[cryptography] msft skype IM snooping stats & PGP/X509 in IM?? (Re: why did OTR succeed in IM?)

Adam Back adam at cypherspace.org
Sat Mar 23 10:04:54 EDT 2013


Was there anyone trying to use OpenPGP and/or X.509 in IM?

I mean I know many IM protocols support SSL, which itself uses X.509, but
that doesn't really meaningfully encrypt the messages in a privacy sense, as
they flow in plaintext through the chat server with that model.

btw, is anyone noticing that apparently Skype is able to eavesdrop on
Skype calls now that Microsoft coded themselves in a central backdoor? This
was initially rumoured, then confirmed somewhat by a Russian police
statement [1], then confirmed by Microsoft itself in its law enforcement
requests report.  Now publicly disclosed law enforcement requests reports
are a good thing, started by Google, but clearly those requests are getting
info or they wouldn't be submitting them by the 10s of thousands.

http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/

75,000 Skype-related law enforcement requests, 137,000 accounts affected (each
call involving or more parties).

You have to wonder with that kind of mentality at Microsoft (to
intentionally insert themselves into the calls, gratuitously when it
supposedly wasn't previously architected to allow that under Skype's watch),
what other nasties they've put in.  E.g. routine keyword scanning?  Remote
monitoring (turn on microphone, camera)?  Remote backdoor and rifling through
files on the user's computer?  The source is more than closed; it's coded like
a polymorphic virus with extensive anti-reverse-engineering features, so it
would be rather hard to tell what all it is doing, and given the apparent
lack of end-to-end security, basically impossible to tell what they are
doing in their servers.

I think it's past time people considered switching to another IM client, an
open source one with p2p routed traffic and/or end-to-end security,
preferably with some resilience to X.509 certificate authority based
malfeasance.

I have nothing particular to hide, but this level of aggressive, no-warrant
mass-scale fishing is not cricket.  They are no doubt probably hoovering it
all up to store in those new massive Utah spook data centers in case they
want to do some post-hoc fishing also.

And clearly there are plenty of people with very legitimate reasons to hide;
given the levels justice has stooped to these days in its legal
treatment of activists (even green activists, anti-financial crimes,
corporate ethics activists, whistleblowers) - western countries are slipping
backwards in terms of transparency and justice.

Adam

[1] http://www.itar-tass.com/en/c142/675600.html

On Sat, Mar 23, 2013 at 01:36:34PM +0000, Ben Laurie wrote:
>On 23 March 2013 09:25, ianG <iang at iang.org> wrote:
>> Someone on another list asked an interesting question:
>>
>>      Why did OTR succeed in IM systems, where OpenPGP and x.509 did not?
>
>Because Adium built it in?
>
>>
>>
>>
>> (The reason this is interesting (to me?) is that there are not so many
>> instances in our field where there are open design competitions at this
>> level.  The results of such a competition can be illuminating as to what
>> matters and what does not.  E.g., OpenPGP v. S/MIME and SSH v. secure telnet
>> are two such competitions.)
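The distinction Adam draws above between IM-over-SSL and OTR-style protection is the difference between hop-by-hop (transport) encryption and end-to-end encryption. The following simulation is an added illustration, not code from the list post or from any IM client: it models a chat relay that sits between two hypothetical users (Alice and Bob) and shows what the relay can read under each model. The cipher is a deliberately minimal keystream construction over SHAKE-256, constructed only so the script runs offline with the standard library; it is not authenticated and stands in for TLS or OTR's real ciphers purely for illustration.

```python
import hashlib
import os

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHAKE-256 over key||nonce. Constructed for this
    illustration only; not an authenticated cipher and not a real IM cipher."""
    return hashlib.shake_256(key + nonce).digest(length)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || (plaintext XOR keystream), fresh random nonce per message."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def relay_transport_only(message, alice_server_key, bob_server_key):
    """Hop-by-hop protection, as with IM over SSL: each link is encrypted with
    a key the server holds, so the server must decrypt in order to forward."""
    hop1 = encrypt(alice_server_key, message)
    server_view = decrypt(alice_server_key, hop1)   # plaintext at the server
    hop2 = encrypt(bob_server_key, server_view)
    bob_view = decrypt(bob_server_key, hop2)
    return server_view, bob_view


def relay_end_to_end(message, alice_bob_key, alice_server_key, bob_server_key):
    """End-to-end protection, as with OTR: Alice first encrypts to Bob with a
    key the server never holds; the transport layer only wraps that ciphertext."""
    inner = encrypt(alice_bob_key, message)
    hop1 = encrypt(alice_server_key, inner)
    server_view = decrypt(alice_server_key, hop1)   # still ciphertext here
    hop2 = encrypt(bob_server_key, server_view)
    bob_view = decrypt(alice_bob_key, decrypt(bob_server_key, hop2))
    return server_view, bob_view


def demo(message=b"constructed sample: meet at 9, bring the docs"):
    """Run both models with fresh random keys and report what each party saw.
    The message is a constructed sample, not real traffic."""
    k_as, k_bs, k_ab = (os.urandom(32) for _ in range(3))
    t_server, t_bob = relay_transport_only(message, k_as, k_bs)
    e_server, e_bob = relay_end_to_end(message, k_ab, k_as, k_bs)
    return {
        "message": message,
        "transport_server_view": t_server,
        "transport_bob_view": t_bob,
        "e2e_server_view": e_server,
        "e2e_bob_view": e_bob,
    }


if __name__ == "__main__":
    r = demo()
    print("transport-only, server sees:", r["transport_server_view"])
    print("end-to-end,     server sees:", r["e2e_server_view"].hex())
    print("bob reads (both models):   ", r["transport_bob_view"], r["e2e_bob_view"])
```

In the transport-only run the relay's view is the original message byte for byte, which is exactly the position a server operator (or anyone with access to it) is in when an IM service offers only SSL to the server. In the end-to-end run the relay strips its own layer and is left holding a nonce plus ciphertext under a key it was never given; Bob still reads the message because he holds the inner key. What the simulation does not model is the part that made OTR usable where OpenPGP and X.509 were not: how Alice and Bob obtain and verify that inner key without a certificate authority in the loop.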