[VOIPSEC] Soft Phone Vulnerabilities

Henry Sinnreich henry at pulver.com
Wed Jun 7 17:25:18 CDT 2006


I believe Jon has touched the key issue - Skype is useful and no more risky
than the PSTN (if you give away a secret) or mobile phones.

This reminds us that the LAN and PC were introduced into the enterprise
_in spite_ of the IT organization. IT at that time just liked the big blue
mainframe (still a good product BTW) and SNA/DECnet. IP was an adventure :-)

Thanks, Henry

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Jon Callas
Sent: Wednesday, June 07, 2006 3:52 PM
To: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Soft Phone Vulnerabilities


On 7 Jun 2006, at 7:44 AM, FOUCHE Nicolas ROSI/DAS wrote:

>
> Ok with that. I'm just saying that Skype isn't a security model
> like you said.
> But you must admit that it's hard to control P2P. Enterprises like
> to control what occurs in their network. That means knowing what flow
> goes where. P2P doesn't ensure that... And particularly Skype, about
> which we don't know many things.
>

At the risk of sounding like I'm defending Skype, which I'm not, I am  
not sure I understand the exact problem with it.

In my company, we pay for mobile phones. Some employees have mobile  
phones issued by the company and paid directly, but most simply  
expense their mobile bills.

In the case of the latter, we have no control and little visibility  
into what the employee is doing. (I am one of the former, and the  
company has more visibility into my phone use than I do.) What's the  
difference between someone expensing their mobile bill and using  
Skype, from a security and control aspect? Especially when one of the  
things we let people expense is a data plan?

What's the real problem with Skype? By that I mean what problem  
exists with it that does not exist with some other system.

(Incidentally, my opinion as CSO on Skype use is that it may be used  
so long as nothing is said that would require an NDA. In other words,  
I consider it a less secure phone than POTS.)

	Jon

-- 
Jon Callas
CTO, CSO
PGP Corporation         Tel: +1 (650) 319-9016
3460 West Bayshore      Fax: +1 (650) 319-9001
Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
USA                          28b6 52bf 5a46 bc98 e63d
	


