Interesting People mailing list archives

more on Skype security evaluation


From: David Farber <dave () farber net>
Date: Tue, 25 Oct 2005 13:03:55 -0400



Begin forwarded message:

From: Laurent GUERBY <laurent () guerby net>
Date: October 25, 2005 9:45:20 AM EDT
To: dave () farber net
Cc: Ip Ip <ip () v2 listbox com>
Subject: Re: [IP] more on Skype security evaluation


From: Lauren Weinstein <lauren () vortex com>
[...]
Naturally, the code is expected to continue its evolution.  But the
intractable problem with proprietary crypto systems is that even if
we know what they are doing today, we don't necessarily have any way
to figure out what they're doing tomorrow, either in terms of
accidental or purposeful weaknesses. [...]


No need for new versions: the build process used for Skype real release
could compile sources other than the audited sources, the audit could
have missed a hidden "thread" in some obscured source part getting the
user secret key / passphrase while it's still in memory and shipping it
somewhere (or storing it for later uses - obviously not having observed
odd behaviour now does not mean there is no possible activation of odd
behaviour), etc...

Proprietary software vendors will never ever be able to reach security
and trust levels offered to users by true open source software where
anyone can see the code and build his own binary with his own compiler
setup (yes I read "Reflections on Trusting Trust" :) or use one from the
most trusted amongst open source packaging companies competing on ...
trust.

Laurent

PS: gnomemeeting over openvpn does work for me.


