Slashdot Mirror

← Back to Stories (view on slashdot.org)

Skype Addresses Visibility Concerns

Posted by ryuzaki0 on from the slow-on-the-uptake dept.

An anonymous reader writes "TechWorld is reporting that VoIP pioneer Skype has finally decided to buckle down from their startup mentality and address some of the concerns about the 'visibility' of Skype by network admins. From the article: 'Problems started around the time that the version 2.0 beta appeared last year, the moment when a handful of software engineers started to assess a troubling issue thrown up by the program's new and evasive design: it was incredibly hard to detect using perimeter security systems. Skype's unofficial explanation for its extreme stealthiness has always been that this was necessary to avoid telcos threatened by its business model from blocking it. While this presents no issues for a home user, using "invisible" software capable of making and receiving voice calls, opening instant messaging sessions and exchanging files on a corporate networks, caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.'"

11 of 188 comments (clear)

  1. Don't allow it... by locokamil · · Score: 5, Insightful

    The gist of this article seems to be that unless you're doing complete content analysis on incoming packets, you aren't going to be able to detect Skype: it uses (on my system at any rate) port 443 (SSL?) and port 80 (HTTP) as its default ports. Any sysadmin that blocks those ports is going to get some very annoyed phone calls from pissed off users.

    That skype is being devious and sneaky is not the issue here. I think the real issue here is that sysadmins don't have control over the machines they're supposed to be looking after. There are plenty of ways to make sure that Skype doesn't make it onto the corporate network-- don't give unauthorized users permission to install software, blacklist it on the company approved software image, packet analysis... the list goes on. I figure if the sysadmin is not paranoid enough to do these things to begin with, the use of Skype on his/her network probably isn't a major threat. Or the sysadmin is inept. Your call.

  2. Skype isn't a security risk... by cperciva · · Score: 5, Insightful

    ... caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.

    The fact that Skype is designed to be unfirewallable is not a security risk: Any site which wants to block Skype should have a policy prohibiting its use.

    The security risk is users who ignore such policies, and system configurations which allow said users to install and use Skype.

    --
    Tarsnap: Online backups for the truly paranoid
  3. Seems like a matter of framing the debate. by Sheetrock · · Score: 4, Insightful

    Skype isn't creating a security hole. Skype is demonstrating that current firewalling practices are inadequate for blocking a determined entity from making an outgoing connection.

    Perhaps they ought not to do that; I remember similar concerns about SOAP when it was first being proposed (and no doubt many on here still refuse to use it) and it showed that fewer were willing to blame the inadequacy of the protection than they were the people "bypassing" it. Rather, we should take away the lesson that firewalls in and of themselves are not an absolute solution and instead incorporate other methods and practices in developing secure environments.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




  4. Re:Top Level Problems by epiphani · · Score: 5, Insightful

    I'm worried about allowing software on to the network that I can't monitor and disable at will.

    And thats exactly why I dont want skype to change. I dont want the ability for my ISP, or any other provider down the line, to be able to block skype. It is my personal long-distance telephone, and I dont doubt that there are plenty of providers out there that would jump at the opportunity to block it.

    Imagine that you have just spent the last two years actively using an internet service for your telephone - at free or near-free pricing. You wake up one day, and it doesnt work anymore. You call up your internet provider, who also happens to be a telco, and say "my internet-based-replacement for long distance isnt working anymore".

    You can bet what their responce would be.

    --
    .
  5. Rate limiting. by Craig+Davison · · Score: 4, Insightful

    Why not rate-limit outgoing TCP port 443? If Skype needs 100 kbps over a connection to maintain unbroken voice output, limit each connection to 50 kbps. You could also limit it to bursts of traffic - full speed for 0.5 second at a time, then 4.5 seconds at 50 kbps. Real HTTPS (small outgoing requests and large incoming responses) would still be responsive under these conditions.

    --
    Hands in my pocket
  6. Hooray for Sneaky by saihung · · Score: 4, Insightful

    One important reason that Skype should be sneaky is so people using the software under corrupt/abusive regimes can continue to do so without easy interference on the part of the government. In comparison to your intranet's security, the security of dissidents wins.

  7. Skype isn't doing anything wrong here by TorKlingberg · · Score: 4, Insightful

    This is the natural response to to the unnecessary port-blocking that seems to be used everywhere now. Many places block every port except for the few you need for web surfing, so everything runs on port 80. It's sad because it negates the point of ports in the first place.

    In the end, I think sysadmins need to learn that users aren't satisfied with only web surfing.

  8. One man's security hole... by Anonymous Coward · · Score: 4, Insightful

    ...is another's ticket to freedom.

    If Corporate firewalls can't block Skype, neither can China's.

  9. Re:blocking skype is easy by LordLucless · · Score: 4, Insightful

    Have you ever stopped and think that maybe NAT, not the protocol that is the problem? The sooner we get rid of the cludge that NAT is and always was, the better it will be for all net users (hint: IPv6 + stateful firewall => better than NAT cludge)

    Great, but until then, software needs to work in the real world. What do you suggest, Skype just hold off on offering a product until the whole world adopts IPv6 and they can do it nicely? Yes, NAT is a hack, but it's so widespread it has to be dealt with when developing a product. You can't just code to standards and ship it when the real world isn't obeying the standards.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  10. On par with 'Client-side security' by megaditto · · Score: 4, Insightful

    Let me be the first to state the obvious:

    Corporate Security should not rely on well-behaving of fourth-party applications/protocols.

    Sure, go ahead and demand that Skype's protocol be crippled to improve visibility, but the fact remains that if a random O.S.S. proggie can accidentally breach your perimeter, then your P.O.S. security will not stand up to a script-kiddie, let alone a corporate spy.

    --
    Obama likes poor people so much, he wants to make more of them.
  11. Wrong focus by andrewman327 · · Score: 4, Insightful

    If companies want to keep data safe, they need to worry more about their employees and less about obscure ways that said employees might be able to smuggle data out of the network. In my job I have access to files that should not leave the office. I know this, therefore I do not remove them from the office. However, I still have full access to everything on a specific database. If I really wanted to, just like any other employee, I could find a way to get the records out without using Skype. There are cases of credit company employees stealing personal info, and they did not need Skype to do it!

    --
    Information wants a fueled airplane waiting at the hangar and no one gets hurt.