Slashdot Mirror


Research Group Pushes to Ban Skype

cowmix writes "Hot on the heels of Skype being purchased by eBay, a research group called Info-Tech just put out a recommendation to its customers that all corporations should ban the use of Skype on their networks. The report cites a laundry list of issues it feels plague Skype, most of which will have a familiar ring (i.e. the normal anti-IM and P2P talking points). Will this cool Skype's rapid progress into the business arena?"

26 of 196 comments

  1. Not if by Cruithne · · Score: 4, Funny

    "Will this cool Skype's rapid progress into the business arena?"

    Not if a first post on slashdot links to http://www.skype.com/

    1. Re:Not if by Cruithne · · Score: 5, Funny

      If you mod parent up, Skype will become more powerful than TFA could ever imagine...

    2. Re:Not if by Gentlewhisper · · Score: 5, Interesting

      Not to sound like a troll, but who the hell is this Info-Tech group?

      Likewise we have groups like "The Yankee Group" and what have you endorsing cheesy TCO studies for Windows and stuff.

      So the dog has spoken, at the end of the day the question remains, who the hell fracking cares?

    3. Re:Not if by farker+haiku · · Score: 5, Informative

      Well, I tried to find out how legit they were by reading some of their "white papers" like their guide to securing 802.11, but the cost was 450 dollars a year for membership. Heh.

      --
      Your sig(k) has been stolen. There is a puff of smoke!
    4. Re:Not if by Anonymous Coward · · Score: 5, Funny

      If they charge a lot of money for membership, they must be good!

    5. Re:Not if by Jaseoldboss · · Score: 4, Interesting

      One of the reasons:

      Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.

      So follow our advice, ban it and create a communications barrier first?

      Seriously though, isn't Skype bad? Closed source, uses your bandwidth for other users. If it becomes the dominant standard surely that leaves it open to being milked for all it's worth by eBay?

  2. Sounds Familiar by Anonymous Coward · · Score: 4, Interesting

    This seems to be happening frequently. There was a push to ban Skype in Aussie-land recently. Seems rather typical, but I doubt the bad press will have too much effect on Skype's momentum. Any business considering Skype as a solution would've disregarded such issues already.

  3. Half-truths by Anonymous Coward · · Score: 5, Interesting

    Skype is not standards-compliant true

    allowing it and any vulnerability to pass through corporate firewalls. false - true of any software

    Skype's encryption is closed source and prone to man-in-the-middle attacks. true - one has no cryptographic assurance that there is no MITM with Skype

    Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service. false

    Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk. FUD

    The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.

    false - lots of businesses use VoIP

    1. Re:Half-truths by egjertse · · Score: 5, Informative
      Oh dear... Have you even used Skype?

      Only Linux/ALSA is supported.

      Windows, Linux and MacOS are supported. On Linux, Skype uses OSS, not ALSA. ALSA support is in the works.

      Audio is poor quality: only 8KHz 1 channel 8 bit sampling.

      Audio quality scales with available bandwidth/cpu power. Skype dynamically switches codecs depending on the available resources.

      Encryption not turned on by default.

      Really? All Skype calls are encrypted end-to-end by default - Skype to PSTN calls are encrypted until it reaches the PSTN network.

      User interface uses harsh, unfriendly colours.

      Subjective. The Linux version can easily be themed through QT, as it is dynamically linked to your QT library.

      The ringing sound is kind of loud, and surprises you when you're not expecting it because you forgot to set your status to not interrupt you.

      Not only can you change the default ring tone, you can download free ringtones from the Skype website...

      So... What was the problem again?

  4. Did this research group forget something? by kihjin · · Score: 4, Funny

    Comments Armstrong, "The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."

    Armstrong, you misspelled Windows.

    --
    This slashdot-related signature is a stub. You can help kihjin by expanding it.
  5. Non-issue really by aussie_a · · Score: 5, Insightful

    Companies that are already banning peer-to-peer applications, such as instant messaging, should add Skype to its list of unsanctioned software programs

    Well no shit, sherlock. If a company feels that IM software (such as AIM or MSN) is a security risk, then of course they should consider Skype a security risk. It's called consistency. This is really a non-issue. New messaging program comes out (which in a way, is what Skype is), companies that ban other messaging programs add it to their ban list. Those that don't ban messaging programs, don't.

    This is pretty much a non-article. And it won't slow the proliferation of Skype in the business world, because I doubt companies that banned other IM programs, really needed Info-Tech to tell them to add Skype to the list (I'm sure Info-Tech is just doing it to be consistent as well).

  6. Research? by ageitgey · · Score: 4, Insightful
    Reasons to ban Skype:
    • 3. Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
    Really? Are you serious? That's what you guys came up with? Should we ban blackberry pagers because not all employees have mobile email access and thus might face a communication barrier with those who do?
    --
    Uninnovate - Only the finest in engineering.
  7. The power of documentation? by aussie_a · · Score: 4, Funny

    "Approximately 17 million registered Skype users are using the service for business purposes," says Armstrong. "Unless an organization specifies instances where Skype use is acceptable, and outlines rules for client-side Skype settings, that's 17 million opportunities for a hacker to invade a corporate network."

    Wait. So just by having a policy, Skype becomes unhackable? That's incredible. I never knew that a policy (no matter what the policy was) could work so well. Perhaps if all businesses developed a policy like "No computer shall have Windows installed on it" then the amount of hacking businesses suffer from would drop dramatically. All because someone created a document.

    Thanks Info-Tech. You just saved my business!

    P.S. I was being sarcastic. Although creating a policy banning Windows WOULD decrease the amount of hacking that occurs.

  8. Flawed analysis by d_jedi · · Score: 5, Insightful

    - Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.

    And how would this be different if Skype was standards compliant?

    - Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.

    Ooh.. closed source is evil! By this logic, Info-Tech should recommend banning Windows (to the delight, I'm sure, of many /.ers)

    - Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.

    Is this a joke? I dunno about you, but I haven't seen any companies completely give up.. what's that thing?.. the telephone in favour of Skype..

    Skype is a useful tool. That's all I've got to say about that.

    --
    I am the maverick of Slashdot
  9. Info-Tech, No conflict of interest there... by aywwts4 · · Score: 5, Informative

    One of the services they offer is VOIP comparisons for 200 dollars. Of their twelve endorsed vendors Skype is nowhere on the list. http://www.infotech.com/Products%20and%20Services/Vendor%20and%20Software%20Selection/VoIP.aspx

    Now let's not give this poor piece of press release any more credence than it deserves. It may be on Yahoo's page but it's only the equivalent of a company making a mock news story about themselves.

    --
    Web Developers: Celebrate to our roots! Animated Gifs and Tiled Backgrounds, dont let our history die!
  10. Re:Vast government powers by mmkkbb · · Score: 4, Insightful

    Countries don't ban Skype because of security issues; they ban it to prevent competition with the phone monopoly.

    --
    -mkb
  11. Re:Recursive Loop by itsme1234 · · Score: 3, Funny

    I think it's turtles all the way down:

    http://en.wikipedia.org/wiki/Turtles_all_the_way_down

  12. Mediocre Hacker? by aussie_a · · Score: 3, Insightful

    The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability.

    1> Have there BEEN any vulnerabilities reported? If not, let's not get carried away and say that the vulnerabilities in Skype (and there ARE vulnerabilities. It's a piece of software that uses the internet, OF COURSE there are vulnerabilities) are easy to use until they've been reported.

    2> Will Info-Tech be recommending the banning of Windows anytime soon? After all, any mediocre hacker can take advantage of a Windows vulnerability.

  13. Let's review every point by pasamio · · Score: 3, Interesting

    "Companies that are already banning peer-to-peer applications, such as instant messaging, should add Skype to its list of unsanctioned software programs,"

    As stated elsewhere, if you're banning those, you'll be banning this. Plain consistency.

    "Unless an organization specifies instances where Skype use is acceptable, and outlines rules for client-side Skype settings, that's 17 million opportunities for a hacker to invade a corporate network."

    How does this differ to email and internet acceptable use policies? It's another service like everything else, even the same as your telephone. My company would kill me for making massive STD calls, that's acceptable use. A properly configured network isn't going to magically let a hacker in either, setting a policy doesn't change this.

    Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.

    Windows isn't standards compliant, IE most definitely isn't and has a lot more vulnerabilities against its name. Short of the Skype servers being compromised, I don't see this as an issue.

    Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.

    Who here has seen Microsoft or RSA's implementation of security? MITM attacks occur on any platform, people trust entire network security (including remote access) on closed source encryption...

    Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.

    Well there is the good ole telephone to use to communicate, but if I can get a cheap international call I'm going to use it do you think?

    Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.

    Well if I run packet sniffers to track these things I believe that's more than enough 'auditing' to get me through compliance laws. Logging everything in its entirety should be enough...can you do that with a regular telephone easily?

    The question of whether VoIP calls constitute a business record is a legal quagmire.

    Throwing Skype into the communications mix further clouds the issue.

    No, the point is that it hasn't been legally tested. The same issue was there for telephones and now that's been tested nobody has any issues with it. New technology has these, you'll find most companies get over it.

    "The bottom line is that even a mediocre hacker could take advantage of a Skype vulnerability. If you are going to use Skype within enterprise, manage it as you would any other IT service: with policy and diligence."

    Manage it like any other IT service. That's just common sense. A mediocre hacker can take advantage of an IE vulnerability...just wait, THEY HAVE! Oh no, let's not use IE either because it's a security vulnerability that has been REPEATEDLY demonstrated. Err, damn. If you don't manage your resources, any resource, you're setting yourself up for failure.

    Now we do use it in our enterprise to keep in contact with each other. The fact that I don't have to be in the office to get in contact with system administrators, network administrators, other programmers and the people I work with. It's pure text, but it allows us to do voice. We'd pay through the roof for some of the things that Skype has saved us. One of our senior managers left the country and we got back in touch with him over an issue using Skype. We had a longish call at little to no expense where it would have cost us an arm and a leg to make an international call. This is a non issue for us, it may scare people (FUD, who else does that..) but at the end of the day, VoIP is here to stay.

    On a closing note, how does VoIP affect companies that internally are pure VoIP then bridge to the normal PSTN? Does that mean all their calls are worthless even though externally it looks like a normal switch? I think not...

    --
    I always wondered where this setting was...
  14. Re:Valid Points by Spoke · · Score: 4, Insightful

    All of the points in the article were valid points.

    Not even close to all of the points were valid points. Not even half of them made any sense! And you can't even call TFA an article, it's a friggin' press release.

    VOIP, closed source and NAT traversal are hardly anything that your typical business spends any time worrying about. In fact, VOIP, closed source software and NAT traversal is standard operating procedure for most companies (or at least 2 of 3 of them).

  15. Petty and un-ethical! by exaviger · · Score: 4, Insightful

    This sounds like a direct attack on skype

    Replace the word skype with virtually any other software and the article would still be valid.

    I feel sick when I read such articles and I feel even sicker when an article like this http://www.enterprisenetworkingplanet.com/netsp/article.php/3563226 gets released at virtually the same time.

    I am not a conspiracy theory kind of guy, but why the sudden noise about skype's insecure design using the http protocol to work over NAT at the same time that Microsoft and Cisco find a way for SIP to work "securely" over NAT?

    Call me paranoid but I find this very weird!

  16. OT: WANTED: Skype functionality on an isolated LAN by ivi · · Score: 3, Insightful


      OK, so Skype ISN'T OSS...

      So, where's the best OSS counterpart to Skype?

      And [for us] where's something, preferably OSS,
      that does IM & VoIP as well as Skype on a closed LAN?

      We don't want to lose INTRA-office voice & text contact
      whenever the Internet is unavailable or bandwidth to it
      is low (eg, in Australia's Outback, & we DON'T want to
      pay high Satellite rates to get what we want here ;-)

      What are our options?

      TIA

  17. Think About it by Anonymous Coward · · Score: 3, Interesting

    As a network administrator the idea of Skype being used for business purposes is a problem where this use is required to traverse the firewall.

    Why ?

    Well, I (and probably many others) operate major firewalls on the basis of 'anything not explicitly permitted is denied'. Skype is a concern, because due to the closed source nature of the product and the absence of any independent reliable auditing I cannot say with any assurance exactly what Skype is capable of.

    Yes - I have read the manual, but there is no reason to believe that what the documentation provided states is the complete story.

    The next position you would responsibly take is that you accept the use of Skype, but manage it appropriately, preferably within a security policy (human readable paper) that end users read and agree to. The idea here is that you educate and inform your users of whatever risks there are, and do the best you can to manage those risks.

    Now, to manage anything you need to be able to measure and monitor it. Skype is a problem here, as its P2P technology, the use of relatively high grade encryption, routing and tunnelling make it extremely difficult to manage and monitor.

    Now slow down there bucko - I'm not talking about VOIP - I'm just talking about Skype. Many firewalls provide proxies to allow the management and monitoring of VOIP traffic (eg SIP, H323, etc). Skype is a different beast, and a far tougher nut to crack from a management perspective than more standards based VOIP technologies.

    VOIP looks good. It is something that can be managed on the same basis as HTTP.

    As a network manager I'm against Skype. If a problem appears (eg some nasty exploit) then it's going to be like pulling bamboo out of the garden. The only safe method to isolate an organisation is effectively to cut the link to the Internet.

    More standards compliant technologies such as SIP are far more attractive. Not only can they be managed in the same way as other more traditional protocols, they have a range of vendors supporting them, and both open and closed source implementations are available.

    Skype is a weed.

  18. WTF... by Hymer · · Score: 4, Insightful
    from TFA :
    1. Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.
    2. Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.
    3. Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
    4. Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.
    5. The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.
    ...and what I think about them...
    1. Neither is MS Office (or several other MS products), Adobe Photoshop etc.
    2. So are several other encryption schemes... and a man in the middle attack is in fact easiest to make on a POTS, just connect a speaker to the wire.
    3. Use SkypeOut, POTS or a cell phone ?
    4. That seems to be the mantra now : encapsulate everything in HTTP
    5. Business record ? if it is not on paper or other approved medium it is not a valid record... and btw. VoIP on a Cisco CallManager is strictly speaking still just VoIP, so I presume that several large banks have the same problem ?
    No, I do not defend Skype, I do however attack Info-Tech's lack of sanity !!
  19. Why Skype is not popular by cartoon · · Score: 3, Insightful

    ...in enterprise environments.

    1. Even if it is VoIP, it is decentralised. Businesses that implement VoIP generally do so with IP-telephones and IP-telephone centrals. They implement it as they did with old telephones. This makes the calls cheaper, but does not add the flexibility that a software based VoIP solution does.

    2. It contains Chat and File Transfer (IM and P2P), causing a knee-jerk reaction to ban it. Both the hacker/pirate/illegal distribution of music, movies and applications, but also uncontrolled transfer of internal confidential information with no audit trail. Even if *we* know that any unfaithful worker can find other ways to steal information, it is a CMA (Cover My A**) procedure among the security folks.

    3. The established telecommunication community fight against it, of course. It will eradicate their soft and cushy market. They will be demoted to Layer 1 and 2 communication providers and ruin everything they have worked to do the last 20 years... to spread out and be telecommunication services providers -- not just a provider of commodity products.

    Mix these factors together, and you will have a strong lobby for banning Skype.

    --
    //Cartoon
  20. There are two simple reasons why Skype use is bad by aarku · · Score: 5, Informative

    And they are outlined in great length here.