IDS mailing list archives
RE: Skype & IPS vendor claims
From: "Clemens, Dan" <Dan.Clemens () healthsouth com>
Date: Fri, 19 May 2006 11:08:19 -0500
I think everyone including searchsecurity.com is taking the ULA out of context. The context basically states that - "You give Skype the ability to use your computer in the context of the communication", which seems entirely logical to me. Context is everything.
snip from skype>
The ULA states the following:

4.1 Utilization of Your computer. You hereby acknowledge that the Skype Software may utilize the processor and bandwidth of the computer (or other applicable device) You are utilizing, for the limited purpose of facilitating the communication between Skype Software users.

4.2 Protection of Your computer (resources). You understand that the Skype Software will use its commercially reasonable efforts to protect the privacy and integrity of the computer resources (or other applicable device) You are utilizing and of Your communication, however, You acknowledge and agree that Skype cannot give any warranties in this respect.

Article 5 Confidentiality and Privacy

5.1 Skype's Confidential Information. You agree to take all reasonable steps at all times to protect and maintain any confidential information regarding Skype, its Affiliates, the Skype Staff, the Skype Software and the IP Rights, strictly confidential.

5.2 Your Confidential Information and Your Privacy. Skype is committed to respecting Your privacy and the confidentiality of Your personal data. The "Privacy Policy" that is published on the Skype Website at www.skype.com/go/privacy applies to the use of Your personal data, the traffic data as well as the content contained in Your communication(s). We do not sell or rent Your personal information to third parties for their marketing purposes without Your explicit consent and we use Your information only as described in the Privacy Policy. We store and process Your information on computers that may be located outside Your country that are protected by physical as well as technological security devices. You can access and modify the information You provide in accordance with the Privacy Policy. If You object to Your information being transferred or used in this way please do not use our services.
snip>
If you look at the rest of the information provided on searchsecurity.com it seems to be all based on FUD IMHO!

Notes from searchsecurity's article:
Reasons on why Skype is bad:

"Skype is a closed-source VoIP solution."
Re: OK, well everyone uses Microsoft on this list and msrpc is pretty closed source also. Can we block that also?

"Some Skype traffic may take place in the clear."
Re: Much like most VoIP traffic. Big deal, just watch what you say like any other phone conversation. Phones are transmitted generally in the clear also.

"Skype traffic bypasses audit controls. By their nature, VoIP calls placed on the Skype network evade local call auditing systems. If you operate in a regulated environment, this may pose an unacceptable risk or require the use of specialized controls designed specifically to audit Skype traffic."
Re: This isn't a technical vulnerability, but a policy violation. I have yet to see any _technical_ vulnerabilities surrounding the use of Skype and it seems the only use in having an IDP rule would be to block the transmission of instant messaging type communication which would once again be a policy violation and not a technical risk to the execution of arbitrary code etc.

-Daniel Clemens

-----Original Message-----
From: Basgen, Brian [mailto:bbasgen () pima edu]
Sent: Thursday, May 18, 2006 6:44 PM
To: focus-ids () securityfocus com
Subject: RE: Skype & IPS vendor claims

Tipping Point blocks Skype under its P2P category. Someone asked why block it. Read the Skype ULA, which essentially says they can use your network for relaying traffic.

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College
-----Original Message-----
From: Vladimir Parkhaev [mailto:vladimir () arobas net]
Sent: Tuesday, May 16, 2006 9:08 AM
To: focus-ids () lists securityfocus com
Subject: Skype & IPS vendor claims

Greetings,

Many IPS vendors are claiming that their devices can block Skype. Reading the "An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol" (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf) paper, I fail to see how those claims can be true. Has anyone looked into blocking Skype?

Thanks.

--
.signature: No such file or directory

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------