[cryptography] msft skype IM snooping stats & PGP/X509 in IM?? (Re: why did OTR succeed in IM?)

ianG iang at iang.org
Sun Mar 24 07:03:43 EDT 2013

Hi Adam,

Replying to this one because there's one part I haven't grokked yet:

On 23/03/13 17:04 PM, Adam Back wrote:
> Was there anyone trying to use OpenPGP and/or X.509 in IM?
> I mean I know many IM protocols support SSL which itself uses X.509, but
> that doesnt really meaningfully encrypt the messages in a privacy sense as
> they flow in the plaintext through chat server with that model.

Right.  The threat is always on the node.  In which I have a tiny doubt...

Now, from the combined comments of other posters I draw that the key 
factor in OTR's success was that it uses some form of ADH and doesn't 
use persistent public keys at all.  This then allowed an immediate 
startup into secure mode, and consequently a clean and usable UI.

I can see this working directly peer to peer, because (as I claim) the 
threat is always on the node.  But if the IM world typically mediates 
its messages, or its startup keyex, via servers, this means there is one 
easy place with which to conduct any MITMs -- the servers.

Are we saying then that the threat on the servers has proven so small 
that in practice nobody's bothered to push a persistent key mechanism? 
Or have I got this wrong, and the clients are doing p2p exchange of 
their ephemeral keys, thus dispersing the risk?

> btw is anyone noticing that apparently skype is both able to eavesdrop on
> skype calls, now that microsoft coded themselves in a central backdoor,
> this
> was initially rumoured, then confirmed somewhat by a Russian police
> statement [1], then confirmed by microsoft itself in its law enforcement
> requests report.

Rest is gossip:

Right.  For my own part, I fully expected that when Microsoft purchased 
Skype in 2011, it was only a matter of time before it was backdoored. 
That link [1] seems to confirm it.

(Before Skype was purchased, the intel agencies had attack kits that 
would replace either Skype or OS hooks on the victim's PC.  But this 
involves an invasive attack on the victim's PC which could perhaps have 
been prevented by someone who was paranoid enough.  The new backdoor 
solution is far better for the intel people.)

> Now publicly disclosed law enforcement requests reports
> are good thing, started by google, but clearly those requests are getting
> info or they wouldnt be submitting them by the 10s of thousands.
> http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
> 75,000 skype related law enforcement requests, 137,000 accounts affectd
> (each
> call involving or more parties).
> You have to wonder with that kind of mentality at microsoft (to
> intentionally insert themselves into the calls, gratuitiously when it
> supposedly wasnt previously architected to allow that under skype's watch),
> what other nasties they've put in.  Eg routine keyword scanning?  Remote
> monitoring (turn on microphone, camera?) Remote backdoor and rifling
> through
> files on the users computer.  The source is more than closed, its coded
> like
> a polymorphic virus with extensive anti-reverse-engineering features it
> would be rather hard to tell what all it is doing, and given the apparent
> lack of end to end security, basically impossible to tell what they are
> doing in their servers.

IMHO, it's not Microsoft that has ever been special in this respect.  It 
is all large companies that have a large invasive government. 
Unfortunately, once a company has made its bed in a country, the side 
deals are inevitable.

> I think its past time people considered switching to another IM client, an
> open source one with p2p routed traffic and/or end 2 end security,
> preferably with some resilience to X.509 certificate authority based
> malfeasance.
> I have nothing particular to hide, but this level of aggressive, no-warrant
> mass-scale fishing is not cricket.  They are no doubt probably hoovering it
> all up to store in those new massive Utah spook data centers in case they
> want to do some post-hoc fishing also.
> And clearly there are plenty of people with very legitimate reasons to
> hide;
> given the levels justice has stooped to do these days in their legal
> treatment of activists (even green activists, anti-financial crimes,
> corporate ethics activists, whistleblowers) - western countries are
> slipping
> backwards in terms of transparency and justice.

And people like us.



> Adam
> [1] http://www.itar-tass.com/en/c142/675600.html
> On Sat, Mar 23, 2013 at 01:36:34PM +0000, Ben Laurie wrote:
>> On 23 March 2013 09:25, ianG <iang at iang.org> wrote:
>>> Someone on another list asked an interesting question:
>>>      Why did OTR succeed in IM systems, where OpenPGP and x.509 did not?
>> Because Adium built it in?
>>> (The reason this is interesting (to me?) is that there are not so many
>>> instances in our field where there are open design competitions at this
>>> level.  The results of such a competition can be illuminating as to what
>>> matters and what does not.  E.g., OpenPGP v. S/MIME and SSH v. secure
>>> telnet
>>> are two such competitions.)

More information about the cryptography mailing list