Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Businesses IT

Research Group Pushes to Ban Skype 196

cowmix writes "Hot on the heals of Skype being purchased by Ebay, a research group called Info-Tech just put out a recommendation to its customers that all corporations should ban the use of Skype on their networks. The reports sites a laundry list of issues it feels plagues Skype, most of which will have a familiar ring (ie the normal anti-IM and P2P talking points). Will this cool Skype's rapid progress into the business arena?"
This discussion has been archived. No new comments can be posted.

Research Group Pushes to Ban Skype

Comments Filter:
  • Not if (Score:4, Funny)

    by Cruithne ( 658153 ) on Sunday November 13, 2005 @03:35AM (#14019218)
    Will this cool Skype's rapid progress into the business arena?"

    Not if a first post on slashdot links to http://www.skype.com/ [skype.com]
    • Re:Not if (Score:5, Funny)

      by Cruithne ( 658153 ) on Sunday November 13, 2005 @03:38AM (#14019227)
      If you mod parent up, Skype will become more powerful than TFA could ever imagine...
    • Re:Not if (Score:5, Interesting)

      by Gentlewhisper ( 759800 ) on Sunday November 13, 2005 @03:38AM (#14019228)
      Not to sound like a troll, but who the hell is this Info-Tech group?

      Likewise we have groups like "The Yankee Group" and what have you endorsing cheesy TCO studies for Windows and stuff.

      So the dog has spoken, at the end of the day the question remains, who the hell fracking cares?
      • Re:Not if (Score:5, Informative)

        by farker haiku ( 883529 ) on Sunday November 13, 2005 @03:56AM (#14019277) Journal
        Well, I tried to find out how legit they were by reading some of their "white papers" like their guide to securing 802.11, but the cost was 450 dollars a year [infotech.com] for membership. Heh.
        • Re:Not if (Score:5, Funny)

          by Anonymous Coward on Sunday November 13, 2005 @04:09AM (#14019316)
          If they charge a lot of money for membership, they must be good!
        • Comment removed based on user account deletion
          • Re:Not if (Score:4, Interesting)

            by Jaseoldboss ( 650728 ) on Sunday November 13, 2005 @06:42AM (#14019629) Homepage Journal
            One of the reasons:

            Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.

            So follow our advice, ban it and create a communications barrier first?

            Seriously though, isn't Skype bad? Close source, uses your bandwidth for other users. If it becomes the dominant standard surely that leaves it open to being milked for all it's worth by eBay?
      • Re:Not if (Score:3, Interesting)

        by badfish99 ( 826052 )
        Well, try replacing "Skype" by "Microsoft" in the article, and try replacing "closed-source proprietory voip protocol" by "closed-source proprietory office document format".

        Skype isn't a monopoly (yet), but it obviously would like to be one at some time in the future - what business wouldn't? And it's putting all the right pieces in place to be just as evil a monopoly as Microsoft.

        • you are right, I was immediately thinking about how skype differs from e.g. MSN messenger, or Internet Explorer ....

          nohow .....

          and by the way what the hell is undetectable and untraceable mean ?????
          They meant you could not sniff it? Listen to it? Or see if it is installed on a computer?

          I am not affiliated to skype in any way, but since the telco charger $1+ /minute for overseas calls, I am a happy individual and business user in one...

          not secure or secure, my windows box is a throw-away installation, som
    • My previous company used it extensively talking to developers and QA people in Moscow and Pakistan. The voice quality was dramatically better than regular phone lines, more reliable, and cheaper ("free" w/ internet access, and broadband is available almost everywhere now.)

      The bottom line is that companies that use it are going to save money and be more competitive, beating out the companies that don't. Unless that changes, they'll accept any of the mentioned risks even if the report was 100% true (which i
  • Sounds Familiar (Score:4, Interesting)

    by Anonymous Coward on Sunday November 13, 2005 @03:37AM (#14019223)
    This seems to be happening frequently. There was a push to ban Skype in Aussie-land recently. Seems rather typical, but I doubt the bad press will have too much effect on Skype's momentum. Any business considering Skype as a solution would've disregarded such issues already.
  • Half-truths (Score:5, Interesting)

    by Anonymous Coward on Sunday November 13, 2005 @03:38AM (#14019226)
    Skype is not standards-compliant true

    allowing it and any vulnerability to pass through corporate firewalls. false - true of any software

    Skype's encryption is closed source and prone to man-in-the-middle attacks. true - one has no cyptographic assurance that there is no MITM with Skype

    Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service. false

    Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk. FUD

    The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.

    false - lots of businesses use VoIP
    • Re:Half-truths (Score:2, Insightful)

      by Suomi-Poika ( 453539 )
      "Skype's encryption is closed source and prone to man-in-the-middle attacks. true - one has no cyptographic assurance that there is no MITM with Skype"

      Hmm, should this be false too? Tom Berson from Anagram laboratories examined skype and wrote:

      Skype uses a proprietary session-establishment protocol. The cryptographic purposes of this protocol are to protect against replay, to verify peer identity, and to allow the communicating peers to agree on a secret session key. The communicating peers then use their s

    • Re:Half-truths (Score:2, Insightful)

      by afaik_ianal ( 918433 )
      Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service. false

      I particularly like this one. Can anyone think of any communications product that would not risk a communication barrier with countries and institutions that had banned the service?

      I can - Skype. If you need to call Fred Smith at Acme Corp, who has banned Skype, then you can call him on Skype Out, or pick up a standard telephone (assuming your company or country has not banned o
    • Re:Half-truths (Score:3, Insightful)

      by xgamer04 ( 248962 )
      Skype is not standards-compliant true

      Internet Explorer is not standards-compliant (well, the big thing is that they don't actively work to be standards-compliant), but I don't see "research firms" calling for a ban on that.
    • With respect to:

      Skype's encryption is closed source and prone to man-in-the-middle attacks. true - one has no cyptographic assurance that there is no MITM with Skype

      Note that this report addresses that specifically and has been discussed at length at the various crypto mailing lists:

      This evaluation report [skype.net] (PGP signature file [skype.net]) provides a detailed review of the security framework that is incorporated into Skype products. Skype provides its users with protections against a wide range of possible att

    • I think they're reaching just a bit too far... Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.

      Wait... if you talk try talking to a country that has banned Skype, you can't talk to them? No way! Oh, because you can't reach them, banning it on your side improves things? No - Fucking Duh.

    • Actually, all proprietary software is unauditable. There's no way to know what the software will do in any circumstance until it does something. Believing that you have seen all the program can do is unwise. Tracing calls that go from Skype user to Skype user can only be done with the help of the Skype service provider. If Skype is uncooperative you've only got what your logs tell you. If the call is encrypted (as we're led to believe with Skype, although proprietary encryption is inherently untrustwor
  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Sunday November 13, 2005 @03:39AM (#14019230)
    Comment removed based on user account deletion
    • Re:Valid Points (Score:5, Insightful)

      by Spoke ( 6112 ) on Sunday November 13, 2005 @04:23AM (#14019357)
      All of the points in the article were valid points.

      Not even close to all of the points were valid points. Not even half of them made any sense! And you can't even call TFA an article, it's a friggin' press release.

      VOIP, closed source and NAT traversal are hardly anything that your typical business spends any time worrying about. In fact, VOIP, closed source software and NAT traversal is standard operating procedure for most companies (or at least 2 of 3 of them).
  • by kihjin ( 866070 ) on Sunday November 13, 2005 @03:39AM (#14019233)
    Comments Armstrong, "The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."

    Armstrong, you misspelled Windows.
  • Non-issue really (Score:5, Insightful)

    by aussie_a ( 778472 ) on Sunday November 13, 2005 @03:40AM (#14019237) Journal
    Companies that are already banning peer-to-peer applications, such as instant messaging, should add Skype to its list of unsanctioned software programs

    Well no shit, sherlock. If a company feels that IM software (such as AIM or MSN) is a security risk, then of course they should consider Skype a security risk. It's called consistency. This is really a non-issue. New messaging program comes out (which in a way, is what Skype is), companies that ban other messaging programs add it to their ban list. Those that don't ban messaging programs, don't.

    This is pretty much a non-article. And it won't slow the proliferation of Skype in the business world, because I doubt companies that banned other IM programs, really needed Info-Tech to tell them to add Skype to the list (I'm sure Info-Tech is just doing it to be consistent as well).
    • What does Info-Tech have to gain from a decrease in Skype's popularity? Look for an ulterior motive here.
       
    • ...when you talk about banning AIM, MSN, Yahoo, or ICQ at a single point of entry, most firewall filtering works. To my knowledge only Juniper Netscreen and Cisco Pix even give you the option to block Skype. Skype is trickier by far and it was designed to get around corporate firewalls. Other than excessive outgoing bandwidth issues it can be hard to find and hard to stop.

      • Actually, IM is harder to block than one would expect. This is especially true of MSN. The system uses a number of systems for login and those IPs seem to change relatively regularly. The client will try to use the MSN-specific ports to make an outbound connection and, failing that, will fall back to port 80. The only way that I've found to block it reliably is with an IDS system that can find the signature of MSN traffic, then send TCP resets to kill the connections.

        BTW, it is somewhat possible to see
  • A company recommended that other companies stop using a program. Big whoop, M$ has been recommending that about Linux for years. Sure it may SLOW Skype's progress, but I don't think it'll demolish it by any means. If it really does boost productivity in the corporate world, corporations are unlikely to ban it.
  • Research? (Score:5, Insightful)

    by ageitgey ( 216346 ) on Sunday November 13, 2005 @03:42AM (#14019240) Homepage
    Reasons to ban Skype:
    • 3. Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
    Really? Are you serious? That's what you guys came up with? Should we ban blackberry pagers because not all employees have mobile email access and thus might face a communication barrier with those who do?
    • It's actually a recursive loop. "Other businesses are banning Skype because other businesses are banning skype because other businesses are banning skype because other businesses are banning skype because other businesses are banning skype..." I wonder how it got started though? I bet it was those dastardly Packet8 fellows.
    • I think they mean that corporations might not want to do business with a company that has insecure communications (skype). They might want to ensure that even their suppliers are keeping secret information safe.
    • Re:Research? (Score:3, Insightful)

      by zerocool^ ( 112121 )

      I'm sorry, I think they misspelled "It provides a service cheaper than the establishment, and someone would be losing money".

      For instance, the company that manages Phone, Ethernet, and Cable (yes, one company does all three) in the apartment where I live has a policy that you can't use Skype or any other homebrew voip technology. They say it affects the quality of their network and introduces security risks. What the reality is is they don't want to purchase more bandwidth, and they already sell telephone
    • In related news the French Consulate has issued a press release stating that "Enterprises using English risk a communication barrier with countries and institutions that have already banned the language."

      -
  • by aussie_a ( 778472 ) on Sunday November 13, 2005 @03:44AM (#14019246) Journal
    Approximately 17 million registered Skype users are using the service for business purposes," says Armstrong. "Unless an organization specifies instances where Skype use is acceptable, and outlines rules for client-side Skype settings, that's 17 million opportunities for a hacker to invade a corporate network.

    Wait. So just by having a policy, Skype becomes unhackable? That's incredible. I never knew that a policy (no matter what the policy was) could work so well. Perhaps if all businesses developed a policy like "No computer shall have Windows installed on it" then the amount of hacking businesses suffer from would drop dramatically. All because someone created a document.

    Thanks Info-Tech. You just saved my business!

    P.S. I was being sarcastic. Although creating a policy banning Windows WOULD decrease the amount of hacking that occurs.
  • Flawed analysis (Score:5, Insightful)

    by d_jedi ( 773213 ) on Sunday November 13, 2005 @03:50AM (#14019255)
    - Skype is not standards-compliant, allowing it and any vulnerability to
                  pass through corporate firewalls.

    And how would this be different if Skype was standards compliant?

            - Skype's encryption is closed source and prone to man-in-the-middle
                  attacks. There are also some unanswered questions about how well the
                  keys are managed.

    Ooh.. closed source is evil! By this logic, Info-Tech should recommend banning Windows (to the delight, I'm sure, of many /.ers)

            - Enterprises using Skype risk a communication barrier with countries
                  and institutions that have already banned the service.

    Is this a joke? I dunno about you, but I haven't seen any companies completely give up.. what's that thing?.. the telephone in favour of Skype..

    Skype is a useful tool. That's all I've got to say about that.
    • - Skype's encryption is closed source and prone to man-in-the-middle
      attacks. There are also some unanswered questions about how well the
      keys are managed.


      Ooh.. closed source is evil! By this logic, Info-Tech should recommend banning Windows (to the delight,

    • - Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls. And how would this be different if Skype was standards compliant?

      The difference is whether you can buy a proxy that firewalls and filters the IM service. If you're a company who thinks you need to "control" IM use (legal obligation in some industries) then you can install a box that intercepts, rule-checks and forwards AIM, MSN chat, or Jabber. If you're running Skype then the nannyb

    • Re:Flawed analysis (Score:3, Insightful)

      by TrekkieGod ( 627867 )
      And how would this be different if Skype was standards compliant?

      The idea is that before something becomes a standard, it has been used for years, and most vulnerabilities have been found. Plus, lots of people have seen how it works, so more people can discover vulnerabilities and patch them. Yeah, if someone finds a new one, it's no different, and they phrased that incorrectly.

      Ooh.. closed source is evil!

      No, but closed source encryption most definitely is. If your corporation is counting on skype'

    • [...Skype's encryption is closed source...]
      Ooh.. closed source is evil! By this logic, Info-Tech should recommend
      banning Windows (to the delight, I'm sure, of many /.ers)

      What Info-Tech means by "closed source" is in fact "proprietary algorithm". The usual stance amongst cryptography researchers is that proprietary algorithms must be avoided at any price because they have not been cryptanalyzed as much as standard algorithms, so they have higher chances of being flawed. It would be much better if Skype

      • No, what they mean by "closed source" really *is* "closed source and no useful documentation on the internals or protocols". For many products, this tends to mean proprietary algorithms and a bunch of bogus junk, but that's not quite the case here. They've released some statements to the public, and had some consultants look at it under appropriate non-disclosure, and some researchers have done some reverse-engineering. They're quite explicit about the fact that they *do* use AES for the media encryptio
        • The problem is, I don't have any respect to Skype founder which is responsible for most clever, evil spyware on Earth, Kazaa.

          There are open ways to implement a distributed SIP protocol, see

          http://www.gizmoproject.com/ [gizmoproject.com]

          I am not using a distributed, closed source protocol which is coming from one of inventors of original spyware.
          • Been said once, and now i've got to say it again...the maker of skype had NOTHING to do with the kazaa you are thinking of. They sold Kazaa long before any of the spyware etc was put into it.

            From wikipedia:

            In November 2001, the court ordered Kazaa's owners to take steps to prevent its users from violating copyrights or else pay a heavy fine. Consumer Empowerment responded by selling the Kazaa application to a complicated mesh of offshore companies, primarily Sharman Networks, headquartered in Australia and
            • No, Kazaa was always adware and spyware. The current practices of any company today DOES NOT MATTER as average computer user now knows what spyware is and software giants like Microsoft offer anti spyware for free.

              Nowadays companies feeding the worst spyware to people _had to_ remove spyware from their bundles as it became a security concern even NSA cares about. Of course, their PR department works very fine, now they brag about being "spyware free!".

              I am always concerned about the practices of companies _
        • Of course they arent using diffie hellman exchange because they are using a pub/priv RSA key system to exchange the symetric AES keys. This is much more secure than a DH exchange. (not vuln to man-in-the-middle like DH can be)
          • Actually, no, RSA is *not* much more secure than DH against typical threats, because it doesn't provider Perfect Forward Secrecy. If anybody compromises your RSA private keys (e.g. steals your PC or gets a search warrant), they can crack any previous calls they've wiretapped. Depending on how they've implemented key exchange, RSA can also have MITM attacks (e.g. compromise a supernode), and I don't remember if the security analysis paper found that to be a risk or not.

            Diffie-Hellman _does_ require MITM pr

      • Actually, skype does use AES-256.

        From the site:

        "Skype uses AES (Advanced Encryption Standard) - also known as Rijndel - which is also used by U.S. Government organizations to protect sensitive information. Skype uses 256-bit encryption, which has a total of 1.1 x 10^77 possible keys, in order to actively encrypt the data in each Skype call or instant message. Skype uses 1536 to 2048 bit RSA to negotiate symmetric AES keys. User public keys are certified by Skype server at login."

        So, assuming the skype serve
    • Re:Flawed analysis (Score:3, Interesting)

      by badfish99 ( 826052 )
      - Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls. And how would this be different if Skype was standards compliant?

      It wouldn't. Until someone reported the vulnerability and it got fixed. This tends to happen very slowly with closed-source software. The same problem exists in Windows and any other closed-source software.

      Skype is a useful tool. That's all I've got to say about that.

      How about saying this: the phone system is useless unless everyone

    • The company makes the following arguments:
      • Skype is not standards-compliant, allowing it and any vulnerability to
        pass through corporate firewalls.

        Skype doesn't comply with many of the popular standards, and it is designed to pass through firewalls fairly aggressively, including NAT traversal, which most of the standards-compliant VOIP protocols aren't very good at. But those are separate issues, and should be dealt with honestly. Beating them up for these problems separately is a much much stron
    • Re:Flawed analysis (Score:3, Interesting)

      by bbn ( 172659 )

      Skype is a useful tool. That's all I've got to say about that.

      No it is not. Not for our business, where I already provide everyone with a phone system employees can use to call anyone free of charge. As long as it is business related.

      If the company needs to save money by using VoIP (which we actually already do), we will make the decision centrally. It is not a decision for every random employee.

      If the purpose of installing Skype is to make non-business related calls, then it is quite obvious why co

  • Reasons to ban Skype:

    3. Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.

    Entire countries can ban the use of Skype?

    Before I make a knee-jerk comment about totalitarian/nanny-state governments, could I turn in another knee-jerk direction and first suggest that such governments turn their nationwide-banning attention to Windows?

  • by aywwts4 ( 610966 ) on Sunday November 13, 2005 @03:54AM (#14019276)
    One of the services they offer are VOIP comparisons for 200 dollars, Of their twelve endorsed vendors Skype is nowhere on the list. http://www.infotech.com/Products%20and%20Services/ Vendor%20and%20Software%20Selection/VoIP.aspx [infotech.com]

    Now lets not give this poor piece of press release any more credence then it deserves, It may be on yahoo's page but its only the equivalent of a company making a mock news story about themselves.
  • Nope (Score:3, Interesting)

    by davmoo ( 63521 ) on Sunday November 13, 2005 @03:57AM (#14019283)
    Will this cool Skype's rapid progress into the business arena?

    Businesses will decide to use or not use Skype based on one thing...and that article ain't it. They will make their decision based on the simple question does it save them money. If it does, they'll adopt it. If it doesn't, they won't.
  • Mediocre Hacker? (Score:4, Insightful)

    by aussie_a ( 778472 ) on Sunday November 13, 2005 @04:05AM (#14019305) Journal
    The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability.

    1> Has there BEEN any vulnerabilities reported? If not, let's not get carried away and say that the vulnerabilities in Skype (and there ARE vulnerabilities. It's a piece of software that uses the internet, OF COURSE there's vulnerabilities) are easy to use until they've been reported.

    2> Will Info-Tech be recommending the banning of Windows anytime soon? After all, any mediocre hacker can take advantage of a Windows vulnerability.
    • Has there BEEN any vulnerabilities reported?

      Yes, and Skype even has a web page dedicated to describing them:
      http://www.skype.com/security/bulletins.html [skype.com]

      And all of the listed vulnerabilities there have been fixed.
    • Skype has had three published vulnerabilities this year; two very recent ones that are marked as such in the changelog, and one in March or so that was labelled as a "bugfix". Nothing ground-shattering, but there have been some, yes.
    • If you are going to say skype is a security risk then yes, it could be. But the risk of buffer overflow attacks will be higher on windows because its the juicy targets.

      Run skype on something less mainstream, like freebsd or unix, and the chance of a worm exploiting your box is significantly smaller.

      same for the email client, the word processor, flash (an attack for flash's latest patch is out in the field now), etc. etc. Any program that processes data from untrusted sources is a security risk, but windows
  • by pasamio ( 737659 ) on Sunday November 13, 2005 @04:18AM (#14019345) Homepage

    "Companies that are already banning peer-to-peer applications, such as instant messaging, should add Skype to its list of unsanctioned software programs,"

    As stated elsewhere, if you're banning those, you'll be banning this. Plain consistency.

    "Unless an organization specifies instances where Skype use is acceptable, and outlines rules for client-side Skype settings, that's 17 million opportunities for a hacker to invade a corporate network."

    How does this differ to email and internet acceptable use policies? Its another service like everything else, even the same as your telephone. My company would kill me for making massive STD calls, thats acceptable use. A properly configured network isn't going to magically let a hacker in either, setting a policy doesn't change this.

    Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.

    Windows isn't standards compliant, IE most definatley isn't and has a lot more vulnerabilities against its name. Short of the Skype servers being compromised, I don't see this as an issue.

    Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.

    Who here has seen Microsoft or RSA's implementation of security? MITM attacks occur on any platform, people trust entire network security (including remote access) on closed source encryption...

    Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.

    Well there is the good ole telephone to use to communicate, but if I can get a cheap international call I'm going to use it do you think?

    Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.

    Well if I run packet sniffers to track these things I believe thats more than enough 'auditing' to get me through compliance laws. Logging everything in its entirety should be enough...can you do that with a regular telephone easily?

    The question of whether VoIP calls constitute a business record is a legal quagmire.

    Throwing Skype into the communications mix further clouds the issue.

    No the point is that it hasn't been legally tested. The same issue was there for telephones and now thats been tested nobody has any issues with it. New technology has these, you'll find most companies get over it.

    "The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."

    Manage it like any other IT service. Thats just common sense. A mediocre hacker can take advantage of an IE vulnerability...just wait, THEY HAVE! Oh no, lets not use IE either because its a security vulernability that has been REPEATEDLY demonstrated. Err, damn. If you don't manage your resources, any resource, you're setting yourself up for failure.

    Now we do use it in our enterprise to keep in contact with each other. The fact that I don't have to be in the office to get in contact with system administrators, network administators, other programmers and the people I work with. Its pure text, but it allows us to do voice. We'd pay through the roof for some of the things that Skype has saved us. One of our senior managers left the country and we got back in touch with him over an issue using Skype. We had a longish call at little to no expense where it would have cost us an arm and a leg to make an international call. This is a non issue for us, it may scare people (FUD, who else does that..) but at the end of the day, VoIP is here to stay.

    On a closing note, how does VoIP effect companies that internally are pure VoIP then bridge to the normal PSTN? Does that mean all their calls are worthless even though externally it looks like a normal switch? I think not...

  • Bandwidth (Score:2, Interesting)

    by s-orbital ( 598727 )
    I love skype, and frequently use skype out to call long distance. However, I am concerned about its bandwidth (Being a peer-to-peer program). My ISP charges me per megabyte of bandwith over a certain quota; I know that several universities do this as well. Thus, I am forced to not leave skype running 24/7 like I run GAIM.

    I wish at least, it would have an indicator of how much bandwidth it is consuming, or has consumed over a given time. Unfortunately it doesn't. I can also see why this could be a concern to
    • The bandwidth usage is due to your Skype client running as a supernode and acting as a relay for other Skype users who are behind firewalls and NATs.

      Skype has a guide [skype.com] for network administrators, and there's also this analysis [columbia.edu] of the Skype protocol.

  • by exaviger ( 928938 ) <<moc.liamg> <ta> <latnahtan>> on Sunday November 13, 2005 @04:42AM (#14019391)
    This sounds like a direct attack on skype

    Replace the word skype with virtually any other software and the article would still be valid.

    I feel sick when i read such articles and I feel even sicker when an article like this http://www.enterprisenetworkingplanet.com/netsp/ar ticle.php/3563226 [enterprise...planet.com] gets relased at virtually the same time.

    I am not a conspiracy theory kind of guy, but why the sudden noise about skype's insecure desgin using the http protocol to work over NAT at the same time that Microsoft and Cisco find a way for SIP to work "securely" over NAT?

    Call me paranoid but I find this very weird!
    • Hate replying to myself just wanted to add this:

      Last week, Microsoft purchased media-streams.com to add VoIP capabilities to its applications and servers. The acquisition fits in with Microsoft's plan to integrate e-mail, IM, SMS, voice and conferencing services. In August, Microsoft bought Teleo, a developer of VoIP, PSTN termination and click-to-call technology, which can be used to bring VoIP to the IM space.

      So the obvious next plant would be to get rid of skype, no?
  • by ivi ( 126837 ) on Sunday November 13, 2005 @04:43AM (#14019395)

      OK, so Skype ISN'T OSS...

      So, where'is the best OSS counterpart to Skype?

      And [for us] where's something, preferably OSS,
      that does IM & VoIP as well as Skype on a closed LAN?

      We don't want to lose INTRA-office voice & text contact
      whenever the Internet is unavailable or bandwidth to it
      is low (eg, in Australia's Outback, & we DON'T want to
      pay high Satellite rates to get what we want here ;-)

      What are our options?

      TIA
    • by Anonymous Coward
      Look at SIP.

      You can buy proper phone handsets, or use softphones. You use a product like Asterix to link things together like Skype's server do.

      Again, look at SIP
    • Anonymous Coward mentions SIP and Asterisk. SIP is the emerging standard for VOIP, designed by Internet type people as a followon to the older H.323, which looks too much like ugly ISDN telco standards. Asterisk is a popular SIP-based PBX implementation, and there are other open-source SIP systems as well. Pulver.com's Free World Dialup is another good source of information. But there's a lot of legacy H.323 as well, and most of the Cisco gear runs a Cisco-proprietary/prestandard protocol called "Skinny
    • http://www.gizmoproject.com/ [gizmoproject.com]

      It's not very Off topic anyway.

      They made World standard SIP protocol distributed in an open source way.

      Support is plain amazing, they replied to my crash report (which _I_ included my mail) in 20 minutes which shocked me.

      I wonder if /. geeks have Kazaa installed in their machines as it's coming from same company? Right, eBay purchased them, code is still same, closed source.

      A funny fact which I can't stand without saying is, I wanted to make sure Skype is coming from Kazaa, not i
  • Think About it (Score:3, Interesting)

    by Anonymous Coward on Sunday November 13, 2005 @04:56AM (#14019419)
    As a network administrator the idea of Skype being used for business purposes is a problem where this use is required to traverse the firewall.

    Why ?

    Well, I (and probably many others) operate major firewalls on the basis of 'anything not explicitly permitted is denied'. Skype is a concern, because due to the closed source nature of the product and the absence of any independant reliable auditing I cannot say with any assurance exactly what Skype is capable of.

    Yes - I have read the manual, but there is no reason to believe that what the documentation provided states is the complete story.

    The next position you would responsibly take is that you accept the use of Skype, but manage it appropriately, preferably within a security policy (human readable paper) that end users read and agree to. The idea here is that you educate and inform your users of whatever risks there are, and do the best you can to manage those risks.

    Now, to manage anything you need to be able to measure and monitor it. Skype is a problem here, as it's P2P technology, the use of relativly high grade encryption, routing and tunnelling make it extremely to manage and monitor.

    Now slow down there bucko - I'm not talking about VOIP - I'm just talking about Skype. Many firewalls provide proxies to allow the management and monitoring of VOIP traffic (eg SIP, H323, etc). Skype is a different beast, anda far toougher nut to crack from a management perspective than more standards based VOIP technologies.

    VOIP looks good. It is something that can be managed on the same basis as HTTP.

    As a network manager I'm against Skype. If a problem appears (eg some nasty exploit) then it's going to be like pulling bamboo out of the garden. The only safe method to isolate an organisation is effectively to cut the link to the Internet.

    More standards compliant technologies such as SIP are far more attractive. Not only can they be managed in the same way as other more traditional protocols, they have a range of vendors suporting it, both open and closed source implementations are availble.

    Skype is a weed.

    • Re:Think About it (Score:2, Insightful)

      by xenobyte ( 446878 )
      As a network manager I'm against Skype. If a problem appears (eg some nasty exploit) then it's going to be like pulling bamboo out of the garden. The only safe method to isolate an organisation is effectively to cut the link to the Internet.

      Wrong! - That would be overkill and will only serve as an unsubstantiated threat to bully people into not using Skype without posting a serious argument.

      Get real, people. All Skype's ports are well documented and easily verifiable and any serious organization has a centr
  • Thats all this article seems like is some idiotic consulting firm throwing out a big popular piece of software (skype) and talking it down, when their business is to suggest others. How pathetic can it possibly get? Every program is a security risk. Every program has the potential to be used in a way distracting from an employees work. Most programs, in most workplaces, are closed source nonsense. Stupid, article.
  • WTF... (Score:4, Insightful)

    by Hymer ( 856453 ) on Sunday November 13, 2005 @05:34AM (#14019498)
    from TFA :
    1. Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.
    2. Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.
    3. Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
    4. Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.
    5. The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.
    ...and what I think about them...
    1. Neither is MS Office (or several other MS products), Adobe Photoshop etc.
    2. So are several other encryppiton schemes... and a man in the middle attack is in fact easiest to make on a POTS, just connect a speaker to the wire.
    3. Use SkypeOut, POTS or a cell phone ?
    4. That seems to be the mantra now : encapsulate everything in HTTP
    5. Busuness record ? if it is not on paper or other approved medium it is not a valid record... and btw. VoIP on a Cisco CallManager is strictly speaking still just VoIP, so I presume that several large banks have the same problem ?
    No, I do not defend Skype, I do however attack Info-Tech's lack of sanity !!
  • Their reasons look perfectly reasonable to me. Note that they aren't saying that VoIP or IM should all be banned, they are specifically referring to systems like Skype.

    What are the properties that make Skype dangerous? It's not standards-compliant, doesn't permit application-level proxies, its encryption is closed source, and it can't be audited in the way that many corporations are required to audit communications.

    If you want to make personal calls from work, use your cell phone. And if you are looking
    • Their reasons for banning Skype could apply directly to most closed source software implementations without peer-review.

      What are the properities that make Windows dangerous? It's not standards-compliant, uses closed source encryption.

      The only one that doesn't apply to most other packages is the audting of communications. And even then, when you are using encrypted mail clients, and encrypted IM clients, god knows what goes in and out.

      And yes, many corporations sign/encrypted e-mails by default.

      Skype is no w
  • All this craziness about banning IM and VOIP services within the confines of the corporate walls is even scarier than big brother. It is big brother without any brains behind it. There are several assumptions that are just scary in the notion that employees cannot be trusted. Honestly, this is the real paranoia behind it all isn't it? That you can't trust your employees?

    I mean, why don't we ban the use of telephones, cell phones, fax machines, minute taking during meetings, and any contact with your col
  • From the article

    >- Skype is not standards-compliant, allowing it and any vulnerability
    Dito Windows

    >- Skype's encryption is closed source
    Dito Windows

    If those are good reasons for banning Skype, maybe we can apply them to Windows, Office document formats...
  • is not solving any problems - it just creates more problems. Skype may have some bad sides like it's not open and nobody really knows if there are security issues with it, but so far there have been a lot more security issues with Microsoft's messenger. - And Skype has anyway been quick to respond to the security issues that actually has occured.

    So was this researched and paid by M$???

    If Skype is banned - then there will just pop up a lot of other alternatives. And one good thing with Skype is that it a

  • by cartoon ( 39734 ) on Sunday November 13, 2005 @07:02AM (#14019672)
    ...in enterprise environments.

    1. Even if it is VoIP, it is desentralised. Businesses that implement VoIP generally use so with IP-telephones and IP-telephone centrals. They implement it as they did with old telephones. This makes the calls cheaper, but do not add the flexibility as a software based VoIP solution do.

    2. It contains Chat and File Transfer (IM and P2P), causing a knee-jerk reaction to ban it. Both the hacker/pirate/illegal distribution of music, movies and applications, but also uncontrolled transfer of internal confidential information with no audit trail. Even if *we* know that any unfaithful worker can find other ways to steal information, it is a CMA (Cover My A**) procedure among the security folks.

    3. The established telecommunication community fight against it, of course. It will eradicate their soft and cushy market. They will be demoted to Layer 1 and 2 communication providers and ruin everything they have worked to do the last 20 years... to spread out and be telecommunication services providers -- not just a provider of commodity products.

    Mix these factors together, and you will have a strong lobby for banning Skype.
  • by aarku ( 151823 ) on Sunday November 13, 2005 @07:12AM (#14019685) Journal
    And they are outlined in great length here [umn.edu].
  • Uh? sure.. (Score:3, Interesting)

    by SillyNickName4me ( 760022 ) <dotslash@bartsplace.net> on Sunday November 13, 2005 @07:18AM (#14019696) Homepage
    Lets see.. they seem to be makign a couple of points...


            - Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.


    Skype is difficult to bloick unless you have a 'pass only what I know and approved' type of firewall setup, which youy should have anyway if such things are a concern, in other words, BS argument.


            - Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.


    There are questions indeed about the encryption implementation. I find it interesting that on one side this tech research group claims that noone can look at how it owrks, and on the other side they make a claim about how it works (or actually fails).


            - Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.


    In other news, companies risk a communications barrier with countries not implementing a surface mail system, or a telephony system etc etc. Yes, from choices there may come limitations.. But it is not like using Skype prevents you using a normal phone or such.. In other words, more BS.


            - Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.


    Maybe... but I think that tech research or whatever they are called just did not look very well..


            - The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.


    Ok.. and now they owe me a new keyboard. This one is just too good to be true.


    Comments Armstrong, "The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."


    Sure, even a mediacore hacker can break it easily, but a payed for research group cannot figure out how the encryption is implemented.

    Mr. Armstrong, you are full of shit.

    Yes, there are issues with Skype, and I'd indeed advice peopel to consider if they want to use it at all. That is even related to one of the points Armstron and company are making, the closed source nature of it, and it being non-standard. The first major issue is privacy. Ebay has shown to not care shit about people and their privacy, and since we cannot verify what they are doing with Skype, there is a reason I believe to distrust Skype now. It not using standards makes it harder to integrate into an organisation that already has a telecommunications infrastructure, and hence it is just not very suitable there.

  • Skype has raised expectations for what internet telephone calls should sound like, and lowered expectations for what they should cost. Whatever the fate of Skype, its characteristics are the new standard.

    Excuse the pun, but you can't unring a bell.
  • Some of which are IP-based, although most are POTS offereings from the Telcos. Skype is just another competitor to them.

    --dave

The herd instinct among economists makes sheep look like independent thinkers.

Working...