[asterisk-biz] magicjack?

Trixter aka Bret McDanel trixter at 0xdecafbad.com
Sat Feb 27 09:10:00 CST 2010


On Sat, 2010-02-27 at 09:54 -0500, Dave Veilleux wrote:
> Here is a snip from devojrx7 on www.fox16.com..


That appears to be FUD which is spread by either a malcontent or an
uninformed user (or both?).  The softphone they use embeds Internet
Explorer to render the banner ads it displays and such.  Since IE is
used by many users for other things, there is on occasion some data
within the IE memory space such as browser history.  This data is not
actually sent by anything I have seen to magicjack.

With that said, I do believe that magicjack does monitor what you call
so they can display ads relevant to that.  For example, if you call a
pizza delivery number, expect to start seeing pizza adverts in their
client.  This is totally different from "stealing your private data"
since you implicitly are requesting that the telephone number you call
be sent to the provider you are sending the call through.

A good understanding of what it is they actually sell shows they are
profitable without having to resort to stealing data, and wouldn't the
theft of data be a crime or at least appear in the TOS?  With the
sue-happy nature of people, if their claim of signing up 250,000 people
per week to the service is even remotely true, surely someone somewhere
would have noticed this and filed a class action lawsuit, the most
preferred by lawyers since they tend to make out really well.

For reference, Google Voice is free, eBay is $3/month (or are they $5
now?), so the $1.70 a month (with a 12 month prepayment) magic jack
charges does not seem too off the wall.  They do have money since they
bought tigerjet (makers of the chip in their dongle) and softjoys (maker
of sjphone, their softphone) and are owned by the same shell company
that owns ymax (a CLEC).  This money would not put them out of the
league of eBay (which at one time was free to call) or Google in this
sphere of technology.

When I used IDA Pro to figure out the nonce details I did not see any
theft of data; I did not see anything that was sent that was not
required to be sent to authorize the account, place the call or request
only a banner image from them.  Fiddler2 makes it easy to see what is
sent (the "dbkey" HTTP variable contains a username, password and other
stuff in a hash; its format is not terribly difficult to figure out).


-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721




