[VOIPSEC] Soft phone as trojan horse
Michael Slavitch
slavitch at gmail.com
Tue Sep 5 08:46:55 CDT 2006
Note that I did not make this point; in fact, I refuted it in another
posting.
Like this commenter said, there are many points of egress which we already
accept.
Claiming softphones are a security breach is a red herring when you have
toolbars and plugins pre-installed from the vendor.
M
On 9/5/06, J. Oquendo <sil at infiltrated.net> wrote:
>
> Michael Slavitch wrote:
> >> When you install a soft phone on your computer, that executable has
> >> definitively the right to access the file system of your computer and
> >> other mounted file systems. Even better, it goes nicely through your
> >> firewall.
> >>
> Your comment can be applied to one of the countless millions of programs
> available. From MS, to Symantec, to Dell, you name it, most can be said
> as having the capability to traverse into your machine. Bring *Nix based
> systems into discussion and we can talk about servers @ Debian getting
> owned and who knows what was backdoored.
>
>
> >> If a vendor of a soft phone does not publish the protocol, that makes me
> >> very sceptical. Who knows if the programmers had a bad day and put in some
> >> back doors "for future software upgrades" or so?
> >>
> I don't get your point. What operating system are you using, if I may
> ask? Pray you do not respond with MS lest you want others to laugh. If a
> vendor of anything chooses not to publish their methods and codes you
> have the choice of not using them. Obviously you would "hope" that a
> bona fide corporation would not stoop that low, although realistically
> this occurs frequently (most just never hear about it... MS Remote
> Desktop anyone?). One would hope as an IT person, security engineer,
> network engineer, etc., that updates would be assessed by the admins,
> heaven knows how many updates on machines sometimes have a habit of
> breaking things (Sun Updates, Windows Updates, Linux Updates, they're
> all prone to break things at times.)
>
> >> This is a new way of file sharing - initiated from the other side of the
> >> session! Let's go phishing and publish a new free soft phone.
> >>
> >>
> This boils down to a clueful person. "So will I download 31337
> S0phtPh0ne from this Geocities Page, or should I dl Googletalk?!"
>
> >> Am I getting this right? How much do I have to trust my soft phone
> >> vendor?
> >>
> >>
> >> Christian
> >>
> X Files pitch... Trust no one.
>
> --
> ====================================================
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> sil . infiltrated @ net http://www.infiltrated.net
>
> The happiness of society is the end of government.
> John Adams
>
>