Skype Addresses Visibility Concerns
An anonymous reader writes "TechWorld is reporting that VoIP pioneer Skype has finally decided to buckle down from their startup mentality and address some of the concerns about the 'visibility' of Skype by network admins. From the article: 'Problems started around the time that the version 2.0 beta appeared last year, the moment when a handful of software engineers started to assess a troubling issue thrown up by the program's new and evasive design: it was incredibly hard to detect using perimeter security systems. Skype's unofficial explanation for its extreme stealthiness has always been that this was necessary to avoid telcos threatened by its business model from blocking it. While this presents no issues for a home user, using "invisible" software capable of making and receiving voice calls, opening instant messaging sessions and exchanging files on a corporate network caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.'"
ports (Score:3, Interesting)
Re:ports (Score:5, Informative)
Re:ports (Score:5, Informative)
Re:ports (Score:2, Funny)
On par with 'Client-side security' (Score:4, Insightful)
Corporate security should not rely on the good behaviour of fourth-party applications/protocols.
Sure, go ahead and demand that Skype's protocol be crippled to improve visibility, but the fact remains that if a random O.S.S. proggie can accidentally breach your perimeter, then your P.O.S. security will not stand up to a script-kiddie, let alone a corporate spy.
Re:ports (Score:2)
Of course, corporate IT departments still using 1999 technology will still have 1999 problems, and Skype won't be high on the list.
Re:ports (Score:5, Informative)
Re:ports (Score:4, Interesting)
Unless Skype does a basic SSL negotiation too
Re:ports (Score:5, Informative)
Re:ports (Score:2)
Re:ports (Score:3, Insightful)
Re:ports (Score:2)
Re:ports (Score:2)
Re:ports (Score:2, Informative)
We just tell the filter which traffic to allow, and which to prevent (based on our Corporate security policy).
Re:ports (Score:2)
PARENT IS TALKING OUT OF HIS ASS (Score:2)
Re:ports (Score:3, Interesting)
I have a post below that references a PDF from Black Hat Europe 2006 called "Silver Needle in the Skype". The authors hacked Skype (the PDF explains how they did it) and exploited a buffer overrun to make it execute their own code. They gave a demonstration where they had a Python script craft a packet that caused a Skype client to launch the MS calculator. Obviously this was a trivial exercise, but it was done to prove a point.
By crafting some simple UDP packets, they were also able to get Skype clients
Re:ports (Score:2)
Re:ports (Score:4, Interesting)
Re:ports (Score:2)
Re:ports (Score:5, Informative)
No. The whole point of the article is that Skype purposefully intends to be invisible and sneaky. The reason is that it makes it easier to run Skype on firewalled and/or NATted networks, either at home or at work. Many home users have convoluted NAT setups, and most don't have the expertise (or reason) to poke holes in the firewall. Skype likes to advertise that it offers Internet phone service that "just works", so they need to make it work on every network. That may mean using random ports, using ports intended for other protocols, tunneling to remote servers or through peers, or other things that can be interpreted as resourceful or sneaky, depending on your point of view.
Re: (Score:3, Interesting)
Re:ports (Score:2)
I think we have to redial at least 5 times per hour because the connection simply dropped or we can't hear the other person anymore. We both use the Linux version on Ubuntu btw.
Re:ports (Score:2)
Re: (Score:2)
Will skype even work after net neutrality ends? (Score:3, Insightful)
Not to sound trollish but I would have sold stock immediately after the bill became law in the senate.
Re:Will skype even work after net neutrality ends? (Score:2)
Methinks you need a refresher course in How Our Legislature Works [wikipedia.org].
Re:Will skype even work after net neutrality ends? (Score:2)
Re:Will skype even work after net neutrality ends? (Score:2)
Being outside US jurisdiction stops Skype, Inc. (or whatever its legal embodiment is called) from being sued or otherwise attacked directly, but that doesn't mean that they can just blithely ignore whatever goes on in one of the world's largest markets.
The demise of network neutrality -- if it happens,
Its ok! (Score:4, Funny)
well, maybe if we asked them nicely?
Re:Its ok! (Score:2)
http://investor.google.com/conduct.html [google.com]
Re:Its ok! (Score:2)
Not that I'm a real fan of Skype (I work for a VoIP company, so they're a competitor).
blocking skype is easy (Score:5, Informative)
However, if you want to block skype, it is very easy. Have a look at reports [grok.org.uk] using openbsd & squid.
Or do a quick search with google.
Re:blocking skype is easy (Score:4, Insightful)
You don't have to worry about NAT full-cone, restricted-cone, port-restricted cone, STUN, or any other crap in a badly designed protocol.
Have you ever stopped to think that maybe NAT, not the protocol, is the problem? The sooner we get rid of the kludge that NAT is and always was, the better it will be for all net users (hint: IPv6 + stateful firewall => better than the NAT kludge).
Re:blocking skype is easy (Score:5, Insightful)
Great, but until then, software needs to work in the real world. What do you suggest, Skype just hold off on offering a product until the whole world adopts IPv6 and they can do it nicely? Yes, NAT is a hack, but it's so widespread it has to be dealt with when developing a product. You can't just code to standards and ship it when the real world isn't obeying the standards.
Re:blocking skype is easy (Score:3, Insightful)
NAT is a wonderful technology. First of all it really solves the issue with IP addresses running low beautifully (and saying "well, IPv6 would work even better!" is a lousy argument; it will take an enormous amount of time before IPv6 is fully implemented, probably at least a decade). Actually, since the widespread adoption of NAT routers, it isn't even really a problem anymore!
Secondly, it's the most important thing ever to happen to internet security. Bar none. Due to how the NAT protocol works (by mappin
Re:blocking skype is easy (Score:2)
You're crazy, right?
First of all it really solves the issue with IP-addresses running low beautifully
Not really - it temporarily works around the problem and causes an enormous mess at the same time by breaking the peer-to-peer nature of the Internet. To some extent it's prolonged the problem because it has reduced the pressure to take decisive action and switch to IPv6.
it will take an enormous amount of time before IPv6 is fully implemented
I'm not sure what you mean by "ful
Re:blocking skype is easy (Score:2)
I do agree that it is a hack, but it's an awesome hack at that. And while it is true that in the super-strictest theoretical sense it counters TCP/IP philosophy, I'd rather have a technology that solves the IP problem without any pains and which provides mind-numbingly good security for people who don't even know what a firewall is.
And by the way, what point did the grand-parent (now grand-grand-parent) make? I couldn't see any except him saying "NAT suXXZor d00d!"
Re:blocking skype is easy (Score:2, Interesting)
1. IPv6 is coming along plenty well, thank you.
Are you high? When was the last time you were assigned an IPv6 address by your ISP? When was the last time ANYONE was assigned an IPv6 address? When was the last time you connected with an IPv6 address on the internet?
2. Yes, NAT sort of works like a cheap hardware firewall. So does a cheap hardware (or free software) firewall.
True, but that is just one of the many benefits of a NAT router. So you don't need a hardware firewall. A free software firewall
Re:blocking skype is easy (Score:2)
This is a very academic argument with virtually no practical relevance. First off, if you haven't specifically asked for it (that is, set up a server on your computer or requested the traffic by, say, going to a webpage), then no, you shouldn't be able to reach me.
Actually, no it's not. It's a very practical argument. One of the features touted by Skype when it was
NAT is not the problem nor a security solution (Score:2)
A stateful firewall watches for TCP handshakes, UDP packets and other such things and records them in a connection-tracking table. It can then make use of this table to make decisions about whether to forward packets. The most common configuration is not to forward packets that are not for an established connection. You can also configure it not to forward incoming TCP handshakes, thus preventing the outside world from reaching you.
NAT is built on top of this mechanism. The NAT software just intercepts pac
Re:NAT is not the problem nor a security solution (Score:2)
An important thing to remember is that many NATs don't actually do this, and this is one reason why they are no substitute for a real stateful firewall. Because NATs aren't designed with security in mind they often take the easy way out - create an entry in the translation table when *any* outgoing packet is seen, and remove the entry after an idle timeout. This means that they may well reverse-NAT traffic long after a connection has actually ended because the
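To make the distinction in the two posts above concrete, here is an added example (constructed for this page, not Skype's or any vendor's code) that feeds one TCP session to a naive NAT mapping table with an idle timeout and to a connection tracker that follows TCP state. The addresses, ports, timings and the helper names (`nat_in`, `track_in`, `run_trace`) are all assumptions for the illustration.

```python
# Added example (constructed, not Skype or vendor code): a naive NAT mapping
# table beside a TCP-state-aware connection tracker, fed the same packet trace.
from collections import namedtuple

# src, sport, dst, dport, flags (frozenset of TCP flag names), t (arrival time, s)
Pkt = namedtuple("Pkt", "src sport dst dport flags t")
IDLE, CLOSE_WAIT = 60.0, 2.0  # NAT idle timeout; tracker grace period after a FIN

def fwd_key(p):  # 4-tuple of an outbound packet, as seen from the inside host
    return (p.src, p.sport, p.dst, p.dport)

def rev_key(p):  # inbound packet flipped so it matches the outbound key
    return (p.dst, p.dport, p.src, p.sport)

def nat_out(table, p):  # naive NAT: any outbound packet (re)creates a mapping
    table[fwd_key(p)] = p.t

def nat_in(table, p):  # naive NAT: forward while the mapping is not yet idle
    k = rev_key(p)
    if k in table and p.t - table[k] <= IDLE:
        table[k] = p.t
        return True  # reverse-translate and forward, whatever the TCP state
    table.pop(k, None)
    return False

def track_out(conn, p):  # tracker: only a SYN opens an entry, a FIN starts the close
    k = fwd_key(p)
    if "SYN" in p.flags and "ACK" not in p.flags:
        conn[k] = ("NEW", p.t)
    elif "FIN" in p.flags and k in conn:
        conn[k] = ("CLOSING", p.t)

def track_in(conn, p):  # tracker: forward only what the tracked TCP state permits
    k = rev_key(p)
    if k not in conn:
        return False  # unsolicited, or already torn down: drop
    state, since = conn[k]
    if state == "NEW":  # only the handshake reply may come in yet
        if p.flags >= {"SYN", "ACK"}:
            conn[k] = ("ESTABLISHED", p.t)
            return True
        return False
    if state == "CLOSING":
        if p.t - since > CLOSE_WAIT:
            del conn[k]
            return False  # close finished long ago; a stale mapping would forward this
        if "FIN" in p.flags:
            del conn[k]  # peer's FIN completes the teardown; entry removed at once
    elif "FIN" in p.flags:
        conn[k] = ("CLOSING", p.t)  # peer started the close
    return True

def run_trace(out_fn, in_fn):
    """Replay one constructed TCP session; return the inbound forward/drop verdicts."""
    table, inside, outside = {}, ("10.0.0.5", 51000), ("203.0.113.9", 443)
    out = lambda t, *f: Pkt(*inside, *outside, frozenset(f), t)
    inn = lambda t, *f: Pkt(*outside, *inside, frozenset(f), t)
    out_fn(table, out(0.0, "SYN"))
    v = [in_fn(table, inn(0.05, "ACK"))]            # data before the handshake completes
    v.append(in_fn(table, inn(0.1, "SYN", "ACK")))  # handshake reply
    v.append(in_fn(table, inn(0.5, "ACK")))         # data on the established connection
    out_fn(table, out(1.0, "FIN", "ACK"))
    v.append(in_fn(table, inn(1.1, "FIN", "ACK")))  # peer closes too
    v.append(in_fn(table, inn(5.0, "ACK")))         # stale packet 4 s after teardown
    return v
```

The tracker drops the pre-handshake packet and the one arriving after the FIN exchange, while the idle-timeout table forwards both because the mapping is still inside its 60 s window.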
Re:blocking skype is easy (Score:2)
Are you high? When was the last time you were assigned an IPv6 address by your ISP? When was the last time ANYONE was assigned an IPv6 address? When was the last time you connected with an IPv6 address on the internet?
Google's assigned IPv6 block (2^96 addresses) [arin.net]
US gov't has mandate all Federal Backbones be IPv6 by June 2008 [networkworld.com]
IPv6 enabled products [ipv6-to-standard.org]
Get connected [ipv6day.org]
No need to get defensive just because you're stuck in the IPv4 backwaters.
Re:blocking skype is easy (Score:2)
Umm... I have an IPv6 address...
When was the last time you connected with an IPv6 address on the internet?
I do this very frequently, every day.
True, but that is just one of the many benefits of a NAT router. So you don't need a hardware firewall.
Err... you're advocating buying a device that provides poor security because that means you don't have to buy a device that provides better security? From a cost point of view, what is the difference (infac
Re:blocking skype is easy (Score:2)
Don't allow it... (Score:5, Insightful)
That skype is being devious and sneaky is not the issue here. I think the real issue here is that sysadmins don't have control over the machines they're supposed to be looking after. There are plenty of ways to make sure that Skype doesn't make it onto the corporate network-- don't give unauthorized users permission to install software, blacklist it on the company approved software image, packet analysis... the list goes on. I figure if the sysadmin is not paranoid enough to do these things to begin with, the use of Skype on his/her network probably isn't a major threat. Or the sysadmin is inept. Your call.
Unauthorized campus use (Score:5, Interesting)
It is good that Skype uses common ports that can't be blocked without huge repercussions or fancy expensive packet inspectors. There are bastards out there who would be happy if all their users only used cloned-on-reboot machines with only a web browser. The internet is more than a big blue E (or a big red O).
Re:Don't allow it... (Score:2)
I'm currently sitting behind a university proxy where the only open ports are 1080, 8080 and the LimeWire ports. Go Figure.
Skype isn't a security risk... (Score:5, Insightful)
The fact that Skype is designed to be unfirewallable is not a security risk: Any site which wants to block Skype should have a policy prohibiting its use.
The security risk is users who ignore such policies, and system configurations which allow said users to install and use Skype.
Re:Skype isn't a security risk... (Score:5, Funny)
Re:Skype isn't a security risk... (Score:2)
Re:Skype isn't a security risk... (Score:2)
Re:Skype isn't a security risk... (Score:3, Insightful)
Re:Skype IS a security risk (Score:2)
Top Level Problems (Score:5, Interesting)
This policy lasted all of 5 minutes during a meeting with the Senior Leadership Team, who completely ignored what I said and told me, in no uncertain terms, that Skype was going on their laptops.
Personally, whilst I understand that Skype want to be sneaky by design, I'm worried about allowing software on to the network that I can't monitor and disable at will. And as the discussion here has already mentioned, disabling 80 really is not an option.
Re:Top Level Problems (Score:5, Insightful)
And that's exactly why I don't want Skype to change. I don't want the ability for my ISP, or any other provider down the line, to be able to block Skype. It is my personal long-distance telephone, and I don't doubt that there are plenty of providers out there that would jump at the opportunity to block it.
Imagine that you have just spent the last two years actively using an internet service for your telephone - at free or near-free pricing. You wake up one day, and it doesn't work anymore. You call up your internet provider, who also happens to be a telco, and say "my internet-based replacement for long distance isn't working anymore".
You can bet what their response would be.
Re:Top Level Problems (Score:3, Interesting)
But there is a definite difference between allowing an application on a personal machine / network, and a corporate (or in my case academic) network. In the personal case, you can install what you like and you want your ISP to allow whatever you deem fit. In my case, I want to block certain software, and my ISP (in this case, my local education authority) to allow anything I deem fit.
Re:Top Level Problems (Score:3)
Please understand that the internet is not only for grandmas web surfing.
Re:Top Level Problems (Score:2)
Re:Top Level Problems (Score:2)
I always find corporate networks overblock to the detriment of their users. Need to run SSH to get an information packet from a remote computer? Sorry, only Admins can SSH. Need to FTP files from your home server where you were doing some work over the weekend? Sorry, no FTP. Need to use AOL Instant Messenger to harvest viruses? Of course AOL is OK, the pre
Re:Top Level Problems (Score:2)
Re:Top Level Problems (Score:3, Interesting)
I don't think that skype wants to be sneaky by design so much as they want to work by design. Skype works on any connection, on any network on any machine.
Re:Top Level Problems (Score:2)
Re:Top Level Problems (Score:2, Interesting)
guy for a large company, I can certainly sympathize with the "if I don't support it, you can't run it" attitude.
But in a company full of knowledge workers, I can't see how to make this actually workable.
I don't see how a person, or group of people, could possibly evaluate every piece of software that some hardware/software/whatever developer wants to run on their
Eh... (Score:3, Informative)
Buy a Fortigate (or Packeteer, or whatever, but Fortigates are good and cheap) and configure the BUILT-IN filter for Skype traffic. Problem solved.
Seems like a matter of framing the debate. (Score:5, Insightful)
Skype isn't creating a security hole. Skype is demonstrating that current firewalling practices are inadequate for blocking a determined entity from making an outgoing connection.
Perhaps they ought not to do that; I remember similar concerns about SOAP when it was first being proposed (and no doubt many on here still refuse to use it) and it showed that fewer were willing to blame the inadequacy of the protection than they were the people "bypassing" it. Rather, we should take away the lesson that firewalls in and of themselves are not an absolute solution and instead incorporate other methods and practices in developing secure environments.
Block it at the desktop? (Score:3, Insightful)
Since it's a good thing that the data can't be identified (in some ways) how about having your users, in a business setting, not run as Administrator on the desktop machines? Just disallow the installation of IP telephony applications, not as a policy, but as an account restriction.
Better yet, do it before the next worm ravages your network.
Traffic shaping (Score:3, Interesting)
Re:Traffic shaping (Score:2)
Why do you hate network neutrality?
Who made you in charge of deciding that a P2P connection is garbage and a gaming connection is not?
Re:Traffic shaping (Score:2)
Re:Traffic shaping (Score:2, Informative)
Blocking is easy, even if not convenient (Score:5, Informative)
Re:Blocking is easy, even if not convenient (Score:2)
Rate limiting. (Score:5, Insightful)
Re:Rate limiting. (Score:2)
Re:Rate limiting. (Score:4, Interesting)
It would also hurt file uploads and downloads over HTTPS (e.g. HTTPS-based webmail apps). Of course you may view that as a good thing, and could possibly avoid it by only limiting connections that had both significant upload and download (but then you're increasing the complexity again).
Re:Rate limiting. (Score:2)
Re:Rate limiting. (Score:2)
Re:Rate limiting. (Score:2)
Hooray for Sneaky (Score:5, Insightful)
Re:Hooray for Sneaky (Score:2)
Skype isn't doing anything wrong here (Score:5, Insightful)
In the end, I think sysadmins need to learn that users aren't satisfied with only web surfing.
Re:Skype isn't doing anything wrong here (Score:4, Insightful)
Re:Skype isn't doing anything wrong here (Score:2, Insightful)
No, seriously... treat your end-users like humans, not slaves. You have such a huge "us" vs "them" mentality going already, you're probably too far gone to realize that you're overhead.
If all your users REALLY need is e-mail and web browsers, I'm sure there's an
Re:Skype isn't doing anything wrong here (Score:2)
Re:Skype isn't doing anything wrong here (Score:2)
After everyone wondered what he was talking about, he explained - Universal Firewall Transversal Protocol
One man's security hole... (Score:4, Insightful)
If Corporate firewalls can't block Skype, neither can China's.
First I'd heard of "stealthiness" (Score:2)
I LIKE skype for being so hard to block (Score:2)
Re:I LIKE skype for being so hard to block (Score:2)
Wouldn't it be something if, (Score:2, Interesting)
Newsflash! (Score:3, Funny)
Re:Newsflash! (Score:2)
But I wonder: Of these companies that are trying to block Skype for security reasons, how many are also blocking outside phone calls? I've never seen a company do that.
I suspect that it's the old "There's a computer involved; we must throw out everything we know and relearn everything from scratch." I hope nobody tells them that their cell phones contain a computer. If they find out, they'll have to block cell phone access, too.
Wrong focus (Score:5, Insightful)
Re: (Score:2)
Re:I understand the concerns. (Score:2)
Re: (Score:2)
Non-problem? (Score:2, Insightful)
Sure monitoring is easier on wired phones but the main concern must be to contain sec
It doesn't really make sense (Score:4, Interesting)
Really, I don't understand why more companies offering peer to peer software haven't made their traffic use common ports and do NAT piercing. I'm sure this will be a trend in the future.
The fact is that the current model of blocking all traffic until it is commonly used enough that it has to be let through causes some serious problems for users and businesses marketing networked software. If administrators must allow ranges of ports before software can be used, then it makes it difficult to bring software to market. Users are often prevented from using new software that administrators are unaware of.
Additionally, although blocking all incoming ports has obvious security benefits, blocking all outgoing ports except well-known ports is pretty iffy. It's not like there aren't plenty of security vulnerabilities in client applications running on port 80... There's nothing about forcing users to keep all their traffic on port 80 that stops them from using an outdated version of Internet Explorer. Obviously, if you think you can force someone to use a recent version of some browser or another and no other, you are locking down their boxes entirely, and blocking off peer-to-peer traffic etc. is a non-issue.
Making it easy to rate limit certain kinds of traffic is an obvious reason for having traffic on separate ports, but frankly I see no real benefit in rate limiting specific kinds of traffic over simply rate limiting each IP address on the network.
Some network admins seem to think they can derive what software is critical for someone to use a priori. It may be the case that on some networks HTTP is the only critical software used, but it is my impression that admins seem to assume that this is every network, when the reality is that most schools, workplaces, and public facilities have users who will need to access something like CVS, FTP, Skype or AIM on the spur of the moment, and their network will utterly fail them because their admins either didn't anticipate the need, or decided that it wasn't a "legitimate" use of the network (as if they could tell ahead of time what purpose some protocol was going to be used for).
Re:as a skype user..... (Score:2, Interesting)
We have a resident security program on each PC. Nobody knows exactly what this program is doing; I guess this program is killing the Skype process on startup of Skype. But this was true only for recent versions of Skype. Old versions were running well, for example 1.2.0.48. I guess they did not detect older Skype binaries. But recently the older version also has problems. It starts, but it never connects. So I guess our co