Given commentary now appearing in the blogosphere around the speed of the response this weekend by both various blogs and also the folks at iSkoot responding to the security issue tracked on this blog, I thought I would take a moment and just capture the chronology of what did occur. (Partly to emphasize what Andy points out in his post today – that the blogosphere can help companies that join in the conversation.) Here’s what I saw – all times converted to Eastern US:
- Saturday, April 26, 2008 – 4:22am (1:22 Pacific) – PhoneBoy (Dameon Welch-Abernathy) posts his initial report of the problem.
- 4:35am – Dameon emails a group of us who write about VoIP with the URL to his story.
- 4:45am – Dameon emails the group again noting that the problem is actually worse than he originally reported because Skype credentials are exposed in the clear.
- 5:41am – I post my piece here on the VOIPSA weblog just emphasizing that we need to be cautious and confirm the issue since all of iSkoot’s material clearly states it uses SSL to prevent exactly this type of exposure. Shortly after posting, I email a reply back to the group with the URL to my piece.
- Somewhere in there Andy Abramson puts up a VoIP Watch post indicating there is an issue. (His blog, like ours here at VOIPSA, doesn’t put public timestamps on blog posts.)
- 6:51am – I send a message to “email@example.com” (listed on their website), “firstname.lastname@example.org”, and the email address of a PR contact found in their news releases pointing to all three posts (Dameon’s, Andy’s and mine). “email@example.com” bounces.
- 7:10am – Jim Courtney sends an email to the group saying he will get the information to the right people at iSkoot and get a response. Andy responds indicating he’s already been in touch with someone he knows there as well.
- Jim and Andy (and perhaps others) work their connections to get information to people. Several of us are communicating with each other via Skype chat.
- 1:39pm – Dameon posts a tcpdump packet capture clearly showing a Skype username (“insecure-user”) and password (“insecure-password”) in the clear.
- 4:34pm – iSkoot CEO Mark Jacobstein leaves a comment to the post here stating unequivocally that they always use SSL. Because we moderate comments and I was traveling all day, it is not actually published to the site until around 7:50pm. (The time shown on the comment is actually GMT/UTC, which we apparently have this blog set to use – and which we’ll be fixing in the future.)
- Evening – Various conversations continue via email and Skype chat. I now started communicating directly with Mark as well saying this didn’t make sense. At 9:36 pm, Mark replies to an email of mine saying he was having his CTO look into it because something was definitely not right.
- Sunday, April 27, 2008, 10:46 am – Alec Saunders publishes a post on his blog noting the issue, the mitigating circumstances and the larger issue that people use the same password on too many sites and that a crack of your Skype password could lead to exploitation on other sites.
- Around 4:00 pm – Mark Jacobstein sends email messages to several of us stating that there is a problem with the Symbian version (but not the others), that they’ve pulled it down and will be pushing out a fix soon.
- 4:20 pm – Jim Courtney posts to Skype Journal that the issue has been resolved and a fix is on its way.
- 5:19 pm – Jim posts a reply to the post here relaying Mark’s statement.
- 6:03 pm – Dameon publishes a post stating that issue will be fixed.
- Monday, April 28, early morning – Andy posts on VoIP Watch about the resolution as I do on Disruptive Telephony. Other blog posts start to appear pointing to the issue and resolution.
iSkoot CEO Mark Jacobstein also indicated that a public statement will come from them at some point as well (but is not yet visible on their site or blog). If there were other posts during this timeframe from other bloggers that I missed in there, my apologies… I’m just reporting what I personally saw. (And feel free to send me a link to add.)
What’s interesting to note from this timeline is that it was about 36 hours – on a weekend – from the time of the initial published report by Dameon to the first published report by Jim that the issue had been resolved.
Mark Jacobstein and his team at iSkoot certainly deserve kudos for the speed of their response but its also important to note that part of this came about because iSkoot had previously engaged with the blogosphere. They had worked with Jim Courtney at Skype Journal as well as Andy Abramson at VoIP Watch. Because of those relationships – as well as the communication within the circle of us who write about VoIP online – iSkoot was able to quickly be brought into the issue and get engaged with confirming the problem and working on a resolution. Note, too, that this previous engagement obviously left a positive view because the focus was on trying to confirm the issue and resolve it. There was no animosity or malicious publication, i.e. you could see with a company that people hate where someone could really spin this negatively.
There are some other lessons out of all of this, some related to this blog, that I will write about separately. Meanwhile, I just thought capturing this would provide a view into how the blogosphere can respond to an issue in a way that helps a company.
I’m just glad to know that the issue was not across all their products and is on the way to being fixed.
skype, iskoot, security, voip, voip security, phoneboy, skype security
Pingback: Voice of VOIPSA » Blog Archive » Are your Skype username and password completely exposed if you use iSkoot?
Pingback: SMS Text News » Archives » iSkoot’s Symbian hole and the blogosphere to the rescue
Pingback: How the blogoshpere can help companies improve: iSkoot | Jonathan MacDonald.com