A couple of days ago I quoted Andy's blog where he discussed a Skype security issue whereby callers in a Skype conference could hear an incoming caller leaving a voice message via Skype's new SAM (Skype Answering Machine) feature. Well, that set off a firestorm of controversy, including the Unbound Spiral blog asking Andy to print a retraction, claiming it wasn't a security issue but rather a known bug. Semantics? Further, he claimed some industry VoIP pundits - myself included - did not perform any fact checking before quoting Andy's blog.
Well, here are my thoughts on the matter.
In my Skype Security issue blog entry, I was merely reporting Andy’s Skype experience on being able to eavesdrop on the other parties in a Skype call. But I have to agree with Andy on this one. Overhearing a person’s conversation is a security flaw any way you slice or dice it. Unless Skype proactively warns users with a splash screen saying “WARNING: While in a conference call an incoming call may be able to eavesdrop on your conference. We are working on fixing this bug” it IS a security issue. If it looks like a duck, quacks like a duck, it is a duck.
Now since Unbound Spiral mentions this Skype software is "beta" and is listed in the "known Skype bugs", perhaps Andy should have known about the issue and put it in context in his blog entry. But honestly, who reads the "known issues" when installing beta software? I install software all the time and very rarely read the "known issues" section, which is often in a Read Me file. So I am sure there are hundreds if not thousands of Skype users using the beta version of SAM who are not aware that people can overhear their private conversations. That to me is much more serious than calling it a "Skype bug" - it is a security issue in my mind. It would be different if the software clearly and proactively warned the user within the software itself about eavesdropping, and Skype SAM beta users then decided to proceed to use the beta software anyway.
Updated: I should point out that since this is a third-party application not endorsed by Skype, we shouldn't necessarily place the blame entirely on Skype's shoulders. They responded to Andy's blog and stated they would start a certification procedure for third-party applications.