A couple of days ago I quoted Andy's blog, where he discussed a Skype security issue whereby callers in a Skype conference could hear an incoming caller leaving a voice message via the new SAM (Skype Answering Machine) feature. Well, that set off a firestorm of controversy, including the Unbound Spiral blog asking Andy to print a retraction, claiming it wasn't a security issue but rather a known bug. Semantics? Further, he claimed some industry VoIP pundits, myself included, did not perform any fact checking before quoting Andy's blog.
Well, here are my thoughts on the matter.
In my Skype Security issue blog entry, I was merely reporting Andy's Skype experience of being able to eavesdrop on the other parties in a Skype call. And I have to agree with Andy on this one. Overhearing a person's conversation is a security flaw any way you slice or dice it. Unless Skype proactively warns users with a splash screen saying "WARNING: While in a conference call, an incoming caller may be able to eavesdrop on your conference. We are working on fixing this bug", it IS a security issue. If it looks like a duck and quacks like a duck, it is a duck.
Now, since Unbound Spiral mentions this Skype software is "beta" and the problem is listed in the "known Skype bugs", perhaps Andy should have known about the issue and put it in context in his blog entry. But honestly, who reads the "known issues" when installing beta software? I install software all the time and very rarely read the "known issues" section, which is often buried in a Read Me file. So I am sure there are hundreds if not thousands of Skype users running the beta version of SAM who are not aware that people can overhear their private conversations. That to me is much more serious than calling it a "Skype bug"; it is a security issue in my mind. It would be different if the software clearly and proactively warned the user, within the software itself, about the eavesdropping, and Skype SAM beta users then decided to proceed with the beta software anyway.
Updated: I should point out that since this is a third-party application not endorsed by Skype, we shouldn't necessarily place the blame entirely on Skype's shoulders. They responded to Andy's blog and stated they would start a certification procedure for third-party applications.
The only person with a problem is the person who bought the screwed up SAM answering machine. It was the machine that messed up the mix in sound signals.
Skype offered its API for developers to build apps. Anyone who uses one of these third party apps (or SAM in this case) bears the risk of any problems.
As a service to its customers, Skype might form a process to certify products to be used with their software. This would make Skype more at fault if this product had been certified.
True. It is a third-party product, so I guess we shouldn't be overly harsh with Skype. But then again, what if someone intentionally builds a third-party Skype app that gives them "back door" access to the audio stream to listen in? The fact that this third-party SAM app offered "eavesdropping capability" using the Skype API accidentally is still a bit scary. I suppose you could fault the user for using untrusted third-party applications. But everyone seemed to be writing about Skype Answering Machine (SAM), so it seemed safe and harmless enough.
I like your suggestion of someone "certifying" third-party Skype applications.
I just read Andy's blog where Skype responded.
Looks like they are going to start an "Authorized by Skype" developer certification program to ensure their users' security.
Hey Tom, I believe the main point here is that anyone can intentionally put a device on their own phone that can thwart any attempt to secure it by the original service provider, in this case Skype. In other words, I could go attach a device to or tamper with my own phone and cause it to be insecure. Is that Skype's fault? No way.
I think the big lesson here is SAM is a scam.
God Bless,
Rick
Along the lines of Skype voicemail, Skype is soon to introduce a voicemail product of their own. Let's be glad, in this case.
Also, along the lines of security, Skype's thorn in the flesh is still their supernode firewall bypass used to create a session (call). This is the big security hole in Skype today. A hacker can ride the tail of the supernode signal right through the firewall and on into the internal network. This has nothing to do with the encrypted messages, but rather with the call setup by the supernodes.
God Bless,
Rick
Tom,
I think we all agree this type of behavior, whether with Skype or other softphones, is a security flaw. I added additional perspective after Andy commented on my post. http://www.henshall.com/blog/archives/001079.html#8629
Trust that adds some clarity.
Hey Tom and Andy!
This is mud slinging at its best.
You must be filled with fear to make facts disappear.
This is not Skype. This is a Windows environment issue. (Microsoft)
Quit being silly.
Regards,
Bill
I have been using SAM Voicemail with Skype and it works great. This 'bug' has never reared its head in my use, and if it did I would not cry but probably send an email to SAM to let them know.
WHY??? does Skype not have this feature built in, would be my primary question. Also, SAM Voicemail may not be perfect, but it is a great addition to the FREE software that is available, and I have to THANK people for putting the time into doing all the work for OUR BENEFIT before I even consider calling them scammers.