Research Group Pushes to Ban Skype 196
cowmix writes "Hot on the heals of Skype being purchased by Ebay, a research group called Info-Tech just put out a recommendation to its customers that all corporations should ban the use of Skype on their networks. The reports sites a laundry list of issues it feels plagues Skype, most of which will have a familiar ring (ie the normal anti-IM and P2P talking points). Will this cool Skype's rapid progress into the business arena?"
Non-issue really (Score:5, Insightful)
Well no shit, sherlock. If a company feels that IM software (such as AIM or MSN) is a security risk, then of course they should consider Skype a security risk. It's called consistency. This is really a non-issue. New messaging program comes out (which in a way, is what Skype is), companies that ban other messaging programs add it to their ban list. Those that don't ban messaging programs, don't.
This is pretty much a non-article. And it won't slow the proliferation of Skype in the business world, because I doubt companies that banned other IM programs, really needed Info-Tech to tell them to add Skype to the list (I'm sure Info-Tech is just doing it to be consistent as well).
Key word - "recommendation" (Score:2, Insightful)
Research? (Score:5, Insightful)
Flawed analysis (Score:5, Insightful)
pass through corporate firewalls.
And how would this be different if Skype was standards compliant?
- Skype's encryption is closed source and prone to man-in-the-middle
attacks. There are also some unanswered questions about how well the
keys are managed.
Ooh.. closed source is evil! By this logic, Info-Tech should recommend banning Windows (to the delight, I'm sure, of many
- Enterprises using Skype risk a communication barrier with countries
and institutions that have already banned the service.
Is this a joke? I dunno about you, but I haven't seen any companies completely give up.. what's that thing?.. the telephone in favour of Skype..
Skype is a useful tool. That's all I've got to say about that.
Re:Vast government powers (Score:5, Insightful)
Mediocre Hacker? (Score:4, Insightful)
1> Has there BEEN any vulnerabilities reported? If not, let's not get carried away and say that the vulnerabilities in Skype (and there ARE vulnerabilities. It's a piece of software that uses the internet, OF COURSE there's vulnerabilities) are easy to use until they've been reported.
2> Will Info-Tech be recommending the banning of Windows anytime soon? After all, any mediocre hacker can take advantage of a Windows vulnerability.
Re:Flawed analysis (Score:3, Insightful)
The idea is that before something becomes a standard, it has been used for years, and most vulnerabilities have been found. Plus, lots of people have seen how it works, so more people can discover vulnerabilities and patch them. Yeah, if someone finds a new one, it's no different, and they phrased that incorrectly.
Ooh.. closed source is evil!No, but closed source encryption most definitely is. If your corporation is counting on skype's encryption to secure their calls, but they don't know how that encryption work, and no one has looked at the code to make sure it's well implemented, how do you know it's not fundamentally flawed and it will be hacked tomorrow? How do you know some unscrupulous skype employee hasn't written in a vulnerability on purpose (without skype's knowledge) so that he can decrypt calls he wants to?
Paranoid? Yeah, but when dealing with security and encryption, you're supposed to be paranoid.
Skype is a useful tool. That's all I've got to say about that.Yeah, banning it is an overreaction. Corporations just need to be aware of the problems and work around them. Have firewall layers. Open up the skype ports for the workstations, but keep the file servers behind a second firewall that blocks those ports so that any vulnerabilities don't affect them. Go ahead and use Skype and its encryption, but don't count on it for anything that you wouldn't wish to get out into the open. As with any tool, you just need to be aware of what the dangers are. Computers connected to the internet can be hacked and infected by viruses. Ban the internet at your corporation!!!
Re:Valid Points (Score:5, Insightful)
Not even close to all of the points were valid points. Not even half of them made any sense! And you can't even call TFA an article, it's a friggin' press release.
VOIP, closed source and NAT traversal are hardly anything that your typical business spends any time worrying about. In fact, VOIP, closed source software and NAT traversal is standard operating procedure for most companies (or at least 2 of 3 of them).
Petty and un-ethical! (Score:4, Insightful)
Replace the word skype with virtually any other software and the article would still be valid.
I feel sick when i read such articles and I feel even sicker when an article like this http://www.enterprisenetworkingplanet.com/netsp/a
I am not a conspiracy theory kind of guy, but why the sudden noise about skype's insecure desgin using the http protocol to work over NAT at the same time that Microsoft and Cisco find a way for SIP to work "securely" over NAT?
Call me paranoid but I find this very weird!
OT: WANTED: Skype functionality on an isolated LAN (Score:4, Insightful)
OK, so Skype ISN'T OSS...
So, where'is the best OSS counterpart to Skype?
And [for us] where's something, preferably OSS,
that does IM & VoIP as well as Skype on a closed LAN?
We don't want to lose INTRA-office voice & text contact
whenever the Internet is unavailable or bandwidth to it
is low (eg, in Australia's Outback, & we DON'T want to
pay high Satellite rates to get what we want here
What are our options?
TIA
Re:Flawed analysis (Score:2, Insightful)
Ooh.. closed source is evil! By this logic, Info-Tech should recommend
banning Windows (to the delight, I'm sure, of many
What Info-Tech means by "closed source" is in fact "proprietary algorithm". The usual stance amongst cryptography researchers is that proprietary algorithms must be avoided at any price because they have not been cryptanalyzed as much as standard algorithms, so they have higher chances of being flawed. It would be much better if Skype replaced its algo by AES for example.
Re:Half-truths (Score:2, Insightful)
Hmm, should this be false too? Tom Berson from Anagram laboratories examined skype and wrote:
Read the whole article at http://www.skype.com/security/files/2005-031%20se
Re:Half-truths (Score:2, Insightful)
I particularly like this one. Can anyone think of any communications product that would not risk a communication barrier with countries and institutions that had banned the service?
I can - Skype. If you need to call Fred Smith at Acme Corp, who has banned Skype, then you can call him on Skype Out, or pick up a standard telephone (assuming your company or country has not banned or obsoleted them
Re:OT: WANTED: Skype functionality on an isolated (Score:2, Insightful)
You can buy proper phone handsets, or use softphones. You use a product like Asterix to link things together like Skype's server do.
Again, look at SIP
Self boosting via the media (Score:2, Insightful)
Re:Half-truths (Score:3, Insightful)
Internet Explorer is not standards-compliant (well, the big thing is that they don't actively work to be standards-compliant), but I don't see "research firms" calling for a ban on that.
WTF... (Score:4, Insightful)
Re:Think About it (Score:2, Insightful)
Wrong! - That would be overkill and will only serve as an unsubstantiated threat to bully people into not using Skype without posting a serious argument.
Get real, people. All Skype's ports are well documented and easily verifiable and any serious organization has a central firewall, so just block all traffic on these ports there and Skype is dead. I can do that using just one line of pf-rule so it really isn't hard at all.
You can even go a step futher and block everything except whitelisted ports, maybe even linked to specific IP's. This way there will be no backdoors regardless of how many trojans stupid lusers install on their Windoze boxes. We have used this for years and the few vira that made it though mailscanners were all harmless when it came to external access. Sure the boxes needed a re-install just to be safe but no hackers gained entry, nor was a single spam ever sent out (smtp is of course only allowed to the corporate mailservers (running FreeBSD), and only they can send and receive from the outside world).
No, this article has but one purpose: Scaring management from abandoning expensive big business-run communications in favour of cheaper/free alternatives. The security implications of Skype are no worse than any other closed-source software, the most common OS being one of the worst in itself.
Why not just ban human interaction altogether? (Score:2, Insightful)
I mean, why don't we ban the use of telephones, cell phones, fax machines, minute taking during meetings, and any contact with your colleagues and customers? I mean, are those devices fully compliant to the pseudo-security mumbo jumbo that these people pretend to affect IM and VOIP? I mean, that's what people do right? Block me from IM, and I SMS my friend, relatives, associates and customers from my mobile. Block me from Skype and I'll just pick up the phone or my mobile.
Could somebody please stop the insanity, and just write up a worldwide memo that people are just not to be trusted? And that any conversations or interactions with other people cannot be permitted without a lawyer and a permanent record. Oh wait a sec, and that record must be reviewed and signed off by all parties with all the relavent disclaimers attached to ensure that nobody's views are deemed accurate?
Why Skype is not popular (Score:3, Insightful)
1. Even if it is VoIP, it is desentralised. Businesses that implement VoIP generally use so with IP-telephones and IP-telephone centrals. They implement it as they did with old telephones. This makes the calls cheaper, but do not add the flexibility as a software based VoIP solution do.
2. It contains Chat and File Transfer (IM and P2P), causing a knee-jerk reaction to ban it. Both the hacker/pirate/illegal distribution of music, movies and applications, but also uncontrolled transfer of internal confidential information with no audit trail. Even if *we* know that any unfaithful worker can find other ways to steal information, it is a CMA (Cover My A**) procedure among the security folks.
3. The established telecommunication community fight against it, of course. It will eradicate their soft and cushy market. They will be demoted to Layer 1 and 2 communication providers and ruin everything they have worked to do the last 20 years... to spread out and be telecommunication services providers -- not just a provider of commodity products.
Mix these factors together, and you will have a strong lobby for banning Skype.
Re:Research? (Score:3, Insightful)
I'm sorry, I think they misspelled "It provides a service cheaper than the establishment, and someone would be losing money".
For instance, the company that manages Phone, Ethernet, and Cable (yes, one company does all three) in the apartment where I live has a policy that you can't use Skype or any other homebrew voip technology. They say it affects the quality of their network and introduces security risks. What the reality is is they don't want to purchase more bandwidth, and they already sell telephone service, so they don't want you to be able to skirt their fees.
Re:Half-truths (Score:1, Insightful)
It's no worse than PSTN, where anyone with a pair of aligator clips can intercept your call with stone age equipment.