IDS mailing list archives

RE: Skype & IPS vendor claims


From: "Clemens, Dan" <Dan.Clemens () healthsouth com>
Date: Fri, 19 May 2006 11:08:19 -0500

I think everyone including searchsecurity.com is taking the ULA out of
context.

The context basically states that - "You give Skype the ability to use
your computer in the context of the communication", which seems entirely
logical to me.

Context is everything.

snip from skype>
The ULA states the following:

4.1 Utilization of Your computer. You hereby acknowledge that the Skype
Software may utilize the processor and bandwidth of the computer (or
other applicable device) You are utilizing, for the limited purpose of
facilitating the communication between Skype Software users.

4.2 Protection of Your computer (resources). You understand that the
Skype Software will use its commercially reasonable efforts to protect
the privacy and integrity of the computer resources (or other applicable
device) You are utilizing and of Your communication, however, You
acknowledge and agree that Skype cannot give any warranties in this
respect.

Article 5 Confidentiality and Privacy

5.1 Skype's Confidential Information. You agree to take all reasonable
steps at all times to protect and maintain any confidential information
regarding Skype, its Affiliates, the Skype Staff, the Skype Software and
the IP Rights, strictly confidential.

5.2 Your Confidential Information and Your Privacy. Skype is committed
to respecting Your privacy and the confidentiality of Your personal
data. The "Privacy Policy" that is published on the Skype Website at
www.skype.com/go/privacy applies to the use of Your personal data, the
traffic data as well as the content contained in Your communication(s).
We do not sell or rent Your personal information to third parties for
their marketing purposes without Your explicit consent and we use Your
information only as described in the Privacy Policy. We store and
process Your information on computers that may be located outside Your
country that are protected by physical as well as technological security
devices. You can access and modify the information You provide in
accordance with the Privacy Policy. If You object to Your information
being transferred or used in this way please do not use our services.
snip>

If you look at the rest of the information provided on
searchsecurity.com it seems to be all based on FUD IMHO!


Notes from searchsecurity's article:
Reasons on why skype is bad:
"Skype is a closed-source VoIP solution."

Re: OK, well, everyone uses Microsoft on this list and MSRPC is pretty
closed source also. Can we block that also?

"Some Skype traffic may take place in the clear."

Re: Much like most VoIP traffic. Big deal, just watch what you say like
any other phone conversation. Phones are transmitted generally in the
clear also.

"Skype traffic bypasses audit controls. By their nature, VoIP calls
placed on the Skype network evade local call auditing systems. If you
operate in a regulated environment, this may pose an unacceptable risk
or require the use of specialized controls designed specifically to
audit Skype traffic."

Re: This isn't a technical vulnerability, but a policy violation.

I have yet to see any _technical_ vulnerabilities surrounding the use of
Skype and it seems the only use in having an IDP rule would be to block
the transmission of instant messaging type communication which would
once again be a policy violation and not a technical risk to the
execution of arbitrary code etc.

-Daniel Clemens

-----Original Message-----
From: Basgen, Brian [mailto:bbasgen () pima edu] 
Sent: Thursday, May 18, 2006 6:44 PM
To: focus-ids () securityfocus com
Subject: RE: Skype & IPS vendor claims


 Tipping Point blocks Skype under its P2P category.

 Someone asked why block it. Read the Skype ULA, which essentially says
they can use your network for relaying traffic. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College
 
 
 

-----Original Message-----
From: Vladimir Parkhaev [mailto:vladimir () arobas net]
Sent: Tuesday, May 16, 2006 9:08 AM
To: focus-ids () lists securityfocus com
Subject: Skype & IPS vendor claims


Greetings,

Many IPS vendors are claiming that their devices can block Skype.
Reading the "An Analysis of the Skype Peer-to-Peer Internet Telephony
Protocol" paper
(http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf),
I fail to see how those claims can be true.


Has anyone looked into blocking Skype?


Thanks.

--
.signature: No such file or directory

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------









