Skype Addresses Visibility Concerns
An anonymous reader writes "TechWorld is reporting that VoIP pioneer Skype has finally decided to buckle down from their startup mentality and address some of the concerns about the 'visibility' of Skype by network admins. From the article: 'Problems started around the time that the version 2.0 beta appeared last year, the moment when a handful of software engineers started to assess a troubling issue thrown up by the program's new and evasive design: it was incredibly hard to detect using perimeter security systems. Skype's unofficial explanation for its extreme stealthiness has always been that this was necessary to avoid telcos threatened by its business model from blocking it. While this presents no issues for a home user, using "invisible" software capable of making and receiving voice calls, opening instant messaging sessions and exchanging files on a corporate network caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.'"
After all, the telcos have a vested interest to mod all VOIP calls to force you to get cell phones. Unless you pay them an extra fee, of course.
Not to sound trollish but I would have sold stock immediately after the bill became law in the senate.
http://saveie6.com/
The gist of this article seems to be that unless you're doing complete content analysis on incoming packets, you aren't going to be able to detect Skype: it uses (on my system at any rate) port 443 (SSL?) and port 80 (HTTP) as its default ports. Any sysadmin that blocks those ports is going to get some very annoyed phone calls from pissed off users.
That Skype is being devious and sneaky is not the issue here. I think the real issue here is that sysadmins don't have control over the machines they're supposed to be looking after. There are plenty of ways to make sure that Skype doesn't make it onto the corporate network-- don't give unauthorized users permission to install software, blacklist it on the company-approved software image, packet analysis... the list goes on. I figure if the sysadmin is not paranoid enough to do these things to begin with, the use of Skype on his/her network probably isn't a major threat. Or the sysadmin is inept. Your call.
... caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.
The fact that Skype is designed to be unfirewallable is not a security risk: Any site which wants to block Skype should have a policy prohibiting its use.
The security risk is users who ignore such policies, and system configurations which allow said users to install and use Skype.
Tarsnap: Online backups for the truly paranoid
... software written to secure my communication is now being called a security risk as though the software is bad rather than the users of it. I rather enjoy secure communication.
Skype isn't creating a security hole. Skype is demonstrating that current firewalling practices are inadequate for blocking a determined entity from making an outgoing connection.
Perhaps they ought not to do that; I remember similar concerns about SOAP when it was first being proposed (and no doubt many on here still refuse to use it) and it showed that fewer were willing to blame the inadequacy of the protection than they were the people "bypassing" it. Rather, we should take away the lesson that firewalls in and of themselves are not an absolute solution and instead incorporate other methods and practices in developing secure environments.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
It's extra security for everyone when everyone uses encryption, someone sniffing the network wouldn't be able to tell a critical e-mail from a snippet of voice... Not being able to identify the data is the real reason 'Net Neutrality' is assured.
Since it's a good thing that the data can't be identified (in some ways) how about having your users, in a business setting, not run as Administrator on the desktop machines? Just disallow the installation of IP telephony applications, not as a policy, but as an account restriction.
Better yet, do it before the next worm ravages your network.
I'm worried about allowing software on to the network that I can't monitor and disable at will.
And that's exactly why I don't want Skype to change. I don't want the ability for my ISP, or any other provider down the line, to be able to block Skype. It is my personal long-distance telephone, and I don't doubt that there are plenty of providers out there that would jump at the opportunity to block it.
Imagine that you have just spent the last two years actively using an internet service for your telephone - at free or near-free pricing. You wake up one day, and it doesn't work anymore. You call up your internet provider, who also happens to be a telco, and say "my internet-based replacement for long distance isn't working anymore".
You can bet what their response would be.
You don't have to worry about NAT full-cone, restricted-cone, port-restricted cone, STUN, or any other crap in a badly designed protocol.
Have you ever stopped to think that maybe NAT, not the protocol, is the problem? The sooner we get rid of the kludge that NAT is and always was, the better it will be for all net users (hint: IPv6 + stateful firewall => better than NAT kludge)
You can proxy the SSL handshake, and check that it is in fact a valid handshake. Unless you do something really sneaky (install a custom CA on corporate machines, generate a certificate for each website visited by the user which is signed by your custom key), you can't intercept any of the data communication of SSL. My proposal was that a layer-7 filter can look for SSL handshakes at the beginning of every port 443 connection. If it doesn't see one after X packets, kill the connection.
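One way to implement the check this comment proposes, as an added example that is not the commenter's code: buffer the first client bytes of a port-443 flow, allow it once they parse as a TLS ClientHello, and kill it if they do not or if no decision is possible after X packets. The threshold and the sample bytes are constructed for illustration.

```python
"""Layer-7 heuristic: allow a port-443 flow whose first client bytes are a
TLS ClientHello; kill it otherwise (constructed example, not Skype's code)."""
import struct

MAX_PROBE_PACKETS = 3   # "X packets": stop waiting for a handshake after this

def looks_like_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record header (type 0x16 = handshake,
    version 3.x, plausible length) followed by handshake type 0x01."""
    if len(data) < 6:
        return False
    ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
    if ctype != 0x16 or major != 3 or minor > 3:
        return False
    if rlen == 0 or rlen > 16384:       # TLS record length limit
        return False
    return data[5] == 0x01

class FlowInspector:
    """Buffers the first client->server bytes of one TCP connection and
    yields None (undecided), True (allow) or False (kill)."""
    def __init__(self):
        self.buf = b""
        self.packets = 0
        self.verdict = None

    def feed(self, payload: bytes):
        if self.verdict is not None:
            return self.verdict
        self.buf += payload
        self.packets += 1
        if len(self.buf) >= 6:
            self.verdict = looks_like_client_hello(self.buf)
        elif self.packets >= MAX_PROBE_PACKETS:
            self.verdict = False     # still no handshake after X packets: kill
        return self.verdict

def classify(segments):
    """Run the inspector over a list of client segments; stop at a verdict."""
    insp = FlowInspector()
    verdict = None
    for seg in segments:
        verdict = insp.feed(seg)
        if verdict is not None:
            break
    return verdict

# Constructed samples: a TLS 1.2 ClientHello prefix, and plain HTTP sent to 443.
CLIENT_HELLO = bytes.fromhex("160301 00c8 01 0000c4 0303") + b"\x00" * 8
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n"
```

Legacy SSLv2-compatible hellos start with a 0x80 length byte rather than 0x16, so they would be killed by this check; decide deliberately whether to allow-list them. The check only sees the start of the flow, which is exactly the limitation the comment describes.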
Why not rate-limit outgoing TCP port 443? If Skype needs 100 kbps over a connection to maintain unbroken voice output, limit each connection to 50 kbps. You could also limit it to bursts of traffic - full speed for 0.5 second at a time, then 4.5 seconds at 50 kbps. Real HTTPS (small outgoing requests and large incoming responses) would still be responsive under these conditions.
Hands in my pocket
One important reason that Skype should be sneaky is so people using the software under corrupt/abusive regimes can continue to do so without easy interference on the part of the government. In comparison to your intranet's security, the security of dissidents wins.
This is the natural response to the unnecessary port-blocking that seems to be used everywhere now. Many places block every port except for the few you need for web surfing, so everything runs on port 80. It's sad because it negates the point of ports in the first place.
In the end, I think sysadmins need to learn that users aren't satisfied with only web surfing.
...is another's ticket to freedom.
If Corporate firewalls can't block Skype, neither can China's.
Have you ever stopped to think that maybe NAT, not the protocol, is the problem? The sooner we get rid of the kludge that NAT is and always was, the better it will be for all net users (hint: IPv6 + stateful firewall => better than NAT kludge)
Great, but until then, software needs to work in the real world. What do you suggest, Skype just hold off on offering a product until the whole world adopts IPv6 and they can do it nicely? Yes, NAT is a hack, but it's so widespread it has to be dealt with when developing a product. You can't just code to standards and ship it when the real world isn't obeying the standards.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Let me be the first to state the obvious:
Corporate security should not rely on the good behaviour of fourth-party applications/protocols.
Sure, go ahead and demand that Skype's protocol be crippled to improve visibility, but the fact remains that if a random O.S.S. proggie can accidentally breach your perimeter, then your P.O.S. security will not stand up to a script-kiddie, let alone a corporate spy.
Obama likes poor people so much, he wants to make more of them.
NAT is a wonderful technology. First of all, it really solves the issue with IP addresses running low beautifully (and saying "well, IPv6 would work even better!" is a lousy argument; it will take an enormous amount of time before IPv6 is fully implemented, probably at least a decade). Actually, since the widespread adoption of NAT routers, it isn't even really a problem anymore!
Secondly, it's the most important thing ever to happen to internet security. Bar none. Due to how the NAT protocol works (by mapping ports based on outgoing requests), it works as a cheap, very good hardware firewall. All the stupid Windows exploits that work by looking for insecure services with open ports are not a problem anymore. A person behind a NAT router is completely stealthed and invisible to the outside world. The only remaining way to get into someone's computer is if someone actually downloads the software themselves or if they're using IE. Either way, they're probably too stupid to run a software firewall (which would protect them) (and yes, I love to use singular they, in case you were wondering ;)
Third, it's also great if you share your internet connection with several other computers (either at home or in a corporate environment). Old style hubs would simply broadcast incoming data to all computers in the local network. NAT doesn't do that, it maps local IPs to ports and only transmits to them. Which means that if you don't want every single person on your local network being able to read your email or know that you browsed to men-seeking-men.com, NAT works perfectly.
I'm guessing you are criticizing NAT because at one point you wanted to run some software that required you to act as a server and you were too dumb to figure out how to open a port? That must be it, since it's really the only downside to NAT. Well, that's being solved too. More and more people are learning how to open ports easily (maybe you'll learn someday too!), and even better, software is learning how to do it automatically using either UPnP or getting help from third-party servers to do it (that is, the two computers that wish to talk to each other connect to a third-party server, which informs them of the other's IP and currently open port; that way the port is already mapped to the correct local IP, so the two computers can connect. This is the trick that Skype, among others, is using).
Long story short, NAT is an amazing technology. Very soon the mapping ports issue won't even be a problem when all routers support UPnP and software takes advantage of it. Long story even shorter: you're dead wrong.
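The rendezvous trick described in the post above, as an added toy model that is not the commenter's code and not Skype's protocol: each NAT allocates a public port on the first outbound packet, the rendezvous server reports the public endpoint it saw for each peer, and a peer can then reach the other's already-mapped port, while unsolicited inbound traffic to an unmapped port is dropped. All addresses are constructed documentation addresses and the NAT is simplified to full-cone behaviour.

```python
"""Toy full-cone NAT plus rendezvous server (constructed example)."""

class Nat:
    """First outbound packet from (lan_ip, lan_port) allocates a public port;
    any outside host may then send to that public port (full-cone)."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next = first_port
        self.out = {}   # (lan_ip, lan_port) -> public_port
        self.inn = {}   # public_port -> (lan_ip, lan_port)

    def outbound(self, src):
        """Translate an outbound packet; return the public (ip, port)."""
        if src not in self.out:
            self.out[src] = self._next
            self.inn[self._next] = src
            self._next += 1
        return (self.public_ip, self.out[src])

    def inbound(self, public_port):
        """Return the LAN endpoint a packet to public_port is forwarded to,
        or None when no mapping exists (unsolicited traffic is dropped)."""
        return self.inn.get(public_port)

class Rendezvous:
    """Third-party server: remembers the public endpoint each peer came from."""
    def __init__(self):
        self.seen = {}

    def register(self, name, public_ep):
        self.seen[name] = public_ep

    def lookup(self, name):
        return self.seen.get(name)

def punch(nat_a, ep_a, nat_b, ep_b):
    """Both peers contact the server, learn each other's public endpoint,
    then send directly. Returns True if both directions are delivered."""
    server = Rendezvous()
    server.register("A", nat_a.outbound(ep_a))   # A -> server creates A's mapping
    server.register("B", nat_b.outbound(ep_b))   # B -> server creates B's mapping
    target_for_a = server.lookup("B")            # A learns B's public (ip, port)
    target_for_b = server.lookup("A")            # B learns A's public (ip, port)
    delivered_to_b = nat_b.inbound(target_for_a[1])   # A -> B's mapped port
    delivered_to_a = nat_a.inbound(target_for_b[1])   # B -> A's mapped port
    return delivered_to_a == ep_a and delivered_to_b == ep_b
```

A port-restricted NAT would additionally require that the inbound source match the host the mapping was created for, which is why real implementations send packets toward the peer before expecting replies.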
If companies want to keep data safe, they need to worry more about their employees and less about obscure ways that said employees might be able to smuggle data out of the network. In my job I have access to files that should not leave the office. I know this, therefore I do not remove them from the office. However, I still have full access to everything on a specific database. If I really wanted to, just like any other employee, I could find a way to get the records out without using Skype. There are cases of credit company employees stealing personal info, and they did not need Skype to do it!
Information wants a fueled airplane waiting at the hangar and no one gets hurt.
Excuse me, but I really can't see the problem. In every corporate setup I've ever seen, all employees have a phone sitting on their desk. Almost all these phones are fully connected to the outside world, i.e. lines out are not restricted. It really doesn't matter which phone or communication device is used - secrets will get out regardless if someone is bent on doing so, and Skype isn't anything special in that regard.
Sure monitoring is easier on wired phones but the main concern must be to contain secrets, i.e. prevent the leak. Finding out that it happened and who did it is also interesting but that would help only in damage control and punishment, not in prevention. In these days where cell phones and other wireless devices are everywhere, focus must be on preventing access to the secrets, not preventing communication of the secrets to the outside world - because this last option borders on the almost impossible.
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --