[VOIPSEC] Soft Phone Vulnerabilities

Henry Sinnreich henry at pulver.com
Thu Jun 8 15:18:51 CDT 2006


Hi Ari,

Jon Callas has just given better arguments than I could have done:

Quoting Jon Callas:

"I think you're completely missing my point.

The point is that whatever we may not like about Skype, it is not worse and
often better than the alternatives.

If you say that you're going to disallow Skype because it's doing stuff on
the network that you don't control, I think that's silly, because if you ban
Skype, they'll use a mobile phone. You have less knowledge and control on
the GSM network, and the cryptography is known to suck so badly it can be
broken in realtime.

If you're going to ban Skype because it's running on a PC that could have
malware, it ignores software issues on mobile phones and software issues on
other VOIP phones. We are switching our local infrastructure over to Cisco
VOIP phones, which are also at the bottom -- software.

If you're going to ban Skype because it's VOIP and VOIP is inherently less
secure than POTS, then that is the best reason I know of to ban it. The
argument has its own problems, but it's a better argument than many I've
heard.

If you want to complain that Skype isn't documented as well as we'd like,
then I am with you. However, the more I learn about Skype the better it
looks. Its architecture is pretty good, if eccentric in places. They have
their own anti-malware defenses built in. Yeah, it has bugs. My Nokia 6230
also has bugs, and in trying to get those fixed, Cingular has told me to
call Nokia who tell me to talk to Cingular. I can't download a new mobile.

If you're worried about the security of running Skype on a PC, it's a valid
complaint, but it's a complaint applicable to Gizmo, EyeBeam, etc.
The problem isn't a *Skype* problem. It's a problem with running VOIP on a
PC.

There are other reasonable complaints about Skype, such as that if everyone
started using it, it might soak up the entire net connection. That is also a
good complaint, but not one that is a Skype issue, but a VOIP issue.

Most of the complaints I hear about Skype are just not logical.  
They're like the hysteria around banning iPods from the workplace because
people can steal data on them. If you want to ban iPods because you don't
like people listening to music, fine. But state your reason. If you are
worried about data escaping on mobile storage, fine. However, iPods are
merely one way to get data, and not even the best one if you're a thief.

Similarly, most of the complaints I hear about Skype are not unique to
Skype. Skype is not the only closed system. Skype is not the only system
beyond my control. Skype is not the only VOIP system.

So I'll repeat my question -- what are the problems with Skype that are
unique to Skype? I have my answers to this question (which I haven't stated
at all). I'm not a Skype fan. But I'm not an enemy, either. The more I see
of it, the more I am willing to tolerate it, and that in itself makes me grumpy
because I think they should just hire some people to come out with an Inside
Skype book. Heck, they could present it at some $1000/day conference and I'd
be there in a heartbeat."

Cheers :-)>

Henry

-----Original Message-----
From: Ari Takanen [mailto:voipsa at codenomicon.com] 
Sent: Thursday, June 08, 2006 12:59 PM
To: Henry Sinnreich
Cc: 'Jon Callas'; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Soft Phone Vulnerabilities

My favourite topic! Hello all again!

With the danger of annoying people by again advertising with research
conducted by us here in Oulu/Finland (OUSPG, PROTOS, Codenomicon), I
would like to add some comments on the discussion:






