Some security experts have predicted that Skype could be used as a way for hackers to remotely control networks of compromised computers, botnets. Have you seen that happen?
Sauer: I haven't, but you can certainly use Skype for application-to-application messaging. I'm not going to say you can't do that, but we have not seen instances of that happening. We do think that the Skype client has sufficient controls to prevent things like auto spreading because of the current authorization model. For example, I can't send you a file unless you've authorized it.
Have you seen any proof-of-concepts of malicious software that targets Skype?
Sauer: We've had some security researchers share concepts of things in the past. They were just simple ideas that we agreed not to disclose.
Some folks see Skype itself as a security threat, especially in businesses with controlled environments. Skype can find its way outside of the corporate firewalls even if IT people try to hammer it shut. Is Skype a security threat?
Sauer: That's what the most recent copy of our network administrator guide and Skype 3.0 is all about. It's trying to provide controls that let IT administrators run their networks the way that they want to.
A lot of administrators have objected to users coming in and installing Skype on a desktop. One place like that is eBay, it was amusing when we had the acquisition. I came out and popped in to talk to the IT people who where all stunned because they were trying to keep Skype out. eBay has been a really good learning opportunity for us about how a business that is not Skype would use Skype in their business. One of the things that eBay expressed was a strong desire to be able to push out policies and allow those policies to be.
You touched upon encryption, which people and even certain countries are concerned about because they want to control what kind of communication goes on. How do you deal with that, have you ever caved and given anybody the encryption keys to Skype?
Sauer: Since we don't have the encryption keys, therefore we can't give them to somebody.
So even you can't listen on my Skype calls?
Sauer: The way that Skype works is that the people who are communicating communicate on a secure channel between themselves with keys that are generated by them and not generated by Skype.
So the answer to the question--if even you can't listen on somebody's Skype calls--is...?
Sauer: What we say to that is that we provide a safe communications experience. I'm not going to tell you that we can or can't listen in to that.
And you don't provide government, or any agency or any company, a way that they could listen in on Skype conversations.
Sauer: We don't.
Skype is offering more paid services, such as SkypeOut for calls to regular phones. Recently I've heard complaints from Skype users who had their credit card payments declined, even though their card was good. Are you experiencing a fraud increase?
Sauer: Anybody who sells nontangible goods with value is a target for fraudsters. I've had friends of mine contact me about this very sort of thing. We don't publish how we do it, but it is our protection mechanism. I'm not going to tell you what our precise method of protecting credit cards is, but I will say that if you're going to use the same credit card on a bunch of accounts, it's probably not going to work.
Is there an increase in fraud? Is it a major concern for you?
Jackson: It's a concern because it's a pain in the ass. We have an antifraud algorithm to trap the people who are cheating us, but it traps a lot of good users as well. It is a very fine balance that does affect the business itself because we're declining a lot of good transactions and pissing regular users off.
Rounding out Skype and security, what is your major concern, what keeps you up at night?
Sauer: The thing that keeps me up at night is our future development activity. We have a lot of new initiatives. We talked about things like adding the ability to send money to Skype. These are new areas that bring with them new consumer risks, so we have to work closely within our engineering teams to make sure we have total buy-in on how we're going to do something so that we don't mis-engineer anything.
Play video
There are currently no comments for this post.