[Clips] Is Skype a haven for criminals?
From a law enforcement point of view, digital communication is a two-edged sword. On the one hand, it allows for the simple collection, sorting, and
--- begin forwarded text
Delivered-To: clips@philodox.com
Date: Sun, 19 Feb 2006 22:58:24 -0500
To: Philodox Clips List
http://arstechnica.com/news.ars/post/20060217-6206.html
Is Skype a haven for criminals?
2/17/2006 1:10:55 PM, by Nate Anderson
From a law enforcement point of view, digital communication is a two-edged sword. On the one hand, it allows for the simple collection, sorting, and processing of massive amounts of information (such as in the FBI's Carnivore system), but on the other hand, it is much easier for users to encrypt their communications with almost unbreakable codes. Now that VoIP calls are becoming commonplace, governments around the world are struggling to adapt to the new technology, and Skype has found itself under extra scrutiny.
<snip>
The FCC ruled last year that VoIP providers need to offer backdoors into their systems for wiretapping reasons, but Skype isn't based in the US and so is not subject to the rule. It is subject to the EU's new Data Retention Directive, though, which may require them to retain call logs and decryption keys for a period of time. If so, real-time monitoring of Skype calls would still be out, but after-the-fact review of recorded calls from people of interest might well be possible for the government.
My understanding is that encryption between Skype users is through remote key generation and key exchange and that any intermediaries (including Skype) don't have the necessary key information to decrypt the data streams. Can anyone support or refute this assertion? Steve
Thus spake Steve Schear (s.schear@comcast.net) [09/03/06 13:48]: : My understanding is that encryption between Skype users is through remote : key generation and key exchange and that any intermediaries (including : Skype) don't have the necessary key information to decrypt the data : streams. Can anyone support or refute this assertion? While I have no key insights into how Skype encryption is handled -- aside from the fact that most crypto-knowledgable communities view it skeptically -- I /do/ know they've stated they will fully comply with any wiretapping request, and declined to comment further on what exactly that meant. Personally, I'm holding out for zFone and ZRTP. - Damian
At 11:04 PM 3/9/2006, Damian Gerow wrote:
Thus spake Steve Schear (s.schear@comcast.net) [09/03/06 13:48]: : My understanding is that encryption between Skype users is through remote : key generation and key exchange and that any intermediaries (including : Skype) don't have the necessary key information to decrypt the data : streams. Can anyone support or refute this assertion?
While I have no key insights into how Skype encryption is handled -- aside from the fact that most crypto-knowledgable communities view it skeptically -- I /do/ know they've stated they will fully comply with any wiretapping request, and declined to comment further on what exactly that meant.
I believe it means they will comply with wiretapping requests of calls that touch the public switched network. Steve
Thus spake Steve Schear (s.schear@comcast.net) [10/03/06 19:57]: : >While I have no key insights into how Skype encryption is handled -- aside : >from the fact that most crypto-knowledgable communities view it skeptically : >-- I /do/ know they've stated they will fully comply with any wiretapping : >request, and declined to comment further on what exactly that meant. : : I believe it means they will comply with wiretapping requests of calls that : touch the public switched network. Anything to support that? They /do/ claim that there are no back doors within the code. And the quote I was thinking of is: "Skype 'cooperates fully with all lawful requests from relevant authorities.'" http://www.mercurynews.com/mld/mercurynews/business/13889705.htm?template=co... What we infer from that is meaningless: so long as they continue to make vague comments about their call security and what they'll comply with, and so long as their crypto remains closed, I'm not exactly filled with warm fuzzies over their product. However, no matter what your approach (the trusting or the paranoid), it's all speculation. So long as their crypto /does/ remain closed -- and they've given nobody any reason to believe it will be anything but -- we'll have a hard time telling just how good it actually is. Like I said, I'm waiting for Zfone and ZRTP.
At 07:07 PM 3/10/2006, Damian Gerow wrote:
Thus spake Steve Schear (s.schear@comcast.net) [10/03/06 19:57]: : >While I have no key insights into how Skype encryption is handled -- aside : >from the fact that most crypto-knowledgable communities view it skeptically : >-- I /do/ know they've stated they will fully comply with any wiretapping : >request, and declined to comment further on what exactly that meant. : : I believe it means they will comply with wiretapping requests of calls that : touch the public switched network.
They /do/ claim that there are no back doors within the code. And the quote I was thinking of is:
However, no matter what your approach (the trusting or the paranoid), it's all speculation. So long as their crypto /does/ remain closed -- and they've given nobody any reason to believe it will be anything but -- we'll have a hard time telling just how good it actually is.
Like I said, I'm waiting for Zfone and ZRTP.
One way to provide some measure of protection is to proxy Skype, for example from with a VPN. At least they won't be able to ID your IP address. If both parties are inside the VPN all the better. Steve
Thus spake Steve Schear (s.schear@comcast.net) [11/03/06 01:47]: : One way to provide some measure of protection is to proxy Skype, for : example from with a VPN. At least they won't be able to ID your IP : address. If both parties are inside the VPN all the better. I would beg to differ, but that's not a conversation for cypherpunks. To address your original question, a link to a page containing a plethora of information about Skype was just posted to another mailing list I watch: http://www1.cs.columbia.edu/~salman/skype/ Depending on the paper you read, the security seems sound. Specifically: http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf Traditional warnings and caveats about studies sponsored by ${COMPANY} proving ${COMPANY}'s products are secure/fast/etc. should be heeded.
participants (3)
-
Damian Gerow
-
R. A. Hettinga
-
Steve Schear