[IP] more on Skype security evaluation
Begin forwarded message:
From: Lauren Weinstein <lauren@xxxxxxxxxx>
Date: October 23, 2005 6:56:50 PM EDT
To: dave@xxxxxxxxxx
Cc: lauren@xxxxxxxxxx
Subject: Re: [IP] Skype security evaluation
Dave,
The cited report appears to confirm what we reasonably would have
expected -- that Skype has done a good job in their implementation,
and that apparently nothing nefarious is going on.
However, the conundrum is represented by this very short excerpt:
1.1 Caveats
This report represents a four-month evaluation. A longer evaluation
effort might uncover problems not yet seen.
The Version 1.3 code base was evaluated.
*** The code base continues to evolve beyond that snapshot. ***
[emphasis added]
Naturally, the code is expected to continue its evolution. But the
intractable problem with proprietary crypto systems is that even if
we know what they are doing today, we don't necessarily have any way
to figure out what they're doing tomorrow, either in terms of
accidental or purposeful weaknesses.
Yes, in theory Skype could release a new independent security
audit of their code to accompany each new release, but this is
hardly a practical solution.
This is why proprietary encryption systems should be avoided,
especially since high-quality, open alternatives now exist.
--Lauren--
Lauren Weinstein
lauren@xxxxxxxx or lauren@xxxxxxxxxx or lauren@xxxxxxxx
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI
- Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com
- - -
Begin forwarded message:
From: "Steven M. Bellovin" <smb@xxxxxxxxxxxxxxx>
Date: October 23, 2005 9:48:37 AM EDT
To: cryptography@xxxxxxxxxxxx
Subject: Skype security evaluation
Skype has released an external security evaluation of its product; you
can find it at
http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf
(Skype was also clueful enough to publish the PGP signature of the
report, an excellent touch -- see
http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf.sig)
The author of the report, Tom Berson, has been in this business for
many years; I have a great deal of respect for him.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Archives at: http://www.interesting-people.org/archives/interesting-people/