Slashdot Mirror

← Back to Stories (view on slashdot.org)

Skype Security and Privacy Concerns

Posted by Zonk on from the conversations-can-hurt dept.

CDMA_Demo writes "Scott Granneman at Security Focus is discussing the security and privacy issues thanks to eBay's acquisition of Skype. Says the help section on Skypke's website: 'Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive, information. Skype uses 256-bit encryption, which has a total of 1.1 x 1077 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.' Scott Granneman debates that since Skype is owned by eBay and is closed source, we have no way of verifying this claim. Further, from the article: 'At the CyberCrime 2003 conference, Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.' This raises interesting questions about how Skype and eBay together will try to avert cyber criminals from using security flaws in either system to their advantage.'"

11 of 128 comments (clear)

  1. Isn't that the way ... by gregduffy · · Score: 5, Insightful

    [since it] is closed source, we have no way of verifying this claim

    isn't that the way with all closed source software?

    1. Re:Isn't that the way ... by DarkHelmet433 · · Score: 2, Insightful

      Precisely that. Supposedly they want to limit how long it takes them to crack an encrypted conversation between terrorists, foreign agents, etc etc. However, the big hole in that argument is that the assumption that terrorists are outside the US is false, as is the assumption that they can only use US provided tools to communicate.

      Anyway, you can bet that the moment a 'person of interest' holds a skype conversation after eBay is at the helm, that the crypto strength will become an 'issue'.

  2. one word : audit by alexandreracine · · Score: 3, Insightful

    They could make some code audit by independent security firms, but will they? (Yes, but only if they are very serius about security)

    --
    No sig for now.
    1. Re:one word : audit by trime · · Score: 3, Insightful

      That requires you to trust the independent security firm. Maybe you do, maybe not. Depends how thick the tinfoil is; if you have several layers then you're able to check open software for yourself. If you have just one layer then you might consider agreement among several other trusted individuals to be good enough. If you don't know what I'm talking about then probably you'd probably be happy to take ebay's word for it anyway, and it doesn't matter.

      The point is that a closed review by a closed company for closed software, you're unlikely to get any additional trust from me.
  3. Is there even a coherent thought here? by Ingolfke · · Score: 4, Insightful

    This post has to be one of the dumbest I've ever read. Because Skype's protocol isn't public and e-Bay shares information (whatever the hell that means) there's supposed to be some specific concerns because the two are now joined? I can see either point standing on its own as a potentially interesting topic, but how does verifying whether or not a piece of software actually uses the encryption schemes it says it does and a corporate policy to share information (note that would be information that is not encrypted and intended to be shared) tie together?

    1. Re:Is there even a coherent thought here? by Sorthum · · Score: 2, Insightful

      No, there's really no link between the two. It's akin to saying Windows is owned by Microsoft, and Microsoft sells information to marketers, so anything you type is being tracked by advertisers.

      (Let's leave spyware out of my poor simple analogy)

    2. Re:Is there even a coherent thought here? by Anonymous Coward · · Score: 5, Insightful

      Ok, well let me try to spell this out:

      Company A says they encrypt -- good for privacy. If anyone had data collected, it will be encrypted and thus a bit more meaningless. We cannot verify if Company A is telling the truth. Maybe there's encryption, maybe there's not. Not good for absolute privacy.

      Company B readily shares information with others. Not good for privacy at all.

      Company B purchases Company A -- so B, with its reputation to piss away your privacy now has a product that may or may not protect your privacy.

      With the way B has conducted business, it may be implied that A isn't trustworthy, regardless of wheter they do encryption or not...simply because at the hands of B, your data isn't sacred.

      Almost like a Microsoft buying Claria or something.

  4. Rub those elbows by MonGuSE · · Score: 5, Insightful

    Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.

    Another words we help you guys out in law enforcement alot when we shouldn't so please don't step in and bother us when you should. Its a win, win we can both screw the little people at the same time.

  5. Great, who cares? by Sycraft-fu · · Score: 2, Insightful

    How is it different than the PSTN? The FBI has the capability, essentially, to dial a phone number and listen in on it. They need a warrant of course, but they can easily tap phone lines.

    If you depend on a communications provider to keep you data secure, espically from law enforcement, you are pretty naive. If you need to keep people out, you need to set up your own end-to-end encryption. Only then can you be sure (or at least reasonably sure) that no one is listening in. You should assume that the phone company, your ISP, their ISP, etc all can and do monitor what you do. If it is something that is important they don't see, encrypt it. Don't have them encrypt it, YOU encrypt it.

    Now please don't mistake me for saying that they should monitor you, or should be allowed to, I'm not. What I'm saying is if you are doing something that is sensitive enough that if they found out it would be problematic (like financial information or something) then encrypt it.

    Whenever I access servers at work, I do it via SSH, or some other similar encrypted method. Why? Well it would be a problem if someone at the ISP got the root password, they could do a lot of damage and we might never even know. They shouldn't be monitoring me like that, but it is too important to trust them with, I take it in my own hands.

  6. 1024 bit is inadequate by cameldrv · · Score: 4, Insightful

    If you're actually worried about the government listening in, 1024 bit RSA is inadequate. Adi Shamir published a paper describing a device that for $1.1 million could crack 1024 bit RSA. You can bet that the NSA has a better device than that.

  7. eBay has pretty bad security actually by saskboy · · Score: 3, Insightful

    In the 3 years I've been using eBay, I know of several security breaches, one of which allowed people to access an administration interface through the web, giving them access to personal information of nearly anyone using the eBay message boards [which shares login information with the main site].

    I'd trust eBay with security [and PayPal with fairness] about as far as I can throw it.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.