Thursday, January 19, 2006

Skype Revisited

This is a response to some of the comments to my previous post. I know many of you subscribe using RSS and don't read comments, so I wanted these thoughts to appear in a real post.

I did not conduct a security audit of Skype. I did not run Skype in a corporate setting. I am not conducting important business using Skype. I did not leave the program running beyond the duration of my test calls. I did not test Skype bandwidth usage, although I did successfully use it over 802.11g to a residential cable modem connection.

I used Skype to send a test call to my dad. Today I am using Skype to record a podcast that will be publicly available. I do not care if the content of my call is routed through other machines. The bottom line is I am not giving "a thumbs up" to Skype for its use in anything other than the capacity my post and this one describe.

I am not about to start signing my posts with a disclaimer saying "this is not an endorsement," etc. I imagine the vast majority of the people who read this blog are not making decisions solely based on a post like my previous one?

6 comments:

Anonymous said...

Don't worry Richard, I didn't take your last post as a security endorsement. :)

Skype does indeed "rock" but from a security standpoint, boy is it trouble! Unless your outbound firewall rules are all blocked by default, Skype WILL make contact! It's nearly impossible to stop but fortunately it makes so much "noise" that it's pretty easy to detect. For me, what is most troubling about Skype is its encrypted P2P file transfer ability. If you're concerned about what leaves your network then you should definitely be concerned about Skype.

I've always been a proponent of default outbound deny firewalls using proxies. Unless that's how your Internet border is configured, technologies like Skype will find their way out.
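The "default outbound deny with proxies" border the comment above argues for, as an added example that is neither part of the original post nor the commenter's own configuration: a minimal pf ruleset for a FreeBSD firewall that also hosts the HTTP proxy and the recursive resolver. The interface names, address ranges and ports are assumptions for illustration.

```pf
# Added example (not from the original page). Assumed layout: em0 faces the
# Internet, em1 faces the LAN, and the firewall host itself runs an HTTP
# proxy on TCP 3128 and a recursive resolver on port 53.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

set skip on lo0

# Default deny in BOTH directions. The "log" keyword sends every dropped
# packet to pflog0, which is where an application that keeps probing for a
# way out becomes visible to the operator.
block log all

# LAN hosts may reach only the proxy and the resolver on the firewall itself.
pass in quick on $int_if proto tcp from $lan_net to ($int_if) port 3128 keep state
pass in quick on $int_if proto { tcp udp } from $lan_net to ($int_if) port 53 keep state

# Only traffic the firewall host originates (the proxy and the resolver)
# leaves on the external interface, and only to web and DNS ports.
pass out quick on $ext_if proto tcp from ($ext_if) to any port { 80 443 } keep state
pass out quick on $ext_if proto { tcp udp } from ($ext_if) to any port 53 keep state
```

Two caveats a practitioner would want alongside this: first, nothing forwarded from the LAN ever leaves directly, so any client that cannot speak to the proxy simply fails and shows up in pflog; second, an HTTP proxy that honours CONNECT is itself a generic TCP tunnel, so the policy has to continue inside the proxy (restricting CONNECT to port 443 and, where possible, to known destinations), otherwise the proxy becomes the way out that the firewall just closed.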

Rocky D said...

I guess my original post seemed like an endorsement for corporate use. I use it from my home network, not from customer or corporate networks. I use Skype for telecons or personal conversations.

I agree that from a corporate perspective Skype is not ideal. I haven't worked as a normal "corporate" employee in quite some time, so my personal use of technologies is quite different from what I would recommend for corporations or government entities.

The encrypted file transfer is scary. As far as the "routing" of Skype calls and interception is concerned, let's just agree that no communication is perfect - as an ex-intel guy that's all I can say.

Joe said...

Ewww. Your blog is being read by security n00bs. Better go back and remove any sarcasm or potential endorsements!

;-)

Ignore the noise. Most of your readers know you better than that.

Anonymous said...

I wouldn't call anyone who reads this "security n00bs." I mean, it WAS reasonable to wonder about the point of the previous post. A number of IT managers have had rather huge issues with Skype. For instance, it "rocks" so much that non-technical people are wide-eyed and surprised that a corporation won't adopt it because those people want to use it. That's quite a fight on one's hands...

I like Skype for home use about as much as I like p2p apps. Cool concept, but I just simply don't like the idea of my bandwidth being utility bandwidth for the rest of the world or users. Overall though, Skype does have its place and will be quite the popular home app for a long time, right up there with other pioneers like ICQ back in the day.

For corporate use, I have a lot of empathy for anyone who has had to deal with this issue.

Lastly, Richard, I am sure you are more than aware that if you post something on your blog, more often than not you are espousing a tool, method, or idea to your readers to further disseminate information. This is obvious and quite reasonable, in whole. I will say though, you didn't have to sound so snappish in this response post. I, and others no doubt, appreciate you clarifying your stance, but it really sounded very defensive, like someone insulted your security integrity. :(

Just be aware Skype is a rather touchy subject for many people, and we all know what happens with touchy subjects (think Linux vs Windows discussions that may start out innocent, but quickly turn into political/religious zealotry).

-LonerVamp

Richard Bejtlich said...

LonerVamp,

I didn't realize I had such power to influence world events. Why isn't everyone running FreeBSD? :)

Let's all remember this is a non-commercial blog and a forum for opinions. The day I start charging to say "IPS is dead" is the day readers should feel free to interpret anything I mention as a product recommendation!

Anonymous said...

Well, I guess I sounded off a bit much in my comments last night (I'm the "Head of IT Engineering").

I understand that you were just talking about using Skype for personal reasons, and that this is a personal blog. I, in my sleep deprived haze, reacted blindly, for which I apologize to everyone reading, especially you. If you can't tell, Skype is a sore point in our shop, and one that we deal with constantly.

On the other hand, for home use, go for it - it works, it's easy to set up and use, it is something that my mom could use and it's used and enjoyed by a ton of people. I don't use it - I use an Asterisk server and a SIP or IAX client for personal work, Vonage for home phone - but there are probably a ton of things that I use or do on my personal systems that I'd never recommend for use at work.

And by the way, you do have some influence, but not enough to get me running FreeBSD :) -- I'll stick with my variant (OSX) for the time being, which is yet another thing that I don't support on my corporate network.

Have a good one, and keep the good info coming.