Slashdot Mirror
Research Group Pushes to Ban Skype
cowmix writes "Hot on the heals of Skype being purchased by Ebay, a research group called Info-Tech just put out a recommendation to its customers that all corporations should ban the use of Skype on their networks. The reports sites a laundry list of issues it feels plagues Skype, most of which will have a familiar ring (ie the normal anti-IM and P2P talking points). Will this cool Skype's rapid progress into the business arena?"
Will this cool Skype's rapid progress into the business arena?"
Not if a first post on slashdot links to http://www.skype.com/
This seems to be happening frequently. There was a push to ban Skype in Aussie-land recently. Seems rather typical, but I doubt the bad press will have too much effect on Skype's momentum. Any business considering Skype as a solution would've disregarded such issues already.
Skype is not standards-compliant true
allowing it and any vulnerability to pass through corporate firewalls. false - true of any software
Skype's encryption is closed source and prone to man-in-the-middle attacks. true - one has no cyptographic assurance that there is no MITM with Skype
Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service. false
Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk. FUD
The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.
false - lots of businesses use VoIP
Comment removed based on user account deletion
Comments Armstrong, "The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."
Armstrong, you misspelled Windows.
This slashdot-related signature is a stub. You can help kihjin by expanding it.
"The reports sites a laundry list of issues"..
should be "The report cites..."
Took me a few seconds to make sense of that sentence.
Companies that are already banning peer-to-peer applications, such as instant messaging, should add Skype to its list of unsanctioned software programs
Well no shit, sherlock. If a company feels that IM software (such as AIM or MSN) is a security risk, then of course they should consider Skype a security risk. It's called consistency. This is really a non-issue. New messaging program comes out (which in a way, is what Skype is), companies that ban other messaging programs add it to their ban list. Those that don't ban messaging programs, don't.
This is pretty much a non-article. And it won't slow the proliferation of Skype in the business world, because I doubt companies that banned other IM programs, really needed Info-Tech to tell them to add Skype to the list (I'm sure Info-Tech is just doing it to be consistent as well).
A company recommended that other companies stop using a program. Big whoop, M$ has been recommending that about Linux for years. Sure it may SLOW Skype's progress, but I don't think it'll demolish it by any means. If it really does boost productivity in the corporate world, corporations are unlikely to ban it.
Uninnovate - Only the finest in engineering.
Approximately 17 million registered Skype users are using the service for business purposes," says Armstrong. "Unless an organization specifies instances where Skype use is acceptable, and outlines rules for client-side Skype settings, that's 17 million opportunities for a hacker to invade a corporate network.
Wait. So just by having a policy, Skype becomes unhackable? That's incredible. I never knew that a policy (no matter what the policy was) could work so well. Perhaps if all businesses developed a policy like "No computer shall have Windows installed on it" then the amount of hacking businesses suffer from would drop dramatically. All because someone created a document.
Thanks Info-Tech. You just saved my business!
P.S. I was being sarcastic. Although creating a policy banning Windows WOULD decrease the amount of hacking that occurs.
Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.
There's a lot of stuff prone to MITM attacks. Nothing new here.
Your sig(k) has been stolen. There is a puff of smoke!
- Skype is not standards-compliant, allowing it and any vulnerability to
/.ers)
pass through corporate firewalls.
And how would this be different if Skype was standards compliant?
- Skype's encryption is closed source and prone to man-in-the-middle
attacks. There are also some unanswered questions about how well the
keys are managed.
Ooh.. closed source is evil! By this logic, Info-Tech should recommend banning Windows (to the delight, I'm sure, of many
- Enterprises using Skype risk a communication barrier with countries
and institutions that have already banned the service.
Is this a joke? I dunno about you, but I haven't seen any companies completely give up.. what's that thing?.. the telephone in favour of Skype..
Skype is a useful tool. That's all I've got to say about that.
I am the maverick of Slashdot
It's actually a recursive loop. "Other businesses are banning Skype because other businesses are banning skype because other businesses are banning skype because other businesses are banning skype because other businesses are banning skype..." I wonder how it got started though? I bet it was those dastardly Packet8 fellows.
Reasons to ban Skype:
3. Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
Entire countries can ban the use of Skype?
Before I make a knee-jerk comment about totalitarian/nanny-state governments, could I turn in another knee-jerk direction and first suggest that such governments turn their nationwide-banning attention to Windows?
One of the services they offer are VOIP comparisons for 200 dollars, Of their twelve endorsed vendors Skype is nowhere on the list. http://www.infotech.com/Products%20and%20Services/ Vendor%20and%20Software%20Selection/VoIP.aspx
Now lets not give this poor piece of press release any more credence then it deserves, It may be on yahoo's page but its only the equivalent of a company making a mock news story about themselves.
Web Developers: Celebrate to our roots! Animated Gifs and Tiled Backgrounds, dont let our history die!
Will this cool Skype's rapid progress into the business arena?
Businesses will decide to use or not use Skype based on one thing...and that article ain't it. They will make their decision based on the simple question does it save them money. If it does, they'll adopt it. If it doesn't, they won't.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
Please, let's ban something that allows tens of thousands of people to talk to their friends and relatives in other countries without bringing cash to the big companies.
To be honest, why should businesses care? Unless they REALLY want that customer happiness, and will do ANYTHING to get it, Skype is just another distraction. Anyone making phone calls to home (in all likelihood) will be making local phone calls. I think most businesses will accept having to pay for those.
Also, phones tend to be pretty cheap to plug in, whereas Skype requires a computer, and unless each employee has one computer all to themselves, then you need to buy a "phone computer" which does nothing but run skype, which is a fair bit more expensive. Sure perhaps EVENTUALLY you'll save money on local phone calls, but chances are you'll have to replace the computer by the time you do. Also, Skype is only free if people only ring up other Skype users. So money will have to be spent on non-Skype phone calls, which lessens the amount of money saved by using Skype.
This particular article aside, how did Skype become the underdog? They're following the evil overlords guide to internet monopoly to the letter. Is establishing a proprietary protocol really as simple as giving a small piece of closed source software away for free? Come on, didn't ICQ teach you anything?
The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability.
1> Has there BEEN any vulnerabilities reported? If not, let's not get carried away and say that the vulnerabilities in Skype (and there ARE vulnerabilities. It's a piece of software that uses the internet, OF COURSE there's vulnerabilities) are easy to use until they've been reported.
2> Will Info-Tech be recommending the banning of Windows anytime soon? After all, any mediocre hacker can take advantage of a Windows vulnerability.
"Hot on the heals of the invention of the telephone and automated switchboard, a research group called Fud-Tech just put out a recommendation to its customers that all corporations should ban the use of telephones in their organizations. The reports sites a laundry list of issues it feels plagues the telephone, most of which will have a familiar ring (ie the normal anti-chit and anti-chat talking points). Will this cool the telephone's rapid progress into the business arena?"
Dinos shall once again rule the world.
Love over Gold.
"Companies that are already banning peer-to-peer applications, such as instant messaging, should add Skype to its list of unsanctioned software programs,"
As stated elsewhere, if you're banning those, you'll be banning this. Plain consistency.
"Unless an organization specifies instances where Skype use is acceptable, and outlines rules for client-side Skype settings, that's 17 million opportunities for a hacker to invade a corporate network."
How does this differ to email and internet acceptable use policies? Its another service like everything else, even the same as your telephone. My company would kill me for making massive STD calls, thats acceptable use. A properly configured network isn't going to magically let a hacker in either, setting a policy doesn't change this.
Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.
Windows isn't standards compliant, IE most definatley isn't and has a lot more vulnerabilities against its name. Short of the Skype servers being compromised, I don't see this as an issue.
Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.
Who here has seen Microsoft or RSA's implementation of security? MITM attacks occur on any platform, people trust entire network security (including remote access) on closed source encryption...
Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
Well there is the good ole telephone to use to communicate, but if I can get a cheap international call I'm going to use it do you think?
Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.
Well if I run packet sniffers to track these things I believe thats more than enough 'auditing' to get me through compliance laws. Logging everything in its entirety should be enough...can you do that with a regular telephone easily?
The question of whether VoIP calls constitute a business record is a legal quagmire.
Throwing Skype into the communications mix further clouds the issue.
No the point is that it hasn't been legally tested. The same issue was there for telephones and now thats been tested nobody has any issues with it. New technology has these, you'll find most companies get over it."The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."
Manage it like any other IT service. Thats just common sense. A mediocre hacker can take advantage of an IE vulnerability...just wait, THEY HAVE! Oh no, lets not use IE either because its a security vulernability that has been REPEATEDLY demonstrated. Err, damn. If you don't manage your resources, any resource, you're setting yourself up for failure.
Now we do use it in our enterprise to keep in contact with each other. The fact that I don't have to be in the office to get in contact with system administrators, network administators, other programmers and the people I work with. Its pure text, but it allows us to do voice. We'd pay through the roof for some of the things that Skype has saved us. One of our senior managers left the country and we got back in touch with him over an issue using Skype. We had a longish call at little to no expense where it would have cost us an arm and a leg to make an international call. This is a non issue for us, it may scare people (FUD, who else does that..) but at the end of the day, VoIP is here to stay.
On a closing note, how does VoIP effect companies that internally are pure VoIP then bridge to the normal PSTN? Does that mean all their calls are worthless even though externally it looks like a normal switch? I think not...
I always wondered where this setting was...
Hot on the heals of Skype
Sounds like they'd make a good priest or resto druid in WoW?
All of the points in the article were valid points.
Not even close to all of the points were valid points. Not even half of them made any sense! And you can't even call TFA an article, it's a friggin' press release.
VOIP, closed source and NAT traversal are hardly anything that your typical business spends any time worrying about. In fact, VOIP, closed source software and NAT traversal is standard operating procedure for most companies (or at least 2 of 3 of them).
What does Info-Tech have to gain from a decrease in Skype's popularity? Look for an ulterior motive here.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I see your point. But I see that a fair amount of people I know use Skype to talk to relative and loved ones in other countries, because all parties already have a computer and a broadband internet connection. They would have used the phone anyway, but nog can do so using the equipment they already own. So in fact they have no investment to make in hardware, but the save is substantial. E.g. a phonecall from The Netherlands to Egypt will (can) cost you 1,15 per minute. With Skype it is for free.
I believe (though I can't prove it) that the Dutch phone company KPN makes a huge profit on international calls.
Here we have a service that makes a lot of people happy (by facilitating one of the basic needs of people, communication). I don't see how banning Skype makes the world a better place.
Yes, I am the one with the legendary sig.
I love skype, and frequently use skype out to call long distance. However, I am concerned about its bandwidth (Being a peer-to-peer program). My ISP charges me per megabyte of bandwith over a certain quota; I know that several universities do this as well. Thus, I am forced to not leave skype running 24/7 like I run GAIM.
I wish at least, it would have an indicator of how much bandwidth it is consuming, or has consumed over a given time. Unfortunately it doesn't. I can also see why this could be a concern to corporate offices.
Patent: from Latin patere, to be open
I gather that if it were something like Gizmo, for which half these arguments don't even apply, they would simply try to come up with even lamer arguments to use against it.
Karma: It's all a bunch of tree-huggin' hippy crap!
Sign up with Info-Tech.
With-it companies improve customer support with IM, and communication across time-zones with Skype. Both accounts will be on my next business card.
Beer is proof that God loves us, and wants us to be happy.
They would have used the phone anyway
Where I work, an international call to anyone but a client would be noticed and questioned, and the person sacked for doing so. It would be pretty damn stupid to make a personal INTERNATIONAL call at work.
but nog can do so using the equipment they already own.
Unless that equipment is being used for something else. Places where it's a "1 computer per worker" environment would be able to use Skype no problem. But where my friend works its 3 computers for numerous people. And the computers are being used to display information so they can go around and do what it tells us to do. No-one should be using the computer, because that would place them in the way of the information, and would hinder people trying to do their job. Such environments (and I doubt my friend's work is unique in this regard) would need a computer that didn't display any important information, to have Skype.
I don't see how banning Skype makes the world a better place.
No-one's talking about banning Skype completely. Merely a recommendation was made for businesses to implement a policy banning the use of Skype on work computers, as it posed a security risk. And Skype can pose a security risk.
This sounds like a direct attack on skype
r ticle.php/3563226 gets relased at virtually the same time.
Replace the word skype with virtually any other software and the article would still be valid.
I feel sick when i read such articles and I feel even sicker when an article like this http://www.enterprisenetworkingplanet.com/netsp/a
I am not a conspiracy theory kind of guy, but why the sudden noise about skype's insecure desgin using the http protocol to work over NAT at the same time that Microsoft and Cisco find a way for SIP to work "securely" over NAT?
Call me paranoid but I find this very weird!
OK, so Skype ISN'T OSS...
So, where'is the best OSS counterpart to Skype?
And [for us] where's something, preferably OSS,
that does IM & VoIP as well as Skype on a closed LAN?
We don't want to lose INTRA-office voice & text contact
whenever the Internet is unavailable or bandwidth to it
is low (eg, in Australia's Outback, & we DON'T want to
pay high Satellite rates to get what we want here
What are our options?
TIA
Thousands of work hours are wasted when frustrated employees forget the difference between :q! and :x!, or forget to press 'i' before mouse copy-and-paste into the terminal. (fun game: guess what the first 'action' letter in that pasted block was!) So I say to the bussiness world - forget Skype, let's ban vi. anyone for?
It would be pretty damn stupid to make a personal INTERNATIONAL call at work. You are right. I was mixing up work and personal use too much.
Yes, I am the one with the legendary sig.
But nobody cared that he wrote "cites" as "sites".
...when you talk about banning AIM, MSN, Yahoo, or ICQ at a single point of entry, most firewall filtering works. To my knowledge only Juniper Netscreen and Cisco Pix even give you the option to block Skype. Skype is trickier by far and it was designed to get around corporate firewalls. Other than excessive outgoing bandwidth issues it can be hard to find and hard to stop.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
As a network administrator the idea of Skype being used for business purposes is a problem where this use is required to traverse the firewall.
Why ?
Well, I (and probably many others) operate major firewalls on the basis of 'anything not explicitly permitted is denied'. Skype is a concern, because due to the closed source nature of the product and the absence of any independant reliable auditing I cannot say with any assurance exactly what Skype is capable of.
Yes - I have read the manual, but there is no reason to believe that what the documentation provided states is the complete story.
The next position you would responsibly take is that you accept the use of Skype, but manage it appropriately, preferably within a security policy (human readable paper) that end users read and agree to. The idea here is that you educate and inform your users of whatever risks there are, and do the best you can to manage those risks.
Now, to manage anything you need to be able to measure and monitor it. Skype is a problem here, as it's P2P technology, the use of relativly high grade encryption, routing and tunnelling make it extremely to manage and monitor.
Now slow down there bucko - I'm not talking about VOIP - I'm just talking about Skype. Many firewalls provide proxies to allow the management and monitoring of VOIP traffic (eg SIP, H323, etc). Skype is a different beast, anda far toougher nut to crack from a management perspective than more standards based VOIP technologies.
VOIP looks good. It is something that can be managed on the same basis as HTTP.
As a network manager I'm against Skype. If a problem appears (eg some nasty exploit) then it's going to be like pulling bamboo out of the garden. The only safe method to isolate an organisation is effectively to cut the link to the Internet.
More standards compliant technologies such as SIP are far more attractive. Not only can they be managed in the same way as other more traditional protocols, they have a range of vendors suporting it, both open and closed source implementations are availble.
Skype is a weed.
This is the only company that provides linux compatible voice chat client.
their site
"The leading IT research firm for midsized enterprises"
Date Registered: 1998-4-17
Info-Tech Research Group
602 Queens Avenue
London, ON (CA)
N6B 1Y8
Administrative Contact
Info-Tech Research Group
Casey McKeown
602 Queens Avenue
London
Summary:
They are 'suits' from London who charge clueless businesses a fortune for 'papers' and 'consultation documents'
Look at SIP.
You can buy proper phone handsets, or use softphones. You use a product like Asterix to link things together like Skype's server do.
Again, look at SIP
Who the hell proofreads these submissions?
Shaved Monkeys?
Thats all this article seems like is some idiotic consulting firm throwing out a big popular piece of software (skype) and talking it down, when their business is to suggest others. How pathetic can it possibly get? Every program is a security risk. Every program has the potential to be used in a way distracting from an employees work. Most programs, in most workplaces, are closed source nonsense. Stupid, article.
~oid
Some of the points they make are justifiable; some not.
... but it is hard to do all this. Saying it is not possible is incorrect; but these are likely out of reach of enterprises that do need to audit
> - Skype is not standards-compliant, allowing it and any vulnerability to
> pass through corporate firewalls.
It is true Skype is not standards-compliant. But that doesn't make it any more or less vulnerable to attacks. Following that logic, they would argue banning Internet Explorer.
> - Skype's encryption is closed source and prone to man-in-the-middle
> attacks. There are also some unanswered questions about how well the
> keys are managed.
This is quite valid (almost). Skype's security has not been throughly validated. Unless they know inner workings, it is premature to conclude Skype is prone to man-in-the-middle. It is possible for Skype to use strong symmetric key crypto (AES), but protect the symmetric key exchange with public key crypto (RSA etc); we do not know how it manages keys so it can potentially be insecure. Then again most IM networks don't use any crypto, so its not a complaint against Skype specifically. Perhaps Skype's (unverified) use of crypto could lure a user into a false sense of security and make them drop their guard and reveal secrets more freely; one possble complaint.
> - Enterprises using Skype risk a communication barrier with countries
> and institutions that have already banned the service.
This one is dumb. Stop using X because you cannot use X with other users who are not using X; therefore you shouldn't use X either. WTF!
> - Skype is undetectable, untraceable, and unauditable, putting
> organizations that are subject to compliance laws at risk.
While incorrect, there is some truth in this. Skype can be detected (i.e. who is running Skype), Skype call endpoints can be verified (article in NY Times earlier in August), Skype can be traced (at the network level)
communication.
> - The question of whether VoIP calls constitute a business record is a
> legal quagmire. Throwing Skype into the communications mix further
> clouds the issue.
Skype doesn't cloud the issue any more than throwing phones into the mix. Skype is half-way between phone calls on one end, and emails on another. Emails constitute a record, so do phone calls. Skype does constitute a record imho. Whether this record can be easily achieved is another question (see above).
- Neither is MS Office (or several other MS products), Adobe Photoshop etc.
- So are several other encryppiton schemes... and a man in the middle attack is in fact easiest to make on a POTS, just connect a speaker to the wire.
- Use SkypeOut, POTS or a cell phone ?
- That seems to be the mantra now : encapsulate everything in HTTP
- Busuness record ? if it is not on paper or other approved medium it is not a valid record... and btw. VoIP on a Cisco CallManager is strictly speaking still just VoIP, so I presume that several large banks have the same problem ?
No, I do not defend Skype, I do however attack Info-Tech's lack of sanity !!The Info-Tech website runs IIS on NT. I guess they aren't so hot on "standards-compliance" and "closed source is bad" as they say they are.
Their reasons look perfectly reasonable to me. Note that they aren't saying that VoIP or IM should all be banned, they are specifically referring to systems like Skype.
What are the properties that make Skype dangerous? It's not standards-compliant, doesn't permit application-level proxies, its encryption is closed source, and it can't be audited in the way that many corporations are required to audit communications.
If you want to make personal calls from work, use your cell phone. And if you are looking for a VoIP solution for your business, go with something standards-compliant and (preferably) open source instead of Skype.
If I was a Telecom, and Skype was going to cost me money (eg: all the calls over my network that I don't get paid for), I would say "FUD Skype!"
/. bug #926803 - Why I can post.
hmm, Skype isn't on this company's review list of their $199 voip software comparison chart?
Could this be FUD simply be because skype refused to pay them to be included? or just because skype is free?
I don't recognise the others on their list, all you can get for free is a list of vendor names (below), I'm assuming they're all propriatary and expensive as I don't recognise them offhand, though to be honest I'm not really into VoIP software.
"Info~Tech Vendor Evaluations VoIP
SalesLogix 6.1
Best Software
List of Vendors
1. AudioCodes
2. Avaya
3. Epygi
4. Integral Access
5. Mediatrix
6. Mitel
7. Multi-Tech
8. Quintum
9. TalkSwitch
10. VegaStream
11. Verilink
12. Zultys
Cisco, Nortel, and Lucent chose not to participate in this comparison, as their products are directed primarily at the carrier and large enterprise market."
pass through corporate firewalls.
Skype doesn't comply with many of the popular standards, and it is designed to pass through firewalls fairly aggressively, including NAT traversal, which most of the standards-compliant VOIP protocols aren't very good at. But those are separate issues, and should be dealt with honestly. Beating them up for these problems separately is a much much stronger case than mashing them together incorrectly. And way too many applications need to be built to cooperate with firewalls, but instead are being built to work around them because the firewalls don't play well with others either.
attacks. There are also some unanswered questions about how well the
keys are managed.
It *is* closed source, and there *are* serious questions. That doesn't mean they're prone to man-in-the-middle attacks, except attacks from Skype's own presence server - but traditional telco services can be attacked by bribing or subpoenaing the phone company, and newer VOIP services appear to have more vulnerabilities than Skype because the US is convincing their vendors to build in wiretap support.
and institutions that have already banned the service.
There are people you want to talk to who don't use Skype for various reasons, but that just means you call them the old-fashioned way, or use SkypeOut to make a telco call to them if it's cheaper than your regular telco rates. Doesn't mean you should ban using Skype for calling people who do use it. If there are any countries that ban Skype, it's either because their monopoly telco doesn't like low-priced competition or because they want to wiretap their subjects' calls and Skype isn't helping them; there's no good reason to cooperate with that. There are institutions who've done the knee-jerk conservative paranoia ban on Skype for security reasons, but one of the largest concerns has been that Skype's supernodes can let outsiders use some of their resources in ways they don't understand well enough to trust. SkypeOut lets you call them for cheap, which isn't quite as good as free.
If your organization has a legal obligation to record what phone calls your users make, and possibly to record the calls themselves, then yes, Skype is probably not currently for you. Very few businesses and not many governments are in this position, and telling everybody that they shouldn't use it because some kinds of users really shouldn't is disingenuous and tacky. But if you're only doing the recording for accounting purposes, so you can make sure that Department X pays for its fair share of the company phone bill, you simply don't need to do that for Skype calls.
No, it doesn't further cloud the issue, even though your SkypeOut phone bill is separate from your local telco bill and long distance bill and calling card bills and employees' cellphone bills. If your organization needs to record its telephone calls for regulatory reasons, Skype might not be for you, but as with the previous bullet item, that's not very common, and waving your hands in the air to scare people is disingenuous
Disclaimer: I work for a telecom company that provides many different kinds of traditional and VOIP voice and data services, not including Skype, and this is my personal opinion from several decades of professional experience, not an official position of my employer.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Steve Bellovin reported to the cryptography mailing list thatc urity%20evaluation.pdfc urity%20evaluation.pdf.sig)
Skype has released an external security evaluation of its product; you
can find it at
http://www.skype.com/security/files/2005-031%20se
(Skype was also clueful enough to publish the PGP signature of the
report, an excellent touch -- see
http://www.skype.com/security/files/2005-031%20se
The author of the report, Tom Berson, has been in this business for many
years; I have a great deal of respect for him.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
All this craziness about banning IM and VOIP services within the confines of the corporate walls is even scarier than big brother. It is big brother without any brains behind it. There are several assumptions that are just scary in the notion that employees cannot be trusted. Honestly, this is the real paranoia behind it all isn't it? That you can't trust your employees?
I mean, why don't we ban the use of telephones, cell phones, fax machines, minute taking during meetings, and any contact with your colleagues and customers? I mean, are those devices fully compliant to the pseudo-security mumbo jumbo that these people pretend to affect IM and VOIP? I mean, that's what people do right? Block me from IM, and I SMS my friend, relatives, associates and customers from my mobile. Block me from Skype and I'll just pick up the phone or my mobile.
Could somebody please stop the insanity, and just write up a worldwide memo that people are just not to be trusted? And that any conversations or interactions with other people cannot be permitted without a lawyer and a permanent record. Oh wait a sec, and that record must be reviewed and signed off by all parties with all the relavent disclaimers attached to ensure that nobody's views are deemed accurate?
From the article
>- Skype is not standards-compliant, allowing it and any vulnerability
Dito Windows
>- Skype's encryption is closed source
Dito Windows
If those are good reasons for banning Skype, maybe we can apply them to Windows, Office document formats...
Open Source Drum Kit, LPLC deve board - mjhdesigns.com
If connections to the old phone networks are important, your choices are either to use a gateway box that converts VOIP to telco and connect it to a telco trunk (typically Asterisk PBX or a Cisco router with VOIP), or else use a service that will accept VOIP connections outbound to the PSTN and maybe inbound PSTN calls to you. SkypeOut and SkypeIn are Skype's answer to this, but there are a half-dozen wellknown companies that at least handle the outbound calls.
Skype does two technical things particularly well, which helps account for their popularity (they also market well):
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
unpatched and known (exploits) vulnerabilities are still a big MS problem: any script kiddie can use them to break into a MS program (like XP or IE) whenever he wants to. Any day, any time, you find plenty of these:
http://secunia.com/
So was this researched and paid by M$???
If Skype is banned - then there will just pop up a lot of other alternatives. And one good thing with Skype is that it actually helps in the informal but important communication in companies.
By the same logic used against Skype - about any software should be banned.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
...in enterprise environments.
1. Even if it is VoIP, it is desentralised. Businesses that implement VoIP generally use so with IP-telephones and IP-telephone centrals. They implement it as they did with old telephones. This makes the calls cheaper, but do not add the flexibility as a software based VoIP solution do.
2. It contains Chat and File Transfer (IM and P2P), causing a knee-jerk reaction to ban it. Both the hacker/pirate/illegal distribution of music, movies and applications, but also uncontrolled transfer of internal confidential information with no audit trail. Even if *we* know that any unfaithful worker can find other ways to steal information, it is a CMA (Cover My A**) procedure among the security folks.
3. The established telecommunication community fight against it, of course. It will eradicate their soft and cushy market. They will be demoted to Layer 1 and 2 communication providers and ruin everything they have worked to do the last 20 years... to spread out and be telecommunication services providers -- not just a provider of commodity products.
Mix these factors together, and you will have a strong lobby for banning Skype.
//Cartoon
And they are outlined in great length here.
There are links from InfoTech's site that pretty much lead to the truth. In a nutshell, Microsoft last week bought purchased media-streams.com, and "In August, Microsoft bought Teleo, a developer of VoIP, PSTN termination and click-to-call technology, which can be used to bring VoIP to the IM space." TFA is simply a typical FUD campaign from MS and its partners. Microsoft's implementation of VOIP with thier revamped IM in Office will, of course be safe and secure, and this is another reason why it is so important to continue in the forced upgrade cycle of proprietary software. Looks like microsoft is taking on 'eBay' as well as 'Google', not to mention the whole FOSS community.
Lets see.. they seem to be makign a couple of points...
- Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.
Skype is difficult to bloick unless you have a 'pass only what I know and approved' type of firewall setup, which youy should have anyway if such things are a concern, in other words, BS argument.
- Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.
There are questions indeed about the encryption implementation. I find it interesting that on one side this tech research group claims that noone can look at how it owrks, and on the other side they make a claim about how it works (or actually fails).
- Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
In other news, companies risk a communications barrier with countries not implementing a surface mail system, or a telephony system etc etc. Yes, from choices there may come limitations.. But it is not like using Skype prevents you using a normal phone or such.. In other words, more BS.
- Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.
Maybe... but I think that tech research or whatever they are called just did not look very well..
- The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.
Ok.. and now they owe me a new keyboard. This one is just too good to be true.
Comments Armstrong, "The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."
Sure, even a mediacore hacker can break it easily, but a payed for research group cannot figure out how the encryption is implemented.
Mr. Armstrong, you are full of shit.
Yes, there are issues with Skype, and I'd indeed advice peopel to consider if they want to use it at all. That is even related to one of the points Armstron and company are making, the closed source nature of it, and it being non-standard. The first major issue is privacy. Ebay has shown to not care shit about people and their privacy, and since we cannot verify what they are doing with Skype, there is a reason I believe to distrust Skype now. It not using standards makes it harder to integrate into an organisation that already has a telecommunications infrastructure, and hence it is just not very suitable there.
Skype has raised expectations for what internet telephone calls should sound like, and lowered expectations for what they should cost. Whatever the fate of Skype, its characteristics are the new standard.
Excuse the pun, but you can't unring a bell.
org.slashdot.post.SignatureNotFoundException: ewg
Feel free to ban Skype.
If I were in a business situation, I would set up an Asterisk server and get all my employees an account in a heartbeat.
Then I give them the COMPLETELY FREE AND OPEN CHOICE of absolutely any SIP compatible client (and there are tons available to be honest).
Or invest in a bunch of SIP hardware phones.
In the personal situation, I currently use Gizmo Project. Easy simple and free.
Quick google search results in: http://slashdot.org/article.pl?sid=05/09/06/134520 9&from=rss
Open Source Alternative for Skype
Posted by CmdrTaco on Tue Sep 06, '05 09:14 AM
from the open-is-better-right dept.
Software
slackah writes "OpenWengo an open source alternative to skype. It includes features such as sip calls, SMS, video conference, and automatic NAT configuration. It's still under heavy development, but it looks very promising."
--dave
davecb@spamcop.net
Unpatched and known (exploits) vulnerabilites are still a big Linux problem: any script kiddie can use them to break into a Linux program (like SSL, SMBFS) whenever he wants to. Any day, any time, you find plenty of these:
An unpatched system is an unpatched system, doesn't matter the OS release.
http://www.gizmoproject.com/
/. geeks have Kazaa installed in their machines as it's coming from same company? Right, eBay purchased them, code is still same, closed source.
It's not very Off topic anyway.
They made World standard SIP protocol distributed in an open source way.
Support is plain amazing, they replied to my crash report (which _I_ included my mail) in 20 minutes which shocked me.
I wonder if
A funny fact which I can't stand without saying is, I wanted to make sure Skype is coming from Kazaa, not iMesh and clicked
http://www.kazaa.com/us/products/
Shows a turkish betting ad in their product page. Um, betting in foreign sites is kind of "grey" matter in Turkey which many banks won't allow.
No, reason is not our islamic wannabe govt. It is that, there is already a betting service in Turkey which is bound by law and governed perfectly. What I understand is, Kazaa did not change at all. Always dark stuff...
Yea, use Skype people, PROTECT YOUR FREEDOM! with a company invented mass spyware.
If people are worried about attacks on their computers then use software like VMware and have virtual OSs to connect to the internet. Only the virtual OS would be at risk.
My main worry with Skype or any VoIP isn't so much my computer being attacked but if e-911 is required, will the regular phone companies backoff from inputting or distorting the audio from my Skype service? If they can distort the sound making it hard to hear what is being said then if someone needed to contact someone using e-911, will that be distorted or will the phone companies be able to tell that it an emergency call?
I think they're on the right track, but their reasoning isn't very good. To me, the big reasons to ban external IM and unauthorized VoIP are based solely on information disclosure. The various laws (SOX, GLBA, HIPAA, etc.) are heavily-geared towards protecting information from disclosure to unauthorized sources. Allowing external IM, where possibly sensitive information goes through someone else's servers unencrypted, and unauthorized VoIP (same reasons) can be serious risks.
I completely disagree with the comment that, "There is zero value added by closing IM, Skpe[sic] and other holes in the M$ strainer." Using that logic, why even worry about closing any inbound or outbound ports in the firewall? Why even have one? Don't let your dislike of MS software cloud your judgement concerning other products.
"It's too bad stupidity isn't painful." - A. S. LaVey
Actually, all proprietary software is unauditable. There's no way to know what the software will do in any circumstance until it does something. Believing that you have seen all the program can do is unwise. Tracing calls that go from Skype user to Skype user can only be done with the help of the Skype service provider. If Skype is uncooperative you've only got what your logs tell you. If the call is encrypted (as we're led to believe with Skype, although proprietary encryption is inherently untrustworthy for the aforementioned reason) you won't have much to go on.
However, one could raise comparable practical problems with any other proprietary program, such as those running many businesses today. That doesn't make Skype any better (in for a penny in for a pound doesn't make foolish behavior sensible) it means that businesses should run exclusively free software.
Digital Citizen
Hardly, it's quite trivial to do application-layer analysis and weed out who's using Skype.
any script kiddie can use them to break into a Linux program (like SSL, SMBFS) whenever he wants to.
OK here are critical unpatched vulnerabilities for an up-to-date XP (anyone can use these now)
http://secunia.com/product/22/
for IE:
http://secunia.com/product/11/
Now show me the same critical unpatched flaws for Linux + openSSL + smbFS + Firefox !
If you are going to say skype is a security risk then yes, it could be. But the risk of buffer overflow attacks will be higher on windows because its the juicy targets.
Run skype on something less mainstream, like freebsd or unix, and the chance of a worm exploiting your box is significantly smaller.
same for the email client, the word processor, flash (an attack for flash's latest patch is out in the field now), etc. etc. Any program that processes data from untrusted sources is a security risk, but windows turns it into a security reality.
Maybe MS should make an add of that
"you see a buffer overflow, we see a network of zombie systems"
I am surprised that all the posts I read miss the point of Skype's P2P. It's not the file transfer utility (that gets a free ride), but it's the NAT traversal itself. If you have good bandwidth and a public IP, you become the connectable server for unconnectable pairs of private IP's.
This is what makes Skype brilliant but also undesirable. Skype scales because the company doesn't have to run servers to compensate for all the broken networks of its clients, and if your network isn't broken, you host Skype's business. This is also the reason why Skype requires encryption and isn't open source; as long as I'm hosting your calls of course I'd be inclined to have me a listen.
Free phone numbers from North America for web based voice over the Internet SIP voice service recently became available. With that, does that mean phreaking or phone use like that talked about on Off The Hook, is dead now? You can literally create for yourself a new lifestyle going off the grid and mobile while the rest of the world wonders where heck you are. A future Nick Haflinger from Shockwive Rider only need to adapt for our science fiction prophet, John Brunner, to create the environment for all these numbers in flux. Personally a SIP based client with a phone number included at no cost is very preferred over Skype, no phone number and not standards complient, geez, why even go that direction?
http://www.aisnota.com/slashdot/ Welcome to Logic and the Future
There are companies making firewalls that do deeper packet inspection to detect things like Skype, because *everybody* does the Port 80/443 wrapper approach, but it's still an arms race. Of course, there are people like Dan Kaminsky doing tricks like tunnels-over-DNS, which are cute but really really abusive, e.g. getting multi-megabit/sec video to run over DNS requires splattering DNS requests across thousands of domains, but in practice most of the tunnel systems work just fine on standard protocols.
There are companies and universities that worry that Skype users are providing services to outsiders, because of Skype's supernode system for letting people behind overly tight firewalls get out, but the supernodes can only provide service to outsiders if they're outside the firewall, so that's mainly a university problem, not a corporate problem (or at least, not a problem for the kinds of corporations that worry about Skype penetrating their firewalls.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Diffie-Hellman _does_ require MITM protection, and you can either implement that using digital signatures (RSA is just fine here) or password-hash approaches between the client and Skype's authentication server. Whit Diffie likes DH with RSA signatures, and that's probably what Skype should have done.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I use Skype at work specifically b/c its chat and VOIP are encrypted, so my company can't eavesdrop and potentially use what I say against me.
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
how do they know 17 million people are using it for business purposes.... unless they're listening in..! oh god!
people tend to fear what they do not understand.
I work for the Department of Redundancy Department.
Any company concerned with NAT traversal uses VPN tunnels. Trusting inherently untrustable machines beyond the protection of the company firewall is never a good idea. VPN's provide the necessary controls to limit who may use what and when.
Maybe you should look at your own links, open bugs are bad but you need to get a bit of a grip on reality. Especially when your own links that you tried to use as evidence of script kiddies being able to exploit you, doesn't back it up at all.
.mdb file in access can run other code
Unpatched Windows Exploits
Adv 8 Less critical: Allows local user with lower privileges to see additional WIFI information
Adv 9 Not critical: Long string name can hide from visibility in registry
Adv 15 Less critical: Attacker with physical access and USB device and cause a buffer overflow
Adv 26 Less critical: Private signing key visibile allowing someone to possibly calculate a man in the middle attack against remote desktop
Adv 27 Less critical: DOS attack from too large of jpeg image
Adv 29 Highly critical: Opening up a specifically crafted
Adv 40 Not critical: Local user can open the registry so many times that other can't login
IE
Adv 3 Moderately critical: Inject arbritary http requests
Adv 6 Less critical: Javascript dialog box doesn't include source location
Adv 7 Not critical: Javascript can crask browser
Adv 9 Less critical: Title bar can be overwritten in a popup
Adv 10 Not critical: You can hide the url to be cliced on in the status bar
Adv 12 Not critical: Script from internet zone can see if a script file exists by looking for certain variable
That doesn't necessarily mean that Skype shouldn't be used; just that it is insecure until known otherwise. People have been using insecure communications for many many years, though, so Skype usage is merely a short-sighted failure to take a step forward, rather than a step back.
Extremely dumb argument. If somebody has banned Skype, it's their end, not yours. Ultimately, anything that is secure, is going to have this problem. You can't have it be both secure and auditable. That's the case for Skype, POTS, or anything that is ever invented in the future. So maybe this is an argument against Skype, but it's not really a Skype-specific argument. This is true. It also totally misses the point. If employees merely even have the capability to install Skype (whether you endorse it or not) then you already had this hole wide-open. The threat is already inside the perimeter. If you don't trust your employees or if you don't have the source code to everything they run, then your employees' PCs are on the wrong side of the firewall.If this threat suddenly is a concern to you, then Skype is small potatoes -- I meant really, really small -- and you should be screaming at the top of your lungs about Microsoft applications, mainly Internet Explorer and Outlook, but probably also their word processor, spreadsheet, etc. Skype is nothing compared to the far more dangerous risks that you routinely face by allowing this stuff on company PCs. When you have eliminated the dozens of higher-priority threats, maybe then it will make sense to look pointedly at Skype. Until then, you look really silly.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Telecom is short for "Telecommunications." It may refer to the industry, or to that function in a corporation. VoIP is making this term get all fuzzy w.r.t. Data Networks, but not...
Telco is short for "Telephone Company." It can refer to your Long Distance Carrier (MCI, AT&T, Sprint, etc.) or your Local Exchange Carrier (or "LEC"), like SBC or Verizon. Luckily, the "Telco" term still works for mutants like SBC-AT&T and Verizon-MCI.
No, no... you don't need to thank me ;)
Gizmo Project
http://www.gizmoproject.com/
Its free and looks just like skype but without the bandwidth thing, well at least I was unable to find anything about it in the EULA.
Its really a bit like puh-leese being spee-alt please, or people using smiley's that look like they have just been left hooked.
You are however as correct in your usage as I was incorrect in mine and I bow in homage of your literary pedanticities.
/. bug #926803 - Why I can post.
Agreed. I didn't really even understand that point of the article; it's not like setting up a VPN is that hard these days, even a fairly dumb/understaffed/"spread-thin" IT department could put together a VPN if that was a major security concern. After all, banning Skype is only going to do you any good until the next little application that has NAT traversal comes along (and there are an increasing number that do, especially communications apps) and then you're hosed again.
This whole article is just FUD, it reads like the intended audience is ignorant middle and upper-level managers and the intent is to instill some sort of primitive idea that "Skype = bad" without any convincing explanations why. The end result I think is that a lot of system and network admins are going to be fielding a lot of questions as to "shouldn't we ban that 'skipe' thing? I've heard it could wreck our network," and have to sit down and explain why that's not true.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I'm an US expat working in Qatar, and the local ISP/Phone Monopoly, Q-Tel, has made a big hue and cry about banning Skype and other VoIP systems in the country.
So far, their banning seems to be blocking the Skype home page from systems in the country. That's it. No port blocking, no nothing. Meanwhile, the Skype software is freely available with headsets and USB handsets in most computer stores and the computer souks. And the site can be freely accessed if one uses an SSH tunnel to get around the national ISP's nannyware/firewall. All it seems to do is block the causal user at best. And they can't really do much in the way of portblocking, without interfering with the on-line gaming that's all the rage here.
"On the Internet, no one knows you're a minifig....."
There are a number of reasons skype is "bad", but there are just as many reasons why it's "good". The reasons these idiots are spouting are rubbish... "it's closed source"; well, guess what, so's Windows, and almost everything Cisco makes, and all the "corp" AV software, and most commercial IDS/IPS's... the list is never ending.
They claim it's succeptable to man-in-the-middle, yet show no research to prove it. (those that have done the research say otherwise.) A working example would be nice.
(For the record, about the only real problem with Skype is it's proprietary protocol. If it were standards compliant, it'd be a breeze to use existing VoIP technologies to bring many, many millions more nodes online. I'd love to link PBX voice interfaces to Skype, but that ain't gonna happen until they all talk the same language.)
Did I state that Windows was exploit-free? No, I did not. I merely said that just because you're using Linux (or any other non-Windows OS) doesn't mean you can let your guard down. Computer security requires being diligent on all fronts, no matter what your system is running.
When you look at the state of the world, how can you not become a radical, liberal anarchist?
get something like asterisk (theres a cd called asterisk@home that will do the work of wiping a spare box and setting up a complete asterisk system for you if you so desire).
If you wan't to call pots lines or sip users outside your company through your internet connection then find a SIP or IAX provider to handle those. Alternatively if you don't get the internet bandwidth for that then with suitable cards fitted to the pbx box you can link it to pots lines.
if you wan't to call other skype users then sadly your only real option is to use thier client app.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register