Security Basics mailing list archives

RE: FW: Your opinion on Skype


From: "Joe George" <j.george () conservation org>
Date: Tue, 30 Aug 2005 08:46:40 -0400

I sincerely appreciate all of your feedback in the last couple of weeks.
I plan to use your statements to nudge them a bit more against allowing
end-users to use such noisy and uncertain software.  I was positive
my sentiments were not off-base.  I don't wish to cast off the Skype
developers as bad, but in my experience (as I'm sure many of you agree)
when things are too good to be true, they probably are. Deploying it over
the enterprise so haphazardly is so risky.

I discovered one statement in Skype's EULA that confused me quite a bit.
Please see below: 

No warranties. THE SKYPE SOFTWARE IS PROVIDED "AS IS", WITH NO
WARRANTIES WHATSOEVER; SKYPE DOES NOT, EITHER EXPRESSED, IMPLIED OR
STATUTORY, MAKE ANY WARRANTIES, CLAIMS OR REPRESENTATIONS WITH RESPECT
TO THE SKYPE SOFTWARE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF
QUALITY, PERFORMANCE, NON-INFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR
USE OR A PARTICULAR PURPOSE. SKYPE FURTHER DOES NOT REPRESENT OR WARRANT
THAT THE SKYPE SOFTWARE WILL ALWAYS BE AVAILABLE, ACCESSIBLE,
UNINTERRUPTED, TIMELY, SECURE, ACCURATE, COMPLETE, AND ERROR-FREE OR
WILL OPERATE WITHOUT PACKET LOSS, NOR DOES SKYPE WARRANT ANY CONNECTION
TO OR TRANSMISSION FROM THE INTERNET, OR ANY QUALITY OF CALLS MADE
THROUGH THE SKYPE SOFTWARE. (Article 10.1 - Disclaimer of Warranties.
Skype EULA, 2004).   

I'm not sure how disclaimers of warranties are written with most trusted
software, but the fact that they claim to be secure (refer to
http://www.skype.com/products/explained.html) but state in the EULA that
it may not always be so seems a little misleading, no?

Time will tell...

Thanks again.  If anyone has any more experiences or knowledge that might
even dispel any "myths" and apprehension of Skype, I am open to all
opinions.  I feel it is better to approach it with an open mind but with
steadfast prudence.

Best Regards,

JG

-----Original Message-----
From: cc [mailto:cc () belfordhk com] 
Sent: Friday, August 26, 2005 10:06 PM
To: security-basics () securityfocus com
Subject: Re: FW: Your opinion on Skype

Joe George sighed and wrote:

I've been reading several articles including the link to one below
regarding Skype software.  We have several users in our HQ office as
well as field offices who were recommended to use Skype to keep in
communication.  Several of us in our IT department are very apprehensive
about it for many reasons including the fact it's not been through a
pilot phase.  Aside from the VoIP functionality, I do not understand why
they need it, because we have an enterprise IM client available, which
you can integrate several other IM clients with.  A VoIP solution is not
far away from being deployed throughout the organization as well.

Skype's claim of being secure does little to ease my mind.  Skype is
not on the list of our supported applications, and as low on the totem
pole as I am within the organization, I would be remiss by not mentioning
my apprehension to the end-user of it being on their computer.   I just
wanted to get your thoughts on it.  I've installed Skype on my own
computer and haven't seen any adverse effects, but I do not use it often
due to lack of time.  Have any of you deployed it successfully within
your network? What is your opinion on the application? 
  
The reason for my company using Skype was that we use a
3rd party software which requires constant modifications
from the 3rd party.  Due to the long distance involved (they
had moved their operations to China), phone calls or
ICQ'ing wasn't as efficient (in their eyes) as having
Skype running.  Communication is a little easier.

You are experiencing the exact same apprehension as I
do.  When they (user and 3rd party) installed Skype behind
my back, I was furious, especially when I was monitoring
the firewall and seeing so much incoming and outgoing
traffic at 1am in the morning.

(Can you believe it?  A user ALLOWING a 3rd party installing
software on a company machine...  MAN... was I hot under
the collar.)

The next day, I had Skype uninstalled and fired off an
email imparting my utter caution in using these products.

Then recently, they had another meeting (they being the
director, business manager, user and the 3rd party) with
me on a conference phone with them.

The 3rd party completely thought my paranoia was
uncalled for and that if I were so paranoid, why
not block the http port, or the ftp port or the
smtp port?   That got me riled up.

Anyway, me being not present at the meeting was
a good thing, as they'd be watching me seething
with anger.

But at the end of the conference, I buckled under
combined pressure of the user, the business manager
and the director.   That I was blocking their
progress in getting things done.

The compromise was that when they needed to use
Skype, they'd turn it on.  If not, they
turned it off.

But to me, it's pretty much just a facade.  Anything
can happen during usage and since the source is closed,
it makes me even more jittery.

So my advice, unless your organization vitally
needs it, stay away from it.  If your organization
needs it, READ THE LICENSING AGREEMENT.

Edmund


