Version: 2008
  • On GameSpot: So-called 'Halo killer' gets 23 to life

January 2, 2007 4:00 AM PST

Newsmaker: What threats does Skype face?

See all Newsmakers

(continued from previous page)

Some security experts have predicted that Skype could be used as a way for hackers to remotely control networks of compromised computers, botnets. Have you seen that happen?
Sauer: I haven't, but you can certainly use Skype for application-to-application messaging. I'm not going to say you can't do that, but we have not seen instances of that happening. We do think that the Skype client has sufficient controls to prevent things like auto spreading because of the current authorization model. For example, I can't send you a file unless you've authorized it.

Have you seen any proof-of-concepts of malicious software that targets Skype?
Sauer: We've had some security researchers share concepts of things in the past. They were just simple ideas that we agreed not to disclose.

Some folks see Skype itself as a security threat, especially in businesses with controlled environments. Skype can find its way outside of the corporate firewalls even if IT people try to hammer it shut. Is Skype a security threat?
Sauer: That's what the most recent copy of our network administrator guide and Skype 3.0 is all about. It's trying to provide controls that let IT administrators run their networks the way that they want to.

A lot of administrators have objected to users coming in and installing Skype on a desktop. One place like that is eBay, it was amusing when we had the acquisition.

A lot of administrators have objected to users coming in and installing Skype on a desktop. One place like that is eBay, it was amusing when we had the acquisition. I came out and popped in to talk to the IT people who where all stunned because they were trying to keep Skype out. eBay has been a really good learning opportunity for us about how a business that is not Skype would use Skype in their business. One of the things that eBay expressed was a strong desire to be able to push out policies and allow those policies to be.

You touched upon encryption, which people and even certain countries are concerned about because they want to control what kind of communication goes on. How do you deal with that, have you ever caved and given anybody the encryption keys to Skype?
Sauer: Since we don't have the encryption keys, therefore we can't give them to somebody.

So even you can't listen on my Skype calls?
Sauer: The way that Skype works is that the people who are communicating communicate on a secure channel between themselves with keys that are generated by them and not generated by Skype.

So the answer to the question--if even you can't listen on somebody's Skype calls--is...?
Sauer: What we say to that is that we provide a safe communications experience. I'm not going to tell you that we can or can't listen in to that.

And you don't provide government, or any agency or any company, a way that they could listen in on Skype conversations.
Sauer: We don't.

Skype is offering more paid services, such as SkypeOut for calls to regular phones. Recently I've heard complaints from Skype users who had their credit card payments declined, even though their card was good. Are you experiencing a fraud increase?
Sauer: Anybody who sells nontangible goods with value is a target for fraudsters. I've had friends of mine contact me about this very sort of thing. We don't publish how we do it, but it is our protection mechanism. I'm not going to tell you what our precise method of protecting credit cards is, but I will say that if you're going to use the same credit card on a bunch of accounts, it's probably not going to work.

Is there an increase in fraud? Is it a major concern for you?
Jackson: It's a concern because it's a pain in the ass. We have an antifraud algorithm to trap the people who are cheating us, but it traps a lot of good users as well. It is a very fine balance that does affect the business itself because we're declining a lot of good transactions and pissing regular users off.

Rounding out Skype and security, what is your major concern, what keeps you up at night?
Sauer: The thing that keeps me up at night is our future development activity. We have a lot of new initiatives. We talked about things like adding the ability to send money to Skype. These are new areas that bring with them new consumer risks, so we have to work closely within our engineering teams to make sure we have total buy-in on how we're going to do something so that we don't mis-engineer anything.

More Newsmakers

Previous page
Page 1 | 2

See more CNET content tagged:
Kurt Sauer, Skype, chief security officer, security vulnerability, security

Add a Comment (Log in or register) (11 Comments)
  • prev
  • 1
  • next
security and media
by n3td3v January 2, 2007 4:59 AM PST
what roles do the media play in the security community? can the media infulence hackers and script kiddies into a trend or to make a trend more trendy, and therefore, be researched? this is the question i've always wondered. i have forever been under the impression the media have a huge infulence in whats going on in the underground. i would say this stuff and the media say their only reporting on whats going on, but i don't 100% believe its as clear vut as that. i've seen many instances of both cnet news and securityfocus news push a certain subject. the media need their headlines and advertising revenue for normal news headlines, but when its security news then i think the media should be extra responsible in not raising issues which don't need to be suggested to the underground of hackers. it is basically "hey hackers, we need our headlines, heres some background information from X company security expert now go hack them"... is basically the thought i go away with every time these kind of articles appear. i can't be the only person who reads the media and get the "we want to infulence the hackers" impression.
Reply to this comment
I agree
by Dachi January 2, 2007 5:43 AM PST
With the exception of say MS, who is always under the spotlight anyway, I would agree that articles like this touting a company?s extensive security measures/code auditing etc. really only serves to make the software a more lucrative platform to attack.
View reply
crime hasn't changed, neither has mass media brainwashing
by jabbotts January 2, 2007 7:58 AM PST
In short; my observation has been that mass media informs the end users who are the last people to know about a security threat. Anyone who would use a secirity threat for profit already knew about it long ago.

In long; crime is crime, it's not different if it's with a crowbar or keyboard. If your reading about something in the media, it's quite likely that the "underground" knew about it months ago. A news article on security threats doesn't instigate criminal activity, it notifies the lesser computer-literate end users who are usually the last to know.

My example of this is bump keys. A modern day skeliton key that can be made from a blank in about three ours of work and open any lock the blank fits into. The name "bump key" being derived from the tapping motion used to free the lock droppers so it opens. If you where in the criminal underground on the more educated side, I'm guessing you knew a year or more ago about this. If you where a geek online, you've seen the video of how to make and use bump keys around six months or more ago when it was going around the net. If you where a local news reporter, you published an article or news item on bump keys in the last six months (tv news did a spot one a slow news day four months ago or so). If you are the average home owner, you didn't have a clue until the mass media published or had a tv spot. Even then, it was one quick "oh, by the way" report in the scare segment of the broadcast.

The media told the public nothing they didn't already know. In this instance, the media told the security research and criminal communities nothing they didn't already know. If a flaw in Skype is found, it'll be nothing the security community didn't already know.

Media sways the general public. Look at how many americans believed Iraq had bio and nuclear weapons hidden away somewhere. Who where the people that continualy asked for evidence of this before invading a country over it's oil resources?

Among "underground" communities, there is generally a distain of mass media's lies and government BS in generall. There was nothing in the article blatantly challenging toward the hackers, secirty auditors or criminals other than that Skype is not currently known to be vaulterable and that the developers are using some good FOSS development processes even if they are not releaseing the source under GPL or any of the other hundred free software licenses.

Your use of "Hacker" when you actually ment computer enabled criminal is rather inaccurate. Criminals seek profit from any activity that provides high return with low effort. Hackers seek to further understand computer systems and push the limits of what can be done with them. Hackers and criminals use the same techniques with the difference being that the criminal now uses, for profit, what the Hacker originally discovered out of curiousity.

Using the term "Hacker" in this instance is pandoring to the media. "Quick, use the boogieman word of the month, we have to scare some readers in to clicking on the article. I know, put Hacker in the title and copy, that'll scare the hell out of anyone who doesn't actually know about the history of computers."

With a l33tsp33k alias like "n3td3v" you should really have a better grasp of this stuff. But then, l33tsp33k in normal conversation/writing is more of a ScriptKiddie thing.

My question has always been; how much do antivirus companies pay developers to build new viruses for them to gaurd against?
View reply
Skype threats?
by malis61 January 2, 2007 7:25 AM PST
Well their security chief may not admit to a problem, but there has to be some reason why when we downloaded Skype on to my computer, I ended up with one of those "Registry" malware infections and a serious boot problem, and had to actually use that last resort Restore function.
Reply to this comment
Not likely
by xcgeek January 2, 2007 7:34 AM PST
No offense, but if Skype did contain malware, THAT would be huge news, and skype would be make instant enemies with every single one of their users - something no legit company would risk. Isn't it more likely you got that malware from somewhere else, or perhaps a false positive.
View reply
Jajah.com is better than Skype
by hutchike January 2, 2007 9:46 AM PST
I use www.jajah.com because it calls your real home phone and makes the connection. I find the call quality is much better than Skype. When Skype can improve its connection quality, I might return to it.
Reply to this comment
Screw IT
by solrosenberg May 5, 2008 7:02 PM PDT
Corporate IT doesn't like Skype and other "consumer" applications because quite frankly they WORK and are easy to use, unlike the "enterprise software" crap IT guys use to justify their excessive salaries.
Reply to this comment
Screw newbies
by Ryo Hazuki January 12, 2007 10:37 AM PST
Yes, screw with the people responsable for keeping PC's around the world up and running, avoiding them (and others) to get infected.
That's a wise ideoligy.
(11 Comments)
  • prev
  • 1
  • next
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets

Market news, charts, SEC filings, and more

Related quotes

eBay (-2.17%) -0.53 23.94
Dow Jones Industrials (1.17%) 120.77 10,465.61
S&P 500 (1.14%) 12.49 1,108.12
NASDAQ (1.39%) 29.89 2,174.49
CNET TECH (1.25%) 19.70 1,594.58
  Symbol Lookup
advertisement

Inside CNET News

Scroll Left Scroll Right