
Skype Addresses Visibility Concerns

Posted by ScuttleMonkey
from the slow-on-the-uptake dept.
An anonymous reader writes "TechWorld is reporting that VoIP pioneer Skype has finally decided to buckle down from their startup mentality and address some of the concerns about the 'visibility' of Skype by network admins. From the article: 'Problems started around the time that the version 2.0 beta appeared last year, the moment when a handful of software engineers started to assess a troubling issue thrown up by the program's new and evasive design: it was incredibly hard to detect using perimeter security systems. Skype's unofficial explanation for its extreme stealthiness has always been that this was necessary to avoid telcos threatened by its business model from blocking it. While this presents no issues for a home user, using "invisible" software capable of making and receiving voice calls, opening instant messaging sessions and exchanging files on corporate networks caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.'"
  • ports (Score:3, Interesting)

    by 56ker (566853) on Wednesday July 05, 2006 @07:25PM (#15663692) Homepage Journal
    Well wouldn't it just be possible to block the ports Skype uses on a corporate network?
    • Re:ports (Score:5, Informative)

      by houseofzeus (836938) on Wednesday July 05, 2006 @07:28PM (#15663702) Homepage
      Because as a last resort I believe it will use 443, so you would have to block SSL as well. That's why packet inspection is required.
      • Re:ports (Score:5, Informative)

        by baadger (764884) on Wednesday July 05, 2006 @07:38PM (#15663747)
        s/SSL/HTTPS/;
      • by megaditto (982598) on Wednesday July 05, 2006 @10:08PM (#15664355)
        Let me be the first to state the obvious:

        Corporate Security should not rely on the good behaviour of fourth-party applications/protocols.

        Sure, go ahead and demand that Skype's protocol be crippled to improve visibility, but the fact remains that if a random O.S.S. proggie can accidentally breach your perimeter, then your P.O.S. security will not stand up to a script-kiddie, let alone a corporate spy.
      • In a year or two, any reasonably priced firewall will do sufficient packet inspection to identify and (block/allow) Skype. It's not that hard.

        Of course, corporate IT departments still using 1999 technology will still have 1999 problems, and Skype won't be high on the list.
    • Re:ports (Score:5, Informative)

      by Oriumpor (446718) on Wednesday July 05, 2006 @07:29PM (#15663705) Homepage Journal
      Skype started using the default option "Use port 443 and port 80 for incoming connections". Unless you do layer 7 (basically content based) filtering of those packets, you can't tell them from regular web traffic.
    • Re:ports (Score:5, Informative)

      by ThinkingInBinary (899485) <thinkinginbinary.gmail@com> on Wednesday July 05, 2006 @07:30PM (#15663708) Homepage

      No. The whole point of the article is that Skype purposefully intends to be invisible and sneaky. The reason is that it makes it easier to run Skype on firewalled and/or NATted networks, either at home or at work. Many home users have convoluted NAT setups, and most don't have the expertise (or reason) to poke holes in the firewall. Skype likes to advertise that it offers Internet phone service that "just works", so they need to make it work on every network. That may mean using random ports, using ports intended for other protocols, tunneling to remote servers or through peers, or other things that can be interpreted as resourceful or sneaky, depending on your point of view.

      • Re:ports (Score:3, Interesting)

        by DigiShaman (671371)
        Which is why I use Skype to talk to my girlfriend located in China. The connection is encrypted for both voice and file transfer. Can't trust what's being filtered through the "Great Firewall of China" you know...
        • Exactly the same here. Do you also usually have frequent dropouts and/or hangups and often quite some lag? I never used skype except to China, and don't know how reliable it is expected to work, and what the expected quality is.
          I think we have to redial at least 5 times per hour because the connection simply dropped or we can't hear the other person anymore. We both use the Linux version on Ubuntu btw.
          • I call Korea from Europe, and the connection drops only very occasionally. Quality is good, provided you give it enough bandwidth to work with (turn down those torrents).
          • Lately, we haven't had any problems with dropouts for a few months now. I'm not sure exactly what the problem was, but I suspected packet loss between our connection. In fact, I suspect it was her ISP and/or cable modem connection to the ISP. She's always complaining of a slow connection and other issues when using her internet connection for other reasons.

            Currently, we're both using the latest version of Skype (v2.5) for WinXP. Maybe this new version contains extra "stealth" to get past all the layers of f
  • by Billly Gates (198444) on Wednesday July 05, 2006 @07:30PM (#15663709) Journal
    After all the telcos have a vested interest to mod all VOIP calls to force you to get cell phones. Unless you pay them an extra fee of course.

    Not to sound trollish but I would have sold stock immediately after the bill became law in the senate.
  • Its ok! (Score:4, Funny)

    by vancondo (986849) on Wednesday July 05, 2006 @07:32PM (#15663722) Homepage
    No Problem! They promise to DO NO EVIL!

    ..Oh, that's not them?

    well, maybe if we asked them nicely?

  • by Anonymous Coward on Wednesday July 05, 2006 @07:36PM (#15663744)
    Skype has done a pretty good job of creating a protocol that works in almost all situations, unlike SIP or many other VOIP technologies. You don't have to worry about NAT full-cone, restricted-cone, port-restricted cone, STUN, or any other crap in a badly designed protocol.

    However, if you want to block skype, it is very easy. Have a look at reports [grok.org.uk] using openbsd & squid.

    Or do a quick search with google.
    • by gnuman99 (746007) on Wednesday July 05, 2006 @08:14PM (#15663878)

      You don't have to worry about NAT full-cone, restricted-cone, port-restricted cone, STUN, or any other crap in a badly designed protocol.

      Have you ever stopped to think that maybe NAT, not the protocol, is the problem? The sooner we get rid of the kludge that NAT is and always was, the better it will be for all net users (hint: IPv6 + stateful firewall => better than NAT kludge)

      • by LordLucless (582312) on Wednesday July 05, 2006 @10:01PM (#15664326)
        Have you ever stopped to think that maybe NAT, not the protocol, is the problem? The sooner we get rid of the kludge that NAT is and always was, the better it will be for all net users (hint: IPv6 + stateful firewall => better than NAT kludge)

        Great, but until then, software needs to work in the real world. What do you suggest, Skype just hold off on offering a product until the whole world adopts IPv6 and they can do it nicely? Yes, NAT is a hack, but it's so widespread it has to be dealt with when developing a product. You can't just code to standards and ship it when the real world isn't obeying the standards.
        • NAT is a wonderful technology. First of all it really solves the issue with IP-addresses running low beautifully (and saying "well, IPv6 would work even better!" is a lousy argument; it will take an enormous amount of time before IPv6 is fully implemented, probably at least a decade). Actually, since the widespread adoption of NAT routers, it isn't even really a problem anymore!

        Secondly, it's the most important thing ever to happen to internet security. Bar none. Due to how the NAT protocol works (by mappin

        • NAT is a wonderful technology.

          You're crazy, right?

          First of all it really solves the issue with IP-addresses running low beautifully

          Not really - it temporarily works around the problem and causes an enormous mess at the same time by breaking the peer-to-peer nature of the Internet. To some extent it's prolonged the problem because it has reduced the pressure to take decisive action and switch to IPv6.

          it will take an enormous amount of time before IPv6 is fully implemented

          I'm not sure what you mean by "ful
    • Nifty trick, that. Problem is, like the Great Firewall of China, it has the potential of collateral damage. That guy in the linked article was just lucky that nobody needed anything more than DNS mediated web surfing. It's a hack, and naught else.
  • Don't allow it... (Score:5, Insightful)

    by locokamil (850008) on Wednesday July 05, 2006 @07:39PM (#15663754) Homepage
    The gist of this article seems to be that unless you're doing complete content analysis on incoming packets, you aren't going to be able to detect Skype: it uses (on my system at any rate) port 443 (SSL?) and port 80 (HTTP) as its default ports. Any sysadmin that blocks those ports is going to get some very annoyed phone calls from pissed off users.

    That Skype is being devious and sneaky is not the issue here. I think the real issue here is that sysadmins don't have control over the machines they're supposed to be looking after. There are plenty of ways to make sure that Skype doesn't make it onto the corporate network: don't give unauthorized users permission to install software, blacklist it on the company approved software image, packet analysis... the list goes on. I figure if the sysadmin is not paranoid enough to do these things to begin with, the use of Skype on his/her network probably isn't a major threat. Or the sysadmin is inept. Your call.

    • by dj245 (732906) on Wednesday July 05, 2006 @08:55PM (#15664046) Homepage
      I may have a personal gripe here, but the network admin at my university has a thing for any program except web browsers. Huge tracts of ports are simply blocked off because people set their IRC programs to use those ports. All the popular ports of the Bittorrent programs, every obscure port that some worm uses (he even blocked 443/SSL when he heard a worm used it, but mass complaining removed the block).

      It is good that Skype uses common ports that can't be blocked without huge repercussions or fancy expensive packet inspectors. There are bastards out there who would be happy if all their users only used cloned-on-reboot machines with only a web browser. The internet is more than a big blue E (or a big red O).
    • it uses (on my system at any rate) port 443 (SSL?) and port 80 (HTTP) as its default ports. Any sysadmin that blocks those ports is going to get some very annoyed phone calls from pissed off users.

      I'm currently sitting behind a university proxy where the only open ports are 1080, 8080 and the LimeWire ports. Go Figure.
  • by cperciva (102828) on Wednesday July 05, 2006 @07:40PM (#15663762) Homepage
    ... caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.

    The fact that Skype is designed to be unfirewallable is not a security risk: Any site which wants to block Skype should have a policy prohibiting its use.

    The security risk is users who ignore such policies, and system configurations which allow said users to install and use Skype.
  • Top Level Problems (Score:5, Interesting)

    by nbannerman (974715) on Wednesday July 05, 2006 @07:44PM (#15663778)
    I have a very simple policy; if a user wants something on a machine that is outside the core software I support, they have to get my permission.

    This policy lasted all of 5 minutes during a meeting with the Senior Leadership Team, who completely ignored what I said and told me, in no uncertain terms, that Skype was going on their laptops.

    Personally, whilst I understand that Skype want to be sneaky by design, I'm worried about allowing software on to the network that I can't monitor and disable at will. And as the discussion here has already mentioned, disabling 80 really is not an option.
    • by epiphani (254981) <epiphani@ d a l . net> on Wednesday July 05, 2006 @08:01PM (#15663833)
      I'm worried about allowing software on to the network that I can't monitor and disable at will.

      And that's exactly why I don't want Skype to change. I don't want the ability for my ISP, or any other provider down the line, to be able to block Skype. It is my personal long-distance telephone, and I don't doubt that there are plenty of providers out there that would jump at the opportunity to block it.

      Imagine that you have just spent the last two years actively using an internet service for your telephone - at free or near-free pricing. You wake up one day, and it doesn't work anymore. You call up your internet provider, who also happens to be a telco, and say "my internet-based replacement for long distance isn't working anymore".

      You can bet what their response would be.
      • by nbannerman (974715)
        Good point. Of course, if I used Skype, then I'd probably have a different viewpoint.

        But there is a definite difference between allowing an application on a personal machine / network, and a corporate (or in my case academic) network. In the personal case, you can install what you like and you want your ISP to allow whatever you deem fit. In my case, I want to block certain software, and my ISP (in this case, my local education authority) to allow anything I deem fit.
        • This problem wouldn't have existed if people like you didn't block everything you don't know. I'm on a uni dorm network right now. Whoever set it up must have taken the safe route and blocked everything except port 80, 22 and whatever. Skype works great. ICQ and MSN work too, but not as stable.

          Please understand that the internet is not only for grandmas web surfing.
          • Please understand that the internet is not only for grandmas web surfing.
            The internet is for whatever your TOS say it is for. If your ISP (or uni) provides you with internet service with explicit instructions not to run certain services, you are not authorized to run those services. If you wish to run those services, pay for the extra bandwidth that you will be using. Their enforcement capabilities have been notoriously bad, but that doesn't make leeching proper.
        • But there is a definite difference between allowing an application on a personal machine / network, and a corporate (or in my case academic) network.

          I always find corporate networks overblock to the detriment of their users. Need to run SSH to get an information packet from a remote computer? Sorry, only Admins can SSH. Need to FTP files from your home server where you were doing some work over the weekend? Sorry, no ftp. Need to use AOL instant messenger to harvest viruses? Of course AOL is OK, the pre
      • Depends on your admin, I guess... mine investigated an issue of consistently stuttering performance in Skype and it went away within a few days (packet analysis traffic shaping?). My torrents on the other hand...
    • ", whilst I understand that Skype want to be sneaky by design"

      I don't think that skype wants to be sneaky by design so much as they want to work by design. Skype works on any connection, on any network on any machine.
    • Send them a document that says that the presence of unauthorized, uncontrolled software on the network may be putting the entire enterprise at risk, and that they need to sign off on it and absolve you from any blame when the network and all the organization's data is gone. Request they give you a paper copy, with a post-it to explain there won't be any electronic copies of anything after the electronic apocalypse. Be sure and sign your note, "have a nice day". Seriously. You can never be paranoid enough. Wh
    • Having spent most of my career as an IS/IT guy, with the last 12 or so as an IT security guy for a large company, I can certainly sympathize with the "if I don't support it, you can't run it" attitude.

      But in a company full of knowledge workers, I can't see how to make this actually workable. I don't see how a person, or group of people, could possibly evaluate every piece of software that some hardware/software/whatever developer wants to run on their
  • Eh... (Score:3, Informative)

    by realmolo (574068) on Wednesday July 05, 2006 @07:50PM (#15663797)
    If you run a corporate network and DO NOT have a firewall that does "full content inspection", then you aren't doing your job very well. Or your boss is cheap AND stupid.

    Buy a Fortigate (or Packeteer, or whatever, but Fortigates are good and cheap) and configure the BUILT-IN filter for Skype traffic. Problem solved.

  • by Sheetrock (152993) on Wednesday July 05, 2006 @07:51PM (#15663801) Homepage Journal

    Skype isn't creating a security hole. Skype is demonstrating that current firewalling practices are inadequate for blocking a determined entity from making an outgoing connection.

    Perhaps they ought not to do that; I remember similar concerns about SOAP when it was first being proposed (and no doubt many on here still refuse to use it) and it showed that fewer were willing to blame the inadequacy of the protection than they were the people "bypassing" it. Rather, we should take away the lesson that firewalls in and of themselves are not an absolute solution and instead incorporate other methods and practices in developing secure environments.

  • by Kaenneth (82978) on Wednesday July 05, 2006 @07:56PM (#15663817) Homepage Journal
    It's extra security for everyone when everyone uses encryption, someone sniffing the network wouldn't be able to tell a critical e-mail from a snippet of voice... Not being able to identify the data is the real reason 'Net Neutrality' is assured.

    Since it's a good thing that the data can't be identified (in some ways) how about having your users, in a business setting, not run as Administrator on the desktop machines? Just disallow the installation of IP telephony applications, not as a policy, but as an account restriction.

    Better yet, do it before the next worm ravages your network.
  • Traffic shaping (Score:3, Interesting)

    by Zygfryd (856098) on Wednesday July 05, 2006 @08:08PM (#15663864)
    As the admin of a small ISP's Linux routers I'd welcome very much the ability to classify Skype traffic. We do aggressive traffic shaping to let VoIP and games work nicely when the links are saturated with other traffic (mostly P2P garbage). The current l7-filter protocol definition doesn't work for skypeout traffic and it's not very pretty in general. When Skype decides to offer a conntrack helper or at least l7-filter definitions for their convoluted encrypted protocols I might consider suggesting it to our clients. At the moment we advise them to use other VoIP solutions.
    • We do aggressive traffic shaping to let VoIP and games work nicely when the links are saturated with other traffic (mostly P2P garbage).

      Why do you hate network neutrality?

      Who made you in charge of deciding that a P2P connection is garbage and a gaming connection is not?

  • by AK Marc (707885) on Wednesday July 05, 2006 @08:21PM (#15663905)
    The most effective firewalling technique I've seen was a proxy set up as an internal host, the firewall blocking all traffic other than the firewall or other explicitly approved hosts. Then log all attempts through the firewall and audit those machines. No outbound packets would be sent except from approved hosts, everything proxied and logged, all failures and direct connections logged, and nothing allowed in except to the approved hosts. Simple, effective, and pissed off everyone that wanted to run anything they shouldn't.
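The design in this post (everything through an internal proxy, all other outbound attempts blocked and logged, then audit the machines that tried) needs something to read those logs. This is an added example, not the poster's setup: it parses netfilter-style LOG lines with an assumed "EGRESS-DENY:" prefix, assumes the proxy sits at 10.0.0.10, and ranks internal hosts by how many direct destinations they tried, so a machine spraying connections to many hosts on 80/443 (the fallback ports discussed earlier in the thread) surfaces first.

```python
"""Audit denied-egress log lines from a proxy-only network design.

Constructed example.  Assumptions: the firewall rule that drops direct
outbound traffic logs it with --log-prefix "EGRESS-DENY: " (netfilter LOG
target format), the approved internal proxy is 10.0.0.10, and the sample
log below is made up for the demonstration.
"""
import re
from collections import defaultdict

APPROVED_EGRESS = {"10.0.0.10"}   # hosts allowed to talk out directly (the proxy)
DENY_PREFIX = "EGRESS-DENY:"

# Fields of a netfilter LOG line that the audit needs; everything else is skipped.
LOG_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample log: one host fanning out on 80/443, one host retrying a
# single SSH target, one allow line from the proxy, one unrelated sshd line.
SAMPLE_LOG = """\
Jul  5 19:31:02 fw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 LEN=60 TTL=63 DF PROTO=TCP SPT=51234 DPT=443 SYN
Jul  5 19:31:02 fw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 LEN=60 TTL=63 DF PROTO=TCP SPT=51235 DPT=443 SYN
Jul  5 19:31:03 fw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.40 LEN=60 TTL=63 DF PROTO=TCP SPT=51236 DPT=80 SYN
Jul  5 19:31:03 fw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 LEN=60 TTL=63 DF PROTO=TCP SPT=51237 DPT=443 SYN
Jul  5 19:31:05 fw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=192.0.2.77 LEN=60 TTL=63 DF PROTO=TCP SPT=51238 DPT=443 SYN
Jul  5 19:31:09 fw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=192.0.2.78 LEN=60 TTL=63 DF PROTO=TCP SPT=51239 DPT=80 SYN
Jul  5 19:32:10 fw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=192.0.2.5 LEN=60 TTL=63 DF PROTO=TCP SPT=40001 DPT=22 SYN
Jul  5 19:32:15 fw kernel: EGRESS-DENY: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=192.0.2.5 LEN=60 TTL=63 DF PROTO=TCP SPT=40002 DPT=22 SYN
Jul  5 19:32:20 fw kernel: EGRESS-ALLOW: IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=198.51.100.7 LEN=60 TTL=63 DF PROTO=TCP SPT=33000 DPT=443 SYN
Jul  5 19:32:21 fw sshd[812]: Accepted publickey for admin from 10.0.5.2 port 50022 ssh2
"""


def parse(line):
    """Return the fields of one LOG line, or None for lines that are not LOG lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def audit(lines, approved=APPROVED_EGRESS, prefix=DENY_PREFIX, spray_threshold=3):
    """Group denied direct-egress attempts by internal host and rank them for review."""
    per_host = defaultdict(lambda: {"attempts": 0, "dsts": set(), "dports": set()})
    for line in lines:
        ev = parse(line)
        if not ev or ev["prefix"] != prefix or ev["src"] in approved:
            continue          # not a deny line, or an approved host (a rule bug, not a user)
        h = per_host[ev["src"]]
        h["attempts"] += 1
        h["dsts"].add(ev["dst"])
        if ev["dpt"]:
            h["dports"].add(int(ev["dpt"]))
    findings = []
    for src, h in per_host.items():
        web_ports_only = bool(h["dports"]) and h["dports"] <= {80, 443}
        if web_ports_only and len(h["dsts"]) >= spray_threshold:
            note = "many direct 80/443 destinations: an application bypassing the proxy"
        elif len(h["dsts"]) == 1:
            note = "repeated direct connections to a single host"
        else:
            note = "direct egress attempts"
        findings.append({"host": src, "attempts": h["attempts"],
                         "destinations": len(h["dsts"]),
                         "ports": sorted(h["dports"]), "note": note})
    # Most destinations first: fanning out is the pattern worth a visit to the machine.
    findings.sort(key=lambda f: (f["destinations"], f["attempts"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f['host']:12s} {f['attempts']:3d} attempts to {f['destinations']} hosts "
              f"on ports {f['ports']}: {f['note']}")
```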
  • Rate limiting. (Score:5, Insightful)

    by Craig Davison (37723) on Wednesday July 05, 2006 @08:29PM (#15663929)
    Why not rate-limit outgoing TCP port 443? If Skype needs 100 kbps over a connection to maintain unbroken voice output, limit each connection to 50 kbps. You could also limit it to bursts of traffic - full speed for 0.5 second at a time, then 4.5 seconds at 50 kbps. Real HTTPS (small outgoing requests and large incoming responses) would still be responsive under these conditions.

    • Somehow I doubt users will agree to let that happen. HTTPS is used by more and more sites and I don't think anyone would want their https web sites restricted to modem speeds.
    • Re:Rate limiting. (Score:4, Interesting)

      by petermgreen (876956) <plugwash@@@p10link...net> on Wednesday July 05, 2006 @09:16PM (#15664149) Homepage
      You're going to have to go a lot lower than that to kill Skype; standard PSTN voice channels use 64 kbps, GSM uses 14.4 kbps, and I bet some modern codecs can go even lower. It may still be feasible though.

      It would also hurt file uploads and downloads over HTTPS (e.g. HTTPS-based webmail apps). Of course you may view that as a good thing, and could possibly avoid it by only limiting connections that had both significant upload and download (but then you're increasing the complexity again).
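The rate-limiting proposal above and the codec-rate caveat in the reply can be checked with a small simulation. This is an added example, not code from either poster: a per-connection token bucket models the "full speed for 0.5 s, then 50 kbps" limiter (the 1 Mbps line rate and the drop-based policer behaviour are assumptions), applied to constant-bitrate voice at 100, 64 and 14.4 kbps and to two HTTPS traffic patterns.

```python
"""Simulate the 'rate-limit outgoing TCP 443' idea from the thread.

A per-connection token bucket admits a burst at full line speed and then
only the sustained rate; packets that find the bucket empty are dropped
(a policer, the harshest case: a shaper would queue instead and TCP would
back off to roughly the sustained rate).  Everything here is a constructed
model, not a measurement of Skype or of any firewall product.
"""
from dataclasses import dataclass, field

DT = 0.02                  # simulation step: one 20 ms voice packet per step
LINE_RATE_BPS = 1_000_000  # assumed 'full speed' of the uplink


@dataclass
class TokenBucket:
    rate_bps: float     # sustained rate, e.g. the proposed 50 kbps
    burst_bits: float   # how much may go at full speed before limiting kicks in
    tokens: float = field(init=False)

    def __post_init__(self):
        self.tokens = self.burst_bits  # bucket starts full

    def admit(self, bits):
        """Refill for one step, then admit the packet only if tokens cover it."""
        self.tokens = min(self.burst_bits, self.tokens + self.rate_bps * DT)
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def proposed_policer():
    """'Full speed for 0.5 second at a time, then ... 50 kbps' as a token bucket."""
    return TokenBucket(rate_bps=50_000, burst_bits=LINE_RATE_BPS * 0.5)


def cbr(rate_bps):
    """Constant-bitrate flow: one packet of rate*DT bits every step (voice codec)."""
    return lambda step: rate_bps * DT


def periodic_request(bits, period_s):
    """Small request every period_s, idle in between (interactive HTTPS browsing)."""
    every = round(period_s / DT)
    return lambda step: bits if step % every == 0 else 0


def simulate(flow, bucket, duration_s=60.0, tail_s=10.0):
    """Fraction of offered bits delivered, overall and in the final tail_s
    (the steady state once the initial burst allowance has been used up)."""
    steps = round(duration_s / DT)
    tail_from = steps - round(tail_s / DT)
    offered = delivered = tail_offered = tail_delivered = 0.0
    for step in range(steps):
        bits = flow(step)
        ok = bucket.admit(bits)   # admit(0) on idle steps still refills the bucket
        offered += bits
        delivered += bits if ok else 0
        if step >= tail_from:
            tail_offered += bits
            tail_delivered += bits if ok else 0
    return {"overall": delivered / offered,
            "steady_state": tail_delivered / tail_offered if tail_offered else 1.0}


SCENARIOS = {
    "voice 100 kbps": cbr(100_000),
    "voice 64 kbps (PSTN)": cbr(64_000),
    "voice 14.4 kbps (GSM)": cbr(14_400),
    "HTTPS browsing, 4 KB request / 2 s": periodic_request(4096 * 8, 2.0),
    "HTTPS upload at line rate": cbr(LINE_RATE_BPS),
}


def run_all():
    """Run every scenario through a fresh instance of the proposed policer."""
    return {name: simulate(flow, proposed_policer()) for name, flow in SCENARIOS.items()}


if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name:36s} delivered {r['overall']:6.1%} overall, "
              f"{r['steady_state']:6.1%} once the burst allowance is gone")
```

The 100 kbps call is halved once the burst allowance runs out, the 64 kbps call loses about a fifth of its packets, GSM-rate voice is untouched, and so is interactive browsing, while a bulk HTTPS upload is throttled hard, which is exactly the trade-off the reply points at.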
  • Hooray for Sneaky (Score:5, Insightful)

    by saihung (19097) on Wednesday July 05, 2006 @08:32PM (#15663945)
    One important reason that Skype should be sneaky is so people using the software under corrupt/abusive regimes can continue to do so without easy interference on the part of the government. In comparison to your intranet's security, the security of dissidents wins.
    • Anyone relying on the sneakiness of skype is in for a world of hurt. Skype traffic may be hard to detect automatically, but it is almost trivial to detect with a little human analysis.
  • by TorKlingberg (599697) on Wednesday July 05, 2006 @08:50PM (#15664031)
    This is the natural response to the unnecessary port-blocking that seems to be used everywhere now. Many places block every port except for the few you need for web surfing, so everything runs on port 80. It's sad because it negates the point of ports in the first place.

    In the end, I think sysadmins need to learn that users aren't satisfied with only web surfing.
    • by DoninIN (115418) <don.middendorf@gmail.com> on Wednesday July 05, 2006 @10:26PM (#15664425) Homepage
      Well... In what context? If the users on my corporate network aren't "satisfied" with just web surfing.. Is this some kind of problem? I mean hey, don't let me get in the way of their voice chatting, game playing IMing and P2P file sharing, 'cause hey we're just paying them to hang around the office for a few hours a day, not for actually accomplishing anything. Now in other contexts you may be correct, but for the most part I'm suspicious of my corporate users even using the web, much less anything else to connect to the internet, they need e-mail to do their jobs. Some of them need the web sometimes. We have a rather nice phone system. So why would they need skype?
      • Maybe the only reason they need Skype (or any other "frivolous" application) is to ward off the depression that set in years ago that they were working for a company that would hire someone as short-sighted about humans as you to run their network?

        No, seriously... treat your end-users like humans, not slaves. You have such a huge "us" vs "them" mentality going already, you're probably too far gone to realize that you're overhead.

        If all your users REALLY need is e-mail and web browsers, I'm sure there's an
      • Each person's immediate manager should be responsible for his productivity. The IT staff should not be the productivity police.
    • At Tech-Ed last year I went to a security session by Jesper Johansson - he's Microsoft's senior security strategy guy. He's very smart and an excellent presenter. Anyway, he called HTTP "UFTP".
      After everyone wondered what he was talking about, he explained - Universal Firewall Transversal Protocol
  • by Anonymous Coward on Wednesday July 05, 2006 @08:50PM (#15664032)
    ...is another's ticket to freedom.

    If Corporate firewalls can't block Skype, neither can China's.
  • But hey, it makes me like using it all the more. I regularly used encrypted IM clients, or SSH tunnels to use instant messaging, now I'm extra stealthy and I didn't even know!
  • I wish someone would make a peer-to-peer file sharing program that is just as hard to block.
    • It's a bit harder than that. Whilst you could probably make a P2P program appear like Skype does protocol-wise, analysis of the traffic patterns of a Skype conference looks very much like normal activity, whereas a P2P program connects to many different hosts and generally hogs bandwidth and is therefore easier to spot.
  • after all the wiretaps, phone bugs, analyzing phone records and whatever else the NSA has gone through, they find out the terrorists are using Skype to communicate?
  • Newsflash! (Score:3, Funny)

    by Progman3K (515744) on Wednesday July 05, 2006 @10:51PM (#15664535)
    Companies are afraid of what their employees might say over a phone, what they might put in an envelope or carry out of the building.
    • Companies are afraid of what their employees might say over a phone, ...

      But I wonder: Of these companies that are trying to block Skype for security reasons, how many are also blocking outside phone calls? I've never seen a company do that.

      I suspect that it's the old "There's a computer involved; we must throw out everything we know and relearn everything from scratch." I hope nobody tells them that their cell phones contain a computer. If they find out, they'll have to block cell phone access, too.
  • Wrong focus (Score:5, Insightful)

    by andrewman327 (635952) on Thursday July 06, 2006 @01:12AM (#15665066) Homepage Journal
    If companies want to keep data safe, they need to worry more about their employees and less about obscure ways that said employees might be able to smuggle data out of the network. In my job I have access to files that should not leave the office. I know this, therefore I do not remove them from the office. However, I still have full access to everything on a specific database. If I really wanted to, just like any other employee, I could find a way to get the records out without using Skype. There are cases of credit company employees stealing personal info, and they did not need Skype to do it!
  • I see many people saying that it is a good thing that it can not be blocked. Understand that you can also send files by skype.
    So all I have to do is write a virus that uses skype to send a package with skype.

    The other person gets the program with Skype. If you use something like LISA, you could even let it talk to the other person.

    Filtering solution [grok.org.uk]

  • Non-problem? (Score:2, Insightful)

    by xenobyte (446878)
    Excuse me, but I really can't see the problem. In every corporate setup I've ever seen all employees have a phone sitting on their desk. Almost all these phones are fully connected to the outside world, i.e. lines out are not restricted. It really doesn't matter which phone or communication device that are used - secrets will get out regardless if someone is bent on doing so, and Skype isn't anything special in that regard.

    Sure monitoring is easier on wired phones but the main concern must be to contain sec
  • by sentientbrendan (316150) on Thursday July 06, 2006 @04:22AM (#15665568)
    to allow your peer to peer software to be blocked.

    Really, I don't understand why more companies offering peer to peer software haven't made their traffic use common ports and do NAT piercing. I'm sure this will be a trend in the future.

    The fact is that the current model of blocking all traffic until it is commonly used enough that it has to be let through causes some serious problems for users and businesses marketing networked software. If administrators must allow ranges of ports before software can be used, then it makes it difficult to bring software to market. Users are often prevented from using new software that administrators are unaware of.

    Additionally, although blocking all incoming ports has obvious security benefits, blocking all outgoing ports except well known ports is pretty iffy. It's not like there aren't plenty of security vulnerabilities in client applications running on port 80... There's nothing about forcing users to keep all their traffic on port 80 that stops them from using an outdated version of internet explorer. Obviously if you think you can force someone to use a recent version of some browser or another and no other, you are locking down their boxes entirely, and blocking off peer to peer traffic etc. is a non-issue.

    Making it easy to rate limit certain kinds of traffic is an obvious reason for having traffic on separate ports, but frankly I see no real benefit in rate limiting specific kinds of traffic over simply rate-limiting each IP address on the network.

    Some network admins seem to think they can derive what software is critical for someone to use a priori. It may be the case that on some networks http is the only critical software used, but it is my impression that admins seem to assume that this is every network, when the reality is that most schools, workplaces, and public facilities have users who will need to access something like CVS, ftp, skype, aim on the spur of the moment, and their network will utterly fail them because their admins either didn't anticipate the need, or decided that it wasn't a "legitimate" use of the network (as if they could tell ahead of the time what purpose some protocol was going to be used for).
