punjabi@gnaa.us [mailto]
| ______-"!^____________________________________ | GNAA World Headquarters
` _______________________________________________' 160-0023 Japan Tokyo-to Shinjuku-ku Nishi-Shinjuku 3-20-2

Copyright (c) 2003-2005 Gay Nigger Association of America [www.gnaa.us]

Re:GNAA PLEDGES TO SUPPORT KATRINA VICTIMS (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13626198)

Does /. have any mechanism for deleting such offensive posts?

Re:GNAA PLEDGES TO SUPPORT KATRINA VICTIMS (0)

Anonymous Coward | more than 8 years ago | (#13627199)

Yes, I find your suggestions of difficult to implement censorship offensive and was downright mortified at your choice of bold formatting in presenting it. Oh how I wish there was a way to delete it so I could never have to see anything that would make me realise other people have differing opinions and senses of humour.

wow (0, Redundant)

gcnaddict (841664) | more than 8 years ago | (#13625407)

1184.7 keys will be hella-easy to crack... thats not too secure now is it? :P

Re:wow (0)

Anonymous Coward | more than 8 years ago | (#13625466)

You beat me to it by one second. If only I hadn't forgotten the subject on first submit.

Anm

1.1 x 1077 possible keys (2, Funny)

Anm (18575) | more than 8 years ago | (#13625414)

I think I can manage to brute force 1185 keys by hand, let alone with a computer. (Guess the <super> tag didn't copy into the text input very well.)

Anm

Re:1.1 x 1077 possible keys (2, Funny)

big.iron.wiz (773525) | more than 8 years ago | (#13625441)

With all those keys in your hand, wouldn't there be a problem typing the code needed to crack the safe?

Re:1.1 x 1077 possible keys (2, Funny)

mysqlrocks (783488) | more than 8 years ago | (#13625451)

How long would it take 50,000 monkeys at 50,000 typewriters to crack this?

Re:1.1 x 1077 possible keys (1)

jatemack (870255) | more than 8 years ago | (#13625548)

at 1 key per second, 149 Trillion years.

Re:1.1 x 1077 possible keys (2, Informative)

jatemack (870255) | more than 8 years ago | (#13625580)

Actually, here is the break down..
  • 128-bit key = 3.4 x 10^38 keys
  • 192-bit key = 6.2 x 10^57 keys
  • 256-bit key = 1.1 x 10^77 keys

AES-128 has 10^21 more keys than DES-56
At one DES key recover per second, AES key recovery would take 149 trillion years.

Re:1.1 x 1077 possible keys (1)

slavemowgli (585321) | more than 8 years ago | (#13625578)

The tag is called <sup>, actually.

Re:1.1 x 1077 possible keys (1)

Anm (18575) | more than 8 years ago | (#13626021)

I stand corrected.

OK, that's it (4, Funny)

ObjetDart (700355) | more than 8 years ago | (#13625433)

I'm switching back to my regular phone.

Oh, wait...

one word : audit (4, Insightful)

alexandreracine (859693) | more than 8 years ago | (#13625435)

They could make some code audit by independent security firms, but will they? (Yes, but only if they are very serious about security)

Re:one word : audit (3, Insightful)

trime (733350) | more than 8 years ago | (#13625652)

That requires you to trust the independent security firm. Maybe you do, maybe not. Depends how thick the tinfoil is; if you have several layers then you're able to check open software for yourself. If you have just one layer then you might consider agreement among several other trusted individuals to be good enough. If you don't know what I'm talking about then you'd probably be happy to take ebay's word for it anyway, and it doesn't matter.

The point is that with a closed review by a closed company for closed software, you're unlikely to get any additional trust from me.

Good encryption or not.. (4, Informative)

lightyear4 (852813) | more than 8 years ago | (#13625440)


Good encryption or not, I'd be more worried about the recent moves of the FCC to allow law enforcement virtual wiretap access. Our freedoms have eroded enough as of late, and it is disconcerting to say the very least. Here is the relevant link from the article [fcc.gov] and from the eff [eff.org]

Re:Good encryption or not.. (1)

tyler_larson (558763) | more than 8 years ago | (#13625483)

Good encryption or not, I'd be more worried about the recent moves of the FCC to allow law enforcement virtual wiretap access.

The FCC considers skype an instant messenger service that happens to do voice. Hence, 911 and wiretapping laws do not apply.

"happens to do voice" (1)

^Z (86325) | more than 8 years ago | (#13625696)

This might not last for very long, as Skype's voice traffic increases. Can FCC re-qualify Skype?

BTW, do you mean that law enforcement would not be able to wiretap text-based IMs should it need that? "Hey terrorists, just use icq / aim / skype IM to share plans, the authorities aren't going to look!" -- did anybody use this rhetoric yet?

Re:Good encryption or not.. (0)

Anonymous Coward | more than 8 years ago | (#13625603)

Our freedoms have eroded enough as of late

They haven't eroded, they were given away. If people would stop voting people like Maxine Waters, Barbara Boxer and Orrin Hatch into power things would be a lot better for everything. This is what the people want, this is what the people get. Live with it.

Re:Good encryption or not.. (1)

ae (16342) | more than 8 years ago | (#13626475)

Good encryption or not, I'd be more worried about the recent moves of the FCC to allow law enforcement virtual wiretap access.

Encryption is exactly what we should worry about. As long as there is good end-to-end encryption, it doesn't matter how much the authorities want to listen in on your conversation. Wiretap access will do them no good, unless you have really powerful enemies and NSA knows things the public doesn't, in which case you're out of luck anyway.

Is there even a coherent thought here? (4, Insightful)

Ingolfke (515826) | more than 8 years ago | (#13625456)

This post has to be one of the dumbest I've ever read. Because Skype's protocol isn't public and e-Bay shares information (whatever the hell that means) there's supposed to be some specific concerns because the two are now joined? I can see either point standing on its own as a potentially interesting topic, but how does verifying whether or not a piece of software actually uses the encryption schemes it says it does and a corporate policy to share information (note that would be information that is not encrypted and intended to be shared) tie together?

Re:Is there even a coherent thought here? (2, Insightful)

Sorthum (123064) | more than 8 years ago | (#13625489)

No, there's really no link between the two. It's akin to saying Windows is owned by Microsoft, and Microsoft sells information to marketers, so anything you type is being tracked by advertisers.

(Let's leave spyware out of my poor simple analogy)

Re:Is there even a coherent thought here? (1)

geniusj (140174) | more than 8 years ago | (#13625493)

If you'd read the article, you'd see that this 'summary' isn't a very good one.

Re:Is there even a coherent thought here? (0)

Anonymous Coward | more than 8 years ago | (#13625600)

Slashdot stories are edited by the management before they are posted on the site, aren't they?

Re:Is there even a coherent thought here? (5, Insightful)

Anonymous Coward | more than 8 years ago | (#13625543)

Ok, well let me try to spell this out:

Company A says they encrypt -- good for privacy. If anyone had data collected, it will be encrypted and thus a bit more meaningless. We cannot verify if Company A is telling the truth. Maybe there's encryption, maybe there's not. Not good for absolute privacy.

Company B readily shares information with others. Not good for privacy at all.

Company B purchases Company A -- so B, with its reputation to piss away your privacy now has a product that may or may not protect your privacy.

With the way B has conducted business, it may be implied that A isn't trustworthy, regardless of whether they do encryption or not...simply because at the hands of B, your data isn't sacred.

Almost like a Microsoft buying Claria or something.

Re:Is there even a coherent thought here? (4, Interesting)

temojen (678985) | more than 8 years ago | (#13625575)

There are dual-recipient encryption systems. Skype could be using one to store the session key so Law Enforcement (with or without a warrant) can decrypt intercepted communications. Or just encrypting the session keys twice.

It seems to me what the world (or at least tinfoil hatters and others, like lawyers and accountants, who handle confidential information) needs now is either
  1. A serverless, point-to-point, TLS with client key authentication capable VOIP protocol, with multiple implementations, some of which are open source, or
  2. IPSEC protected SIP or H.323

Re:Is there even a coherent thought here? (2, Informative)

Anonymous Coward | more than 8 years ago | (#13625672)

Like Phil Zimmermann's upcoming not yet released zFone [philzimmermann.com] ?

Great, who cares? (2, Insightful)

Sycraft-fu (314770) | more than 8 years ago | (#13625701)

How is it different than the PSTN? The FBI has the capability, essentially, to dial a phone number and listen in on it. They need a warrant of course, but they can easily tap phone lines.

If you depend on a communications provider to keep your data secure, especially from law enforcement, you are pretty naive. If you need to keep people out, you need to set up your own end-to-end encryption. Only then can you be sure (or at least reasonably sure) that no one is listening in. You should assume that the phone company, your ISP, their ISP, etc all can and do monitor what you do. If it is something that is important they don't see, encrypt it. Don't have them encrypt it, YOU encrypt it.

Now please don't mistake me for saying that they should monitor you, or should be allowed to, I'm not. What I'm saying is if you are doing something that is sensitive enough that if they found out it would be problematic (like financial information or something) then encrypt it.

Whenever I access servers at work, I do it via SSH, or some other similar encrypted method. Why? Well it would be a problem if someone at the ISP got the root password, they could do a lot of damage and we might never even know. They shouldn't be monitoring me like that, but it is too important to trust them with, I take it in my own hands.

Re:Great, who cares? (1)

rainman_bc (735332) | more than 8 years ago | (#13625739)


How is it different than the PSTN? The FBI has the capability, essentially, to dial a phone number and listen in on it. They need a warrant of course, but they can easily tap phone lines.


Not since the patriot act they haven't needed a warrant.

Can you back that up? (1)

Sycraft-fu (314770) | more than 8 years ago | (#13625816)

Please quote the relevant section of the Patriot act (in its current, as passed form) along with the relevant title code info so people can look it up? I'm asking this in honesty, I neither believe you or disbelieve you on this, I simply want proof. I find that most people are like me and have a very poor idea what's actually covered under the Patriot act. This leads to a great deal of inaccurate and sometimes outright false information about it.

So please point me to the relevant section so I can have a look myself.

Re:Can you back that up? (1)

rainman_bc (735332) | more than 8 years ago | (#13625908)

Very well... Here's one [techtarget.com]

google is your friend [google.ca]

That's not what I asked for (1)

Sycraft-fu (314770) | more than 8 years ago | (#13625976)

I want the language from the act itself. I don't want to hear what someone claims it says, I want to know what it actually says. Also, according to what you linked, they do need a warrant. The standard has been lowered from what it used to be, but a warrant is still required. I know where to find the bill, same place you find all that kind of stuff, The Library of Congress, specifically their Thomas server (thomas.loc.gov). The relevant link is http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.3162 [loc.gov] : which has the bill in its original forms, and as passed into law.

What I'm asking you, since you are the claimant, is to point to me where in there it has a "no-warrant wiretap" provision. I don't know, I admit this, I was unaware of such a provision. I wouldn't know where to look in the act and don't feel like reading all of it. Since you claim to know of this provision, I'm asking you to show me where it is, so I can see for myself. If it is in there, it's probably somewhere in Title II.

Re:That's not what I asked for (1)

keraneuology (760918) | more than 8 years ago | (#13626526)

How about USC 18 2709 [cornell.edu]

Section 505 of the P.A.T.R.I.O.T. act makes modifications to this codified section of law which clearly allows the FBI to gather evidence on demand without a warrant.

Re:That's not what I asked for (1)

Sycraft-fu (314770) | more than 8 years ago | (#13626855)

Yes, that's the kind of thing I was asking for. Links (or references) to relevant laws. So, from the look of it what they can get without a warrant is name, address, length of service, and usage records. Doesn't look like they can actually tap the line itself without a warrant. Or at least I can't see any reference to taps made in either the title code or the bill. From the look of it the title code you linked to is already updated to match with the patriot act.

So to me it looks like the no-warrant portion is for records, not for an actual tap. Presumably the idea is to get the records, and then look for something that'd give probable cause for a warrant for a tap.

Re:That's not what I asked for (0)

Anonymous Coward | more than 8 years ago | (#13627233)

Ever heard of echelon, carnivore, dcs1000... These systems are in place and allow them to tap whatever they so decide!

Re:Great, who cares? (1)

cpt kangarooski (3773) | more than 8 years ago | (#13625810)

you need to set up your own end-to-end encryption. Only then can you be sure (or at least reasonably sure) that no one is listening in.

Well, what you can be reasonably sure about is that they aren't decrypting it. Listening to either endpoint with bugs or mics or whatnot still works. Remember, in this sort of situation, law enforcement is the attacker, and attackers can always try to go around the barriers you set up, rather than trying to go through them.

Re:Great, who cares? (1)

idlake (850372) | more than 8 years ago | (#13627151)

Whenever I access servers at work, I do it via SSH, or some other similar encrypted method. Why? Well it would be a problem if someone at the ISP got the root password, they could do a lot of damage and we might never even know. They shouldn't be monitoring me like that, but it is too important to trust them with, I take it in my own hands.

If you don't trust your ISP to some degree, you're in trouble; it would be easy for them to conduct man-in-the-middle attacks on your ssh sessions unless you transport your host keys by some other means. Ssh is useful, but primarily against listening, not against someone who has control of the network.

Re:Great, who cares? (1)

temojen (678985) | more than 8 years ago | (#13627219)

unless you transport your host keys by some other means.

Or know the fingerprint, which I do.

Re:Is there even a coherent thought here? (2, Interesting)

Antique Geekmeister (740220) | more than 8 years ago | (#13626711)

PGPPhone had this high level of end-to-end security almost 20 years ago. It used RSA, which still had a valid patent, but the PGP web of trust is pretty good and you can always generate your own new PGP keys and publish only the public part.

A modest re-write to operate on TCP instead of modems should be quite straightforward.

Re:Is there even a coherent thought here? (1)

Kadin2048 (468275) | more than 8 years ago | (#13627332)

I believe Phil Zimmermann is doing you one better. (He's the guy who did PGPhone, back in the day.) His zPhone [philzimmermann.com] project is an end to end encryption system for IP telephony, using the RTP or SIP protocols. According to the site, it will work in unencrypted mode with a regular device, and do transparent encryption with another zPhone-capable one.

So if it actually materializes -- and I think it will, Zimmermann has pretty much always delivered the goods to the community in the past -- it'll be a whole lot better than just an update of PGPhone. And the source is going to be open for community review, unlike some past versions of PGP when it was owned by NAI.

As a sidenote, they're currently looking for a better name for the final product than 'zPhone.' The winner gets recognition, lifetime licenses for themselves and 10 friends, and their PGP key signed by Zimmermann. Pretty sweet deal.

Re:Is there even a coherent thought here? (1)

JourneyExpertApe (906162) | more than 8 years ago | (#13627002)

2. IPSEC protected SIP or H.323

How about IWQRTZ protected DEY or U.6298? Or if that doesn't work, you could always reverse the polarity in the dilithium crystals.

Re:Is there even a coherent thought here? (1)

temojen (678985) | more than 8 years ago | (#13627209)

People who have a clue about the subject know what I was talking about.

Re:Is there even a coherent thought here? (1)

Geoffreyerffoeg (729040) | more than 8 years ago | (#13625664)

I can see either point standing on its own as a potentially interesting topic

Don't suggest it! They'll dupe it twice!

Actually, and in all seriousness, why do the editors post related stories together or not even split stories? Won't multiple articles give them more traffic?

Re:Is there even a coherent thought here? (0)

Anonymous Coward | more than 8 years ago | (#13626775)

I hate when people who don't "get it" get modded up because they don't "get it". Oh well...

Nasrudin walked into a teahouse and declaimed, "The moon is more useful than the sun." "Why?", he was asked. "Because at night we need the light more."

sorry you don't get it (1)

idlake (850372) | more than 8 years ago | (#13627127)

Security is one of Skype's selling points. The fact that there is no way to verify it, no way to audit the code, no way to check for a back door means that you can't rely on Skype security: you just don't know. Given the background of the company and its founder, it also seems doubtful that a lot of security expertise went into the product.

And the fact that eBay has been willing to work closely with law enforcement means that they may well put in back doors even if they aren't already there.

Bottom line: if you want secure communications, don't use closed source, use something you can audit.

Re:sorry you don't get it (1)

Kadin2048 (468275) | more than 8 years ago | (#13627365)

I'm not necessarily saying you're wrong about Skype making security a selling point, but I do think that there's a difference between a company's advertising and marketing rhetoric, and what people actually use it for. I don't know anyone who actually uses Skype for "security." I'm sure there are some people out there, but I'm willing to bet it's pretty rare. And those people are dumb.

Most people use Skype because it's a lot cheaper than the regular phone company, and doesn't require a monthly service fee like "real" VOIP service like Vonage does. It's a great way to talk to friends across the country, and a lot better implemented than the various IM services' voice chat features. It also seems to work its way through firewalls and NAT routers better than the IM service voice protocols do, too, although I can't figure out why.

Skype may hype its own allegedly secure protocol, but in reality I doubt it's a selling point. What sells is the price -- free or at least very cheap -- and the fact that it just works out of the box without any more setup than AIM. To most users the security is an afterthought, and I doubt that if it disappeared tomorrow that many of them would really care.

If the perceived 'secureness' of Skype does anything at all for most users, it just serves to counteract the general vague uneasiness that many people have with security over the internet in general. It provides them a sense that their internet phone is now as secure as their conventional phone, without really understanding how secure or insecure that really is. (Given that many people's conventional phones involve a low power, unencrypted FM radio transmitter, so that any idiot in the neighborhood with a RadioShack scanner can listen in, this isn't saying much.) In short, it's like a kind of "wired equivalent privacy" for internet telephony.

If a government, large corporation, big NGO (or really anyone with an IT department) was using Skype for secure communications, they're insane. There are real 'secure' alternatives out there, sure none that are easy to use probably, but they offer real protection. Security shouldn't be a selling point for Skype to anyone with half a brain or a job to defend. In that, I think we are in absolute agreement.

almost enough... (0, Flamebait)

B3AST! (916930) | more than 8 years ago | (#13625462)

Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message
almost enough so that the 12 year old IM whores will have their own separate key!!!

there is a more interesting question (3, Funny)

toby (759) | more than 8 years ago | (#13625485)

This raises interesting questions about how Skype and eBay together will try to avert cyber criminals from using security flaws in either system to their advantage.

What about "how eBay will try to help over-enthusiastic law enforcement deprive users of privacy"?

Nah. Could never happen in a "freedom" loving country!

Did you flunk Calculus? (0)

Anonymous Coward | more than 8 years ago | (#13626134)

You forgot the "for varying and inconsistent values of freedom" part. ;)

Skype vs eBay (4, Interesting)

lordsilence (682367) | more than 8 years ago | (#13625499)

According to Zennström (co-founder of Kazaa and Skype), whose company Skype was recently bought by eBay, Skype will still be run as a separate company with him as the head.

So I kind of doubt he'll actively be doing stuff to endanger people's privacy.
It's worth mentioning that he left Kazaa BEFORE it became known as adware-bloated software.

Re:Skype vs eBay (0)

Anonymous Coward | more than 8 years ago | (#13625723)

That's kind of like buying a car and never driving it. I'm pretty sure Ebay is buying Skype because they think it will help their core business, and you can bet that includes telling Skype what to do and when to do it.

Re:Skype vs eBay (1)

rockola (240707) | more than 8 years ago | (#13626267)

According to Zennström (co-founder of Kazaa and Skype) whose company skype recently got bought by eBay, Skype will still be run as a separate company by him as the head.

If Zennström no longer holds a controlling interest in Skype (if he ever did), he's not necessarily privy to information as to what will happen to Skype when the dust settles.

I will not trust American Company (0, Flamebait)

Anonymous Coward | more than 8 years ago | (#13625509)

I have been using Skype for a long time. Skype always promised anonymity for its users.
Now that eBay has bought it, I will have a hard time extending my trust to them.
Plus, federal agencies will be pressing hard for compliance with CALEA, and they will get what they want.

Skype as we know it, is gone...

Where's the DCMA? (1, Offtopic)

AsmCoder8088 (745645) | more than 8 years ago | (#13625522)

Well, here goes my karma, but I think that in light of what the article mentions, Skype and its employees are going to have to argue this over the DCMA.

We should all hope that Skype employees win the suit, because like it or not we're going to have to fess up when it comes time to reconsider the DCMA.

It all boils down to privacy protection; the employees and RIAA/MPAA are likely going to have a time with each other here!

Re:Where's the DCMA? (3, Informative)

generic-man (33649) | more than 8 years ago | (#13625601)

Dear Asm,

I can assure you that the Dutch Country Music Association [www.dcma.nl] is not involved with this acquisition.

(Perhaps you mean DMCA)

Sincerely,
Kimo von Oelhoffen
President, Dutch Country Music Association

Rub those elbows (5, Insightful)

MonGuSE (798397) | more than 8 years ago | (#13625527)

Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.

Another words we help you guys out in law enforcement alot when we shouldn't so please don't step in and bother us when you should. Its a win, win we can both screw the little people at the same time.

Re:Rub those elbows (0)

Anonymous Coward | more than 8 years ago | (#13625572)

"Another words"?

French Benefits?

I would of said the same (1)

uptoeleven (845032) | more than 8 years ago | (#13625673)

but it would of definately anoyyed you...

tee hee - sorry

Re:Rub those elbows (0)

Anonymous Coward | more than 8 years ago | (#13625812)

Alright, the ownness is on him to use correct grammere. Else he'll run up against the statue of limitations.

Now excuse me while I kiss this guy.

Re:Rub those elbows (1, Informative)

Anonymous Coward | more than 8 years ago | (#13625922)

Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.'

Bull-fucking-shit. The company I work for found a piece of stolen hardware ($20,000+) listed on Ebay that we IDed with a very, very high probability as belonging to our company (we had photos, serial numbers, etc.). The seller was local to us, and the equipment was in a configuration that our vendor specified was NEVER ordered by any other client in the entire country (easily verified visually from the photos posted by the seller).

Ebay was of absolutely, 100% no fucking help whatsoever. They wouldn't do shit without a court order, not even for the cops investigating our case (and we didn't have a whole lot of time because the auction was close to ending by the time we found out about it).

We finally managed to get the gear back through our own internal investigations and with some clever work by our employees, but with no thanks to, and no help from Ebay.

So I think what they're saying here is that if the Feds ask on the most flimsy of pseudo-evidence, and it involves invading a user's privacy, they'll happily spill everything at a moment's notice.

If, however, you are someone trying to get your stolen goods back, Ebay will do everything possible to prevent you, or the police investigating your case, from getting any information at all.

Re:Rub those elbows (1)

alienw (585907) | more than 8 years ago | (#13627114)

Simple. Just put in a huge bid in the last few minutes and win the auction. Then you pretty much have the guy's name and address. Most of these people think they are invincible because they are on the internet.

Re:Rub those elbows (1)

Antique Geekmeister (740220) | more than 8 years ago | (#13626730)

You mean someone actually investigates Ebay fraud cases? *HAH*. Only when the victim's name shows up in the paper or it's many hundreds of thousands of dollars, or the Ebay phishing spammers would have been out of business 2 years ago.

Way too many people get ripped off via Ebay, especially via credit card fraud. The credit card companies often write it off as a loss and make it good for the legitimate customers ripped off, but it's still massive amounts of fraud, and they simply don't investigate modest thefts.

attackers use the easy way. the fbi will too. (0)

Anonymous Coward | more than 8 years ago | (#13625533)

take openssl for example. an attacker will not sit and try to break the encryption. that is too hard. what they will do is find a bug in openssl and own the webserver. much easier.

the fbi will simply do the same thing in a different way. why break the encryption when a court order will get what they need?

if you really have something that needs to be kept private, you are going to use skype? hah.

anyway, i did not bother reading the article. i just know, from the attacker's perspective, you do not pick the hardest way.

Bad description (0)

Anonymous Coward | more than 8 years ago | (#13625586)

AES256 when the keys are negotiated with a 1024 bit RSA key...yeah that's really necessary.

In any case, after reading TFA it seems that wasn't the author's point (slashdot descriptions misleading??, never!). Skype is insecure b/c there's no reason to trust the designers of the protocol or that the implementors got it right. And since neither is open to security reviews it's probably chock full of side channels waiting to be discovered. And how much information do they log about user calls? That could be just as damaging.

Why not Diffie Hellman (2, Informative)

grahamsz (150076) | more than 8 years ago | (#13626126)

Seems odd to use RSA to negotiate a private key. Obviously it can be implemented securely that way, but it sounds like someone chasing buzzwords.

RSA suggests that the client is preprogrammed with the server's public key, and perhaps their key exchange involves the client making up the key, encrypting it with the server's public key and sending it to the server. In which case a trojan client might easily be made to connect to a man in the middle.

Re:Why not Diffie Hellman (1)

Bert690 (540293) | more than 8 years ago | (#13627130)

Not odd at all... many common TLS/SSL modes involve RSA based session key establishment. There is no man in the middle risk if implemented properly.
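An added example (not Skype's code, and not from either poster above) of the exchange the two comments describe, written against Go's standard library: the client draws a fresh AES-256 key and wraps it under the server's RSA public key with OAEP, but only after checking that key against a pinned fingerprint, which is the "implemented properly" part that stops a substituted key from ever receiving a secret. The 2048-bit key size, the OAEP label and all function names are my own choices, not anything Skype documents.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Fingerprint is SHA-256 over the DER (PKIX) encoding of a public key: the
// value a client ships pre-programmed instead of trusting whatever key the
// peer presents at runtime.
func Fingerprint(pub *rsa.PublicKey) ([32]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(der), nil
}

// ClientWrapKey is the client side of RSA key transport. It refuses to
// continue unless the presented key matches the pin, then generates a
// 256-bit session key and encrypts it for the server with RSA-OAEP.
// It returns the plaintext key (kept locally) and the wrapped copy.
func ClientWrapKey(presented *rsa.PublicKey, pinned [32]byte) (sessionKey, wrapped []byte, err error) {
	fp, err := Fingerprint(presented)
	if err != nil {
		return nil, nil, err
	}
	if fp != pinned {
		// A swapped key (man in the middle, or a trojaned client shipping
		// the wrong pin) stops here, before any secret leaves the client.
		return nil, nil, errors.New("server public key does not match pinned fingerprint")
	}
	sessionKey = make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, presented, sessionKey, []byte("session-key"))
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, wrapped, nil
}

// ServerUnwrapKey is the server side: only the private-key holder recovers
// the session key from the wrapped blob.
func ServerUnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte("session-key"))
}

func main() {
	server, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed server key
	pin, _ := Fingerprint(&server.PublicKey)
	k, w, err := ClientWrapKey(&server.PublicKey, pin)
	if err != nil {
		panic(err)
	}
	got, _ := ServerUnwrapKey(server, w)
	fmt.Println("both sides hold the same AES key:", bytes.Equal(k, got))
	imposter, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed substitute key
	_, _, err = ClientWrapKey(&imposter.PublicKey, pin)
	fmt.Println("unpinned key rejected:", err != nil)
}
```

Without the fingerprint check the same code would happily wrap the session key for whichever key it was handed, which is exactly the hole the first comment worries about.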

Simple answer to this one (1, Interesting)

FishandChips (695645) | more than 8 years ago | (#13625612)

Simple answer: don't use Skype if security is an issue. Plenty of other providers. Now that Ebay have got their hands on Skype, chances are it will be sent right downmarket anyway.

Skype also opens up port 80 and 443 by default (0)

Anonymous Coward | more than 8 years ago | (#13625631)

leaving a nice big security hole

Are you sure? (1)

lullabud (679893) | more than 8 years ago | (#13625724)

I just tested it and only saw TCP port 54045 open.

Like Clockwork (1)

ThinkFr33ly (902481) | more than 8 years ago | (#13625680)

Seems to me that anytime something gets too popular or mainstream the Slashdot crowd starts to turn on it. Google. Skype.

What's next? Microsoft?

Re:Like Clockwork (0)

Anonymous Coward | more than 8 years ago | (#13626384)

It's not so much about being popular as being bought by Ebay. Ebay is a company that has a history of ignoring its customers' privacy and freely giving up information to LEOs without a subpoena. Do you perhaps see a problem with such a practice when it owns a VOIP service?

Hannity Found Dead at Age 48 (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13625706)

I know this might be off-topic, but I just heard some sad news on talk radio -- TV/radio host Sean Hannity was found dead in his hotel room last night after a book signing. The coroner has not yet officially ruled it a suicide, but apparently that's what it's going to be ruled. Rumor is that he hanged himself but this isn't confirmed.

I'm sure everyone in the Slashdot community will mourn his passing -- even if you didn't agree with him, there's no denying his contributions to popular culture. Truly an American icon.

Skypke's website (2, Funny)

kherrick (843877) | more than 8 years ago | (#13625763)

I love Skypke. I wish everyone used Skypke.

Re:Skypke's website (1)

WilliamSChips (793741) | more than 8 years ago | (#13626174)

Does The Chekt [hrwiki.org] use Skypke?

Skype and privacy (1)

biraneto2 (910162) | more than 8 years ago | (#13625781)

Besides the security implementation... somehow a friend of mine was blocking someone from a company we were working for. This person created a conference, and in the conference room a message appeared saying that because of the user's privacy settings he could not be added as a participant. Regardless of whether he should have done it, Skype's own way of handling privacy gave him away and may have ended up costing him his job (he was fired 1 month after the incident).

eBay's pattern (1)

Blobomatic (449030) | more than 8 years ago | (#13625837)

When eBay acquired PayPal, eBay executives worried about long-term legal questions surrounding Internet betting. Even though it represented nearly 8% of PayPal's revenue, they decided to no longer facilitate payments for online gambling sites.

Will eBay fold under US government pressure to provide a backdoor for eavesdropping on Skype calls? Mark my words, unfortunately, "YES".

Verifying it (2, Interesting)

SamMichaels (213605) | more than 8 years ago | (#13625925)

Scott Granneman debates that since Skype is owned by eBay and is closed source, we have no way of verifying this claim.

With all the talented people out there, I'm sure SOMEONE (dvd jon?) could easily test out the encryption strength. I doubt anyone would even notice if you do it to your own account and your own friends on the other side of the call.

1024 bit is inadequate (4, Insightful)

cameldrv (53081) | more than 8 years ago | (#13625935)

If you're actually worried about the government listening in, 1024 bit RSA is inadequate. Adi Shamir published a paper describing a device that for $1.1 million could crack 1024 bit RSA. You can bet that the NSA has a better device than that.

Re:1024 bit is inadequate (1)

EaglesNest (524150) | more than 8 years ago | (#13626760)

I might be willing to concede that 1024 bit may be inadequate if you're a target of the NSA. If you're a run-of-the-mill criminal, though, I can't imagine that your local police department or even the FBI will have access to the hardware and knowledge to break the encryption.

Re:1024 bit is inadequate (1)

cameldrv (53081) | more than 8 years ago | (#13627355)

I'm sure the NSA and the FBI cooperate in these sorts of cases. If the government is after you, and they have the capability to crack your crypto, they're going to do it. There have been numerous news stories about the FBI being able to crack various crypto. It never specifies the method, but I wouldn't be surprised if some of them were direct attacks on RSA. The machines are cheap enough that it is also possible that NSA built the FBI a machine to do the cracking. Certainly the FBI's budget is big enough to get that in there.

Concerns? (0, Flamebait)

Tomchu (789799) | more than 8 years ago | (#13625956)

This raises interesting questions about how Skype and eBay together will try to avert cyber criminals from using security flaws in either system to their advantage.

Umm ... what? How does it raise questions? If some cyber criminal is plotting something with his buddies over Skype, I don't care WHAT eBay does or HOW they do it -- it's criminals we're talking about.

Of course, this just seems like another classic case of Slashdot-entitlement: "Waah, waah, I'm a criminal, I steal credit card numbers, I trade child pornography ... BUT DAMNIT I STILL DESERVE THE RIGHT TO UNMONITORED E-MAIL/IM CONVERSATIONS!1!11!!~"

Re:Concerns? (2, Interesting)

Anonymous Coward | more than 8 years ago | (#13626874)

Umm ... what? How does it raise questions? If some cyber criminal is plotting something with his buddies over Skype, I don't care WHAT eBay does or HOW they do it -- it's criminals we're talking about.

Think about this: eBay now has access to personal info of Skype users. SOMEONE faxes a fake request for info from eBay and, given the ease with which they give away personal info, someone's personal details from Skype are disclosed. That "SOMEONE" is the cyber criminal we are talking about! Skype's security is questionable in the first place, but now that eBay is involved, things may get worse. In case you haven't read the article, eBay can gladly hand over the following info to anyone:
  • Full name
  • User ID
  • Email address
  • Street address
  • State
  • City
  • ZIP code
  • Phone number
  • Country
  • Company
  • Password
  • Secondary phone number
  • Gender
  • Shipping information (including name, street address, city, state, ZIP)
  • Bidding history on an item
  • Items for sale
  • Feedback left about the user
  • Bidding history
  • Prices paid for items
  • Feedback rating
  • Chat room and bulletin board posts
Of course, this just seems like another classic case of Slashdot-entitlement: "Waah, waah, I'm a criminal, I steal credit card numbers, I trade child pornography ... BUT DAMNIT I STILL DESERVE THE RIGHT TO UNMONITORED E-MAIL/IM CONVERSATIONS!1!11!!~"

Read the article.

eBay has pretty bad security actually (3, Insightful)

saskboy (600063) | more than 8 years ago | (#13625958)

In the 3 years I've been using eBay, I know of several security breaches, one of which allowed people to access an administration interface through the web, giving them access to personal information of nearly anyone using the eBay message boards [which shares login information with the main site].

I'd trust eBay with security [and PayPal with fairness] about as far as I can throw it.

Keeping criminals out (1)

bman08 (239376) | more than 8 years ago | (#13626137)

One awesome way to avert cyber criminals (as well as non cyber criminals?) from using ebay and skype is to talk constantly about how willing ebay and skype are to hand over anything and everything that law enforcement asks for. I'm not even a criminal and I don't want to use ebay and skype. The plan's working!

don't trust ebay, paypal, or skype (0)

Anonymous Coward | more than 8 years ago | (#13626297)

Both eBay and PayPal already have very bad reputations. PayPal is even suspected of working with third parties on scamming people out of their money. At this point I would not trust Skype either. After all, they repeatedly refused inquiries to verify the security of their proprietary protocol. Fortunately SIP has become the standard VoIP protocol and offers better quality than Skype.

Introduction to VoIP Security (1)

cciRRus (889392) | more than 8 years ago | (#13627266)

For those interested in knowing more about the security issues associated with VoIP, you may wish to read this article [itmanagersjournal.com]. I think [ccirrus.per.sg] it's a great article, as it talks about the three important aspects of VoIP security: confidentiality, availability and integrity.

Business will help government. Don't trust them. (1)

jbn-o (555068) | more than 8 years ago | (#13627285)

This raises interesting questions about how Skype and eBay together will try to avert cyber criminals from using security flaws in either system to their advantage.

Look at what Yahoo! did to the alleged Chinese "spy"—work with the Chinese government to release information posted online via Yahoo! servers. Reporters without Borders was surprised how easy it was for Shih Dao (forgive my misspelling) to be caught, but it turns out that Yahoo! handed the Chinese government information on this reporter, who was widely miscited as a spy after he used Yahoo!'s hosting service to report on censorship activity. Fairness and Accuracy in Reporting's radio program "Counterspin" has a report on this [fair.org] that is worth listening to (about 6 minutes and 40 seconds into the file). Unfortunately this is only available in proprietary and patent-encumbered formats, but perhaps it airs on a local radio station near you.

Sounds like black PR ! (1)

petermp (891968) | more than 8 years ago | (#13627469)

The whole article sounds like black PR to me! GoogleTalk has NO encryption at all and is closed source too. Does that make it more private? Every day I see praise for Google and bad things about their competitors (e.g. Yahoo, Skype).