Re: Using Skype from corporate network ... ?

In article <9BPSe.8084$_k2.133064@news2.nokia.com>,
Lassi Hippeläinen <lahippel@ieee.orgies.invalid> wrote:
>Walter Roberson wrote:
:> - Skype appears to make deliberate attempts to find ways around
:> firewalls
:Of course. That's the whole point in peer-to-peer networking. It isn't a
:security risk as such.
Our firewalls do not happen to be able to inspect down finely enough
to determine whether Skype or other P2P is being used. If Skype finds
its way out through a port that we have had to allow for other
purposes, then it is abusing our security policy.
:> - Skype attempts to contact an amazing number of remote devices
:> on random-looking ports -- not just occasionally, either.
:Looking for a hub that can connect calls, no doubt.
No, the traffic continues as long as Skype is running, even when
no local calls are taking place, and even when all "buddy lists"
have been turned off. The traffic is the local Skype attempting to
partake in the distributed processing.
:> - If Skype can figure out a way to get your system to accept
:> incoming connections from random outside systems, then your
:> system will be used for distributed processing to maintain the
:> skype infrastructure or to switch calls. Your acceptance of this
:> is part of the EULA.
:If your network has end user hosts that can receive connections from
:outside, you're screwed even without Skype.
We have anti-virus software to detect and nullify other software
that builds trojans. Unfortunately that software doesn't flag Skype.
:> If you are not careful with Skype, you could end up with nasty
:> excess-bandwidth bills. We have a gigabit connection to the 'net, so
:> you can imagine how much traffic Skype would think could be switched
:> through us... but we have to pay for non-research traffic.
:> It's a hidden cost of using Skype.
:Only if you have a Skype hub. They are normally in open servers, e.g.
:university networks.
Re-read the documents on "How Skype Works". *Every* system
is eligible to be turned into a hub, if Skype can figure out a way
to allow other hosts to connect to it. If Skype can find even one
port that your firewall permits traffic on at the request
of an inside system then you are on the hook for whatever
bandwidth charges may accrue, and you won't get far protesting
because it's in the EULA.
:> After that, one gets into questions of whether one trusts that
:> Skype has no security holes in its protocol.
:That is a real concern. All the other things you mentioned above aren't
:security issues.
Perhaps they aren't security issues in your security domain, but
where I am, one of my duties as security administrator is to
ensure that we don't get hit with big bandwidth bills because some
program running internally has found a way to subvert firewall policy.
--
"I will speculate that [...] applications [...] could actually see a
performance boost for most users by going dual-core [...] because it
is running the adware and spyware that [...] are otherwise slowing
down the single CPU that user has today" -- Herb Sutter
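
Added example, not part of the original post or thread: one way to spot, from firewall flow records, the behaviour described above, where an inside host keeps contacting a large number of remote devices on random-looking ports for as long as the client runs. The record format, allowed-port list, threshold and window size are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Assumptions (not from the post): policy ports, threshold and window size.
ALLOWED_PORTS = {25, 53, 80, 443}   # ports the firewall allows for other purposes
HIGH_PORT = 1024                    # "random-looking" = unprivileged, not allow-listed
FANOUT_THRESHOLD = 20               # distinct remote endpoints per window
WINDOW_SECONDS = 300

def fanout_by_host(lines):
    """Map (src, window_start) -> set of distinct (dst, port) on odd ports."""
    seen = defaultdict(set)
    for line in lines:
        try:  # assumed record format: "epoch src_ip dst_ip dst_port proto"
            ts, src, dst, port, _proto = line.split()
            ts, port = int(ts), int(port)
        except ValueError:
            continue  # skip blank or malformed records
        if port in ALLOWED_PORTS or port < HIGH_PORT:
            continue  # ordinary, policy-sanctioned traffic
        seen[(src, ts - ts % WINDOW_SECONDS)].add((dst, port))
    return seen

def suspects(lines, threshold=FANOUT_THRESHOLD):
    """Return {src: windows over threshold}; many windows means sustained fan-out."""
    hits = defaultdict(int)
    for (src, _window), endpoints in fanout_by_host(lines).items():
        if len(endpoints) >= threshold:
            hits[src] += 1
    return dict(hits)

def sample_log():
    """Constructed records: 10.0.0.5 fans out in three windows, 10.0.0.9 does not."""
    out = []
    for w in range(3):
        base = 1000000200 + w * WINDOW_SECONDS
        for i in range(30):
            out.append(f"{base + i} 10.0.0.5 198.51.100.{i + 1} {20000 + 37 * i + w} udp")
        out.append(f"{base} 10.0.0.9 203.0.113.7 443 tcp")
        out.append(f"{base} 10.0.0.9 203.0.113.8 5060 udp")
    out.append("garbage line")
    return out

if __name__ == "__main__":
    print(suspects(sample_log()))
```

A host that exceeds the threshold in window after window, including periods when no calls are being placed, matches the pattern described in the post; the threshold needs tuning against the site's normal traffic.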