
Research Group Pushes to Ban Skype

cowmix writes "Hot on the heels of Skype being purchased by eBay, a research group called Info-Tech just put out a recommendation to its customers that all corporations should ban the use of Skype on their networks. The report cites a laundry list of issues it feels plague Skype, most of which will have a familiar ring (i.e. the normal anti-IM and P2P talking points). Will this cool Skype's rapid progress into the business arena?"
  • Sounds Familiar (Score:4, Interesting)

    by Anonymous Coward on Sunday November 13, 2005 @04:37AM (#14019223)
    This seems to be happening frequently. There was a push to ban Skype in Aussie-land recently. Seems rather typical, but I doubt the bad press will have too much effect on Skype's momentum. Any business considering Skype as a solution would've disregarded such issues already.
  • Half-truths (Score:5, Interesting)

    by Anonymous Coward on Sunday November 13, 2005 @04:38AM (#14019226)
    Skype is not standards-compliant - true

    allowing it and any vulnerability to pass through corporate firewalls. false - true of any software

    Skype's encryption is closed source and prone to man-in-the-middle attacks. true - one has no cryptographic assurance that there is no MITM with Skype

    Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service. false

    Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk. FUD

    The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.

    false - lots of businesses use VoIP
  • Re:Not if (Score:5, Interesting)

    by Gentlewhisper ( 759800 ) on Sunday November 13, 2005 @04:38AM (#14019228)
    Not to sound like a troll, but who the hell is this Info-Tech group?

    Likewise we have groups like "The Yankee Group" and what have you endorsing cheesy TCO studies for Windows and stuff.

    So the dog has spoken, at the end of the day the question remains, who the hell fracking cares?
  • Nope (Score:3, Interesting)

    by davmoo ( 63521 ) on Sunday November 13, 2005 @04:57AM (#14019283)
    Will this cool Skype's rapid progress into the business arena?

    Businesses will decide to use or not use Skype based on one thing...and that article ain't it. They will make their decision based on the simple question does it save them money. If it does, they'll adopt it. If it doesn't, they won't.
  • Re:Valid Points (Score:1, Interesting)

    by Anonymous Coward on Sunday November 13, 2005 @05:02AM (#14019295)
    This particular article aside, how did Skype become the underdog? They're following the evil overlord's guide to internet monopoly to the letter. Is establishing a proprietary protocol really as simple as giving a small piece of closed source software away for free? Come on, didn't ICQ teach you anything?
  • by pasamio ( 737659 ) on Sunday November 13, 2005 @05:18AM (#14019345) Homepage

    "Companies that are already banning peer-to-peer applications, such as instant messaging, should add Skype to its list of unsanctioned software programs,"

    As stated elsewhere, if you're banning those, you'll be banning this. Plain consistency.

    "Unless an organization specifies instances where Skype use is acceptable, and outlines rules for client-side Skype settings, that's 17 million opportunities for a hacker to invade a corporate network."

    How does this differ to email and internet acceptable use policies? It's another service like everything else, even the same as your telephone. My company would kill me for making massive STD calls, that's acceptable use. A properly configured network isn't going to magically let a hacker in either, setting a policy doesn't change this.

    Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.

    Windows isn't standards compliant, IE most definitely isn't and has a lot more vulnerabilities against its name. Short of the Skype servers being compromised, I don't see this as an issue.

    Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.

    Who here has seen Microsoft or RSA's implementation of security? MITM attacks occur on any platform, people trust entire network security (including remote access) on closed source encryption...

    Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.

    Well there is the good ole telephone to use to communicate, but if I can get a cheap international call I'm going to use it do you think?

    Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.

    Well if I run packet sniffers to track these things I believe that's more than enough 'auditing' to get me through compliance laws. Logging everything in its entirety should be enough...can you do that with a regular telephone easily?

    The question of whether VoIP calls constitute a business record is a legal quagmire.

    Throwing Skype into the communications mix further clouds the issue.

    No, the point is that it hasn't been legally tested. The same issue was there for telephones and now that's been tested nobody has any issues with it. New technology has these, you'll find most companies get over it.

    "The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."

    Manage it like any other IT service. That's just common sense. A mediocre hacker can take advantage of an IE vulnerability...just wait, THEY HAVE! Oh no, let's not use IE either because it's a security vulnerability that has been REPEATEDLY demonstrated. Err, damn. If you don't manage your resources, any resource, you're setting yourself up for failure.

    Now we do use it in our enterprise to keep in contact with each other. The fact that I don't have to be in the office to get in contact with system administrators, network administrators, other programmers and the people I work with. It's pure text, but it allows us to do voice. We'd pay through the roof for some of the things that Skype has saved us. One of our senior managers left the country and we got back in touch with him over an issue using Skype. We had a longish call at little to no expense where it would have cost us an arm and a leg to make an international call. This is a non issue for us, it may scare people (FUD, who else does that..) but at the end of the day, VoIP is here to stay.

    On a closing note, how does VoIP affect companies that internally are pure VoIP then bridge to the normal PSTN? Does that mean all their calls are worthless even though externally it looks like a normal switch? I think not...

  • Bandwidth (Score:2, Interesting)

    by s-orbital ( 598727 ) <{slashdot.org} {at} {arthurk.com}> on Sunday November 13, 2005 @05:26AM (#14019362) Homepage Journal
    I love Skype, and frequently use Skype out to call long distance. However, I am concerned about its bandwidth (being a peer-to-peer program). My ISP charges me per megabyte of bandwidth over a certain quota; I know that several universities do this as well. Thus, I am forced to not leave Skype running 24/7 like I run GAIM.

    I wish at least, it would have an indicator of how much bandwidth it is consuming, or has consumed over a given time. Unfortunately it doesn't. I can also see why this could be a concern to corporate offices.
  • Re:Not if (Score:3, Interesting)

    by badfish99 ( 826052 ) on Sunday November 13, 2005 @05:41AM (#14019389)
    Well, try replacing "Skype" by "Microsoft" in the article, and try replacing "closed-source proprietary voip protocol" by "closed-source proprietary office document format".

    Skype isn't a monopoly (yet), but it obviously would like to be one at some time in the future - what business wouldn't? And it's putting all the right pieces in place to be just as evil a monopoly as Microsoft.

  • by exaviger ( 928938 ) <nathantal@REDHATgmail.com minus distro> on Sunday November 13, 2005 @05:49AM (#14019409)
    Hate replying to myself just wanted to add this:

    Last week, Microsoft purchased media-streams.com to add VoIP capabilities to its applications and servers. The acquisition fits in with Microsoft's plan to integrate e-mail, IM, SMS, voice and conferencing services. In August, Microsoft bought Teleo, a developer of VoIP, PSTN termination and click-to-call technology, which can be used to bring VoIP to the IM space.

    So the obvious next plan would be to get rid of Skype, no?
  • Think About it (Score:3, Interesting)

    by Anonymous Coward on Sunday November 13, 2005 @05:56AM (#14019419)
    As a network administrator the idea of Skype being used for business purposes is a problem where this use is required to traverse the firewall.

    Why?

    Well, I (and probably many others) operate major firewalls on the basis of 'anything not explicitly permitted is denied'. Skype is a concern, because due to the closed source nature of the product and the absence of any independent reliable auditing I cannot say with any assurance exactly what Skype is capable of.

    Yes - I have read the manual, but there is no reason to believe that what the documentation provided states is the complete story.

    The next position you would responsibly take is that you accept the use of Skype, but manage it appropriately, preferably within a security policy (human readable paper) that end users read and agree to. The idea here is that you educate and inform your users of whatever risks there are, and do the best you can to manage those risks.

    Now, to manage anything you need to be able to measure and monitor it. Skype is a problem here, as its P2P technology, the use of relatively high grade encryption, routing and tunnelling make it extremely difficult to manage and monitor.

    Now slow down there bucko - I'm not talking about VOIP - I'm just talking about Skype. Many firewalls provide proxies to allow the management and monitoring of VOIP traffic (e.g. SIP, H323, etc). Skype is a different beast, and a far tougher nut to crack from a management perspective than more standards based VOIP technologies.

    VOIP looks good. It is something that can be managed on the same basis as HTTP.

    As a network manager I'm against Skype. If a problem appears (eg some nasty exploit) then it's going to be like pulling bamboo out of the garden. The only safe method to isolate an organisation is effectively to cut the link to the Internet.

    More standards compliant technologies such as SIP are far more attractive. Not only can they be managed in the same way as other more traditional protocols, they have a range of vendors supporting it, both open and closed source implementations are available.

    Skype is a weed.

  • Re:Flawed analysis (Score:3, Interesting)

    by badfish99 ( 826052 ) on Sunday November 13, 2005 @05:59AM (#14019423)
    - Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls. And how would this be different if Skype was standards compliant?

    It wouldn't. Until someone reported the vulnerability and it got fixed. This tends to happen very slowly with closed-source software. The same problem exists in Windows and any other closed-source software.

    Skype is a useful tool. That's all I've got to say about that.

    How about saying this: the phone system is useless unless everyone can talk to everyone else. If Skype could rise to a dominant position in the market - and what business isn't trying to do that - they would have a stranglehold on the market by virtue of their use of secret proprietary technology. No-one could inter-operate with them, except on their own terms.

    We've seen how bad this is in the computer software market. Do we want to set off down the same slippery slope in the telephone market?

  • Re:Half-truths (Score:3, Interesting)

    by jrockway ( 229604 ) * <jon-nospam@jrock.us> on Sunday November 13, 2005 @06:09AM (#14019444) Homepage Journal
    Not buying his arguments until I can see the source myself. Just because a hacker is dumb doesn't mean the security is good.
  • by Anonymous Coward on Sunday November 13, 2005 @06:14AM (#14019456)
    Countries don't ban Skype because of security issues; they ban it to prevent competition with the phone monopoly.

    Agreed. I'm in Pakistan. The major telecom, PTCL, which in effect controls nearly all net bandwidth in the country, has banned ISPs from adopting/adapting any sort of VOIP solution. Skype still works though.
  • Re:Half-truths (Score:3, Interesting)

    by DrSkwid ( 118965 ) on Sunday November 13, 2005 @06:48AM (#14019527) Journal
    I use it on FreeBSD

    You *can* change the ringtone you know

  • Re:Not if (Score:4, Interesting)

    by Jaseoldboss ( 650728 ) on Sunday November 13, 2005 @07:42AM (#14019629) Homepage Journal
    One of the reasons:

    Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.

    So follow our advice, ban it and create a communications barrier first?

    Seriously though, isn't Skype bad? Closed source, uses your bandwidth for other users. If it becomes the dominant standard surely that leaves it open to being milked for all it's worth by eBay?
  • Uh? sure.. (Score:3, Interesting)

    by SillyNickName4me ( 760022 ) <dotslash@bartsplace.net> on Sunday November 13, 2005 @08:18AM (#14019696) Homepage
    Let's see.. they seem to be making a couple of points...


            - Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.


    Skype is difficult to block unless you have a 'pass only what I know and approved' type of firewall setup, which you should have anyway if such things are a concern, in other words, BS argument.


            - Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.


    There are questions indeed about the encryption implementation. I find it interesting that on one side this tech research group claims that no one can look at how it works, and on the other side they make a claim about how it works (or actually fails).


            - Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.


    In other news, companies risk a communications barrier with countries not implementing a surface mail system, or a telephony system etc etc. Yes, from choices there may come limitations.. But it is not like using Skype prevents you using a normal phone or such.. In other words, more BS.


            - Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.


    Maybe... but I think that tech research or whatever they are called just did not look very well..


            - The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.


    Ok.. and now they owe me a new keyboard. This one is just too good to be true.


    Comments Armstrong, "The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."


    Sure, even a mediocre hacker can break it easily, but a paid-for research group cannot figure out how the encryption is implemented.

    Mr. Armstrong, you are full of shit.

    Yes, there are issues with Skype, and I'd indeed advise people to consider if they want to use it at all. That is even related to one of the points Armstrong and company are making, the closed source nature of it, and it being non-standard. The first major issue is privacy. eBay has shown to not care shit about people and their privacy, and since we cannot verify what they are doing with Skype, there is a reason I believe to distrust Skype now. It not using standards makes it harder to integrate into an organisation that already has a telecommunications infrastructure, and hence it is just not very suitable there.

  • Re:Flawed analysis (Score:3, Interesting)

    by bbn ( 172659 ) <baldur.norddahl@gmail.com> on Sunday November 13, 2005 @10:57AM (#14020089)

    Skype is a useful tool. That's all I've got to say about that.

    No it is not. Not for our business, where I already provide everyone with a phone system employees can use to call anyone free of charge. As long as it is business related.

    If the company needs to save money by using VoIP (which we actually already do), we will make the decision centrally. It is not a decision for every random employee.

    If the purpose of installing Skype is to make non-business related calls, then it is quite obvious why companies would like to prevent that.

  • Re:Not if (Score:1, Interesting)

    by Anonymous Coward on Sunday November 13, 2005 @03:56PM (#14021507)
    Hmm... According to the following two, the company has played sock puppet for our favorite *nix hater:

    http://searchopensource.techtarget.com/originalContent/0,289142,sid39_gci1079064,00.html?bucket=NEWS [techtarget.com]
    http://www.groklaw.net/articlebasic.php?story=20050823081138438 [groklaw.net]

    Now why would MS want to cloud the issues around VoIP. Could it be that they plan on entering the market?
