"Inveniam viam aut faciam" : I will either
find a way, or I shall make one
gaping security hole or wünderapp?
so what do we know about this p2p, voice application?
about 170 million users (and growing) skype has come under fire lately
many sysadmins claiming that because they cannot effectively block or
the traffic, that it may be one HUGE security hole. Skype runs on its
proprietary protocol, the code for which is jealously guarded by its
Attempts to reverse engineer this protocol have so far proved
Reverse engineering the program is also proving to be problematic. The
executable refuses to load if certain debugging programs are running in
programmers believe that the executable itself is suspicious at a
of 12Mb what else is in there??
do know that it’s letting users around the world
(well, SOME parts of the world anyway) make local AND international
calls at one
HELLUVA reduced rate (thereby taking business away from and annoying
uses peer-to-peer technologies to allow
connections based on Kazaa (the creators of skype are Niklas
Zennström and Janus Friis, none other than the boys responsible for
established use strong encryption, making listening in on conversations
impossible (thereby irritating certain governments)
- By using its own protocol and
peer-to-peer technologies, it circumvents many firewalling and NAT
(thereby irritating many security conscious sysadmins)
a nutshell, the skype network is made up of a number of nodes and
because of the nature of peer-to-peer, the only “centralized” servers
login authentication servers which are hardcoded into skype and hidden
code. Once a user is logged in, skype will look for skype “supernodes”
supernode is ANY skype user that has good bandwidth and is not sitting
firewall. From this supernode, he will receive the list of peers and
part of the skype network.
protocol is proprietary and jealously guarded, all traffic is encrypted
at least 128-bit encryption using RC4 method, server login is encrypted
256-bits with an MD5 hash check added to the username, random node
64-bit encryption, so, this is all good and well, but... what’s in the
exactly? If an exploit is found, what could stop skype’s infected p2p
Would we end up with a net that looked like Kazaa in its later days?
taking a walk in the dark woods?
one takes a close look at the Skype EULA (end user license agreement)
of section 2.4 which states:
acknowledge and agree that the Skype Software may be incorporated into,
incorporate itself, software and other technology owned and controlled
does skype want to run other companies' software on your system?
be enough? The likely scenario is that skype is referring to codecs and
technologies not owned by skype, but… who knows. No one can really know
going on until the code is cracked. Will skype make the program open
Not so according to its founder, Niklas Zennström, who claims
they simply don’t have the time.
hereby acknowledge that the Skype Software may utilize the processor
bandwidth of the computer”
its peer to peer nature, skype uses your
facilitate communications between other skype users. By as much as 5Kb
normal nodes (normal users) and up to 10Kb for supernodes. Imagine
this… you are
the sysadmin of a company. You have users that run skype. Perhaps three
might be normal nodes, and one of them is a supernode. This could mean
possible 25Kb of your bandwidth out the window.
good, the bad and the downright nasty
So, is this program all bad? I must admit that
took a deep look into this program, I was vehemently anti-skype due to
subversive nature, but… let me step back a moment and take a look at
is offering a viable alternative for low-cost local
and international calls forcing fat cat telecoms companies from around
world to reduce prices. That is indeed its biggest calling card to
third world countries where the cost of using the traditional high cost
the business-cost savvy, skype offers many options
for reducing cost of calls, for example, the skypein feature, allows a
create a telephone number in Helsinki that will ring on a skype device
Tokyo, the Helsinki landline caller only paying local telephone rates.
also offers a voicemail feature, ideal for having
an answering machine follow you around the world (or wherever internet
So, why would
any sysadmin, of sane mind and body
DARE run this application that sits behind your firewall, can figure
out a way
of getting PAST your firewall (it can connect through port 80 or 443,
corporate firewall today does not allow these out?) AND has HEAVILY
its traffic so that we have no way of knowing what’s coming into or
of our corporation?
certainly would not have my network running such an
app, especially one that uses p2p as the backbone of its technology.
many apps out there that can duplicate skype’s functions such as Google
and msn messenger that has long ago had voice capabilities built in.
messenger even has video facilities built in!
other voice over IP programs run with a
server-client model that a sysadmin can track and keep an eye on, and I
keep an eye on. It lets me sleep at night.
skype is a great app for what it is, at
of the day, it’s just not worth the risk running such a subversive app
network, and as in any I.T. problem, there is always more than one way
a cat. There are other apps out there, USE THEM, be AWARE, that's all
to sources, a Chinese info-tech company
not in the know if they are doing this for fun
financial, (most likely financial) but, there it is, someone has gotten
skype's MASSIVE encryption. This could possibly mean free telephone
the skype network, and I'd love to see skype techs try to pick out this
traffic from their legitimate traffic, hahaha. But most likely, this
will collaborate with skype and the Chinese government and sell this
a controlled service (i.e. no political naughtiness!). From what I
hear as well, it can do IP address
regardless of what firewall you are sitting behind, so you can be
if you are being politically naughty.
of the hack skype version vs.
As far as I know, this software is not yet out.