“After much digging online for an effective way to stop this pesky application that is highly de-centralised and a big pain to block, I finally found a way to do it. It has been working perfectly fine on our corporate network, and we have had no complaints of users being denied access to legitimate web destinations (that are in compliance with our security policy of course).”
I didn’t know that blocking Skype is so important…
I recently read (like 2 months ago or so?) where skype can be used for p2p transfers of files; if so, that would break my network IDS’. More annoying is that it uses ports 80 and 443 instead of its own standard port (you can configure it to use a specific one, I believe, but by default it tries to use 4 preset ports and if they don’t work, it switches over to 80 and 443/tcp.) Poor design and intentionally set to evade port filtering. Nearly as bad as gotomypc.com’s product.
I’m impressed when I see the use of free software to reduce the users’ freedom… what’s so bad in skype? In my lab everyone uses it and we find it useful to chat with other colleagues in other labs. And nothing bad happens.
Oh?
Let us assume that I’ve got a company of 100 employees and I don’t want them to /abuse/ a company resource (Internet) to make their own /private/ calls using ICQ/AIM/Skype.
What does freedom of choice have to do with it? Does this freedom give you the right to abuse the right of others?
Gilboa
It is inherently bad for any company to do that sort of thing. Chances are, they have more or less unmetered bandwidth, so it doesn’t really hurt them if people use the net for personal uses a couple minutes a day…
While you might be right, it is certainly within their right to do so.
Plus, due to its design, Skype eats a fair amount of bandwidth even when idle.
Gilboa
Let’s not forget corporate espionage, companies with big enough secrets (such as source code they don’t want leaked) will need to keep their network security very tight. One of the above comments mentioned that skype can do file transfers, therefore it presents such a risk.
“Chances are, they have more or less unmetered bandwidth”
That’s rather irrelevant. The bandwidth is there to serve *the company* and if it’s used up by Skype (and P2P etc) then that’s bad. Sorry folks, you don’t get paid to come to work and call overseas and chat with your friends on IM, you get paid to do your job.
skype is insecure.
that’d be one reason. but blocking skype is sure not a real solution for securing such things. but people hardly understand it
You say: “skype is insecure”.
I say:
1) Back your claim with some hard data!
2) Support your argument with some verifiable fact-based evidence!
3) Explain what is your frame of reference (ie: what you compare it to)!
Until then I think I will still consider Skype very secure thank you very much!
The problems with Skype in a corporate network are :
1- Its protocol is proprietary. We don’t know how it deals with your privacy => many security critical organizations (especially research centers) have forbidden its use.
2- It uses your bandwidth even if it’s not started. Imagine what happens if all employees use it => what a loss of investment!
If these aspects are important for you, you know what you must do 😉
Yes paranoia (“we don’t know how it deals with your privacy”) is always a sensible and intelligent reaction to something. If you want to know, why not contact the company that makes the product, instead of simply taking the knee-jerk reaction of blocking it. And as for “proprietary”, when the heck will people stop using this as a swear-word. In any field other than IT people accept “proprietary” products without even blinking. I would be much more paranoid about what goes in my mouth and stomach, if I were of a paranoid nature, than of anything going on my computer!!! We have nothing to fear but fear itself!
Now that’s a sound technical argument. If the skype design eats bandwidth by default, that’s not good.
I don’t use skype myself, but this is interesting nonetheless. Where can I find info about this misdesign?
Nowhere…as Skype “eats” around the same bandwidth as all other IM softwares…
Please, show me your statistics and tests.
Actually the author had a workplace in mind. By having access to internet there you have to agree that ways of using it can be mandated by your boss.
And that’s a clear right of him/her.
>Back your claim with some hard data!
http://www.zdnet.fr/actualites/internet/0,39020774,39267873,00.htm
Safety – the software of VoIP has been just prohibited by the ministry for Research in the administrations of the universities, the research centers and the higher schools. A measurement recommended by the secretariat-general to national defense
Yes the French Department of Defense insisted that the French Department of Research (& Education) stop using skype. What they do not tell you is that the French Department of Commerce needed an excuse to block Skype because it wants to protect telephone revenues of the state-owned France Telecom.
Skype uses AES 256 and so far it’s the most powerful encryption mechanism, developed for the US department of Defense. Now that is probably something the French Department of Defense does not like either 😉
“Yes the French Department of Defense insisted that the French Department of Research (& Education) stop using skype. What they do not tell you is that the French Department of Commerce needed an excuse to block Skype because it wants to protect telephone revenues of the state-owned France Telecom.”
1. France Telecom is partially state owned, not fully state owned.
2. That would be the same French government that has regulated into existence one of the most competitive telecoms markets in Europe despite its involvement with France Telecom. (It’s actually more competitive than the US telecoms market, for example.) This is far more detrimental to any revenues it would generate from France Telecom than a couple of governmental contracts. With this in mind it is hard to call the French government very protectionist of France Telecom, and unless there is some evidence for saying it was a pro France Telecom move I’d think it wiser to put it down to governmental paranoia or your second reason.
Corporate intranets are always filtered and blocked.
Your employer always chooses what you can or cannot do with the network infrastructure: if they do not want to chat they’ll block jabber, icq, msn and whatever. If they do not want you to call your mum with skype they’ll block skype.
Where’s the problem in that?
The problem is that communist Linux hippies don’t like someone who’s paying for a service/product telling them how to use the service/product. Communist Linux hippies have the most bastardly sense of entitlement around.
I thought this story was about OpenBSD, maybe you simply don’t know what you are talking about?
Doesn’t (or didn’t) the Skype EULA have a spyware-esque clause?
Before spreading FUD, check for yourself: http://www.skype.com/company/legal/terms/tos_web.html
yes, but you better check out the EULA ( http://www.skype.com/company/legal/eula/ )
Edited 2005-11-28 14:20
Oh, yes and something about the fud: EULA, 2.4 Third Parties. You acknowledge and agree that the Skype Software may be incorporated into, and may incorporate itself, software and other technology owned and controlled by third parties. Skype emphasizes that it will only incorporate such third party software or technology for the purpose of (a) adding new or additional functionality or (b) improving the technical performance of the Skype Software.
So you do not like them to use third party libraries (I dunno, like something called QT for example) to create an application and you do not like them to provide new services (I dunno, like an activeX control to be able to use Skype from an eBay webpage)?
Next.
I do not like the clause, because it gives them permission to run spyware.
Reassured ?
See http://www.skype.com/i/no_spyware.png
Found at http://www.skype.com/products/skype/windows/
Could you please say to me who verified the fact, that skype contains no spyware?
And what about the closed protocol, can you say what skype is exactly sending?
Edited 2005-11-28 14:50
Of course I can!
But only after you answer the very same question about each and every networked application installed on your computer 😉
Bye now.
Ok, I understand, you have no idea.
Should I say now, that I’ll only start telling something about the protocols only after you tell me what exactly skype is sending to the net? I think yes.
Jesus. Something that is not there, whilst it could be virtually anywhere, can’t be proven *NOT* to be there. Such finding may mean only one thing: You weren’t looking hard enough. In this vein, it is stupid to say that Windows or any other software has a “new” security hole. Windows never had a new security hole, not a single one. All of them have always been there, and in case of Windows been there for some good six years – only you didn’t yet know about them. Same goes for spyware you couldn’t “prove” to be in place.
The proof you demand works the other way round: Show me that there is in fact an issue, that there is spyware contained in Skype.
I only said that Skype’s EULA gives them permission to run spyware, I never said that there is spyware but I do not trust them because of the Altnet cause. Only you guys were saying that there is definitely no spyware, and if you can prove it, please do it.
The thing I’m complaining about is the closed protocol, if Skype’s protocol were open, we would have a great opportunity for other IM clients to support Skype and that is not the only advantage.
“you guys were saying that there is definitely no spyware, and if you can prove it, please do it.”
Paranoia: describes excessive concern, sometimes suggesting a person holds persecutory beliefs concerning a threat to themselves or their property and is often linked to a belief in conspiracy theories.
– Wikipedia
*yawn*. Have you ever heard something about healthy paranoia?
Edited 2005-11-28 22:28
LOL, I haven’t seen this, I think I was blind or something.
You posted: “Before spreading FUD, check for yourself: http://www.skype.com/company/legal/terms/tos_web.html”
Have you actually read what is written there? I quote from the website: “Terms of Use of Skype Website”, how is Skype’s EULA connected to the Terms of Use of Skype Website?
Maybe you are simply dumb or you are a biased troll. I can’t find any other explanation.
Most companies have a policy that everything should be sourced from more than one party if possible. Claiming that other fields other than IT accept proprietary products is laughable at best.
Stoopid!
First of all, Skype is a great program for working with other employees without having to walk all over hunting somebody down or the classic type an email, wait for response, type a response to the response, wait some more, etc.
Also, if an employee is using Skype for personal use (say talking to their spouse/friend/mom/etc), which would you rather have, a five minute Skype conversation, or a 30 minute phone conversation? The employee is going to talk regardless so it is stupid to limit one of the more effective ways of personal communication.
I can Skype and work at the same time, but I can’t talk on the phone and work at the same time because the medium demands an instant response, whereas Skype allows me to finish a thought and then respond to the wife/friend/mom/coworker/whoever. I also find that phone conversations last far longer than IM conversations.
A. It wastes bandwidth
B. The company doesn’t want it. Doesn’t need it. And has full right to block it.
Edited 2005-11-28 17:26
Sure, a company has a right to block Skype, and anything else it wants. And I have a right to tell said company that I would never work for them.
I work in the technology sector. I find it insulting that companies feel the need to block *outgoing* connections made by programs that can be used for totally legitimate reasons (VoIP/Chat/etc.). If it’s a question of bandwidth usage…get more bandwidth! I work in a small start-up company that has a simple firewall to protect itself from *outside* intruders — otherwise, everything is wide open. No proxy, no anything. Why? Because we are all *trusted* by management to be responsible computer users. Trust…you know, that little thing that people have forgotten in this day and age.
Jared
Funny how the same people who encourage others to use open formats jump on this proprietary software called Skype. It’s not like SIP wouldn’t exist…
If there’s one software which deserves to get blocked then it’s Skype. Not because it would be insecure, it’s not less or more secure than other internet applications. But it doesn’t follow standards, it uses much bandwidth and even more time. You can use it at home, but not at work.
full ack!
Not that I particularly like skype but I don’t quite understand why anyone would want to block it. Aren’t most companies moving to VoIP and encouraging their employees to do the same rather than running up the company’s phone bill? Instead of thinking about how to block it, it would perhaps make more sense to think about why you would want to block it at all and what may be the consequences.
Controlling what people do on the Internet is BAD. It should NOT be encouraged. Do NOT feed the net-Nazis by linking to their work.
uh huh. You are crazy.
So it’s bad to try controlling kiddy porn? hate websites? etc etc… ??
Yes. It’s plain bad. Really bad.
Who draws the line between Good and Bad? Me? You? Who are you (or me) to control what people want to see? What you see as a hate website, maybe it’s perfectly legit for me. Maybe I’m interested in looking at it just for curiosity and to have a good laugh.
If you don’t want to see kiddy porn and hate websites, just don’t look at them and don’t look for them. No one forces them down your throat.
>>kiddy porn
Hmm a new variant of Godwin’s law methinks, but anyway…
Bottom line is this: you work for a company enforcing company policy, if company policy does not allow Skype, you block Skype. You use the best tools for the job.
I block port 25 to other mailservers apart from our own at work using FOSS tools; will the people in this thread wailing about “Freedom of Speech” start flaming me? I block all sorts of things as work policy dictates, I will change the policy when I pick up the bill for the net access.
This has nothing to do with FOSS software or freedom of speech, this is all to do with enforcing a company policy and the story is about how to solve an interesting technical problem.
As for Evil? Please.
Last time I checked you couldn’t call kiddie porn by phone or Skype… what exactly are you trying to tell us here..?
“Last time I checked you couldn’t call kiddie porn by phone or Skype… what exactly are you trying to tell us here..?”
Exactly how much crack have you been smoking?
The point of content filtering and blocking services is highly dependent on the situation.
Maybe a company doesn’t want its employees using this service, as it could be unrelated to work.
The OpenBSD article is just a guide on how to block Skype, if the need arises.
Why in god’s name are people screaming about freedom and such? Why don’t you folks go whinge to RIAA, MPAA, Sony BMG, and Microsoft, if you’re all so worried about freedom…
All this has resulted in is having almost everything being tunneled through port 80 in an effort to evade firewall rules. Even SOAP was designed this way to avoid firewall headaches (sigh…).
Now we have packet shapers trying to analyse traffic packet by packet for protocol signatures which, in turn, results in everything being encrypted AND tunneled through port 80.
The next logical step is to have encryption cracking packet shapers (har har har).
And the absurdity continues…
One cannot solve a social problem with technology.
Edited 2005-11-28 19:42
This thread is getting funny because biased fanboys are voting down people whose opinion they don’t like!
If you don’t like the company policy
(a) complain to your boss
(b) complain to your labor union
(c) leave the company
(d) circumvent the policy, risking an automatic (c)
(e) find smth. else to do, use your brain
Rather simple, right ?
Personally I’d go (a)->(c) because I prefer to be trusted rather than criminalized. However there are good reasons for companies to implement such a policy. Communication to the outside can be harmful because if the link is established into one direction it’s naturally easier to do harm than if there’s no link at all. Also humans are the weakest link in security, I could imagine someone IM-social-engineering by somehow hijacking the username of a trusted person (or maybe just using a very similar one).
Edited 2005-11-28 20:05
http://opensource.region-stuttgart.de/index.php?main=8&sub=8_0
That is a German authorities supported Demo server to promote Desktop-Linux. Press the “Start Linux” button. You will download a non-installing streaming client that streams a Linux Desktop-session nice and fast. My corporate network is ridden by the pest that is Websense. If the client gets through, you can browse all sites minus web-based email.
And to the guy who wrote that article: There is yet another toy for you: try blocking the Hamachi client that gives you a VPN to Windows shares all over the show – it doesn’t rely on port forwarding, etc… Now, if someone in your company is opening up a few systems with that, that’s a good laugh..
This was a write-up on solving a relatively challenging technical problem. The issue at hand is very simple: how to block an UNWANTED application on a PRIVATE network. Fullstop. No philosophical discussions of any motives, reasons, pros or cons. The article was technical and straight to the point.
It is not aimed at people running ISPs or public networks and hence any discussion of public freedoms or user rights is rubbish. Do you dictate to your employer how they should run their company ? I don’t think so. And controlling their network is also up to them, and that is done via an enforceable security policy.
Any mention of “trust” between management and employees is also laughable. Most employees are non-technical in nature and click “download” on almost any link that promises money, naked pictures, or free stuff. Anyone who has seriously tried to manage a network knows the headaches that come along with giving end-users too many privileges.
And speaking of rights, one point does come to mind : We all have a right to controlling what runs on our networks. I am sure that if an intelligence agency came up with an application that worked through any firewall, everyone would be scurrying to block it. But just because Skype offers free VoIP does not make any difference : it takes away your right to control what goes on your network and poses serious issues for people that try to block it without the budget for expensive firewalls. The article simply shows how you regain that right. It does not aim to promote monopolistic practices and invasion of user privacy. I am not even sure about the feasibility of using this method on a public network (such as one run by an ISP).
rootn0de