Skype handing over more chat data to law enforcement


AxMi-24

Ars Legatus Legionis
10,352
Xavin":1n49m7ze said:
Prior to MSFT buying it, Skype was one of the easiest, most prominent, and most secure options available. Despite countless attempts, no government was able to get the backdoor access they kept requesting. This changed with the buyout, like I said it would.
You can't really blame MS for that, as a large US company they are going to cooperate with warrants, and cooperating without warrants is still a very grey area right now until we get more case-law. If you want secure internet communication, use end to end encryption, period, there are dozens of options.

What other options are there? I've been looking and there is nothing that is even remotely user friendly. Skype supports login from many locations at the same time and all chat and history gets synced to all computers. Just that is unique and makes it by far best IM.
Add encryption (even with this new stuff it's by far better than anyone else as others have no encryption whatsoever).

I would love to switch to something safe but there is just nothing.
 
Upvote
0 (0 / 0)
belleg":2ukgl2ua said:
sporkwitch":2ukgl2ua said:
belleg":2ukgl2ua said:
sporkwitch":2ukgl2ua said:
Xavin":2ukgl2ua said:
Any criminal who conducts business over Skype pretty much deserves to get caught. There are dozens of communication methods that the police probably don't even know exist, if you use one that's popular and centralized, you are dumb.
Prior to MSFT buying it, Skype was one of the easiest, most prominent, and most secure options available. Despite countless attempts, no government was able to get the backdoor access they kept requesting. This changed with the buyout, like I said it would.

Would you bet your life on that statement? Because, I know for a fact that everything can be intercepted with a warrant or ...
Let me know how useful the intercepted data is in 2050 when they break the encryption on it. I didn't say anything about interception, I was talking about access, as in to the plaintext content, not the ciphertext.

They don't have to break the encryption. Lawful Access provisioning requires that the data is handled to the law enforcing agencies in a readable format with a warrant. Under US laws, the company rejecting to provide this is liable and trust me no company wants to be in that position. I know this for a fact because I work in this field.
Whatever you hear that company A or Company B does not provide data, etc. to the law enforcing agencies is very far from the truth
You don't seem to understand how Skype work(s/ed). Calls are encrypted end to end, with a one-time key generated at call start, which was passed directly between parties, not via skype supernodes or servers as a middle man. Skype was quite literally incapable of providing what governments wanted without completely reworking things and destroying its security integrity.

So yes, any intercepted comms would have to be cracked, hence my post. Now that they're in the US since MSFT owns them, the government can force such changes (and they already started them by switching from supernodes to centrally-controlled MSFT servers.)
 
Upvote
0 (0 / 0)

Bob.Brown

Ars Tribunus Militum
2,079
belleg":2rzf5633 said:
They don't have to break the encryption. Lawful Access provisioning requires that the data is handled to the law enforcing agencies in a readable format with a warrant. Under US laws, the company rejecting to provide this is liable and trust me no company wants to be in that position. I know this for a fact because I work in this field. {snip}
If I'm doing something nefarious, you can bet your sweet ass they'll have to break encryption. In fact, anyone reading this could use my public key to encrypt a message that would be very difficult to break.

... although the NSA is rumored to have over half the computing power in the world...


edit: added italics
 
Upvote
0 (0 / 0)
AxMi-24":2no5mqe5 said:
Xavin":2no5mqe5 said:
Prior to MSFT buying it, Skype was one of the easiest, most prominent, and most secure options available. Despite countless attempts, no government was able to get the backdoor access they kept requesting. This changed with the buyout, like I said it would.
You can't really blame MS for that, as a large US company they are going to cooperate with warrants, and cooperating without warrants is still a very grey area right now until we get more case-law. If you want secure internet communication, use end to end encryption, period, there are dozens of options.

What other options are there? I've been looking and there is nothing that is even remotely user friendly. Skype supports login from many locations at the same time and all chat and history gets synced to all computers. Just that is unique and makes it by far best IM.
Add encryption (even with this new stuff it's by far better than anyone else as others have no encryption whatsoever).

I would love to switch to something safe but there is just nothing.
Jabber supports all of that and more, with amazing control and routing options. That's why I asked about the voice and video abilities earlier.

Mumble is also a potential option, assuming a trusted server and proper settings to control access and prevent recording.
 
Upvote
0 (0 / 0)
D

Deleted member 338050

Guest
sporkwitch":xt0lcfo6 said:
belleg":xt0lcfo6 said:
sporkwitch":xt0lcfo6 said:
belleg":xt0lcfo6 said:
sporkwitch":xt0lcfo6 said:
Xavin":xt0lcfo6 said:
Any criminal who conducts business over Skype pretty much deserves to get caught. There are dozens of communication methods that the police probably don't even know exist, if you use one that's popular and centralized, you are dumb.
Prior to MSFT buying it, Skype was one of the easiest, most prominent, and most secure options available. Despite countless attempts, no government was able to get the backdoor access they kept requesting. This changed with the buyout, like I said it would.

Would you bet your life on that statement? Because, I know for a fact that everything can be intercepted with a warrant or ...
Let me know how useful the intercepted data is in 2050 when they break the encryption on it. I didn't say anything about interception, I was talking about access, as in to the plaintext content, not the ciphertext.

They don't have to break the encryption. Lawful Access provisioning requires that the data is handled to the law enforcing agencies in a readable format with a warrant. Under US laws, the company rejecting to provide this is liable and trust me no company wants to be in that position. I know this for a fact because I work in this field.
Whatever you hear that company A or Company B does not provide data, etc. to the law enforcing agencies is very far from the truth
You don't seem to understand how Skype work(s/ed). Calls are encrypted end to end, with a one-time key generated at call start, which was passed directly between parties, not via skype supernodes or servers as a middle man. Skype was quite literally incapable of providing what governments wanted without completely reworking things and destroying its security integrity.

So yes, any intercepted comms would have to be cracked, hence my post. Now that they're in the US since MSFT owns them, the government can force such changes (and they already started them by switching from supernodes to centrally-controlled MSFT servers.)

Right... you know better than me ;)
 
Upvote
0 (0 / 0)

AxMi-24

Ars Legatus Legionis
10,352
sporkwitch":33wlxtoz said:
SirMarth01":33wlxtoz said:
sporkwitch":33wlxtoz said:
Does jabber have a compatible voice or video protocol? I'm liking the vision of a mesh future with directly routed comms and end-to-end encryption.
Thanks to ZRTP and SRTP, you can use the Jingle extension of XMPP to allow encrypted voice and video chat.

The only good client for Windows seems to be Jitsi. Jitsi also supports OTR for chat encryption.
What about for operating systems that don't suck?


Seems to work on osx and linuxes. I assume that you could get it running on freebsd too with some luck. Not sure what other OS you could mean.
 
Upvote
0 (0 / 0)

AxMi-24

Ars Legatus Legionis
10,352
sporkwitch":25iwwiii said:
AxMi-24":25iwwiii said:
Xavin":25iwwiii said:
Prior to MSFT buying it, Skype was one of the easiest, most prominent, and most secure options available. Despite countless attempts, no government was able to get the backdoor access they kept requesting. This changed with the buyout, like I said it would.
You can't really blame MS for that, as a large US company they are going to cooperate with warrants, and cooperating without warrants is still a very grey area right now until we get more case-law. If you want secure internet communication, use end to end encryption, period, there are dozens of options.

What other options are there? I've been looking and there is nothing that is even remotely user friendly. Skype supports login from many locations at the same time and all chat and history gets synced to all computers. Just that is unique and makes it by far best IM.
Add encryption (even with this new stuff it's by far better than anyone else as others have no encryption whatsoever).

I would love to switch to something safe but there is just nothing.
Jabber supports all of that and more, with amazing control and routing options. That's why I asked about the voice and video abilities earlier.

Mumble is also a potential option, assuming a trusted server and proper settings to control access and prevent recording.

None of jabber clients supports logging in from different locations at the same time and syncing them all. I've been looking for that feature for a long time. I'm also not the only one.
 
Upvote
0 (0 / 0)
AxMi-24":qi9ldiff said:
sporkwitch":qi9ldiff said:
AxMi-24":qi9ldiff said:
Xavin":qi9ldiff said:
Prior to MSFT buying it, Skype was one of the easiest, most prominent, and most secure options available. Despite countless attempts, no government was able to get the backdoor access they kept requesting. This changed with the buyout, like I said it would.
You can't really blame MS for that, as a large US company they are going to cooperate with warrants, and cooperating without warrants is still a very grey area right now until we get more case-law. If you want secure internet communication, use end to end encryption, period, there are dozens of options.

What other options are there? I've been looking and there is nothing that is even remotely user friendly. Skype supports login from many locations at the same time and all chat and history gets synced to all computers. Just that is unique and makes it by far best IM.
Add encryption (even with this new stuff it's by far better than anyone else as others have no encryption whatsoever).

I would love to switch to something safe but there is just nothing.
Jabber supports all of that and more, with amazing control and routing options. That's why I asked about the voice and video abilities earlier.

Mumble is also a potential option, assuming a trusted server and proper settings to control access and prevent recording.

None of jabber clients supports logging in from different locations at the same time and syncing them all. I've been looking for that feature for a long time. I'm also not the only one.
I'll concede that for sent messages, but by default (unless the sender or user set it differently) all messages to you will go to all clients, and there's no prohibition (unless set server-side) on logging in multiple simultaneous clients.
 
Upvote
0 (0 / 0)
sporkwitch":sw4erg7u said:
SirMarth01":sw4erg7u said:
sporkwitch":sw4erg7u said:
Does jabber have a compatible voice or video protocol? I'm liking the vision of a mesh future with directly routed comms and end-to-end encryption.
Thanks to ZRTP and SRTP, you can use the Jingle extension of XMPP to allow encrypted voice and video chat.

The only good client for Windows seems to be Jitsi. Jitsi also supports OTR for chat encryption.
What about for operating systems that don't suck?
Jitsi works on Windows, Mac OS X, and Linux. (Wikipedia claims BSD support, but I've found no reference to such on the official website.)

Edit: Didn't notice AxMi-24's comment until after I sent.
 
Upvote
0 (0 / 0)

AxMi-24

Ars Legatus Legionis
10,352
sporkwitch":1x8bciwk said:
AxMi-24":1x8bciwk said:
sporkwitch":1x8bciwk said:
AxMi-24":1x8bciwk said:
Xavin":1x8bciwk said:
Prior to MSFT buying it, Skype was one of the easiest, most prominent, and most secure options available. Despite countless attempts, no government was able to get the backdoor access they kept requesting. This changed with the buyout, like I said it would.
You can't really blame MS for that, as a large US company they are going to cooperate with warrants, and cooperating without warrants is still a very grey area right now until we get more case-law. If you want secure internet communication, use end to end encryption, period, there are dozens of options.

What other options are there? I've been looking and there is nothing that is even remotely user friendly. Skype supports login from many locations at the same time and all chat and history gets synced to all computers. Just that is unique and makes it by far best IM.
Add encryption (even with this new stuff it's by far better than anyone else as others have no encryption whatsoever).

I would love to switch to something safe but there is just nothing.
Jabber supports all of that and more, with amazing control and routing options. That's why I asked about the voice and video abilities earlier.

Mumble is also a potential option, assuming a trusted server and proper settings to control access and prevent recording.

None of jabber clients supports logging in from different locations at the same time and syncing them all. I've been looking for that feature for a long time. I'm also not the only one.
I'll concede that for sent messages, but by default (unless the sender or user set it differently) all messages to you will go to all clients, and there's no prohibition (unless set server-side) on logging in multiple simultaneous clients.

That's the thing. I have at all times at least 4 skype clients running. Sometimes even more and it's actually nice to have everything synced properly no matter where I am.

This is something that is just very hard to give up. Not to mention that making the people I communicate with to use something that is PITA to configure is a no go. Skype is simple and until now was exceptionally secure system.
 
Upvote
0 (0 / 0)
D

Deleted member 338050

Guest
sporkwitch":8fl178va said:
belleg":8fl178va said:
Right... you know better than me ;)
On this subject, apparently, I do, as it's been a thorn in the side of the US government for years.

:)

From Wikipedia which is public knowledge:

On each login session, Skype generates a session key from 192 random bits. The session key is encrypted with the hard-coded login server's 1536-bit RSA key to form an encrypted session key. Skype also generates a 1024-bit private/public RSA key pair. An MD5 hash of a concatenation of the user name, constant string ("\nSkyper\n") and password is used as a shared secret with the login server. The plain session key is hashed into a 256-bit AES key that is used to encrypt the session's public RSA key and the shared secret. The encrypted session key and the AES encrypted value are sent to the login server.
On the login server side, the plain session key is obtained by decrypting the encrypted session key using the login server's private RSA key. The plain session key is then used to decrypt the session's public RSA key and the shared secret. If the shared secret match, the login server will sign the user's public RSA key with its private key. The signed data is dispatched to the super nodes.
Upon searching for a buddy, a super node will return the buddy's public key signed by Skype. The SC will authenticate the buddy and agree on a session key by using the mentioned RSA key.

Skype was asked several times if they can and do provide means of wiretapping and Skype's spokesmen always rejected to comment. Skype did argue that they are not telecom company hence they are excluded from the wiretapping laws but that does not mean they can't/don't do it.
 
Upvote
0 (0 / 0)

AxMi-24

Ars Legatus Legionis
10,352
Biggiesized":1a97b9yd said:
So what forms of video communication AREN'T cracked/intercepted yet?


None that are easy to use or support features that skype supports. Seems that open source community is not interested in anything that actually works well. There are bunch of encryption standards and communication standards and all that stuff but nothing that is in any way user friendly.
 
Upvote
0 (0 / 0)

pjladyfox

Ars Praetorian
435
Subscriptor
sporkwitch":xnsmnprl said:
Don't forget Uncle George "Dubya," most of the true dangers right now got their start when his regime was in charge; the current one just pulled 180's and fought to protect those unconstitutional changes that they swore they'd repeal if elected.

Yeah, almost forgot about good 'ole "Dubya" the man who went to court to win his election or the other goodies we're still dealing with. -_-


dlux":xnsmnprl said:
Beginning?!?

Were you, by any chance, in a coma for the past twenty or so years?

(Hell, let's go back to the McCarthy era for some refreshers on how it's done.)

No, more along the lines of did not wish to get jumped by the apologists who think our government hasn't been slowly eroding our freedoms evidence to the contrary. And then giving us wonderful replies like "what have you got to hide" or "what r u a p3d0?" while praising Daddy Obama. >.>

kleinma":xnsmnprl said:
I am just going on the fact that if the feds want to listen to my skype convos, then they are more than welcome. I am a law abiding tax paying citizen, and I never, ever had any expectation of true privacy across any electronic medium. I keep hearing these increased cries about no privacy, and then those people go off and tweet and post on facebook everything about their lives.

So which is it you don't mind giving up your privacy or you're saying because everyone else is you may as well?

Nobody, and I do mean NOBODY, should be so free with trusting their government. And for those who think we should really either failed to pay attention in school, ate paste during class, or all of the above. Not that I'm saying that's what happened in your case mind you just that I really have a hard time understanding why someone would be so, well, naive that their government is really that trustworthy. o_O
 
Upvote
0 (0 / 0)

jpcg

Ars Centurion
364
Subscriptor++
sporkwitch":3b3cwqrp said:
SirMarth01":3b3cwqrp said:
sporkwitch":3b3cwqrp said:
Does jabber have a compatible voice or video protocol? I'm liking the vision of a mesh future with directly routed comms and end-to-end encryption.
Thanks to ZRTP and SRTP, you can use the Jingle extension of XMPP to allow encrypted voice and video chat.

The only good client for Windows seems to be Jitsi. Jitsi also supports OTR for chat encryption.
What about for operating systems that don't suck?

Go to their Website. They are also supported (Mac OS and some Linux have precompiled packages)

Edit: Sadly it runs on Java, I won't install it/can't try it out. (Mac OS X 10.8)
 
Upvote
0 (0 / 0)

Wolvenmoon

Ars Tribunus Militum
1,691
My knee jerk reaction to this was to start telling my friends I would no longer be using Skype to send text messages.

My calculated response is to say to Google secure instant messaging, "Trillian OTR", "Pidgin OTR", and profit. Trillian connects to Skype - there's no reason to be Microsoft's well behaved bratling, you can encrypt your instant messaging done over Skype and it is not hard to grab a virtualized OpenVPN Linux box, toss a Mumble server on it, and roll your own voice chats.


Couldn't one always just start suing everyone involved if one finds out they've been victimized?
 
Upvote
0 (0 / 0)

Postulator

Ars Tribunus Militum
2,138
kleinma":2s32uev8 said:
So I should stop running my drug and prostitution rings over skype?

As well as discussing personal relationships, business deals, or anything that you don't want the world to know.

Why are so many idiots insistent that only criminals should be scared by governments taking away basic human rights and liberties?
 
Upvote
0 (0 / 0)
Postulator":1jg7enu8 said:
kleinma":1jg7enu8 said:
I would be interested to know how you all would feel in the event some major terrorist plot was thwarted because of lawful wiretapping on a skype call.

Absolutely amazed.
What I want to ask kleinma is which kinds of terrorists use skype to plan attacks? There are far better methods to communicate.

Ignoring the fact that most plots have been stopped by user stupidity (the terrorists), or by human intelligence and tips, not wiretapping.
 
Upvote
0 (0 / 0)
belleg":35r5x2vo said:
So yeah, still not seeing private keys leaving local machines (though I apparently was mistaken about passing it through the login server; I suspect this is a more recent change with the abandonment of supernodes, though, as it seems to contradict Skype's prior statements on the topic).

In any case, we're still not looking at something that would grant police access without either A) a trojan on the client machine of a call participant, or B) cracking the encryption. This site has 1024-bit RSA keys having an expected life of about 7 years (in 2003). Even if we cut that down to 1 month, that's still sufficient to eliminate casual eavesdropping use, and doing it after the fact would be difficult to explain or justify even in the current political climate. That's not to say that it might not be done someday, but all the factors combine to make it very unlikely that eavesdropping would be possible; at least not until MSFT joyously ensures they have access to the private keys, and either reports intermediate nodes or routes calls through their servers instead of direct peer-to-peer (this latter is unlikely, since they don't even do this for non-"Party" XBL voice chat).

jpcg":35r5x2vo said:
Go to their Website. They are also supported (Mac OS and some Linux have precompiled packages)

Edit: Sadly it runs on Java, I won't install it/can't try it out. (Mac OS X 10.8)
Was on my tablet at the time, checking wasn't particularly practical.
 
Upvote
0 (0 / 0)
sporkwitch":7e9edg3f said:
Does jabber have a compatible voice or video protocol? I'm liking the vision of a mesh future with directly routed comms and end-to-end encryption.

I believe this is something you're looking for, it was even recommended by the TOR bigwigs: https://jitsi.org/index.php/Main/Features
 
Upvote
0 (0 / 0)
kleinma":1tc1qirw said:
I would be interested to know how you all would feel in the event some major terrorist plot was thwarted because of lawful wiretapping on a skype call.

I wouldn't be congratulating my loss of privacy and freedom because the police caught some really thick terrorist.
 
Upvote
0 (0 / 0)
Postulator":3bsd2nm1 said:
Why are so many idiots insistent that only criminals should be scared by governments taking away basic human rights and liberties?

They believe that if you have something to hide then you must be guilty of something.

They would be the kind "just following orders" whilst putting on the black armband and snitching on their parents.
 
Upvote
0 (0 / 0)
sporkwitch":1zjerz7a said:
This is the part where I say "I told you so." The US has been trying to get this access for years, without success, because they weren't an american company. As soon as the MSFT buyout was announced, this is the exact result I'd said would happen. Now it has. This is why I stopped any real use of skype the day the purchase was approved.

Does jabber have a compatible voice or video protocol? I'm liking the vision of a mesh future with directly routed comms and end-to-end encryption.

Exactly. No wonder Microsoft made a crazy bid of double the one of the next competitor. They know they will be getting their billions back by selling access to their Skype users to NSA/the Government.

http://www.theregister.co.uk/2009/02/12 ... pe_pwnage/
 
Upvote
0 (0 / 0)
lucianarmasu":74rcvw3q said:
sporkwitch":74rcvw3q said:
This is the part where I say "I told you so." The US has been trying to get this access for years, without success, because they weren't an american company. As soon as the MSFT buyout was announced, this is the exact result I'd said would happen. Now it has. This is why I stopped any real use of skype the day the purchase was approved.

Does jabber have a compatible voice or video protocol? I'm liking the vision of a mesh future with directly routed comms and end-to-end encryption.

Exactly. No wonder Microsoft made a crazy bid of double the one of the next competitor. They know they will be getting their billions back by selling access to their Skype users to NSA/the Government.

http://www.theregister.co.uk/2009/02/12 ... pe_pwnage/
Honestly, I keep forgetting that they're allowed to charge for the extra-legal (and even legal) access. The potential to actively profit from kowtowing to government hadn't occurred to me, I just saw the US finally getting what they want as a side-effect of the purchase.
 
Upvote
0 (0 / 0)
sporkwitch":2py08j9a said:
belleg":2py08j9a said:
So yeah, still not seeing private keys leaving local machines

It doesn't matter. The public keys are distributed and signed (and this is the important part) by the central servers. The chain of trust ends with Skype themselves. That combined with the software being closed and extremely obfuscated means that if Skype wanted to they could easily mount a MITM attack on an individual user and the likelihood of anybody noticing is slim to none. This has always been the case.

So, Skype can (and has always been able to) effectively snoop on any user if they wanted to or if they were forced to by some means.
 
Upvote
0 (0 / 0)
idonthaveaname":te27uysl said:
sporkwitch":te27uysl said:
belleg":te27uysl said:
So yeah, still not seeing private keys leaving local machines

It doesn't matter. The public keys are distributed and signed (and this is the important part) by the central servers. The chain of trust ends with Skype themselves. That combined with the software being closed and extremely obfuscated means that if Skype wanted to they could easily mount a MITM attack on an individual user and the likelihood of anybody noticing is slim to none. This has always been the case.

So, Skype can (and has always been able to) effectively snoop on any user if they wanted to or if they were forced to by some means.
You have no clue how PKIs work, do you? They're called public keys for a reason: you give them to everyone and their mother, so that they can send things securely to you so only you can decrypt it. Sign it with your private key, and they can use your public key to verify that it was in fact you that sent it.

Without the private key, you must crack the encryption on anything sent using your public key, which would take significantly longer than obtaining a warrant (generally), thus serving the purpose of protecting our right to privacy. The only thing Skype can do with your public key is send you encrypted data that you could then open. It doesn't grant skype the ability to open anything encrypted with your public key and read its contents; that requires your private key.

For more information about PKE, check out wikipedia: http://en.wikipedia.org/wiki/Public-key_cryptography
 
Upvote
0 (0 / 0)
Xavin":26dxbmmr said:
Any criminal who conducts business over Skype pretty much deserves to get caught. There are dozens of communication methods that the police probably don't even know exist, if you use one that's popular and centralized, you are dumb.

And what about legal businesses who use Skype for collaboration? Their trade secrets and confidential information now being available to the government and maybe to other competing companies if they "give a donation" to the right person or party?
 
Upvote
0 (0 / 0)
igor.levicki":12ib057g said:
Xavin":12ib057g said:
Any criminal who conducts business over Skype pretty much deserves to get caught. There are dozens of communication methods that the police probably don't even know exist, if you use one that's popular and centralized, you are dumb.

And what about legal businesses who use Skype for collaboration? Their trade secrets and confidential information now being available to the government and maybe to other competing companies if they "give a donation" to the right person or party?
Well, you've got the "look at all your shit" clause in the Windows EULA that's already giving MSFT access to all that, and §215 I think it is of the PATRIOT ACT which grants government warrantless access to "business records."
 
Upvote
0 (0 / 0)

jdale

Ars Legatus Legionis
18,356
Subscriptor
sporkwitch":17yjr92m said:
igor.levicki":17yjr92m said:
Xavin":17yjr92m said:
Any criminal who conducts business over Skype pretty much deserves to get caught. There are dozens of communication methods that the police probably don't even know exist, if you use one that's popular and centralized, you are dumb.

And what about legal businesses who use Skype for collaboration? Their trade secrets and confidential information now being available to the government and maybe to other competing companies if they "give a donation" to the right person or party?
Well, you've got the "look at all your shit" clause in the Windows EULA that's already giving MSFT access to all that, and §215 I think it is of the PATRIOT ACT which grants government warrantless access to "business records."

Citation needed....

It actually says 7. "b. Use of Information. Microsoft may use the computer information, accelerator information, search suggestions information, error reports, and Malware reports to improve our software and services. We may also share it with others, such as hardware and software vendors. They may use the information to improve how their products run with Microsoft software."

There is some potential for sharing although not content of your hard drive, etc. ("Computer information" is defined in 7.a. and very limited.) I don't think that resembles what you are saying.

Actual Windows 7 EULA: download.microsoft.com/Documents/UseTerms/Windows%207_Professional_English_b7a7153f-1a6c-498c-9350-c86926bb1aa9.pdf
 
Upvote
0 (0 / 0)
jdale":dorcg13n said:
sporkwitch":dorcg13n said:
igor.levicki":dorcg13n said:
Xavin":dorcg13n said:
Any criminal who conducts business over Skype pretty much deserves to get caught. There are dozens of communication methods that the police probably don't even know exist, if you use one that's popular and centralized, you are dumb.

And what about legal businesses who use Skype for collaboration? Their trade secrets and confidential information now being available to the government and maybe to other competing companies if they "give a donation" to the right person or party?
Well, you've got the "look at all your shit" clause in the Windows EULA that's already giving MSFT access to all that, and §215 I think it is of the PATRIOT ACT which grants government warrantless access to "business records."

Citation needed....

It actually says 7. "b. Use of Information. Microsoft may use the computer information, accelerator information, search suggestions information, error reports, and Malware reports to improve our software and services. We may also share it with others, such as hardware and software vendors. They may use the information to improve how their products run with Microsoft software."

There is some potential for sharing although not content of your hard drive, etc. ("Computer information" is defined in 7.a. and very limited.) I don't think that resembles what you are saying.

Actual Windows 7 EULA: download.microsoft.com/Documents/UseTerms/Windows%207_Professional_English_b7a7153f-1a6c-498c-9350-c86926bb1aa9.pdf
Prior version wasn't quite so restricted, though even the definition given can be abused just as much as the "business records" line in the PATRIOT ACT.
 
sporkwitch said:
idonthaveaname said:
sporkwitch said:
belleg said:
So yeah, still not seeing private keys leaving local machines

It doesn't matter. The public keys are distributed and signed (and this is the important part) by the central servers. The chain of trust ends with Skype themselves. That combined with the software being closed and extremely obfuscated means that if Skype wanted to they could easily mount a MITM attack on an individual user and the likelihood of anybody noticing is slim to none. This has always been the case.

So, Skype can (and has always been able to) effectively snoop on any user if they wanted to or if they were forced to by some means.
You have no clue how PKIs work, do you? They're called public keys for a reason: you give them to everyone and their mother, so that they can send things securely to you so only you can decrypt it. Sign it with your private key, and they can use your public key to verify that it was in fact you that sent it.

Without the private key, you must crack the encryption on anything sent using your public key, which would take significantly longer than obtaining a warrant (generally), thus serving the purpose of protecting our right to privacy. The only thing Skype can do with your public key is send you encrypted data that you could then open. It doesn't grant Skype the ability to open anything encrypted with your public key and read its contents; that requires your private key.

For more information about PKE, check out wikipedia: http://en.wikipedia.org/wiki/Public-key_cryptography

Either you misunderstood me or you're the one who has no clue how PKI works. Yes, they are public but if you cannot reliably authenticate the public key it is useless. In a PKI the public key is signed by a certificate authority which is the way of saying that public key A really belongs to entity B. If that certificate authority is not trustworthy then the whole system collapses. In this case Skype is that authority so you have to trust them to only sign a user's key if they have already verified (using the user's password) that the key belongs to the user. Otherwise a MITM attack becomes trivial.

For more info on MITM see https://en.wikipedia.org/wiki/Man-in-the-middle_attack
 
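The trust relationship argued over in the post above, as an added example that is not part of the original thread and is not Skype's code: a client that checks only the directory's signature accepts whatever key the directory vouches for, while comparing a fingerprint over an independent channel catches a binding the user never made. The directory key is toy textbook RSA built from two Mersenne primes, and every name and sample key here is a constructed assumption.

```python
import hashlib

# Toy textbook RSA for the directory (CA) key. Constructed for illustration:
# two Mersenne primes, no padding. Not secure, and not Skype's actual scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # directory's private exponent


def _digest(username: str, pubkey: bytes) -> int:
    """Hash the (username, key) binding to an integer below N."""
    data = len(username).to_bytes(2, "big") + username.encode() + pubkey
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def directory_sign(username: str, pubkey: bytes) -> int:
    """The directory vouches that `pubkey` belongs to `username`."""
    return pow(_digest(username, pubkey), D, N)


def cert_is_valid(username: str, pubkey: bytes, signature: int) -> bool:
    """What a client can check using only the directory's public key (N, E)."""
    return pow(signature, E, N) == _digest(username, pubkey)


def fingerprint(pubkey: bytes) -> str:
    """Short value two users can compare over an independent channel."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


def accept_key(username, pubkey, signature, pinned_fp=None) -> bool:
    """Accept a peer key; with a pinned fingerprint, also require a match."""
    if not cert_is_valid(username, pubkey, signature):
        return False
    return pinned_fp is None or fingerprint(pubkey) == pinned_fp


# Constructed sample keys (opaque bytes stand in for real public keys).
alice_key = b"alice-real-public-key"
other_key = b"key-alice-never-generated"
real_cert = directory_sign("alice", alice_key)
other_cert = directory_sign("alice", other_key)  # a second binding for "alice"
```

The signature check alone cannot tell the two bindings apart, because both carry a genuine directory signature; only the pinned fingerprint distinguishes them.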
idonthaveaname said:
sporkwitch said:
idonthaveaname said:
sporkwitch said:
belleg said:
So yeah, still not seeing private keys leaving local machines

It doesn't matter. The public keys are distributed and signed (and this is the important part) by the central servers. The chain of trust ends with Skype themselves. That combined with the software being closed and extremely obfuscated means that if Skype wanted to they could easily mount a MITM attack on an individual user and the likelihood of anybody noticing is slim to none. This has always been the case.

So, Skype can (and has always been able to) effectively snoop on any user if they wanted to or if they were forced to by some means.
You have no clue how PKIs work, do you? They're called public keys for a reason: you give them to everyone and their mother, so that they can send things securely to you so only you can decrypt it. Sign it with your private key, and they can use your public key to verify that it was in fact you that sent it.

Without the private key, you must crack the encryption on anything sent using your public key, which would take significantly longer than obtaining a warrant (generally), thus serving the purpose of protecting our right to privacy. The only thing Skype can do with your public key is send you encrypted data that you could then open. It doesn't grant Skype the ability to open anything encrypted with your public key and read its contents; that requires your private key.

For more information about PKE, check out wikipedia: http://en.wikipedia.org/wiki/Public-key_cryptography

Either you misunderstood me or you're the one who has no clue how PKI works. Yes, they are public but if you cannot reliably authenticate the public key it is useless. In a PKI the public key is signed by a certificate authority which is the way of saying that public key A really belongs to entity B. If that certificate authority is not trustworthy then the whole system collapses. In this case Skype is that authority so you have to trust them to only sign a user's key if they have already verified (using the user's password) that the key belongs to the user. Otherwise a MITM attack becomes trivial.

For more info on MITM see https://en.wikipedia.org/wiki/Man-in-the-middle_attack
And yet we have sufficient steps in the process that was linked that such validation is possible, or at least was before moving to the server model that undermined the whole thing. That was part of the point of generating them on a per-session basis and routing them directly between the participants, rather than through servers or super-nodes: minimize the chance of a MITM.
 