thank you mangle, i couldnt have said it better.   

I can only imagine a few reasons why anyone would defend this program (because I could really care less about the prog. itself)...one is that theyre affiliated with the company somehow, two is that the possibility of someone actually receiving or filtering their calls is stirring fear within them,  and three is that they just like to argue for status, or credibility.  This is a free program, where are they getting the funding to make it crack proof from the gov.? I'm sure the gov. knows about it, and If you have something to hide, to the extent that you're going encrypt your phone calls, then I guarentee that some entity in the gov. is curious to know what those calls are about, especially these days.  I doubt most of the calls people make are about their follies at the bar last weekend.

i hope they paid you to say that, because that was excessive.  it's naive to think that the government's capabilities with computing stretch as fas as you and i would like to think.  why would the government make it public that their top secret information is 256 bit encrypted....sounds like fairy dust to me. it would be like declassifying the paint used on a stealth fighter.  i wouldn't expect them to decrypt your calls unless they had good reason to.  i certainly wouldn't expect them to listen in on everyone.  it doesn't take much though, you seem to be, after all, a big part of antipolygraph.org..which is working against the gov.'s intentions in some ways isn't it?

if i had that evidence i probably wouldn't be able to give it to you, because it wouldn't be public knowledge...and who cares what that sheet said, they can print anything they want to keep our security safe.  anything that the general public knows in the states, is known in the world. wouldn't you rather let everyone think you have a pea shooter, when you really have a cannon?

you can't accept the fact that ive made some good points, and maybe im eating your credibility to sell your anal puckering techniques to pothead-would be government employees. hey, "ive got some jargon that no one will  understand and make me sound credible".  common sense and good logic isn't enough.  great marketing with the cnss policy.  skype, this wonderful free program that you love so dearly, is as good as the best technology our country has to provide for our national security.  tools...

What an interesting discussion I found while I googled for some info on evaluation of Skype's security.

For those searching for some kind of evaluation as I was, better overviews can be found at:

http://www.security-forums.com/forum/viewtopic.php?t=24098&postdays=0&postorder=...

(in particular see Justin's reply)

and 

http://www.securiteam.com/securityreviews/6K00M2ABFM.html


As for this discussion:

Actually, I think the troll may have made at some good points, whether intentionally or unintentionally, and of course in a very oblique and sometimes offensive manner.

The first issue is whether AES itself is vulnerable. The fact that it appears to be so widely trusted and used, by a variety of different "users", technical, corporate and government,  is surely a sign that it works, at least for most purposes. There is no point in evaluating in detail the maths behind it, unless you are willing to put in real effort at becoming proficient (which I for one am not). The fact that it is "open source", and that it has been put forward and scrutinised in academic journals as well as on the internet, without any weaknesses being found, does add to credibility (but I am going off vague and half-remembered second hand rpeorts that no weaknesses have been found). But, by analogy with the Enigma saga (which I think the troll did hint at), it would seem to be possible that there could be a solution to these mathematical encryption schemes, that is held by a few intellectual elites (which all the rest of the mathematicians, even though they are very good, don't know about). Still for practical purposes, it makes sense to assume we have an unbreakable encryption. (The problem of casual snoops and criminals decrypting AES would seem to be allmost impossible, even if at the very highest level the government is playing the double bluff game).


The second, more important issue for Skype specifically, is whether Skype's implementation of AES is robust. Here, we would be able definitely to turn the trolls "point" regarding open source against him. The fact that third parties (such as Justin at the security forum), that we can trust to greater or lesser degrees, cannot look at the implementation because it is poorly documented and not open source, greatly reduces the trust in the product. 

But here also, the senior member George has misled slightly, and in some sense has been complicit with the marketing spin of Skype, because he did not point out clearly enough this key weakness of Skype, even though he introduced it as using "strong encryption". Indeed, he only referred to the benefits of open source with regard to AES itself, and missed the opportunity to criticise Skype for not being open source (although he did, albeit briefly, mention the possiblility that their implementation might be inadequate). We only have Skype's word for its efficiency (and they may even have put a deliberate backdoor into the implementation, although points about why they would want to do this and how it would be hard for them to harvest traffic on a large scale are valid). There are a lot of users of Skype, but they seem to be mainly "users" in the consumer sense of the word, and it hasn't been subject to much scrutiny from the corporates or open source community. Given how many users it has got, and given how it hypes the "strong encryption", AES standard, maybe it is time some public spirited techie reverse engineered it and documented the results.

There has been a recent bug fix to fix a buffer overflow in Skype, which in fairness was posted on their site (this does not link to encrytion implementation directly, but if an app allows another to take complete control of your pc, then any enryption is potntially rendered ineffective even if it is a good implementation, aside from all the other problems you will have). 

For me, I think I will go ahead and use skype anyway. I don't particularly want random people to be able to hear my conversations, and I am not convinced that Skype will prevent it, but free, reasonable quality phone calls sound too good to ignore. Maybe even a poorish enryption implementation will provide a similar level of security to POTS, becuase it would still require some effort and skill to eavesdrop, unlike with entirely unencrypted traffic.

Hey Compscigeek,

You can easily prove George wrong...

Just factor his public key and post the two prime numbers that created it.

Course I expect to die of old age first.

With Skype's acquisition by eBay, it may be less secure. Presumably, as a U.S.-owned company, Skype will become subject to the provisions of the USA Patriot Act, under which the FBI, by issuing a "National Security Letter" (no court order required), may demand customer information from telephone companies, Internet service providers, bookstores, and even public libraries. The recipient of a National Security Letter is prohibited from informing the customer that his information has been provided to the government.

PGP developer Philip Zimmermann, whom the U.S. Government once sought to criminally prosecute for making strong encryption publicly available, is working on a secure VoIP application that is presently called zFone. Unlike Skype, zPhone's source code will be made public for peer review.

You can now use Skype to make free calls within the US and Canada through the end of 2006:

http://news.com.com/2100-7352_3-6072256.html