Terrorists don't let terrorists use Skype

Tyler Durden camera_lumina at hotmail.com
Thu Jan 27 08:14:39 PST 2005


Well, I think Skype is also truly Peer to Peer, no? It doesn't go through 
some centralized switch or server. That means it can only be monitored at 
the endpoints, even when it's unencrypted.
-Emory

>From: Eugen Leitl <eugen at leitl.org>
>To: cypherpunks at al-qaeda.net
>Subject: Terrorists don't let terrorists use Skype
>Date: Thu, 27 Jan 2005 15:02:56 +0100
>
>From: Adam Shostack <adam at homeport.org>
>Date: Tue, 11 Jan 2005 10:48:12 -0500
>To: David Wagner <daw-usenet at taverner.CS.Berkeley.EDU>
>Cc: cryptography at metzdowd.com
>Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
>From owner-cryptography+eugen=leitl.org at metzdowd.com  Thu Jan 27 01:04:39 2005
>User-Agent: Mutt/1.4.2i
>
>On Mon, Jan 10, 2005 at 08:33:41PM -0800, David Wagner wrote:
>| In article <41E07994.5060004 at systemics.com> you write:
>| >Voice Over Internet Protocol and Skype Security
>| >Simson L. Garfinkel
>|
>| >http://www.soros.org/initiatives/information/articles_publications/articles/security_20050107/OSI_Skype5.pdf
>|
>| >Is Skype secure?
>|
>| The answer appears to be, "no one knows".  The report accurately reports
>| that because the security mechanisms in Skype are secret, it is impossible
>| to analyze meaningfully its security.  Most of the discussion of the
>| potential risks and questions seems quite good to me.
>|
>| But in one or two places the report says things like "A conversation on
>| Skype is vastly more private than a traditional analog or ISDN telephone"
>| and "Skype is more secure than today's VoIP systems".  I don't see any
>| basis for statements like this.  Unfortunately, I guess these sorts of
>| statements have to be viewed as blind guesswork.  Those claims probably
>| should have been omitted from the report, in my opinion -- there is
>| really no evidence either way.  Fortunately, these statements are the
>| exception and only appear in one or two places in the report.
>
>The basis for these statements is what the other systems don't do.  My
>Vonage VOIP phone has exactly zero security.  It uses the SIP-TLS
>port, without encryption.  It doesn't encrypt anything.  So, it's easy
>to be more secure than that.  So, while it may be bad cryptography, it
>is still better than the alternatives.  Unfortunately.
>
>Adam
>
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>
>
>----- Forwarded message from Peter Gutmann <pgut001 at cs.auckland.ac.nz> -----
>
>From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
>Date: Wed, 12 Jan 2005 05:00:29 +1300
>To: daw-usenet at taverner.CS.Berkeley.EDU
>Cc: cryptography at metzdowd.com
>Subject: Re: Simson Garfinkel analyses Skype - Open Society Institute
>
>David Wagner <daw at cs.berkeley.edu> writes:
>
> >>Is Skype secure?
> >
> >The answer appears to be, "no one knows".
>
>There have been other posts about this in the past, even though they use
>known algorithms the way they use them is completely homebrew and horribly
>insecure: Raw, unpadded RSA, no message authentication, no key verification,
>no replay protection, etc etc etc.  It's pretty much a textbook example of
>the problems covered in the writeup I did on security issues in homebrew
>VPNs last year.
>
>(Having said that, the P2P portion of Skype is quite nice, it's just the
>  security area that's lacking.  Since the developers are P2P people, that's
>  somewhat understandable).
>
>Peter.
>
>
>----- End forwarded message -----
>--
>Eugen* Leitl <a href="http://leitl.org">leitl</a>
>______________________________________________________________
>ICBM: 48.07078, 11.61144            http://www.leitl.org
>8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
>http://moleculardevices.org         http://nanomachines.net
>
>[demime 1.01d removed an attachment of type application/pgp-signature]
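
Three of the weaknesses Peter Gutmann lists in the forwarded message (raw, unpadded RSA; no message authentication; no replay protection), as an added Python example that is not part of the original thread and is not Skype's code. Textbook RSA with a constructed toy key shows that a ciphertext altered in transit still decrypts cleanly, and a hypothetical `Receiver` class shows the HMAC and sequence-counter checks that reject such changes and replays; the key, names and message values are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def raw_encrypt(m: int) -> int:
    """Textbook RSA: no padding and no randomness."""
    return pow(m, E, N)

def raw_decrypt(c: int) -> int:
    return pow(c, D, N)

def scaled_in_transit(c: int, k: int) -> int:
    """With only the public key, Enc(m) becomes Enc(k*m): raw RSA is malleable."""
    return (c * pow(k, E, N)) % N

class Receiver:
    """Hypothetical receiver adding the missing checks:
    an HMAC over (sequence number, ciphertext) and a strictly increasing counter."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.last_seq = -1

    def tag(self, seq: int, c: int) -> bytes:
        msg = seq.to_bytes(8, "big") + c.to_bytes(32, "big")
        return hmac.new(self.mac_key, msg, hashlib.sha256).digest()

    def accept(self, seq: int, c: int, tag: bytes) -> bool:
        if not hmac.compare_digest(tag, self.tag(seq, c)):
            return False  # ciphertext or sequence number was modified
        if seq <= self.last_seq:
            return False  # replayed or reordered message
        self.last_seq = seq
        return True

if __name__ == "__main__":
    c = raw_encrypt(1000)                          # constructed plaintext value
    print(raw_decrypt(scaled_in_transit(c, 2)))    # altered ciphertext decrypts without error
    rx = Receiver(b"constructed-demo-key")
    t = rx.tag(0, c)
    print(rx.accept(0, c, t), rx.accept(0, c, t))  # first delivery accepted, replay rejected
```
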




