[VOIPSEC] skype vulnerability testing

Rodney Thayer rodney at canola-jones.com
Tue Jan 3 10:35:01 CST 2006


(just now joined this list - some folks have suggested off and on
that I should follow this list, finally got around to it when someone
pointed out there were comments on the Pro's and Con's of Skype piece
I did with Jim for Network World.)

I started checking out Skype vulnerabilities.  I was actually going to
look at the protocols, but then I found the Windows app was brittle.  This
is a problem because it will teach the attack community how to use soft
phones as an attack vector.  Horrible things I've caught Skype doing:

   turning on the microphone when it's supposed to be 'ringing the phone'

   not hanging up when the user hits hangup and keeping the microphone open

   not hanging up after a user leaves a message, thus dumping a recording in
   the voice mail of the non-available call recipient of the caller's office
   conversation

   bad defaults and information privacy leakage problems in the UI

I never actually got around to attacking the protocol.  I also saw the crypto
analysis by Berson and have heard there are identifiable flaws based on that
analysis of the crypto.

And of course they themselves must think there are Skype issues since they've
been modifying the system significantly over the past couple of months, including
re-implementing the password scheme.

I've not "reported" any of this stuff since I can't get a reproducible test
case.  On the other hand, giving public talks on this (at PhreakNIC, in Network
World) doesn't exactly count as keeping it a secret that I looked at the thing.



