Research Group Pushes to Ban Skype 196
cowmix writes "Hot on the heals of Skype being purchased by Ebay, a research group called Info-Tech just put out a recommendation to its customers that all corporations should ban the use of Skype on their networks. The reports sites a laundry list of issues it feels plagues Skype, most of which will have a familiar ring (ie the normal anti-IM and P2P talking points). Will this cool Skype's rapid progress into the business arena?"
Not if (Score:4, Funny)
Not if a first post on slashdot links to http://www.skype.com/ [skype.com]
Re:Not if (Score:5, Funny)
Re:Not if (Score:5, Interesting)
Likewise we have groups like "The Yankee Group" and what have you endorsing cheesy TCO studies for Windows and stuff.
So the dog has spoken, at the end of the day the question remains, who the hell fracking cares?
Re:Not if (Score:5, Informative)
Re:Not if (Score:5, Funny)
Comment removed (Score:2)
Re:Not if (Score:4, Interesting)
Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
So follow our advice, ban it and create a communications barrier first?
Seriously though, isn't Skype bad? Close source, uses your bandwidth for other users. If it becomes the dominant standard surely that leaves it open to being milked for all it's worth by eBay?
Re:Not if (Score:3, Interesting)
Skype isn't a monopoly (yet), but it obviously would like to be one at some time in the future - what business wouldn't? And it's putting all the right pieces in place to be just as evil a monopoly as Microsoft.
Re:Not if (Score:2)
nohow
and by the way what the hell is undetectable and untraceable mean ?????
They meant you could not sniff it? Listen to it? Or see if it is installed on a computer?
I am not affiliated to skype in any way, but since the telco charger $1+
not secure or secure, my windows box is a throw-away installation, some poo hits the fan and I copy an image and back up and kicking
Re:Not if (Score:2)
If Skype can build up a near-monopoly with a their current product and pricing, they will be in a good position to do something very different in the future.
Re:Not if (Score:2)
The bottom line is that companies that use it are going to save money and be more competitive, beating out the companies that don't. Unless that changes, they'll accept any of the mentioned risks even if the report was 100% true (which it's obviously not.)
Sounds Familiar (Score:4, Interesting)
Half-truths (Score:5, Interesting)
allowing it and any vulnerability to pass through corporate firewalls. false - true of any software
Skype's encryption is closed source and prone to man-in-the-middle attacks. true - one has no cyptographic assurance that there is no MITM with Skype
Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service. false
Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk. FUD
The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.
false - lots of businesses use VoIP
Re:Half-truths (Score:2, Insightful)
Hmm, should this be false too? Tom Berson from Anagram laboratories examined skype and wrote:
Read the whole article at http://www.skype.com/security/files/2005-031%20se
Re:Half-truths (Score:3, Interesting)
Re:Half-truths (Score:2, Insightful)
I particularly like this one. Can anyone think of any communications product that would not risk a communication barrier with countries and institutions that had banned the service?
I can - Skype. If you need to call Fred Smith at Acme Corp, who has banned Skype, then you can call him on Skype Out, or pick up a standard telephone (assuming your company or country has not banned or obsoleted them
Re:Half-truths (Score:3, Insightful)
Internet Explorer is not standards-compliant (well, the big thing is that they don't actively work to be standards-compliant), but I don't see "research firms" calling for a ban on that.
Re:Half-truths (Score:2)
If you are a call center with 200 employees, go the Voip standards or Voice over frame relay way....
if you are a company of 10, making 10 overseas calls a day, and having a few partners of the same size; skype is a good solution for saving on outgoing calls, equipment and similar
Besides: in a company where users use their favourite programs? Usears should not be able to install ANYTHING themselves, so your idea is dead from the beginning....
Now on to explorer: you sure can fetch pages from webservers, but sometimes it is just pure luck if they show up the same way as in any other "standards compliant" browser,
unless it has been tested on IE fr workarounds, and have several lines like
if($browser == "IExplorer") do_something_of_a_nasy_hack_to_appear_normally();
Re:Half-truths (Score:2)
So if one is willing to a) trust Tom Berson and b) willing to trust Skype that they actually ship and do what they showed to Tom Berson - then you have some level of assurance.
Dw.
Re:Half-truths (Score:2)
Wait... if you talk try talking to a country that has banned Skype, you can't talk to them? No way! Oh, because you can't reach them, banning it on your side improves things? No - Fucking Duh.
Proprietary software is untrustworthy. (Score:2)
However, one could raise comparable practical problems with any other proprietary program, such as those running many businesses today. That doesn't make Skype any better (in for a penny in for a pound doesn't make foolish behavior sensible) it means that businesses should run exclusively free software.
Re:Half-truths (Score:3, Interesting)
You *can* change the ringtone you know
Re:Half-truths (Score:2)
Interesting then how the Linux version runs fine on FreeBSD (which does somethign a lot closer to OSS and not ALSA) and how it is being an utter pain on my FC4 based system with ALSA.. I have wondered so far if it supports ALSA at all.. Not to mention there uis a Windows version around.. so at any rate, a bit more then Linux/ALSA eh?
Audio is poor quality: only 8KHz 1 channel 8 bit sampling.
Oh it is? on a crappy 28k8 line it indeed is. Sound quality is not anywhere near 'hifi', but on a decent connection it is pretty good. Not as good as a nice clear phoneline, a lot better then the typical mobile phone however.
Encryption not turned on by default.
Interesting, maybe you have another program calling itself Skype then.. because I cannot turn it off in the version I use here, let alone it being off by default.
User interface uses harsh, unfriendly colours.
Compared to what? It shines compared to kphone, but hey, it could use some improvement indeed.
The ringing sound is kind of loud, and surprises you when you're not expecting it because you forgot to set your status to not interrupt you
As someone else pointed out, you can replace it.
Alternatively, you could turn down the volume a bit
Re:Half-truths (Score:2)
Skype is for windows as well as a few other OS's, but does NOT support alsa (but they recently said they were wokring on it in the skype linux forum)
For audio it uses one of two codecs, decided at the time the call is placed, and none of them are that bad. I would put the quality quite a bit better than any 'nice clear phone line' since the bandwidth is much higher.
The troll is obviously someone who uses and likes skype, hes just having a bit of fun with you guys.
Re:Half-truths (Score:5, Informative)
Only Linux/ALSA is supported.
Windows, Linux and MacOS is supported. On Linux, Skype uses OSS, not ALSA. ALSA support is in the works.
Audio is poor quality: only 8KHz 1 channel 8 bit sampling.
Audio quality scales with available bandwith/cpu power. Skype dynamically switches codecs depending on the available resources.
Encryption not turned on by default.
Really? [skype.com] All Skype calls are encrypted end-to-end by default - Skype to PSTN calls are encrypted until it reaches the PSTN network.
User interface uses harsh, unfriendly colours.
Subjective. The Linux version can easily be themed through QT, as it is dynamically linked to your QT library.
The ringing sound is kind of loud, and surprises you when you're not expecting it because you forgot to set your status to not interrupt you.
Not only can you change the default ring tone, you can download free ringtones from the Skype website...
So... What was the problem again?
Comment removed (Score:3, Interesting)
Re:Valid Points (Score:5, Insightful)
Not even close to all of the points were valid points. Not even half of them made any sense! And you can't even call TFA an article, it's a friggin' press release.
VOIP, closed source and NAT traversal are hardly anything that your typical business spends any time worrying about. In fact, VOIP, closed source software and NAT traversal is standard operating procedure for most companies (or at least 2 of 3 of them).
Did this research group forget something? (Score:4, Funny)
Armstrong, you misspelled Windows.
Re:Did this research group forget something? (Score:2)
PLEASE CREATE ROOT PASSWORD:
Hmmm....[ENTER]
Re:unpatched known vulnerabilities, a big MS probl (Score:2)
An unpatched system is an unpatched system, doesn't matter the OS release.
Non-issue really (Score:5, Insightful)
Well no shit, sherlock. If a company feels that IM software (such as AIM or MSN) is a security risk, then of course they should consider Skype a security risk. It's called consistency. This is really a non-issue. New messaging program comes out (which in a way, is what Skype is), companies that ban other messaging programs add it to their ban list. Those that don't ban messaging programs, don't.
This is pretty much a non-article. And it won't slow the proliferation of Skype in the business world, because I doubt companies that banned other IM programs, really needed Info-Tech to tell them to add Skype to the list (I'm sure Info-Tech is just doing it to be consistent as well).
Follow the money (Score:2)
The difference is... (Score:2)
Re:The difference is... (Score:2)
BTW, it is somewhat possible to see the traffic traversing the network. The Skype traffic seems to be based on STUN. The firewall can't block it, but the IDS is able to pick it up.
The best method I know of for stopping this traffic is to use a multi-pronged approach. Start with a corporate policy against IM, unauthorized VoIP, etc. Use IDS and/or firewall logs to see someone using the software. After detection, turn the person in to mgt./HR for policy violations and have them terminated. After a few people become examples, this behaviour will decrease immensely. It sounds heavy-handed, but there are industries that cannot risk disclosure of data (think HIPAA and GLBA).
Re:keep digging, Watson. (Score:2)
I completely disagree with the comment that, "There is zero value added by closing IM, Skpe[sic] and other holes in the M$ strainer." Using that logic, why even worry about closing any inbound or outbound ports in the firewall? Why even have one? Don't let your dislike of MS software cloud your judgement concerning other products.
Key word - "recommendation" (Score:2, Insightful)
Research? (Score:5, Insightful)
Recursive Loop (Score:2)
Re:Recursive Loop (Score:3, Funny)
http://en.wikipedia.org/wiki/Turtles_all_the_way_
Re:Research? (Score:2)
Re:Research? (Score:3, Insightful)
I'm sorry, I think they misspelled "It provides a service cheaper than the establishment, and someone would be losing money".
For instance, the company that manages Phone, Ethernet, and Cable (yes, one company does all three) in the apartment where I live has a policy that you can't use Skype or any other homebrew voip technology. They say it affects the quality of their network and introduces security risks. What the reality is is they don't want to purchase more bandwidth, and they already sell telephone service, so they don't want you to be able to skirt their fees.
Re:Research? (Score:2)
-
The power of documentation? (Score:5, Funny)
Wait. So just by having a policy, Skype becomes unhackable? That's incredible. I never knew that a policy (no matter what the policy was) could work so well. Perhaps if all businesses developed a policy like "No computer shall have Windows installed on it" then the amount of hacking businesses suffer from would drop dramatically. All because someone created a document.
Thanks Info-Tech. You just saved my business!
P.S. I was being sarcastic. Although creating a policy banning Windows WOULD decrease the amount of hacking that occurs.
Flawed analysis (Score:5, Insightful)
pass through corporate firewalls.
And how would this be different if Skype was standards compliant?
- Skype's encryption is closed source and prone to man-in-the-middle
attacks. There are also some unanswered questions about how well the
keys are managed.
Ooh.. closed source is evil! By this logic, Info-Tech should recommend banning Windows (to the delight, I'm sure, of many
- Enterprises using Skype risk a communication barrier with countries
and institutions that have already banned the service.
Is this a joke? I dunno about you, but I haven't seen any companies completely give up.. what's that thing?.. the telephone in favour of Skype..
Skype is a useful tool. That's all I've got to say about that.
Re:Flawed analysis (Score:2)
Ooh.. closed source is evil! By this logic, Info-Tech should recommend banning Windows (to the delight, I'm sure, of many
You forgot the "and prone to man in the middle attacks" part. Closed source code by itself isn't dangerous, but man in the middle attacks are. I'm guessing it Skype was open source, anyone could implement a skype server, so the "man in the middle" would be the business itself, thus there being no man in the middle.
Nice try though.
Re:Flawed analysis (Score:2)
Yes, they're stretching the definition of "standard" to include "closed and proprietary but already reverse-engineered".
(It's fun to watch a nannybox salesman get quiet when you ask about encrypted Jabber and VOIP latency.)
Amen.Re:Flawed analysis (Score:2)
So how come phones haven't been banned yet?
Re:Flawed analysis (Score:3, Insightful)
The idea is that before something becomes a standard, it has been used for years, and most vulnerabilities have been found. Plus, lots of people have seen how it works, so more people can discover vulnerabilities and patch them. Yeah, if someone finds a new one, it's no different, and they phrased that incorrectly.
Ooh.. closed source is evil!No, but closed source encryption most definitely is. If your corporation is counting on skype's encryption to secure their calls, but they don't know how that encryption work, and no one has looked at the code to make sure it's well implemented, how do you know it's not fundamentally flawed and it will be hacked tomorrow? How do you know some unscrupulous skype employee hasn't written in a vulnerability on purpose (without skype's knowledge) so that he can decrypt calls he wants to?
Paranoid? Yeah, but when dealing with security and encryption, you're supposed to be paranoid.
Skype is a useful tool. That's all I've got to say about that.Yeah, banning it is an overreaction. Corporations just need to be aware of the problems and work around them. Have firewall layers. Open up the skype ports for the workstations, but keep the file servers behind a second firewall that blocks those ports so that any vulnerabilities don't affect them. Go ahead and use Skype and its encryption, but don't count on it for anything that you wouldn't wish to get out into the open. As with any tool, you just need to be aware of what the dangers are. Computers connected to the internet can be hacked and infected by viruses. Ban the internet at your corporation!!!
Re:Flawed analysis (Score:2, Insightful)
Ooh.. closed source is evil! By this logic, Info-Tech should recommend
banning Windows (to the delight, I'm sure, of many
What Info-Tech means by "closed source" is in fact "proprietary algorithm". The usual stance amongst cryptography researchers is that proprietary algorithms must be avoided at any price because they have not been cryptanalyzed as much as standard algorithms, so they have higher chances of being flawed. It would be much better if Skype replaced its algo by AES for example.
You're incorrect about the crypto issues (Score:2)
Steve Bellovin reported to the cryptography mailing list thatc urity%20evaluation.pdf [skype.com]c urity%20evaluation.pdf.sig [skype.com])
Skype has released an external security evaluation of its product; you
can find it at
http://www.skype.com/security/files/2005-031%20se
(Skype was also clueful enough to publish the PGP signature of the
report, an excellent touch -- see
http://www.skype.com/security/files/2005-031%20se
The author of the report, Tom Berson, has been in this business for many
years; I have a great deal of respect for him.
Re:You're incorrect about the crypto issues (Score:2)
There are open ways to implement a distributed SIP protocol, see
http://www.gizmoproject.com/ [gizmoproject.com]
I am not using a distributed, closed source protocol which is coming from one of inventors of original spyware.
Re:You're incorrect about the crypto issues (Score:2)
From wikipedia:
In November 2001, the court ordered Kazaa's owners to take steps to prevent its users from violating copyrights or else pay a heavy fine. Consumer Empowerment responded by selling the Kazaa application to a complicated mesh of offshore companies, primarily Sharman Networks, headquartered in Australia and incorporated in Vanuatu.
Re:You're incorrect about the crypto issues (Score:2)
Nowadays companies feeding the worst spyware to people _had to_ remove spyware from their bundles as it became a security concern even NSA cares about. Of course, their PR department works very fine, now they brag about being "spyware free!".
I am always concerned about the practices of companies _before_ users (and some developers!) became aware of what those "extra apps" do! I know a few developers who did not have a clue what "gator" etc did, they tricked them it provides "advertising banner only".
Kazaa was never a "clean" and trust-able application.
If you dare http://www.oldversion.com/program.php?n=kazaa [oldversion.com] (note for people can't stand without clicking a link, I AM LINKING HIGHLY POSSIBLE SPYWARE!)
Re:You're incorrect about the crypto issues (Score:2)
Diffie-Hellman vs. RSA (Score:2)
Diffie-Hellman _does_ require MITM protection, and you can either implement that using digital signatures (RSA is just fine here) or password-hash approaches between the client and Skype's authentication server. Whit Diffie likes DH with RSA signatures, and that's probably what Skype should have done.
Re:Flawed analysis (Score:2)
From the site:
"Skype uses AES (Advanced Encryption Standard) - also known as Rijndel - which is also used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1536 to 2048 bit RSA to negotiate symmetric AES keys. User public keys are certified by Skype server at login."
So, assuming the skype server has not been compromised, and the implementation isnt horribly wrong somehow...skype is neither vulnerable to man in the middle attacks, nor is it using any kind of weak or propriatary encryption.
Re:Flawed analysis (Score:3, Interesting)
It wouldn't. Until someone reported the vulnerability and it got fixed. This tends to happen very slowly with closed-source software. The same problem exists in Windows and any other closed-source software.
Skype is a useful tool. That's all I've got to say about that.
How about saying this: the phone system is useless unless everyone can talk to everyone else. If Skype could rise to a dominant position in the market - and what business isn't trying to do that - they would have a stranglehold on the market by virtue of their use of secret proprietory technology. No-one could inter-operate with them, except on their own terms.
We've seen how bad this is in the computer software market. Do we want to set off down the same slippery slope in the telephone market?
Bogus and Disingenuous at that (Score:2)
pass through corporate firewalls.
Skype doesn't comply with many of the popular standards, and it is designed to pass through firewalls fairly aggressively, including NAT traversal, which most of the standards-compliant VOIP protocols aren't very good at. But those are separate issues, and should be dealt with honestly. Beating them up for these problems separately is a much much stronger case than mashing them together incorrectly. And way too many applications need to be built to cooperate with firewalls, but instead are being built to work around them because the firewalls don't play well with others either.
attacks. There are also some unanswered questions about how well the
keys are managed.
It *is* closed source, and there *are* serious questions. That doesn't mean they're prone to man-in-the-middle attacks, except attacks from Skype's own presence server - but traditional telco services can be attacked by bribing or subpoenaing the phone company, and newer VOIP services appear to have more vulnerabilities than Skype because the US is convincing their vendors to build in wiretap support.
and institutions that have already banned the service.
There are people you want to talk to who don't use Skype for various reasons, but that just means you call them the old-fashioned way, or use SkypeOut to make a telco call to them if it's cheaper than your regular telco rates. Doesn't mean you should ban using Skype for calling people who do use it. If there are any countries that ban Skype, it's either because their monopoly telco doesn't like low-priced competition or because they want to wiretap their subjects' calls and Skype isn't helping them; there's no good reason to cooperate with that. There are institutions who've done the knee-jerk conservative paranoia ban on Skype for security reasons, but one of the largest concerns has been that Skype's supernodes can let outsiders use some of their resources in ways they don't understand well enough to trust. SkypeOut lets you call them for cheap, which isn't quite as good as free.
If your organization has a legal obligation to record what phone calls your users make, and possibly to record the calls themselves, then yes, Skype is probably not currently for you. Very few businesses and not many governments are in this position, and telling everybody that they shouldn't use it because some kinds of users really shouldn't is disingenuous and tacky. But if you're only doing the recording for accounting purposes, so you can make sure that Department X pays for its fair share of the company phone bill, you simply don't need to do that for Skype calls.
No, it doesn't further cloud the issue, even though your SkypeOut phone bill is separate from your local telco bill and long distance bill and calling card bills and employees' cellphone bills. If your organization needs to record its telephone calls for regulatory reasons, Skype might not be for you, but as with the previous bullet item, that's not very common, and waving your hands in the air to scare people is disingenuous
Disclaimer: I work for a telecom company that provides many different kinds of traditional and VOIP voice and data services, not including Skype, and this is my personal opinion from several decades of professional experience, not an official position of my employer.
Re:Flawed analysis (Score:3, Interesting)
Skype is a useful tool. That's all I've got to say about that.
No it is not. Not for our business, where I already provide everyone with a phone system employees can use to call anyone free of charge. As long as it is business related.
If the company needs to save money by using VoIP (which we actually already do), we will make the decision centrally. It is not a decision for every random employee.
If the purpose of installing Skype is to make non-business related calls, then it is quite obvious why companies would like to prevent that.
Vast government powers (Score:2)
Reasons to ban Skype:
3. Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
Entire countries can ban the use of Skype?
Before I make a knee-jerk comment about totalitarian/nanny-state governments, could I turn in another knee-jerk direction and first suggest that such governments turn their nationwide-banning attention to Windows?
Re:Vast government powers (Score:5, Insightful)
Re:Vast government powers (Score:2, Interesting)
Agreed. I'm in pakistan. The major telecom, PTCL, which in effect controls nearly all net bandwidth in the country, has banned ISP's from adopting/adapting any sort of VOIP solution. Skype still works though.
Re:Vast government powers (Score:2)
Re:Vast government powers (Score:2)
Re:Vast government powers (Score:3, Funny)
Info-Tech, No conflict of interest there... (Score:5, Informative)
Now lets not give this poor piece of press release any more credence then it deserves, It may be on yahoo's page but its only the equivalent of a company making a mock news story about themselves.
Nope (Score:3, Interesting)
Businesses will decide to use or not use Skype based on one thing...and that article ain't it. They will make their decision based on the simple question does it save them money. If it does, they'll adopt it. If it doesn't, they won't.
Mediocre Hacker? (Score:4, Insightful)
1> Has there BEEN any vulnerabilities reported? If not, let's not get carried away and say that the vulnerabilities in Skype (and there ARE vulnerabilities. It's a piece of software that uses the internet, OF COURSE there's vulnerabilities) are easy to use until they've been reported.
2> Will Info-Tech be recommending the banning of Windows anytime soon? After all, any mediocre hacker can take advantage of a Windows vulnerability.
Re:Mediocre Hacker? (Score:2)
Yes, and Skype even has a web page dedicated to describing them:
http://www.skype.com/security/bulletins.html [skype.com]
And all of the listed vulnerabilities there have been fixed.
Re:Mediocre Hacker? (Score:2)
Ban skype-on-windows for security reasons (Score:2)
Run skype on something less mainstream, like freebsd or unix, and the chance of a worm exploiting your box is significantly smaller.
same for the email client, the word processor, flash (an attack for flash's latest patch is out in the field now), etc. etc. Any program that processes data from untrusted sources is a security risk, but windows turns it into a security reality.
Maybe MS should make an add of that
"you see a buffer overflow, we see a network of zombie systems"
Lets review every point (Score:3, Interesting)
"Companies that are already banning peer-to-peer applications, such as instant messaging, should add Skype to its list of unsanctioned software programs,"
As stated elsewhere, if you're banning those, you'll be banning this. Plain consistency.
"Unless an organization specifies instances where Skype use is acceptable, and outlines rules for client-side Skype settings, that's 17 million opportunities for a hacker to invade a corporate network."
How does this differ to email and internet acceptable use policies? Its another service like everything else, even the same as your telephone. My company would kill me for making massive STD calls, thats acceptable use. A properly configured network isn't going to magically let a hacker in either, setting a policy doesn't change this.
Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.
Windows isn't standards compliant, IE most definatley isn't and has a lot more vulnerabilities against its name. Short of the Skype servers being compromised, I don't see this as an issue.
Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.
Who here has seen Microsoft or RSA's implementation of security? MITM attacks occur on any platform, people trust entire network security (including remote access) on closed source encryption...
Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
Well there is the good ole telephone to use to communicate, but if I can get a cheap international call I'm going to use it do you think?
Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.
Well if I run packet sniffers to track these things I believe thats more than enough 'auditing' to get me through compliance laws. Logging everything in its entirety should be enough...can you do that with a regular telephone easily?
The question of whether VoIP calls constitute a business record is a legal quagmire.
Throwing Skype into the communications mix further clouds the issue.
No the point is that it hasn't been legally tested. The same issue was there for telephones and now thats been tested nobody has any issues with it. New technology has these, you'll find most companies get over it."The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."
Manage it like any other IT service. Thats just common sense. A mediocre hacker can take advantage of an IE vulnerability...just wait, THEY HAVE! Oh no, lets not use IE either because its a security vulernability that has been REPEATEDLY demonstrated. Err, damn. If you don't manage your resources, any resource, you're setting yourself up for failure.
Now we do use it in our enterprise to keep in contact with each other. The fact that I don't have to be in the office to get in contact with system administrators, network administators, other programmers and the people I work with. Its pure text, but it allows us to do voice. We'd pay through the roof for some of the things that Skype has saved us. One of our senior managers left the country and we got back in touch with him over an issue using Skype. We had a longish call at little to no expense where it would have cost us an arm and a leg to make an international call. This is a non issue for us, it may scare people (FUD, who else does that..) but at the end of the day, VoIP is here to stay.
On a closing note, how does VoIP effect companies that internally are pure VoIP then bridge to the normal PSTN? Does that mean all their calls are worthless even though externally it looks like a normal switch? I think not...
Bandwidth (Score:2, Interesting)
I wish at least, it would have an indicator of how much bandwidth it is consuming, or has consumed over a given time. Unfortunately it doesn't. I can also see why this could be a concern to corporate offices.
Re:Bandwidth (Score:2)
Skype has a guide [skype.com] for network administrators, and there's also this analysis [columbia.edu] of the Skype protocol.
Petty and un-ethical! (Score:4, Insightful)
Replace the word skype with virtually any other software and the article would still be valid.
I feel sick when i read such articles and I feel even sicker when an article like this http://www.enterprisenetworkingplanet.com/netsp/a
I am not a conspiracy theory kind of guy, but why the sudden noise about skype's insecure desgin using the http protocol to work over NAT at the same time that Microsoft and Cisco find a way for SIP to work "securely" over NAT?
Call me paranoid but I find this very weird!
Re:Petty and un-ethical! (Score:2, Interesting)
Last week, Microsoft purchased media-streams.com to add VoIP capabilities to its applications and servers. The acquisition fits in with Microsoft's plan to integrate e-mail, IM, SMS, voice and conferencing services. In August, Microsoft bought Teleo, a developer of VoIP, PSTN termination and click-to-call technology, which can be used to bring VoIP to the IM space.
So the obvious next plant would be to get rid of skype, no?
OT: WANTED: Skype functionality on an isolated LAN (Score:4, Insightful)
OK, so Skype ISN'T OSS...
So, where'is the best OSS counterpart to Skype?
And [for us] where's something, preferably OSS,
that does IM & VoIP as well as Skype on a closed LAN?
We don't want to lose INTRA-office voice & text contact
whenever the Internet is unavailable or bandwidth to it
is low (eg, in Australia's Outback, & we DON'T want to
pay high Satellite rates to get what we want here
What are our options?
TIA
Re:OT: WANTED: Skype functionality on an isolated (Score:2, Insightful)
You can buy proper phone handsets, or use softphones. You use a product like Asterix to link things together like Skype's server do.
Again, look at SIP
Asterisk, SIP systems and older H.323. (Score:3)
If connections to the old phone networks are important, your choices are either to use a gateway box that converts VOIP to telco and connect it to a telco trunk (typically Asterisk PBX or a Cisco router with VOIP), or else use a service that will accept VOIP connections outbound to the PSTN and maybe inbound PSTN calls to you. SkypeOut and SkypeIn are Skype's answer to this, but there are a half-dozen wellknown companies that at least handle the outbound calls.
Skype does two technical things particularly well, which helps account for their popularity (they also market well):
Skype vs. Firewalls (Score:2)
There are companies making firewalls that do deeper packet inspection to detect things like Skype, because *everybody* does the Port 80/443 wrapper approach, but it's still an arms race. Of course, there are people like Dan Kaminsky doing tricks like tunnels-over-DNS, which are cute but really really abusive, e.g. getting multi-megabit/sec video to run over DNS requires splattering DNS requests across thousands of domains, but in practice most of the tunnel systems work just fine on standard protocols.
There are companies and universities that worry that Skype users are providing services to outsiders, because of Skype's supernode system for letting people behind overly tight firewalls get out, but the supernodes can only provide service to outsiders if they're outside the firewall, so that's mainly a university problem, not a corporate problem (or at least, not a problem for the kinds of corporations that worry about Skype penetrating their firewalls.)
Re:OT: WANTED: Skype functionality on an isolated (Score:2)
It's not very Off topic anyway.
They made World standard SIP protocol distributed in an open source way.
Support is plain amazing, they replied to my crash report (which _I_ included my mail) in 20 minutes which shocked me.
I wonder if
A funny fact which I can't stand without saying is, I wanted to make sure Skype is coming from Kazaa, not iMesh and clicked
http://www.kazaa.com/us/products/ [kazaa.com]
Shows a turkish betting ad in their product page. Um, betting in foreign sites is kind of "grey" matter in Turkey which many banks won't allow.
No, reason is not our islamic wannabe govt. It is that, there is already a betting service in Turkey which is bound by law and governed perfectly. What I understand is, Kazaa did not change at all. Always dark stuff...
Yea, use Skype people, PROTECT YOUR FREEDOM! with a company invented mass spyware.
Think About it (Score:3, Interesting)
Why ?
Well, I (and probably many others) operate major firewalls on the basis of 'anything not explicitly permitted is denied'. Skype is a concern, because due to the closed source nature of the product and the absence of any independant reliable auditing I cannot say with any assurance exactly what Skype is capable of.
Yes - I have read the manual, but there is no reason to believe that what the documentation provided states is the complete story.
The next position you would responsibly take is that you accept the use of Skype, but manage it appropriately, preferably within a security policy (human readable paper) that end users read and agree to. The idea here is that you educate and inform your users of whatever risks there are, and do the best you can to manage those risks.
Now, to manage anything you need to be able to measure and monitor it. Skype is a problem here, as it's P2P technology, the use of relativly high grade encryption, routing and tunnelling make it extremely to manage and monitor.
Now slow down there bucko - I'm not talking about VOIP - I'm just talking about Skype. Many firewalls provide proxies to allow the management and monitoring of VOIP traffic (eg SIP, H323, etc). Skype is a different beast, anda far toougher nut to crack from a management perspective than more standards based VOIP technologies.
VOIP looks good. It is something that can be managed on the same basis as HTTP.
As a network manager I'm against Skype. If a problem appears (eg some nasty exploit) then it's going to be like pulling bamboo out of the garden. The only safe method to isolate an organisation is effectively to cut the link to the Internet.
More standards compliant technologies such as SIP are far more attractive. Not only can they be managed in the same way as other more traditional protocols, they have a range of vendors suporting it, both open and closed source implementations are availble.
Skype is a weed.
Re:Think About it (Score:2, Insightful)
Wrong! - That would be overkill and will only serve as an unsubstantiated threat to bully people into not using Skype without posting a serious argument.
Get real, people. All Skype's ports are well documented and easily verifiable and any serious organization has a central firewall, so just block all traffic on these ports there and Skype is dead. I can do that using just one line of pf-rule so it really isn't hard at all.
You can even go a step futher and block everything except whitelisted ports, maybe even linked to specific IP's. This way there will be no backdoors regardless of how many trojans stupid lusers install on their Windoze boxes. We have used this for years and the few vira that made it though mailscanners were all harmless when it came to external access. Sure the boxes needed a re-install just to be safe but no hackers gained entry, nor was a single spam ever sent out (smtp is of course only allowed to the corporate mailservers (running FreeBSD), and only they can send and receive from the outside world).
No, this article has but one purpose: Scaring management from abandoning expensive big business-run communications in favour of cheaper/free alternatives. The security implications of Skype are no worse than any other closed-source software, the most common OS being one of the worst in itself.
Self boosting via the media (Score:2, Insightful)
WTF... (Score:4, Insightful)
- Neither is MS Office (or several other MS products), Adobe Photoshop etc.
- So are several other encryppiton schemes... and a man in the middle attack is in fact easiest to make on a POTS, just connect a speaker to the wire.
- Use SkypeOut, POTS or a cell phone ?
- That seems to be the mantra now : encapsulate everything in HTTP
- Busuness record ? if it is not on paper or other approved medium it is not a valid record... and btw. VoIP on a Cisco CallManager is strictly speaking still just VoIP, so I presume that several large banks have the same problem ?
No, I do not defend Skype, I do however attack Info-Tech's lack of sanity !!reasonable (Score:2)
What are the properties that make Skype dangerous? It's not standards-compliant, doesn't permit application-level proxies, its encryption is closed source, and it can't be audited in the way that many corporations are required to audit communications.
If you want to make personal calls from work, use your cell phone. And if you are looking for a VoIP solution for your business, go with something standards-compliant and (preferably) open source instead of Skype.
Re:reasonable (Score:2)
What are the properities that make Windows dangerous? It's not standards-compliant, uses closed source encryption.
The only one that doesn't apply to most other packages is the audting of communications. And even then, when you are using encrypted mail clients, and encrypted IM clients, god knows what goes in and out.
And yes, many corporations sign/encrypted e-mails by default.
Skype is no worse than any other closed source solution. Closed source e-mail servers do weird things. Closed source operating systems sometimes have inexplicable behavior.
And a closed-source VoIP solution will do weird things, too.
You accept these risks, you attempt to mitigate them as best as possible, and you move onwards.
Why not just ban human interaction altogether? (Score:2, Insightful)
I mean, why don't we ban the use of telephones, cell phones, fax machines, minute taking during meetings, and any contact with your colleagues and customers? I mean, are those devices fully compliant to the pseudo-security mumbo jumbo that these people pretend to affect IM and VOIP? I mean, that's what people do right? Block me from IM, and I SMS my friend, relatives, associates and customers from my mobile. Block me from Skype and I'll just pick up the phone or my mobile.
Could somebody please stop the insanity, and just write up a worldwide memo that people are just not to be trusted? And that any conversations or interactions with other people cannot be permitted without a lawyer and a permanent record. Oh wait a sec, and that record must be reviewed and signed off by all parties with all the relavent disclaimers attached to ensure that nobody's views are deemed accurate?
So should the same apply to Windows? (Score:2)
>- Skype is not standards-compliant, allowing it and any vulnerability
Dito Windows
>- Skype's encryption is closed source
Dito Windows
If those are good reasons for banning Skype, maybe we can apply them to Windows, Office document formats...
Banning skype (Score:2)
So was this researched and paid by M$???
If Skype is banned - then there will just pop up a lot of other alternatives. And one good thing with Skype is that it actually helps in the informal but important communication in companies.
By the same logic used against Skype - about any software should be banned.
Why Skype is not popular (Score:3, Insightful)
1. Even if it is VoIP, it is desentralised. Businesses that implement VoIP generally use so with IP-telephones and IP-telephone centrals. They implement it as they did with old telephones. This makes the calls cheaper, but do not add the flexibility as a software based VoIP solution do.
2. It contains Chat and File Transfer (IM and P2P), causing a knee-jerk reaction to ban it. Both the hacker/pirate/illegal distribution of music, movies and applications, but also uncontrolled transfer of internal confidential information with no audit trail. Even if *we* know that any unfaithful worker can find other ways to steal information, it is a CMA (Cover My A**) procedure among the security folks.
3. The established telecommunication community fight against it, of course. It will eradicate their soft and cushy market. They will be demoted to Layer 1 and 2 communication providers and ruin everything they have worked to do the last 20 years... to spread out and be telecommunication services providers -- not just a provider of commodity products.
Mix these factors together, and you will have a strong lobby for banning Skype.
There are two simple reasons why Skype use is bad (Score:5, Informative)
Uh? sure.. (Score:3, Interesting)
- Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.
Skype is difficult to bloick unless you have a 'pass only what I know and approved' type of firewall setup, which youy should have anyway if such things are a concern, in other words, BS argument.
- Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.
There are questions indeed about the encryption implementation. I find it interesting that on one side this tech research group claims that noone can look at how it owrks, and on the other side they make a claim about how it works (or actually fails).
- Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
In other news, companies risk a communications barrier with countries not implementing a surface mail system, or a telephony system etc etc. Yes, from choices there may come limitations.. But it is not like using Skype prevents you using a normal phone or such.. In other words, more BS.
- Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.
Maybe... but I think that tech research or whatever they are called just did not look very well..
- The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.
Ok.. and now they owe me a new keyboard. This one is just too good to be true.
Comments Armstrong, "The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."
Sure, even a mediacore hacker can break it easily, but a payed for research group cannot figure out how the encryption is implemented.
Mr. Armstrong, you are full of shit.
Yes, there are issues with Skype, and I'd indeed advice peopel to consider if they want to use it at all. That is even related to one of the points Armstron and company are making, the closed source nature of it, and it being non-standard. The first major issue is privacy. Ebay has shown to not care shit about people and their privacy, and since we cannot verify what they are doing with Skype, there is a reason I believe to distrust Skype now. It not using standards makes it harder to integrate into an organisation that already has a telecommunications infrastructure, and hence it is just not very suitable there.
Skype has raised the bar (Score:2)
Excuse the pun, but you can't unring a bell.
Corporations already have private voice nets (Score:2)
--dave
Re:Please, let's ban something (Score:2)
Please, let's ban something that allows tens of thousands of people to talk to their friends and relatives in other countries without bringing cash to the big companies.
To be honest, why should businesses care? Unless they REALLY want that customer happiness, and will do ANYTHING to get it, Skype is just another distraction. Anyone making phone calls to home (in all likelihood) will be making local phone calls. I think most businesses will accept having to pay for those.
Also, phones tend to be pretty cheap to plug in, whereas Skype requires a computer, and unless each employee has one computer all to themselves, then you need to buy a "phone computer" which does nothing but run skype, which is a fair bit more expensive. Sure perhaps EVENTUALLY you'll save money on local phone calls, but chances are you'll have to replace the computer by the time you do. Also, Skype is only free if people only ring up other Skype users. So money will have to be spent on non-Skype phone calls, which lessens the amount of money saved by using Skype.
Re:Please, let's ban something (Score:2)
Where I work, an international call to anyone but a client would be noticed and questioned, and the person sacked for doing so. It would be pretty damn stupid to make a personal INTERNATIONAL call at work.
but nog can do so using the equipment they already own.
Unless that equipment is being used for something else. Places where it's a "1 computer per worker" environment would be able to use Skype no problem. But where my friend works its 3 computers for numerous people. And the computers are being used to display information so they can go around and do what it tells us to do. No-one should be using the computer, because that would place them in the way of the information, and would hinder people trying to do their job. Such environments (and I doubt my friend's work is unique in this regard) would need a computer that didn't display any important information, to have Skype.
I don't see how banning Skype makes the world a better place.
No-one's talking about banning Skype completely. Merely a recommendation was made for businesses to implement a policy banning the use of Skype on work computers, as it posed a security risk. And Skype can pose a security risk.
Re:Please, let's ban something (Score:2)
Re:Ban this! (Score:2)
Re:grammer natzi! (Score:2, Funny)
Amateur.