I think it's misleading to insinuate that security is an absolute, but, again, you're missing my point. I'm not telling anyone to use Skype. I'm saying that the added security didn't come at a cost to usability.
> for the NSA to intercept everyone's messages while it was more distributed would have required releasing a version update and waiting for the supernodes to pick it up, but that's not a high bar.
I would say that your bar is very high, then. This would defeat nearly everything that exists and is in use today.
Also, there's probably no one in the world that can actually defend themselves against the NSA if the NSA is determined to know what they, specifically, are doing.
What added security? I didn't say it's impossible to be easy and as safe as older versions of Skype (which is to say, not very). I said it's impossible to be easy and safe. (In particular, you need some kind of key fingerprint checking, and no one's found an effective, user-friendly way to do that.)
> I would say that your bar is very high, then. This would defeat nearly everything that exists and is in use today.
It wouldn't defeat GPG, or OTR-based systems used in reasonably popular open-source clients.
> Also, there's probably no one in the world that can actually defend themselves against the NSA if the NSA is determined to know what they, specifically, are doing.
Sure. But let's look at a realistic threat model, and at what's actually happened: the NSA did intercept all communications channels run by individual providers, including Skype. The NSA was prepared to demand these providers deploy new backdoors into software they distributed that didn't currently have them, as we saw with Lavabit and RSA, and when Lavabit refused they were shut down. The NSA were not terribly effective at compromising open, respected standards (they did succeed in getting a broken algorithm standardized, but the main reason this wasn't noticed is that hardly anyone was using it, and even then questions were being raised in the crypto community), and did not compromise GPG or similar open-source projects. Nor did they tap users of those systems indirectly by compromising their email clients or similar. Observe that Snowden, with inside knowledge, chose to use PGP to communicate with journalists, and this did in fact provide sufficient security.
Meaningful security is possible. Skype isn't it.
Until you consider where GPG and OTR are used, e.g. Enigmail or Pidgin, addons or clients which both autoupdate or ask to be updated.
There are very, very, very few pieces of software that either don't need to be updated, or can't trivially be backdoored by the vendor itself through updates.
You keep going back to "Skype didn't have security"--and I can't tell if you're trolling, or what--but you can't seriously harp on it for auto-updating. So does Chrome, and it's lauded for auto-updates (the downside of not updating is obviously that security issues aren't fixed, arguably a much bigger risk than the vendor backdooring the software in later updates.)