As a result of an email exchange I have had with Mark Jacobstein, he set his developers to work today (Sunday) and came back with the following statement:

“Unfortunately, it turns out that Dameon was right. We’re not sure how, but a non-production Symbian build ended up on the site, and it had this bug. We’re pulling the build and fixing the bug and will be doing a forced upgrade to every Symbian user as soon as possible. We also checked all the other builds, and they’re all fine (Windows Mobile, Blackberry, J2ME, etc.)”

Dameon’s and your diligence are appreciated by all; also kudos to iSkoot for addressing the issue so promptly such that we can all be assured of the security integrity of iSkoot going forward (even if one had to do handstands combined with backflips to find the security bug).

Thank you for commenting here and providing a response from iSkoot. Your statement is consistent with what is on your website, what is in past interviews and, quite frankly, what I would expect for you to do.

However, Dameon has now posted a tcpdump packet capture showing a Skype username and password ( http://www.phoneboy.com/2244/proof-of-iskoot-passing-credentials-in-the-clear ). If it were SSL-encrypted there is no way he should be seeing this.

Something is not right here - and probably the best step for all involved would be for you and Dameon to be directly in contact and sort this out. I will send you contact information via email.

Thanks again for your comment,
Dan

P.S. Regarding the use of WiFi, as far as I understand Dameon is running your *regular* program on his dual-mode Nokia phone. Your program uses his phone’s *data connection*, which would normally be the carrier network unless he is in range of a WiFi hotspot in which case his phone flips to use WiFi for the data connection. This should be transparent to you and as far as I know an SSL connection would work identically across either data connection.

I’d like to reassure you and our users that our clients absolutely utilize SSL encryption and that nothing with respect to our security measures–which iSkoot regards with utmost importance–has changed in our recent client releases. As indicated on our website, the user’s password is stored on the handset only, and any time this information is sent to the server it is 100% SSL encrypted. We never store passwords to the server.

Additionally, please note that iSkoot does not have a WiFi client available on the market. Our clients utilize the mobile voice and data channels only, and users cannot utilize iSkoot over WiFi. If users are running a mobile Skype client via WiFi, they are not using publicly available iSkoot product. I can also assure if we did release a WiFi client to market, our security measures would be no less stringent - we always employ SSL encryption.

Best regards,

Mark Jacobstein, CEO
iSkoot Inc.