
Skype Addresses Visibility Concerns

ScuttleMonkey posted more than 7 years ago | from the slow-on-the-uptake dept.


An anonymous reader writes "TechWorld is reporting that VoIP pioneer Skype has finally decided to buckle down from their startup mentality and address some of the concerns about the 'visibility' of Skype by network admins. From the article: 'Problems started around the time that the version 2.0 beta appeared last year, the moment when a handful of software engineers started to assess a troubling issue thrown up by the program's new and evasive design: it was incredibly hard to detect using perimeter security systems. Skype's unofficial explanation for its extreme stealthiness has always been that this was necessary to avoid telcos threatened by its business model from blocking it. While this presents no issues for a home user, using "invisible" software capable of making and receiving voice calls, opening instant messaging sessions and exchanging files on a corporate network caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.'"



ports (2, Interesting)

56ker (566853) | more than 7 years ago | (#15663692)

Well wouldn't it just be possible to block the ports Skype uses on a corporate network?

Re:ports (0)

Anonymous Coward | more than 7 years ago | (#15663701)

Skype doesn't use ports. It's that good!

Re:ports (5, Informative)

houseofzeus (836938) | more than 7 years ago | (#15663702)

Because as a last resort I believe it will use 443, so you would have to block SSL as well. That's why packet inspection is required.

On par with 'Client-side security' (4, Insightful)

megaditto (982598) | more than 7 years ago | (#15664355)

Let me be the first to state the obvious:

Corporate Security should not rely on well-behaving of fourth-party applications/protocols.

Sure, go ahead and demand that Skype's protocol be crippled to improve visibility, but the fact remains that if a random O.S.S. proggie can accidentally breach your perimeter, then your P.O.S. security will not stand up to a script-kiddie, let alone a corporate spy.

Re:ports (1)

b0r1s (170449) | more than 7 years ago | (#15664478)

In a year or two, any reasonably priced firewall will do sufficient packet inspection to identify and (block/allow) Skype. It's not that hard.

Of course, corporate IT departments still using 1999 technology will still have 1999 problems, and Skype won't be high on the list.

Re:ports (4, Informative)

Oriumpor (446718) | more than 7 years ago | (#15663705)

Skype started using the default option "Use port 443 and port 80 for incoming connections". Unless you do layer 7 (basically content based) filtering of those packets, you can't distinguish them from regular web traffic.

Re:ports (0)

Anonymous Coward | more than 7 years ago | (#15663712)

Is it possible to do layer 7 filtering on port 443?

Re:ports (3, Interesting)

atrus (73476) | more than 7 years ago | (#15663724)

You can check for the SSL negotiation messages. So if you have a stateful firewall, its not a problem.

Unless Skype does a basic SSL negotiation too :)

Re:ports (5, Informative)

vbwilliams (968304) | more than 7 years ago | (#15663872)

Already been down that road. The only way to defeat it using port 443 as well is to REQUIRE that all SSL'ed traffic pass through a device that can break down the SSL'ed traffic and look at it. You're basically setting up a man-in-the-middle scenario. If that's the case, you have two issues: 1. You need to have a way to decrypt the SSL'ed traffic on the line. That basically requires you to run certificates that YOU control on the proxy host as well as on the end-user's computer. 2. You now have a privacy issue that would become a real pain in the ass at least in the USA in many jurisdictions. Even if you established a policy that allowed let's say going to a banking site to do personal banking during approved hours, you would still have someone legally challenging a company's ability to completely take apart and read someone's supposedly private SSL session. In layman's terms, it means even if I have that padlock in the bottom right-hand corner of my browser, someone upstream who is NOT my bank can see my username and password. This is problematic from a legal standpoint...it has nothing to do with technology.

Re:ports (1)

spotter (5662) | more than 7 years ago | (#15663901)

How in the world can you proxy https WITHOUT modifying the web browser? By definition a proxy is a man in the middle, and SSL/TLS is designed to prevent those attacks assuming neither end is broken (which, as another poster pointed out, older (circa 2002) versions of IE were).

Re:ports (1)

vbwilliams (968304) | more than 7 years ago | (#15663911)

Ever heard of a transparent proxy? You don't need the settings in a browser. You can simply change the default gateway in your network, or better yet, just tell your upstream router to route any/all packets trying to leave your network to go to the internet to the upstream proxy server. All of this would be completely *transparent* to the end-user...thus the term, transparent proxy. There are howto's all over the internet to turn a Squid machine into a transparent proxy.

Re:ports (0)

Anonymous Coward | more than 7 years ago | (#15664258)

Are you paying attention at all? A transparent proxy is not a magic device to do man-in-the-middle-attacks on SSL undetected.

Re:ports (1)

vbwilliams (968304) | more than 7 years ago | (#15664493)

Who said anything about attacking? I simply stated that if you used a transparent proxy to inspect ALL packets as they go in/out of your network, you have a man-in-the-middle issue...I.E., a privacy issue. If user A thinks they are going to their personal banking website, when in fact you are intercepting their packets, looking at them, deciding if they are legit, then allowing/denying them, then that's a man-in-the-middle. It's not an attack, it's simply a man-in-the-middle. MITM != attack. It just means that something is actively inspecting your stuff (SSL or not) and deciding whether it gets forwarded or not. Are YOU paying attention?

Re:ports (0)

Anonymous Coward | more than 7 years ago | (#15664561)

Point is, you can't look at them, even with a transparent proxy. You have to decrypt them and thus be a MitM. The concept of a transparent proxy is totally unrelated to the discussion.

Re:ports (2, Informative)

porkUpine (623110) | more than 7 years ago | (#15664605)

We can view any SSL traffic leaving or entering our network... been doing it for over a year: http://bluecoat.com/ [bluecoat.com]
We just tell the filter which traffic to allow, and which to prevent (based on our Corporate security policy).

Re:ports (1)

spotter (5662) | more than 7 years ago | (#15664570)

Yes, but a transparent proxy just sees endpoints and traffic flow, and can't disturb it (i.e. it's just a router). If the SSL handshake is done appropriately, there's nothing one can point to as being out of the ordinary besides the type of traffic flows.

Re:ports (2, Insightful)

atrus (73476) | more than 7 years ago | (#15663920)

You can proxy the SSL handshake, and check that it is in fact a valid handshake. Unless you do something really sneaky (install custom CA on corporate machines, generate certificate for each website visited by user which is signed by your custom key), you can't intercept any of the data communication of SSL. My proposal was that a layer7 filter can look for SSL handshakes at the beginning of every port 443 connection. If it doesn't see one after X packets, kill the connection.

Re:ports (1)

atrus (73476) | more than 7 years ago | (#15663904)

I'm not talking about a MITM type scenario (which wouldn't work anyway without breaking SSL authentication, unless you generate a valid signed certificate based on a CA you distribute to your machines in your Intranet). I'm saying if Skype uses Port 443 but does NOT do the SSL handshaking, it will be very easy to catch. The initial SSL handshake negotiates which ciphers to use, and exchanges key information (since how do you encrypt something without the key there? :)). Seeing something else on port 443 than SSL handshakes? kill it!
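The check atrus proposes in the two comments above, written out as an added example (this is not code from the thread, from Skype, or from any product mentioned on the page): a per-connection state machine that buffers the first bytes a client sends on TCP/443, allows the flow once a genuine SSL 3.0/TLS 1.x record carrying a ClientHello (or an SSLv2-style CLIENT-HELLO, still common in 2006) appears, and kills it if the first bytes are clearly something else or X packets go by without a handshake starting. The byte layouts come from the SSL/TLS record format; the sample payloads are constructed here and are not captures of Skype traffic. The class and function names are this example's own.

```python
# Added example: "is the first thing on this 443 connection an SSL/TLS hello?"
# Not Skype's code and not from any firewall product; names are illustrative.

TLS_RECORD_HANDSHAKE = 0x16      # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01    # handshake message type: ClientHello


def classify_client_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends on a TCP/443 connection.

    Returns 'tls' for an SSL 3.0 / TLS 1.x record carrying a ClientHello,
    'sslv2' for an SSLv2-style CLIENT-HELLO, 'other' when enough bytes have
    been seen and they are neither, or 'pending' when fewer than 6 bytes
    are available (the TLS record header is 5 bytes, handshake type is 6th).
    """
    if len(data) < 6:
        return "pending"
    # TLS record header: type(1) version(2) length(2); then handshake type(1).
    # Record-layer versions seen in practice: 0x0300 (SSL3) .. 0x0303 (TLS1.2).
    if (data[0] == TLS_RECORD_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x03
            and data[5] == HANDSHAKE_CLIENT_HELLO):
        return "tls"
    # SSLv2 record: 2-byte length with the high bit set, then message type
    # 0x01 (CLIENT-HELLO), then the client's version (0x0002, 0x0300, 0x0301...).
    if data[0] & 0x80 and data[2] == HANDSHAKE_CLIENT_HELLO and data[3] in (0x00, 0x03):
        return "sslv2"
    return "other"


class Port443FlowCheck:
    """Per-connection state for the layer-7 rule described in the thread:
    allow once a hello is seen, kill if the bytes are not a hello or if
    max_packets client packets arrive without one starting."""

    def __init__(self, max_packets: int = 3):
        self.max_packets = max_packets
        self.buf = b""
        self.packets = 0
        self.verdict = "pending"

    def feed(self, client_payload: bytes) -> str:
        """Feed one client->server packet payload; returns allow/kill/pending."""
        if self.verdict != "pending":
            return self.verdict
        self.packets += 1
        self.buf += client_payload
        kind = classify_client_bytes(self.buf)
        if kind in ("tls", "sslv2"):
            self.verdict = "allow"
        elif kind == "other" or self.packets >= self.max_packets:
            # Definitely not a hello, or X packets without one: kill it.
            self.verdict = "kill"
        return self.verdict


# Constructed sample payloads (not real captures). The 32 bytes after the
# version stand in for the ClientHello random field.
SAMPLE_TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2D,          # record header
                          0x01, 0x00, 0x00, 0x29, 0x03, 0x01]) + bytes(range(32))
SAMPLE_SSLV2_HELLO = bytes([0x80, 0x2E, 0x01, 0x03, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, 0x10])
SAMPLE_HTTP_ON_443 = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_OPAQUE = bytes([0x17, 0x01, 0x2A, 0x9F, 0x00, 0x10, 0x55])  # made-up non-TLS bytes


def run_demo() -> dict:
    """Run the rule over the constructed flows; returns name -> verdict."""
    results = {}
    for name, payload in [("tls", SAMPLE_TLS_HELLO), ("sslv2", SAMPLE_SSLV2_HELLO),
                          ("http", SAMPLE_HTTP_ON_443), ("opaque", SAMPLE_OPAQUE)]:
        results[name] = Port443FlowCheck().feed(payload)
    # A hello split across two segments stays 'pending' until enough arrives.
    chk = Port443FlowCheck()
    chk.feed(SAMPLE_TLS_HELLO[:3])
    results["tls_split"] = chk.feed(SAMPLE_TLS_HELLO[3:])
    # A client that dribbles one byte per packet never starts a handshake
    # within max_packets and gets killed.
    chk = Port443FlowCheck(max_packets=3)
    for _ in range(3):
        verdict = chk.feed(b"\x16")
    results["dribble"] = verdict
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:10s} -> {verdict}")
```

The caveat atrus himself raises applies: a client that performs a real TLS handshake and then carries arbitrary data inside the encrypted session passes this check, so it only catches non-TLS traffic on 443. Catching TLS-wrapped tunnels needs either the MITM approach discussed elsewhere in the thread or heuristics on the handshake itself (certificate, cipher list, traffic pattern), neither of which this rule attempts.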

Re:ports (1)

s_p_oneil (795792) | more than 7 years ago | (#15664170)

Actually, there is a product that blocks it without being a man in the middle. I know for sure because I'm one of the developers who worked on it. It's called NetSpective WebFilter [verso.com]. It runs in promiscuous sniffing mode only (no proxy), and it blocks Skype perfectly (along with several other protocols). I've also studied Skype well enough to know how big a security risk it really is.

Re:ports (1)

eekygeeky (777557) | more than 7 years ago | (#15664352)

So, with all due respect, how big a security risk is it?

Re:ports (3, Interesting)

s_p_oneil (795792) | more than 7 years ago | (#15664511)

I have a post below that references a PDF from Black Hat Europe 2006 called "Silver Needle in the Skype". The authors hacked Skype (the PDF explains how they did it) and exploited a buffer overrun to make it execute their own code. They gave a demonstration where they had a Python script craft a packet that caused a Skype client to launch the MS calculator. Obviously this was a trivial exercise, but it was done to prove a point.

By crafting some simple UDP packets, they were also able to get Skype clients to do a number of unsavory things, such as scout for information from behind a firewall (i.e. IP and port scans on the Skype client's internal network). However, there is more to it than that. Skype can also relay TCP connections to help a client that is blocked get connected to the Skype network. But the relayed TCP connection isn't restricted to carrying Skype traffic, and this makes that feature very dangerous. Imagine what a hacker could do if he could scan your internal network and open any TCP connection he wanted to from inside your firewall. And the only trail you'd have to trace the attack back to its source is virtually undetectable, obfuscated, and encrypted. It should even be pretty easy for the hacker to bounce his connection through several Skype clients in several different countries before it hits the target, making it virtually impossible for anyone to trace it back to the true source (although Skype did such a good job hiding that it's not even really necessary).

Re:ports (3, Interesting)

Oriumpor (446718) | more than 7 years ago | (#15663725)

You could proxy all SSL through a controlled host, and keep regular SSL blocked to maintain some modicum of control over the users SSL use. Otherwise, barring unsavory [thoughtcrime.org] techniques it's not really supposed to be possible.

Re:ports (1)

s_p_oneil (795792) | more than 7 years ago | (#15664274)

That's not even close to being true. This presentation from Black Hat Europe 2006 gives a decent description of how to recognize and block it (and even a high level description of how to hack it if you were so inclined): http://www.secdev.org/conf/skype_BHEU06.handout.pdf [secdev.org]

Re:ports (1)

Oriumpor (446718) | more than 7 years ago | (#15664573)

Well, as the handout (and others here) states, you can block UDP, but it's not enough to keep Skype from functioning. You need more drastic measures. From reading this, my opinion has changed. Using an IPS you might be able to write a signature to keep it from working, as not all of the data is encrypted.

Re:ports (5, Informative)

ThinkingInBinary (899485) | more than 7 years ago | (#15663708)

No. The whole point of the article is that Skype purposefully intends to be invisible and sneaky. The reason is that it makes it easier to run Skype on firewalled and/or NATted networks, either at home or at work. Many home users have convoluted NAT setups, and most don't have the expertise (or reason) to poke holes in the firewall. Skype likes to advertise that it offers Internet phone service that "just works", so they need to make it work on every network. That may mean using random ports, using ports intended for other protocols, tunneling to remote servers or through peers, or other things that can be interpreted as resourceful or sneaky, depending on your point of view.

Re:ports (2, Interesting)

DigiShaman (671371) | more than 7 years ago | (#15664075)

Which is why I use Skype to talk to my girlfriend located in China. The connection is encrypted for both voice and file transfer. Can't trust what's being filtered through the "Great Firewall of China" you know...

Will skype even work after net neutrality ends? (2, Insightful)

Billly Gates (198444) | more than 7 years ago | (#15663709)

After all, the telcos have a vested interest to mod all VOIP calls to force you to get cell phones. Unless you pay them an extra fee, of course.

Not to sound trollish but I would have sold stock immediately after the bill became law in the senate.

Re:Will skype even work after net neutrality ends? (1)

Frogbert (589961) | more than 7 years ago | (#15664668)

Well given that skype is a European company I don't think US laws will make a lick of difference to them.

Its ok! (4, Funny)

vancondo (986849) | more than 7 years ago | (#15663722)

No Problem! They promise to DO NO EVIL!

..Oh, That's not them?

well, maybe if we asked them nicely?

Re:Its ok! (0)

KiloByte (825081) | more than 7 years ago | (#15663784)

No Problem! They promise to DO NO EVIL!

Having the same authors as Kazaa, the mother of all p2p spyware, they pretty much promise to DO EVIL.

as a skype user..... (1, Informative)

Roskolnikov (68772) | more than 7 years ago | (#15663728)

working in a 'large' corp. network I can say that some skype functionality is blocked, some is not, I can dial out but IM doesn't seem to work;
the behaviour is random but would suggest someone is trying to block it, just not able to do so all the time.

blocking the 'ports' might not be so simple, it can/does use web proxy ports quite well and I can fully see why some would consider it a risk.

its a great product but its allure is certainly that it does work where others are blocked......

just my 10 cents.

Re:as a skype user..... (2, Interesting)

stoev (103408) | more than 7 years ago | (#15664134)

I used Skype until recently in a very big corporation in Asia. It was an interesting experience.
We have a resident security program on each PC. Nobody knows exactly what this program is doing; I guess this program is killing the Skype process on startup of Skype. But this was true only for recent versions of Skype. Old versions were running well; for example, I guess they did not detect older Skype binaries. But recently the older version also has problems. It starts, but it never connects. So I guess our company introduced some smarter firewall. So I don't use Skype anymore. But the funny thing is that SIP and Google Talk pass through the firewall, no problem. I know that it is possible to sniff on them. This is not a problem for me. I just want to be able to contact and be contacted by my family in Europe from time to time, and SIP (X-Lite) works well for me.

blocking skype is easy (5, Informative)

Anonymous Coward | more than 7 years ago | (#15663744)

Skype has done a pretty good job of creating a protocol that works in almost all situations, unlike SIP or many other VOIP technologies. You don't have to worry about NAT full-cone, restricted-cone, port-restricted cone, STUN, or any other crap in a badly designed protocol.

However, if you want to block skype, it is very easy. Have a look at reports [grok.org.uk] using openbsd & squid.

Or do a quick search with google.

Re:blocking skype is easy (3, Insightful)

gnuman99 (746007) | more than 7 years ago | (#15663878)

You don't have to worry about NAT full-cone, restricted-cone, port-restricted cone, STUN, or any other crap in a badly designed protocol.

Have you ever stopped to think that maybe NAT, not the protocol, is the problem? The sooner we get rid of the kludge that NAT is and always was, the better it will be for all net users (hint: IPv6 + stateful firewall => better than NAT kludge)

Re:blocking skype is easy (4, Insightful)

LordLucless (582312) | more than 7 years ago | (#15664326)

Have you ever stopped to think that maybe NAT, not the protocol, is the problem? The sooner we get rid of the kludge that NAT is and always was, the better it will be for all net users (hint: IPv6 + stateful firewall => better than NAT kludge)

Great, but until then, software needs to work in the real world. What do you suggest, Skype just hold off on offering a product until the whole world adopts IPv6 and they can do it nicely? Yes, NAT is a hack, but it's so widespread it has to be dealt with when developing a product. You can't just code to standards and ship it when the real world isn't obeying the standards.

Re:blocking skype is easy (3, Insightful)

gkhan1 (886823) | more than 7 years ago | (#15664429)

NAT is a wonderful technology. First of all it really solves the issue with IP addresses running low beautifully (and saying "well, IPv6 would work even better!" is a lousy argument; it will take an enormous amount of time before IPv6 is fully implemented, probably at least a decade). Actually, since the widespread adoption of NAT routers, it isn't even really a problem anymore!

Secondly, it's the most important thing ever to happen to internet security. Bar none. Due to how the NAT protocol works (by mapping ports based on outgoing requests), it works as a cheap, very good hardware firewall. All the stupid Windows exploits that work by looking for insecure services with open ports are not a problem anymore. A person behind a NAT router is completely stealthed and invisible to the outside world. The only remaining way to get into someone's computer is if someone actually downloads the software themself or if they're using IE. Either way, they're probably too stupid to run a software firewall (which would protect them) (and yes, I love to use singular they [wikipedia.org], in case you were wondering ;)

Third, it's also great if you share your internet connection with several other computers (either at home or in a corporate environment). Old style hubs would simply broadcast incoming data to all computers in the local network. NAT doesn't do that; it maps local IPs to ports and only transmits to them. Which means that if you don't want every single person on your local network being able to read your email or know that you browsed to men-seeking-men.com, NAT works perfectly.

I'm guessing you are criticizing NAT because at one point you wanted to run some software that required you to act as a server and you were too dumb to figure out how to open a port? That must be it, since it's really the only downside to NAT. Well, that's being solved too. More and more people are learning how to open ports easily (maybe you'll learn someday too!), and even better, software is learning how to do it automatically using either UPnP or getting help from third party servers to do it (that is, the two computers that wish to talk to each other connect to a third party server which informs them of the other's IP and currently open port; that way the port is already mapped to the correct local IP so the two computers can connect. This is the trick that Skype, among others, is using).

Long story short, NAT is an amazing technology. Very soon the mapping ports issue won't even be a problem when all routers support UPnP and software takes advantage of it. Long story even shorter: you're dead wrong.
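The two NAT behaviours argued over in the comments above (mappings created only by outbound traffic, so an unsolicited inbound probe is dropped; and a third-party rendezvous server telling two NATed peers each other's mapped address so they can connect without anyone opening a port), as an added example that is not part of the thread and not Skype's code. It models an address-restricted cone NAT in a few dozen lines; the addresses are from documentation ranges, the rendezvous server is a hypothetical one whose replies are passed around in-process, and the class and function names are this example's own. Real NATs vary (a symmetric NAT allocates a fresh port per destination and defeats this trick), which is exactly why the thread calls the whole area "crap".

```python
# Added example: toy address-restricted cone NAT plus a rendezvous-based
# hole punch. Not a real NAT implementation and not Skype's algorithm.
from dataclasses import dataclass

Addr = tuple  # (ip: str, port: int)


@dataclass
class Packet:
    src: Addr
    dst: Addr
    payload: str = ""


class RestrictedConeNat:
    """Maps an internal (ip, port) to a public port the first time it sends
    outbound. Inbound is forwarded only if a mapping exists AND the sender's
    IP is one the internal host has already sent to; everything else is
    dropped. That drop is the "cheap firewall" effect described above."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: dict = {}   # internal (ip, port) -> public port
        self.in_map: dict = {}    # public port -> internal (ip, port)
        self.peers: dict = {}     # public port -> set of remote IPs sent to
        self.dropped: list = []

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an internal->external packet, creating a mapping if new."""
        ext = self.out_map.get(pkt.src)
        if ext is None:
            ext = self.next_port
            self.next_port += 1
            self.out_map[pkt.src] = ext
            self.in_map[ext] = pkt.src
            self.peers[ext] = set()
        self.peers[ext].add(pkt.dst[0])
        return Packet((self.public_ip, ext), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet):
        """Translate an external->internal packet, or drop it (returns None)."""
        ext = pkt.dst[1]
        if (pkt.dst[0] != self.public_ip or ext not in self.in_map
                or pkt.src[0] not in self.peers[ext]):
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src, self.in_map[ext], pkt.payload)


def unsolicited_probe_is_dropped() -> bool:
    """A scan against a NAT with no mappings never reaches an internal host."""
    nat = RestrictedConeNat("203.0.113.1")
    probe = Packet(("198.51.100.9", 5555), ("203.0.113.1", 445), "probe")
    return nat.inbound(probe) is None


def rendezvous_hole_punch() -> dict:
    """Two peers behind different NATs reach each other via a rendezvous
    server (hypothetical address) that learns each peer's public mapping
    from its registration packet and hands it to the other peer."""
    nat_a = RestrictedConeNat("203.0.113.1")
    nat_b = RestrictedConeNat("198.51.100.1")
    a, b = ("10.0.0.5", 40001), ("192.168.1.7", 40002)
    server = ("192.0.2.10", 3478)   # constructed rendezvous server address

    # 1. Each peer registers; the outbound packet creates its mapping and
    #    its source address, as seen by the server, is its public address.
    a_public = nat_a.outbound(Packet(a, server, "register")).src
    b_public = nat_b.outbound(Packet(b, server, "register")).src

    # 2. (Server tells A about b_public and B about a_public.)
    # 3. A sends first. This opens nat_a's mapping toward B's IP, but at
    #    nat_b nothing has been sent to A's IP yet, so the packet is dropped.
    first = nat_b.inbound(nat_a.outbound(Packet(a, b_public, "hello from A")))

    # 4. B sends to A. nat_b now allows A's IP; nat_a already allows B's IP,
    #    so this one gets through.
    delivered_to_a = nat_a.inbound(nat_b.outbound(Packet(b, a_public, "hello from B")))

    # 5. A retries; both sides now have mappings that admit the other.
    delivered_to_b = nat_b.inbound(nat_a.outbound(Packet(a, b_public, "hello again")))

    return {
        "first_attempt_dropped": first is None,
        "b_reached_a": delivered_to_a is not None and delivered_to_a.dst == a,
        "a_reached_b": delivered_to_b is not None and delivered_to_b.dst == b,
        "a_public": a_public,
        "b_public": b_public,
    }


if __name__ == "__main__":
    print("unsolicited probe dropped:", unsolicited_probe_is_dropped())
    for k, v in rendezvous_hole_punch().items():
        print(f"{k}: {v}")
```

Note what the model does and does not show. The inbound drop in `unsolicited_probe_is_dropped` is the protective side gkhan1 describes; `rendezvous_hole_punch` is the other side of the same coin, and is the reason a stateful firewall plus NAT does not stop a client that wants to be reachable: every packet that crosses the NAT was initiated from inside, which is also why no "open port" ever appears in the admin's view.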

Re:blocking skype is easy (1)

newt0311 (973957) | more than 7 years ago | (#15664464)

while I wouldn't call NAT wonderful technology (believe it or not, it IS a hack. It goes against the whole layered approach taken to TCP/IP) you do express some valid points, but then so does the grandparent. You speak from a more practical perspective while the grandparent takes the theoretical approach.

Re:blocking skype is easy (1)

gkhan1 (886823) | more than 7 years ago | (#15664518)

I do agree that it is a hack, but it's an awesome hack at that. And while it is true that in the super-strictest theoretical sense it counters TCP/IP philosophy, I'd rather have a technology that solves the IP problem without any pains and which provides mind-numbingly good security for people who don't even know what a firewall is.

And by the way, what point did the grand-parent (now grand-grand-parent) make? I couldn't see any except him saying "NAT suXXZor d00d!"

Re:blocking skype is easy (1)

Svartalf (2997) | more than 7 years ago | (#15663893)

Nifty trick, that- problem is, like the Great Firewall of China, it has the potential of collateral damage. That guy in the linked article was just lucky that nobody needed anything more than DNS mediated web surfing. It's a hack, and naught else.

aha (0, Offtopic)

rucs_hack (784150) | more than 7 years ago | (#15663745)

Well, I have an entirely new alternative to skype that addresses all these concerns.

I, ah, just can't seem to find it now I'm here.

Don't allow it... (5, Insightful)

locokamil (850008) | more than 7 years ago | (#15663754)

The gist of this article seems to be that unless you're doing complete content analysis on incoming packets, you aren't going to be able to detect Skype: it uses (on my system at any rate) port 443 (SSL?) and port 80 (HTTP) as its default ports. Any sysadmin that blocks those ports is going to get some very annoyed phone calls from pissed off users.

That skype is being devious and sneaky is not the issue here. I think the real issue here is that sysadmins don't have control over the machines they're supposed to be looking after. There are plenty of ways to make sure that Skype doesn't make it onto the corporate network-- don't give unauthorized users permission to install software, blacklist it on the company approved software image, packet analysis... the list goes on. I figure if the sysadmin is not paranoid enough to do these things to begin with, the use of Skype on his/her network probably isn't a major threat. Or the sysadmin is inept. Your call.

Unauthorized campus use (4, Interesting)

dj245 (732906) | more than 7 years ago | (#15664046)

I may have a personal gripe here, but the network admin at my university has a thing for any program except web browsers. Huge tracts of ports are simply blocked off because people set their IRC programs to use those ports. All the popular ports of the Bittorrent programs, every obscure port that some worm uses (he even blocked 443, SSL when he heard a worm used it, but mass complaining removed the block).

It is good that Skype uses common ports that can't be blocked without huge repercussions or fancy expensive packet inspectors. There are bastards out there who would be happy if all their users only used cloned-on-reboot machines with only a web browser. The internet is more than a big blue E (or a big red O)

Skype isn't a security risk... (5, Insightful)

cperciva (102828) | more than 7 years ago | (#15663762)

... caused some to ponder whether the ever-more-popular Skype hadn't just turned itself into a huge security risk.

The fact that Skype is designed to be unfirewallable is not a security risk: Any site which wants to block Skype should have a policy prohibiting its use.

The security risk is users who ignore such policies, and system configurations which allow said users to install and use Skype.

Re:Skype isn't a security risk... (4, Funny)

CrazyJim1 (809850) | more than 7 years ago | (#15663827)

I could just imagine the security risk Skype has. For some reason, some virus writer hacked into my computer then used Skype to call everyone on my contact list and play back a digital recording for selling underground viagra, then it used the contact list to instant message everyone to download this killer new application that you have to try out.

Re:Skype isn't a security risk... (1)

vbwilliams (968304) | more than 7 years ago | (#15663859)

The security risk isn't the only issue. Maybe a netadmin or two don't want a couple of users using up a noticeable piece of bandwidth with an application they don't need to be using to do their jobs. Policy can do nothing but dictate that the person(s) in question should be disciplined or fired. It cannot get your bandwidth back. Being a network and security admin for the company I'm with, there are more reasons than security that I would want it off...I already explained one of those reasons.

Re:Skype isn't a security risk... (0)

Anonymous Coward | more than 7 years ago | (#15663863)

Exactly, I mean if skype can do it, so can other software. The problem isn't with skype.

Re:Skype isn't a security risk... (2, Insightful)

eonlabs (921625) | more than 7 years ago | (#15664514)

I don't think that the security risk here is a digital one. It sounds more like the fact that you have un-monitorable, un-obstructed communication that is also untraceable and indistinguishable from generic traffic without significant effort. Insert the 9/11 big brother freaks who are obsessed with watching every move anyone makes and you'll start seeing laws against software coded in that fashion. Skype happened across a great way to whisper.

Re:Skype isn't a security risk... (1, Insightful)

Anonymous Coward | more than 7 years ago | (#15664752)

The fact that Skype is designed to be unfirewallable is not a security risk: Any site which wants to block Skype should have a policy prohibiting its use.

The security risk is users who ignore such policies, and system configurations which allow said users to install and use Skype.

What a load of crap. This whole argument is premised on the notion that some elite cabal of sysadmins should control what everyone does on the network, because normal users are stupid and will screw stuff up. Maybe everyone should just use dumb clients plugged into the IT department's servers.

The real reason these folks have a bug up their ass is that they have found themselves in the position of having to explain to the dollars and cents committee why the $50,000 application level firewall they purchased doesn't prevent people from using Skype. Especially if they are using Skype in lieu of, say, the metered phone service that they can bill for (like at a University).

The security argument is basically this: "We allow protocols like email, because we can monitor email for viruses and therefore are able to protect our users. We can't do that with Skype." Baloney. You can't do it for email either, unless you have magic decryption powers. Ditto for web traffic. All the bandaids people put on email gateways and such are just that, bandaids. They don't address the root cause of most security problems in the slightest.

As we move into a future where more and more applications are built on web services protocols, we can only expect to see more applications stuffing their traffic through port 80 and (gasp) 443. I'm a network admin myself, and I really do wish I could do network magic that would protect everyone from everything. I can't. But I sure as hell don't want the solution to be that everyone has to expose every thing that they ever do on the network, so that I could ostensibly monitor the traffic and stomp every malicious packet. That would truly be terrible security.

I'm very concerned that... (1, Insightful)

Anonymous Coward | more than 7 years ago | (#15663766)

... software written to secure my communication is now being called a security risk as though the software is bad rather than the users of it. I rather enjoy secure communication.

Top Level Problems (4, Interesting)

nbannerman (974715) | more than 7 years ago | (#15663778)

I have a very simple policy; if a user wants something on a machine that is outside the core software I support, they have to get my permission.

This policy lasted all of 5 minutes during a meeting with the Senior Leadership Team, who completely ignored what I said and told me, in no uncertain terms, that Skype was going on their laptops.

Personally, whilst I understand that Skype want to be sneaky by design, I'm worried about allowing software on to the network that I can't monitor and disable at will. And as the discussion here has already mentioned, disabling 80 really is not an option.

Re:Top Level Problems (0)

Anonymous Coward | more than 7 years ago | (#15663823)

Buy a clue.

You can monitor Skype.

Re:Top Level Problems (5, Insightful)

epiphani (254981) | more than 7 years ago | (#15663833)

I'm worried about allowing software on to the network that I can't monitor and disable at will.

And that's exactly why I don't want Skype to change. I don't want the ability for my ISP, or any other provider down the line, to be able to block Skype. It is my personal long-distance telephone, and I don't doubt that there are plenty of providers out there that would jump at the opportunity to block it.

Imagine that you have just spent the last two years actively using an internet service for your telephone - at free or near-free pricing. You wake up one day, and it doesn't work anymore. You call up your internet provider, who also happens to be a telco, and say "my internet-based replacement for long distance isn't working anymore".

You can bet what their response would be.

Re:Top Level Problems (2, Interesting)

nbannerman (974715) | more than 7 years ago | (#15663877)

Good point. Of course, if I used Skype, then I'd probably have a different viewpoint.

But there is a definite difference between allowing an application on a personal machine / network, and a corporate (or in my case academic) network. In the personal case, you can install what you like and you want your ISP to allow whatever you deem fit. In my case, I want to block certain software, and my ISP (in this case, my local education authority) to allow anything I deem fit.

Re:Top Level Problems (2)

TorKlingberg (599697) | more than 7 years ago | (#15664085)

This problem wouldn't have existed if people like you didn't block everything you don't know. I'm on a uni dorm network right now. Whoever set it up must have taken the safe route and blocked everything except port 80, 22 and whatever. Skype works great. ICQ and MSN work too, but not as stably.

Please understand that the internet is not only for grandmas web surfing.

Re:Top Level Problems (1)

Jeff Molby (906283) | more than 7 years ago | (#15664474)

Please understand that the internet is not only for grandmas web surfing.
The internet is for whatever your TOS say it is for. If your ISP (or uni) provides you with internet service with explicit instructions not to run certain services, you are not authorized to run those services. If you wish to run those services, pay for the extra bandwidth that you will be using. Their enforcement capabilities have been notoriously bad, but that doesn't make leeching proper.

Re:Top Level Problems (2, Interesting)

stunt_penguin (906223) | more than 7 years ago | (#15664187)

", whilst I understand that Skype want to be sneaky by design"

I don't think that skype wants to be sneaky by design so much as they want to work by design. Skype works on any connection, on any network on any machine.

Re:Top Level Problems (1)

DoninIN (115418) | more than 7 years ago | (#15664298)

Send them a document that says that the presence of unauthorized, uncontrolled software on the network may be putting the entire enterprise at risk, and that they need to sign off on it and absolve you from any blame when the network and all the organization's data is gone. Request they give you a paper copy, with a post-it to explain there won't be any electronic copies of anything after the electronic apocalypse. Be sure and sign your note, "have a nice day". Seriously. You can never be paranoid enough. When things go bad they'll go worse than you can imagine. You will be the one left holding the bag and the blame. Backups always fail when you need them. Yes you'll get another job. But you might as well make your stand right where you are now.

Re:Top Level Problems (2, Interesting)

patchvonbraun (837509) | more than 7 years ago | (#15664308)

Having spent most of my career as an IS/IT guy, with the last 12 or so as an IT security guy for a large company, I can certainly sympathize with the "if I don't support it, you can't run it" attitude.

But in a company full of knowledge workers, I can't see how to make this actually workable. I don't see how a person, or group of people, could possibly evaluate every piece of software that some hardware/software/whatever developer wants to run on their machine. Not to mention that the "you may only run approved-by-me software on your computer" fails badly when the person needs/wants to write their own software for their own machine. Unless, of course, you wish to redefine "useful work" to consist of shuffling documents around, using tools approved by the corporate security policy makers, sending the occasional e-mail, and checking the current stock price using the corporately-approved browser, visiting the corporately-approved website.

The same ignorant policies tend to spread to the corporate network. Such policies usually look like "thou shalt only emit packets that I recognize. Anything else must necessarily be a security risk". It's a little like restricting which words an employee may use while engaged in business conversation--pick from a list of 2000 "policy-approved"

I write my own (often throw-away) software on my corporate PC, which often emits packets that the on-every-subnet sniffers have likely never seen before. Technically I'm in violation of at least two corporate policies. But I have a hard time redefining my job in such a way that I can express everything I need to do in terms of PowerPoint presentations, Word documents, and the occasional e-mail to the boss.

Eh... (2, Informative)

realmolo (574068) | more than 7 years ago | (#15663797)

If you run a corporate network and DO NOT have a firewall that does "full content inspection", then you aren't doing your job very well. Or your boss is cheap AND stupid.

Buy a Fortigate (or Packeteer, or whatever, but Fortigates are good and cheap) and configure the BUILT-IN filter for Skype traffic. Problem solved.

Seems like a matter of framing the debate. (4, Insightful)

Sheetrock (152993) | more than 7 years ago | (#15663801)

Skype isn't creating a security hole. Skype is demonstrating that current firewalling practices are inadequate for blocking a determined entity from making an outgoing connection.

Perhaps they ought not to do that; I remember similar concerns about SOAP when it was first being proposed (and no doubt many on here still refuse to use it) and it showed that fewer were willing to blame the inadequacy of the protection than they were the people "bypassing" it. Rather, we should take away the lesson that firewalls in and of themselves are not an absolute solution and instead incorporate other methods and practices in developing secure environments.

Re:Seems like a matter of framing the debate. (1, Funny)

Anonymous Coward | more than 7 years ago | (#15664228)

I remember similar concerns about SOAP when it was first being proposed (and no doubt many on here still refuse to use it)

Are there THAT many French users on slashdot?

Pioneer? My Ass. (0)

Anonymous Coward | more than 7 years ago | (#15663803)

"...VoIP pioneer Skype..."

What was Roger Wilco back in the early nineties then, if it wasn't voice over IP? (and the countless other "internet phone" applications that predate it)

Skype, from the makers of your favorite spyware and virus distribution: Kazaa. I advise all my friends and family to stay well away from Skype. Not to be trusted.

Block it at the desktop? (2, Insightful)

Kaenneth (82978) | more than 7 years ago | (#15663817)

It's extra security for everyone when everyone uses encryption, someone sniffing the network wouldn't be able to tell a critical e-mail from a snippet of voice... Not being able to identify the data is the real reason 'Net Neutrality' is assured.

Since it's a good thing that the data can't be identified (in some ways) how about having your users, in a business setting, not run as Administrator on the desktop machines? Just disallow the installation of IP telephony applications, not as a policy, but as an account restriction.

Better yet, do it before the next worm ravages your network.

Also fix it for landlines calling Skype numbers (1)

slowbad (714725) | more than 7 years ago | (#15663858)

Be careful to not purchase a dedicated number from them where the prefix is long distance to most everyone else in that same area code!

There are locations in Houston with the ability to reach well over 1.5 million free numbers, yet are toll calls to reach paying Skype customers.

Even TracFones from Wal-Mart fare better with the NANP than this.

Traffic shaping (3, Interesting)

Zygfryd (856098) | more than 7 years ago | (#15663864)

As the admin of a small ISP's Linux routers I'd very much welcome the ability to classify Skype traffic. We do aggressive traffic shaping to let VoIP and games work nicely when the links are saturated with other traffic (mostly P2P garbage). The current l7-filter protocol definition doesn't work for SkypeOut traffic and it's not very pretty in general. When Skype decides to offer a conntrack helper or at least l7-filter definitions for their convoluted encrypted protocols I might consider suggesting it to our clients. At the moment we advise them to use other VoIP solutions.

Re:Traffic shaping (1)

plasmacutter (901737) | more than 7 years ago | (#15663942)

This is a very interesting point.

Perhaps Skype should be saving this "invisibility" for when they can truly confirm that being visible is detrimental to their business.

As it is, it is preventing potentially beneficial traffic equally... throwing out the baby with the bathwater, so to speak.

Re:Traffic shaping (1)

transwarp (900569) | more than 7 years ago | (#15664003)

So that's one poster who wants to give Skype traffic priority, and a page of them who want to block or limit it. I can certainly see why a small ISP would want to give Skype the same service as other realtime services, but as long as big ISPs and corporate networks want to block or impair it, the rewards of being invisible outweigh any losses.

Re:Traffic shaping (2, Informative)

s_p_oneil (795792) | more than 7 years ago | (#15664318)

Skype is very right to want to protect themselves from the telcos, but the IT managers are also very right in wanting to be able to identify and/or block it. It really is a security risk for them. And as I mentioned above (in case you didn't see it), NetSpective WebFilter can identify and/or block it without a proxy. Just plug it in where it can sniff your traffic going to the Internet, set it up to monitor or block, and very much like Skype, it just works. ;-)

Re:Traffic shaping (0)

Anonymous Coward | more than 7 years ago | (#15664452)

Skype's business depends on its users' usage, not on telco blocks.

Companies, big and small, want to prioritize VoIP traffic to maintain the quality of service, and it just isn't possible to do this without buying expensive and obscure QoS equipment that nobody knows how long will continue to work if Skype changes the protocol to bypass it too.
Also, home users frequently have their link congested due to P2P downloads, and if the Skype protocol is not known, home ADSL routers can't apply QoS policies to it either.

Besides this, the big problem, I think, is not to block Skype traffic, but to allow it. Well configured firewalls have a 'deny all by default' policy and don't allow outgoing traffic that is not on the company security policy, and if Skype traffic is not identifiable, it is not on the company security policy. So to try to bypass the firewall, Skype will try to go over ports 80 or 443. But responsible companies also have a (transparent or not) HTTP proxy that can apply a 'deny all by default' policy to HTTP traffic too. Even more, the HTTP proxy increases the Skype latency and can make the calls.

So, how can a company allow Skype only to specified users so as to comply with its security policy (due to spyware threats, for example) and keep the quality of this traffic?

Skype's business is more threatened by its obscure protocol than by telcos.

Blocking is easy, even if not convenient (4, Informative)

AK Marc (707885) | more than 7 years ago | (#15663905)

The most effective firewalling technique I've seen was a proxy set up as an internal host, the firewall blocking all traffic other than the firewall or other explicitly approved hosts. Then log all attempts through the firewall and audit those machines. No outbound packets would be sent except from approved hosts, everything proxied and logged, all failures and direct connections logged, and nothing allowed in except to the approved hosts. Simple, effective, and pissed off everyone that wanted to run anything they shouldn't.
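The audit step described in this post (and the 'deny all by default' posture argued for in the Anonymous Coward comment above) as an added example, not code from any poster: a small Python audit that walks perimeter-firewall log lines and lists the internal hosts that tried to reach the Internet directly rather than through the approved proxy host, plus any such line the firewall let through anyway. The iptables-style log format, the 10.0.0.0/8 internal range, the approved-host list and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a simplified iptables LOG style; not real traffic.
SAMPLE_LOG = """\
Jul 10 09:01:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=443
Jul 10 09:01:03 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.4 PROTO=TCP SPT=40001 DPT=80
Jul 10 09:01:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.9 PROTO=UDP SPT=51235 DPT=33033
Jul 10 09:01:07 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.7.44 DST=192.0.2.18 PROTO=TCP SPT=52000 DPT=443
Jul 10 09:01:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.11 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=25
Jul 10 09:01:11 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=10.0.1.10 PROTO=TCP SPT=80 DPT=40001
Jul 10 09:01:13 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.9.5 DST=203.0.113.20 PROTO=TCP SPT=53000 DPT=443
"""

# Assumed: the HTTP proxy (10.0.1.10) and mail relay (10.0.1.11) are the only
# internal hosts permitted to talk to the Internet directly.
APPROVED_HOSTS = ("10.0.1.10", "10.0.1.11")

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) IN=(?P<ifin>\S*) OUT=(?P<ifout>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"])
    return ev


def audit(log_text, approved_hosts, internal_net="10.0.0.0/8"):
    """Return (bypass, misconfig): bypass maps each non-approved internal host to the
    outbound attempts it made (dst, proto, dport, action); misconfig lists lines the
    firewall ACCEPTed from such a host, i.e. the deny-all rule is not doing its job."""
    net = ip_network(internal_net)
    approved = {ip_address(h) for h in approved_hosts}
    bypass, misconfig = defaultdict(list), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, dst = ip_address(ev["src"]), ip_address(ev["dst"])
        # Only outbound traffic from the internal network is of interest here.
        if src not in net or dst in net or src in approved:
            continue
        bypass[str(src)].append((str(dst), ev["proto"], ev["dpt"], ev["action"]))
        if ev["action"] == "ACCEPT":
            misconfig.append(line)
    return dict(bypass), misconfig


if __name__ == "__main__":
    hosts, leaks = audit(SAMPLE_LOG, APPROVED_HOSTS)
    for host, events in sorted(hosts.items()):
        print(f"{host}: {len(events)} direct outbound attempt(s) -> audit this machine")
    for line in leaks:
        print("firewall let this through:", line)
```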

Rate limiting. (4, Insightful)

Craig Davison (37723) | more than 7 years ago | (#15663929)

Why not rate-limit outgoing TCP port 443? If Skype needs 100 kbps over a connection to maintain unbroken voice output, limit each connection to 50 kbps. You could also limit it to bursts of traffic - full speed for 0.5 second at a time, then 4.5 seconds at 50 kbps. Real HTTPS (small outgoing requests and large incoming responses) would still be responsive under these conditions.

Re:Rate limiting. (1)

caseih (160668) | more than 7 years ago | (#15664096)

Somehow I doubt users will agree to let that happen. HTTPS is used by more and more sites and I don't think anyone would want their https web sites restricted to modem speeds.

Re:Rate limiting. (3, Interesting)

petermgreen (876956) | more than 7 years ago | (#15664149)

You're going to have to go a lot lower than that to kill Skype; standard PSTN voice channels use 64 kbps, GSM uses 14.4 kbps, and I bet some modern codecs can go even lower. It may still be feasible though.

It would also hurt file uploads and downloads over HTTPS (e.g. HTTPS-based webmail apps). Of course you may view that as a good thing, and could possibly avoid it by only limiting connections that had both significant upload and download (but then you're increasing the complexity again).

Re:Rate limiting. (1)

sharkey (16670) | more than 7 years ago | (#15664356)

I bet some modern codecs can go even lower.

G.729 needs ~12kbps to cover payload and overhead, IIRC.

Even 50kbps not low enough (1)

cbhacking (979169) | more than 7 years ago | (#15664363)

I suspect the Skype developers could find a way around this idea. However, the bigger question is whether it will work; the quality sucks (for Skype, meaning it's worse than some - though not all - cell phones) but Skype is usable over dial-up. I think the lower limit it will go to is 16 or 20 kbps per channel, so if you're willing to run simplex (one person talking at a time) a 28.8 would be sufficient.

Hooray for Sneaky (4, Insightful)

saihung (19097) | more than 7 years ago | (#15663945)

One important reason that Skype should be sneaky is so people using the software under corrupt/abusive regimes can continue to do so without easy interference on the part of the government. In comparison to your intranet's security, the security of dissidents wins.

Re:Hooray for Sneaky (1)

Bishop (4500) | more than 7 years ago | (#15664412)

Anyone relying on the sneakiness of Skype is in for a world of hurt. Skype traffic may be hard to detect automatically, but it is almost trivial to detect with a little human analysis.

Skype isn't doing anything wrong here (4, Insightful)

TorKlingberg (599697) | more than 7 years ago | (#15664031)

This is the natural response to the unnecessary port-blocking that seems to be used everywhere now. Many places block every port except for the few you need for web surfing, so everything runs on port 80. It's sad because it negates the point of ports in the first place.

In the end, I think sysadmins need to learn that users aren't satisfied with only web surfing.

Re:Skype isn't doing anything wrong here (3, Insightful)

DoninIN (115418) | more than 7 years ago | (#15664425)

Well... In what context? If the users on my corporate network aren't "satisfied" with just web surfing... is this some kind of problem? I mean hey, don't let me get in the way of their voice chatting, game playing, IMing and P2P file sharing, 'cause hey, we're just paying them to hang around the office for a few hours a day, not for actually accomplishing anything. Now in other contexts you may be correct, but for the most part I'm suspicious of my corporate users even using the web, much less anything else to connect to the internet; they need e-mail to do their jobs. Some of them need the web sometimes. We have a rather nice phone system. So why would they need Skype?

One man's security hole... (4, Insightful)

Anonymous Coward | more than 7 years ago | (#15664032)

...is another's ticket to freedom.

If Corporate firewalls can't block Skype, neither can China's.

That's just well designed and implemented software (1)

gravy.jones (969410) | more than 7 years ago | (#15664137)

Interesting, since when is stealthy and private a cause for real concern? The engineers should just give it lip service but leave it alone.

What's wrong with SOCKS and logging? (1)

bitbucketeer (892710) | more than 7 years ago | (#15664280)

I would think that forcing all corporate Skype users to use a corporate SOCKS server (like Dante) would at least log the traffic. I would think that would be no less secure than Cisco IP phones or email.

First I'd heard of "stealthiness" (1)

Oz0ne (13272) | more than 7 years ago | (#15664359)

But hey, it makes me like using it all the more. I regularly used encrypted IM clients, or SSH tunnels to use instant messaging, now I'm extra stealthy and I didn't even know!

I LIKE skype for being so hard to block (1)

jonwil (467024) | more than 7 years ago | (#15664466)

I wish someone would make a peer-to-peer file sharing program that is just as hard to block.

Re:I LIKE skype for being so hard to block (1)

JasonBee (622390) | more than 7 years ago | (#15664540)

Please see me in the IT department... we need your picture and office number.

Wouldn't it be something if, (2, Interesting)

Roduku (950552) | more than 7 years ago | (#15664519)

after all the wiretaps, phone bugs, analyzing phone records and whatever else the NSA has gone through, they find out the terrorists are using Skype to communicate?

Newsflash! (2, Funny)

Progman3K (515744) | more than 7 years ago | (#15664535)

Companies are afraid of what their employees might say over a phone, what they might put in an envelope or carry out of the building.