[VOIPSEC] Soft phone as trojan horse

mailinglist mailinglist at pbxnsip.com
Wed Sep 6 00:23:58 BST 2006


> I don't get your point. What operating system are you using 
> if I may ask? Pray you do not respond with MS lest you want 
> others to laugh. If a vendor of anything chooses not to 
> publish their methods and codes you have the choice of not 
> using them. Obviously you would "hope" that a bona fide 
> corporation would not stoop that low, although realistically 
> this occurs frequently (most just never hear about it... MS 
> Remote Desktop anyone?). One would hope as an IT person, 
> security engineer, network engineer, etc., that updates would 
> be assessed by the admins, heaven knows how many updates on 
> machines sometimes have a habit of breaking things (Sun 
> Updates, Windows Updates, Linux Updates, they're all prone to 
> break things at times.)

The point is: If you are using an unknown protocol, there is no one (who you
can trust) who can cross-check if that tool is doing something bad.

For example, the Skype protocol is still a secret. How can you tell they are not
abusing their user database? OK, they are a big company now, but they started
very small and hungry and maybe there are still backdoors open.

If you publish a SIP soft phone that is doing dirty things, it is much more
likely that someone sits down and checks what this phone is actually
transporting out of your computer. Because he can do that.

The exposure on MS platforms is definitely higher. But it does not mean
that the other platforms are safer. AFAIK Skype/Yahoo & Co are available
not only for Windows.

Christian




