Friday, March 24, 2006

There's a hole in my bucket

A Palladium Club mega-uber value reader named Fred with a valid claim to credibility on security issues writes in with some added perspective on my Skype post from a couple of days ago (which has generated a staggering amount of traffic). His observations:

"When they say 'TCP communications use the same RC4 stream twice', that's really important. That means Skype committed a cryptographic mortal sin. Voice content is protected by a different part of Skype and is still as safe as it ever was, but this means that the researchers can read Skype's signalling traffic, which means they can tell a firewall administrator how to block Skype.

When they talk about 'checksummers', 'debugger traps' and so on, what they mean is that Skype went to thorough and unusual lengths to keep people from figuring out exactly what Skype does. No need for conspiracy theories, though, Skype might simply want to prevent anyone from making a Skype clone.

A Skype clone is a lot closer now if the researchers are right when they say about their project 'It can assemble Skype packets and speak Skype'. Nobody's been able to interoperate with Skype before that I know of. You could build your own Skype network.

The other point is that it is theoretically technically possible for the operator of a Skype-like network to intercept the voice part of a call. If Skype is too honest to do that, would the operators of a cloned Skype-like network be equally honest?"

No comments: