Security Basics mailing list archives

Re: FW: Your opinion on Skype


From: Michael Puchol <mpuchol () sonar-security com>
Date: Tue, 30 Aug 2005 11:41:22 +0200

My biggest worry about Skype is that your machines become a node on the Skype network, which means that you become a forwarding point for ALL the traffic Skype decides to send you.

If you read the EULA, it states that they will measure your bandwidth and turn you into a little node or a supernode depending on how fat your pipe is. They of course say they will never take more than x% of it, but can they really assure you this? There are several ways false readings could cause your bandwidth to be estimated higher, especially if you have a lot of Skype users in your NATed LAN.

There are other worrying things in the EULA such as that Skype can use their network (and in turn YOU) to transfer whatever data they please - since it's encrypted, they have the perfect supertransfer network they can resell to people moving large amounts of data. They can also use idle time on your machine to perform tasks in distributed computer form.

There are plenty of good VoIP solutions out there, from free to very expensive, that you can use alternatively (Google asterisk pbx).

Regards,

Mike


cc wrote:
Joe George sighed and wrote:


I've been reading several articles including the link to one below regarding Skype software. We have several users in our HQ office as well as field offices who were recommended to use Skype to keep in communication. Several of us in our IT department are very apprehensive about it for many reasons including the fact it's not been through a pilot phase. Aside from the VoIP functionality, I do not understand why they need it, because we have an enterprise IM client available, which you can integrate several other IM clients with. A VoIP solution is not far away from being deployed throughout the organization as well. Skype's claim of being secure does little to ease my mind. Skype is not on the list of our supported applications, and as low on the totem pole as I am within the organization, I would be remiss by not mentioning my apprehension to the end-user of it being on their computer. I just wanted to get your thoughts on it. I've installed Skype on my own computer and haven't seen any adverse effects, but I do not use it often due to lack of time. Have any of you deployed it successfully within your network? What is your opinion on the application?

The reason for my company using Skype was that we use a
3rd party software which requires constant modifications
from the 3rd party.  Due to the long distance involved (they
had moved their operations to China), phone calls or
ICQ'ing wasn't as efficient (in their eyes) as having
Skype running.  Communication is a little easier.

You are experiencing the exact same apprehension as I
do.  When they (user and 3rd party) installed Skype behind
my back, I was furious, especially when I was monitoring
the firewall and seeing so much incoming and outgoing
traffic at 1am in the morning.

(Can you believe it?  A user ALLOWING a 3rd party to install
software on a company machine...  MAN... was I hot under
the collar.)

The next day, I had Skype uninstalled and fired off an
email imparting my utter caution in using these products.

Then recently, they had another meeting (they being the
director, business manager, user and the 3rd party) with
me on a conference phone with them.

The 3rd party completely thought my paranoia was
uncalled for and that if I were so paranoid, why
not block the http port, or the ftp port or the
smtp port?  That got me riled up.

Anyway, my not being present at the meeting was
a good thing, as they'd have been watching me seething
with anger.

But at the end of the conference, I buckled under the
combined pressure of the user, the business manager
and the director.  That I was blocking their
progress in getting things done.

The compromise was that when they needed to use
Skype, they'd turn it on.  If not, they
turned it off.

But to me, it's pretty much just a facade.  Anything
can happen during usage and since the source is closed,
it makes me even more jittery.

So my advice, unless your organization vitally
needs it, stay away from it.  If your organization
needs it, READ THE LICENSING AGREEMENT.

Edmund