[Dshield] Question on Skype
John B. Holmblad
jholmblad at aol.com
Wed Mar 1 00:53:21 GMT 2006
Skype is by no means a perfect service and has many limitations. I hope
they eventually divulge the details so that security researchers can
once and for all deduce the security, or lack thereof, of the underlying
protocol components, and the service as a whole. Maybe now that eBay
owns the company that will happen.
Having said that, consider the founders' strategy, in a nutshell:
1. The founders started with the concept of, let's give it (i.e. the
voice service) away at no cost. It is hard to beat "free".
2. For the design let's not start from scratch, conceptually, let's build
on our earlier Kazaa effort. And we have some good experience working
around NAT, firewalls, etc. which we can carry forward.
3. Let's not build our own network. Let's use the existing networks and
the spare capacity on computers all over the world to deliver the service.
All we need to do is put up a few authentication servers, and, as we
add paid services, servers for collecting payment (all in advance, i.e.
prepaid, mind you so cash flow is great) and gateways to the PSTN.
4. Let's sell the business to someone like eBay for, say, $2.6 billion
after a few (less than 3 I think) years. Now some think this is
the P.T. Barnum "there's a sucker born every minute" sales strategy
but then again, maybe not. eBay is already cross-selling PayPal service
by bundling in free Skype minutes.
It does not get any smarter than this. Skype is one of those 1000 to 1
return on investment (ROI) kind of ideas that don't require tons of VC
money and years of tortuous, risk-prone product development. Perhaps,
only the guy who recently sold his www page pixel by pixel for $1m has
achieved a bigger ROI (because he did it in a much shorter time frame)
than the Skype founders. What the Skype founders have done is in one
sense so radical that, not too many years ago (like less than 10) in some
countries, businesses that tried to offer similar "voice over packet"
services in competition with the incumbent provider were shut down,
threatened with jail time, and chased out of "town".
GSEC Gold, GCWN Gold, GGSC-0100, NSA-IAM, NSA-IEM
> At 3:25 PM -0500 2/17/06, Kenton Smith wrote:
>> OK, terminology aside, I knew I had read something
>> recently that had an excellent summary of the
>> implications of using Skype, including security. P2P
>> is an issue he lists in there.
>> "Like KaZaA, Skype is based on peer-to-peer
>> technology: instead of transmitting all voice calls
>> through a central server, as Vonage does, Skype
>> clients seek out and find other Skype clients, then
>> build from these connections a network that can be
>> used to search for other users and send them
>> "Third, because Skype is mostly a peer-to-peer system,
>> the overall security can be affected by third parties
>> that are in the network (but that are unknown to
>> those in a particular phone conversation)."
>> Entire paper is here:
>> It addresses a number of issues surrounding Skype
> OK, I agree that there are a number of security-related issues
> specific to Skype, especially if you become a node. However, if
> you are behind a NAT/firewall the potential legal problems of having
> other people's traffic transit your equipment are basically nonexistent
> and the security issues behind the router/firewall are no different
> than with AIM, and other IMs and equivalent apps.
> However, I find the paper hyping issues that are not Skype-specific
> issues, just normal security issues, and it muddles everything together,
> making me (and all colleagues who also read the paper) believe that the
> author felt that all were Skype problems.
> For example, statements such as
> "Finally, it must be remembered that the security of the Skype system
> also depends entirely on the good will of Skype's programmers and the
> organization running Skype's back-end servers. It is possible that
> there are back doors Skype conversations."
> So how is this any different than software from Oracle, Microsoft,
> IBM, or even preconfigured "open sources" such as SuSE or RedHat or
> mySQL? All of these could have been configured by a programmer with
> evil intentions to steal information
> "Skype enables history recording by default, meaning that all IM
> conversations are recorded unless users take other action. These
> files could be retrieved through the use of spyware, other
> remote-control applications, or by an
> adversary who gains physical possession of a computer system."
> So this is a "Skype" vulnerability? If your client is so infected for
> this to happen, all your private documents have by now been copied to
> an adversary and they have to be more valuable than some IM chats.
> This is not a Skype issue.
> "If a Skype user accesses the Skype network through a malicious
> Internet Service Provider, it may be possible for the ISP to direct
> that user's Skype communications to the malicious Skype node. Thus,
> it may be possible for a malicious ISP to learn any of their user's
> Skype passwords."
> If the messages are encrypted and authenticated (as Skype states and
> the article's author begrudgingly infers) then it is difficult to
> understand how the "evil ISP" can create a "malicious Skype node"
> unless they stole source code and crypto keys from Skype. If not, I
> don't see that this is any different risk than any other remote
> access scenario.
> Now remembering that the article was about NGOs....
> If I was an NGO employee in the middle of nowhere but with access to
> the net on a laptop, I just might want to use Skype (or iChat audio,
> etc) to call home...
> Now, on my corporate network, I don't think so yet as there are too
> many unknowns! Here, we're implementing our own private iChat server
> that will support private, secure (https) jabber text/voice/video
> communications between our own users.