Sunday, April 27, 2008

Car buyers comparison site?

by alec on April 27, 2008

I’m looking into buying a new car, and finding the process quite frustrating. I’ve checked out MSN Autos and several other sites, but so far have been unable to find a site which answers a simple question. Because our garage has one large bay and one small bay, I need to find a list of vehicles that are under 175 inches in length. I’d like them sorted by fuel economy rating.

Has anybody seen a resource that would allow such a query?


iSkoot and passwords in the clear

by alec on April 27, 2008

I awoke yesterday morning to mail from PhoneBoy telling me that iSkoot is passing passwords in the clear, unencrypted. He put a packet trace on his WiFi router, and used the Nokia N95 to access iSkoot via WiFi rather than the way it is more usually accessed, which is over the air. This morning he has also provided a dump of the session to prove to the network geeks out there that his assertion is correct.

iSkoot should take note and encrypt that channel.  That goes without saying.  It’s an exploitable flaw.

In the meantime, I’m not worrying about it too much. The vulnerability occurs when using iSkoot from a WiFi-enabled phone (not too many of those out there, although we’d all like to see more), and when your password is being passed to the system. In order to exploit it, a hacker would have to crack the encryption on your WiFi router, and sniff your password out of the air at the point in time you were logging in.
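The check PhoneBoy ran by hand (capture the session on the router, look for the password in the frames) can be scripted, so that anyone can confirm or refute the claim against their own capture. The following Python is an added example, not code from this post, from PhoneBoy, or from iSkoot. It scans a list of captured TCP payloads for credentials that are readable without any key, and it treats TLS records as opaque so they are not falsely flagged. The sample payloads are constructed stand-ins (a plain HTTP form login, an HTTP Basic header, a TLS ClientHello record, and a harmless request); they are not iSkoot's traffic, and the hostname `voip.example` and the form field names are assumptions, since this page does not describe iSkoot's wire protocol.

```python
"""Scan captured TCP payloads for credentials sent without encryption.

Added example (not iSkoot's code or protocol). The payloads below are
constructed for illustration; in practice you would feed in the TCP
payloads extracted from a capture such as the one PhoneBoy posted.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample "packets" (TCP payloads only, headers stripped).
SAMPLE_PAYLOADS: List[bytes] = [
    # A form login posted over plain HTTP: the password is readable by
    # anyone who can see the frames. (Field names are assumptions.)
    (b"POST /login HTTP/1.1\r\nHost: voip.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 37\r\n\r\nuser=alec&password=hunter2&remember=1"),
    # HTTP Basic auth: base64 is an encoding, not encryption.
    (b"GET /api/balance HTTP/1.1\r\nHost: voip.example\r\n"
     b"Authorization: Basic YWxlYzpodW50ZXIy\r\n\r\n"),
    # A TLS record (handshake type 0x16, version 3.1, 5-byte body):
    # whatever is inside is opaque to a sniffer.
    bytes.fromhex("1603010005" "0100000100"),
    # Innocuous plaintext request with no credential in it.
    b"GET /status HTTP/1.1\r\nHost: voip.example\r\n\r\n",
]

FORM_CRED = re.compile(r"(?i)(?:^|[&?])(pass(?:word|wd)?|pwd)=([^&\r\n]+)")
FORM_USER = re.compile(r"(?i)(?:^|[&?])(?:user(?:name)?|login)=([^&\r\n]+)")
BASIC_AUTH = re.compile(r"(?im)^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$")


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header (content type
    20-23, version 3.x). Such bytes carry no readable credential even if
    a password is being sent inside the record."""
    return (len(payload) >= 5 and 0x14 <= payload[0] <= 0x17
            and payload[1] == 0x03 and payload[2] <= 0x04)


def extract_cleartext_credential(payload: bytes) -> Optional[Dict[str, str]]:
    """Return {'kind', 'user', 'password'} if the payload carries a
    credential readable without any key, otherwise None."""
    if looks_like_tls(payload):
        return None
    text = payload.decode("latin-1")  # never raises; keeps byte values
    m = BASIC_AUTH.search(text)
    if m:
        try:
            userpass = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            userpass = ""
        if ":" in userpass:
            user, pw = userpass.split(":", 1)
            return {"kind": "http-basic", "user": user, "password": pw}
    # Look in the body after the HTTP header block; for a non-HTTP
    # protocol there is no blank line and the whole payload is searched.
    body = text.split("\r\n\r\n", 1)[-1]
    m = FORM_CRED.search(body)
    if m:
        um = FORM_USER.search(body)
        return {"kind": "form-post", "user": um.group(1) if um else "",
                "password": m.group(2)}
    return None


def scan(payloads: List[bytes]) -> List[Tuple[int, Dict[str, str]]]:
    """Return (packet index, credential) for every payload that leaks one."""
    hits = []
    for i, p in enumerate(payloads):
        cred = extract_cleartext_credential(p)
        if cred:
            hits.append((i, cred))
    return hits


if __name__ == "__main__":
    for idx, cred in scan(SAMPLE_PAYLOADS):
        print(f"packet {idx}: {cred['kind']} user={cred['user']!r} "
              f"password={cred['password']!r}")
```

Run against the constructed samples it reports packets 0 and 1 and stays silent on the TLS record and the status request, which is the distinction that matters: a client that logs in inside a TLS session leaves nothing for this scan to find, while a client that does not leaks the password to anyone who can read the frames. On an open hotspot that is every frame on the air, which is why the advice below about public access points matters.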

The biggest issue I see is that so many people use the same password on every site. If someone were to discover your Skype password this way, you might lose whatever balance you have on your SkypeOut account, but more importantly they might also be able to compromise the security on other sites – say your bank – if you habitually reuse your password as many people do.

If you own a WiFi-enabled phone and use iSkoot via WiFi:

  1. Don’t use the WiFi at a public access point.
  2. Or, if you must use iSkoot at a public access point, change the password on your Skype account to something that you don’t use anywhere else.

Perhaps the most peculiar aspect of this was Mark Jacobstein’s denial, in the comments on PhoneBoy’s blog, that passwords are being sent in the clear.  I hope to see iSkoot publicly acknowledge the issue and commit to a very fast timeline to get a fix in.  If they let this issue linger, it has the potential to damage the business that they have worked so hard to build with carriers.  That would be a shame.

