[VOIPSEC] Soft Phone Vulnerabilities

David MENTRE mentre at tcl.ite.mee.com
Fri Jun 9 03:05:54 CDT 2006


Hello,

Jon Callas wrote:
> So are you then saying that if someone buys one of these new devices  
> that does Skype, but is not a general-purpose computer it would be okay?

Partially. Skype on a separate network would at least not endanger my
network and its computers.

But I don't imply that the phone communications themselves would be more
secure. Being on a separate network or not, the internal working of
Skype is unknown.

[ about Skype ]
> Actually, that's been documented rather well.

Could you point me to such documentation?

> My point is that the alternative to Skype -- a cell phone -- doesn't  
> have better security.

We agree on that. If I understood correctly, you think Skype is better
than cell phones. I think they are both crap, but not for the same
reasons. Cell phones are crap because you must trust your telco company
and you have no control of the terminal and its working. Skype is crap
because, even if it runs on your computer, you have no more knowledge of
its internal working.


>>  - no possible[2] review of code (at least compared to Free Software
>> products);
>>
> 
> Nice little footnote there. It saves me from making a cheap crack  
> about OpenSSH. 

Or GnuPG. But at one point, even after several years, those bugs are
spotted and fixed rather quickly.


> The point is that whatever we may not like about Skype, it is not  
> worse and often better than the alternatives.

I think it is worse: you have no control over its working (like cell
phones) but it can endanger your network (see recent use of Skype for
port scanning by the EADS guys).

http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf

I think we can do better software than Skype. That's what this
mailing-list is all about, after all.

Yours,
david
-- 
David MENTRE <mentre at tcl.ite.mee.com> - Research engineer
Mitsubishi Electric ITE-TCL / European Telecommunication Research Lab
Phone: +33 2 23 45 58 29 / Fax: +33 2 23 45 58 59
http://www.mitsubishi-electric-itce.fr



