Skype Security and Privacy Concerns
CDMA_Demo writes "Scott Granneman at Security Focus is discussing the security and privacy issues thanks to eBay's acquisition of Skype. Says the help section on Skype's website: 'Skype uses AES (Advanced Encryption Standard), also known as Rijndael, which is used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1024 bit RSA to negotiate symmetric AES keys. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.' Scott Granneman debates that since Skype is owned by eBay and is closed source, we have no way of verifying this claim. Further, from the article: 'At the CyberCrime 2003 conference, Joseph E. Sullivan, Director of Compliance and Law Enforcement Relations for eBay, had this to say to a group of law enforcement officials: 'I know from investigating eBay fraud cases that eBay has probably the most generous policy of any internet company when it comes to sharing information.' This raises interesting questions about how Skype and eBay together will try to avert cyber criminals from using security flaws in either system to their advantage.'"
Skype vs eBay (Score:5, Interesting)
So I kind of doubt he'll actively be doing stuff to endanger people's privacy.
It's worth mentioning that he left Kazaa BEFORE they became known as an adware-bloated software.
Re:Is there even a coherent thought here? (Score:5, Interesting)
It seems to me what the world (or at least tinfoil hatters and others, like lawyers and accountants, who handle confidential information) needs now is either
Re:Isn't that the way ... (Score:5, Interesting)
Or do they have wiggle room and claim that it's produced offshore and therefore isn't exported from the US, even though it's now owned by a US company? I doubt that will go down well with the powers-that-be, because (among other things) that will just encourage US companies to offshore all their products-with-crypto work to get around the regulations.
Simple answer to this one (Score:1, Interesting)
Verifying it (Score:3, Interesting)
With all the talented people out there, I'm sure SOMEONE (dvd jon?) could easily test out the encryption strength. I doubt anyone would even notice if you do it to your own account and your own friends on the other side of the call.
Re:Is there even a coherent thought here? (Score:3, Interesting)
A modest re-write to operate on TCP instead of modems should be quite straightforward.
Re:Concerns? (Score:2, Interesting)
Think about this: eBay now has access to personal info of Skype users. SOMEONE faxes a fake request for info from eBay and given the ease with which they give away personal info, someone's personal details from Skype are disclosed. That "SOMEONE" is the cyber criminal we are talking about! Skype's security is questionable in the first place, but now that eBay is involved, things may get worse. In case you read the article eBay can gladly hand over the following info to anyone: Of course, this just seems like another classic case of Slashdot-entitlement: "Waah, waah, I'm a criminal, I steal credit card numbers, I trade child pornography
Read the article.
Re:Isn't that the way ... (Score:3, Interesting)
That's been happening already, lots of multinational companies do their crypto work in Europe and then send the finished product to the US division, because once it's in the US you can't get it out again.