[IP] more on Skype security evaluation
Begin forwarded message:
From: Laurent GUERBY <laurent@xxxxxxxxxx>
Date: October 25, 2005 9:45:20 AM EDT
To: dave@xxxxxxxxxx
Cc: Ip Ip <ip@xxxxxxxxxxxxxx>
Subject: Re: [IP] more on Skype security evaluation
From: Lauren Weinstein <lauren@xxxxxxxxxx>
[...]
Naturally, the code is expected to continue its evolution. But the
intractable problem with proprietary crypto systems is that even if
we know what they are doing today, we don't necessarily have any way
to figure out what they're doing tomorrow, either in terms of
accidental or purposeful weaknesses. [...]
No need for new versions: the build process used for Skype real release
could compile sources other than the audited sources, the audit could
have missed a hidden "thread" in some obscured source part getting the
user secret key / passphrase while it's still in memory and shipping it
somewhere (or storing it for later uses - obviously not having observed
odd behaviour now does not mean there is no possible activation of odd
behaviour), etc...
Proprietary software vendors will never ever be able to reach security
and trust levels offered to users by true open source software where
anyone can see the code and build his own binary with his own compiler
setup (yes I read "Reflections on Trusting Trust" :) or use one from the
most trusted amongst open source packaging companies competing on ...
trust.
Laurent
PS: gnomemeeting over openvpn does work for me.