Linked by Thom Holwerda on Mon 28th Nov 2005 09:54 UTC, submitted by anonmyous
OpenBSD "After much digging online for an effective way to stop this pesky application that is highly de-centralised and a big pain to block, I finally found a way to do it. It has been working perfectly fine on our corporate network, and we have had no complaints of users being denied access to legitimate web destinations (that are in compliance with our security policy of course)."
:|
by h0lden on Mon 28th Nov 2005 11:09 UTC
h0lden
Member since:
2005-07-27

I didn't know that blocking skype is so important...

Reply Score: 3

RE: :|
by dave on Mon 28th Nov 2005 16:14 UTC in reply to ":|"
dave Member since:
2005-07-01

I recently read (like 2 months ago or so?) where skype can be used for p2p transfers of files; if so, that would break my network IDS'. More annoying is that it uses ports 80 and 443 instead of its own standard port (you can configure it to use a specific one, I believe, but by default it tries to use 4 preset ports and if they don't work, it switches over to 80 and 443/tcp.) Poor design and intentionally set to evade port filtering. Nearly as bad as gotomypc.com's product.

Reply Score: 1

wow
by devurandom on Mon 28th Nov 2005 11:21 UTC
devurandom
Member since:
2005-07-06

I'm impressed when I see the use of free software to reduce the users' freedom... what's so bad in skype? In my lab everyone uses it and we find it useful to chat with other colleagues in other labs. And nothing bad happens.

Reply Score: 2

RE: wow
by gilboa on Mon 28th Nov 2005 13:12 UTC in reply to "wow"
gilboa Member since:
2005-07-06

Oh?

Let us assume that I've got a company of 100 employees and I don't want them to /abuse/ a company resource (Internet) to make their own /private/ calls using ICQ/AIM/Skype.
What does freedom of choice have to do with it? Does this freedom give you the right to abuse the right of others?

Gilboa

Reply Score: 2

RE[2]: wow
by Anonymous on Mon 28th Nov 2005 18:09 UTC in reply to "RE: wow"
Anonymous Member since:
---

It is inherently bad for any company to do that sort of thing. Chances are, they have more or less unmetered bandwidth, so it doesn't really hurt them if people use the net for personal uses a couple minutes a day...

Reply Score: 0

RE[3]: wow
by gilboa on Mon 28th Nov 2005 18:37 UTC in reply to "RE[2]: wow"
gilboa Member since:
2005-07-06

While you might be right, it is certainly within their right to do so.
Plus, due to its design, Skype eats a fair amount of bandwidth even when idle.

Gilboa

Reply Score: 2

RE[4]: wow
by Celerate on Tue 29th Nov 2005 00:52 UTC in reply to "RE[3]: wow"
Celerate Member since:
2005-06-29

Let's not forget corporate espionage, companies with big enough secrets (such as source code they don't want leaked) will need to keep their network security very tight. One of the above comments mentioned that skype can do file transfers, therefore it presents such a risk.

Reply Score: 1

RE[4]: wow
by Soulbender on Tue 29th Nov 2005 07:00 UTC in reply to "RE[2]: wow"
Soulbender Member since:
2005-08-18

"Chances are, they have more or less unmetered bandwidth"
That's rather irrelevant. The bandwidth is there to serve *the company* and if it's used up by Skype (and P2P etc) then that's bad. Sorry folks, you don't get paid to come to work and call overseas and chat with your friends on IM, you get paid to do your job.

Reply Score: 1

hm
by Anonymous on Mon 28th Nov 2005 11:24 UTC
Anonymous
Member since:
---

skype is insecure.
that'd be one reason. but blocking skype is sure not a real solution for securing such things. but people hardly understand it ;)

Reply Score: 0

RE: hm
by test on Mon 28th Nov 2005 11:43 UTC in reply to "hm"
test Member since:
2005-07-06

You say: "skype is insecure".

I say:
1) Back your claim with some hard data!
2) Support your argument with some verifiable fact-based evidence!
3) Explain what is your frame of reference (ie: what you compare it to)!

Until then I think I will still consider Skype very secure thank you very much!

Reply Score: 1

Skype usually deserves blocking in corporate environment
by Anonymous on Mon 28th Nov 2005 12:30 UTC in reply to "RE: hm"
Anonymous Member since:
---

The problems with Skype in a corporate network are :

1- Its protocol is proprietary. We don't know how it deals with your privacy => many security critical organizations (especially research centers) have forbidden its use.

2- It uses your bandwidth even if it's not started. Imagine what happens if all employees use it => what a loss of investment!

If these aspects are important for you, you know what you must do ;-)

Reply Score: 2

Anonymous Member since:
---

Yes paranoia ("we don't know how it deals with your privacy") is always a sensible and intelligent reaction to something. If you want to know, why not contact the company that makes the product, instead of simply taking the knee-jerk reaction of blocking it. And as for "proprietary", when the heck will people stop using this as a swear-word. In any field other than IT people accept "proprietary" products without even blinking. I would be much more paranoid about what goes in my mouth and stomach, if I were of a paranoid nature, than of anything going on my computer!!! We have nothing to fear but fear itself!

Reply Score: 2

devurandom Member since:
2005-07-06

Now that's a sound technical argument. If the skype design eats bandwidth by default, that's not good.

I don't use skype myself, but this is interesting nonetheless. Where can I find info about this misdesign?

Reply Score: 1

Anonymous Member since:
---

Nowhere...as Skype "eats" around the same bandwidth as all other IM softwares...

Reply Score: 0

RE[2]: hm
by dsmogor on Mon 28th Nov 2005 12:51 UTC in reply to "RE: hm"
dsmogor Member since:
2005-09-01

Actually the author had a workplace in mind. By having access to internet there you have to agree that ways of using it can be mandated by your boss.
And that's a clear right of him/her.

Reply Score: 1

Illegal in France
by Anonymous on Mon 28th Nov 2005 12:17 UTC
Anonymous
Member since:
---

>Back your claim with some hard data!

http://www.zdnet.fr/actualites/internet/0,39020774,39267873,00.htm

Safety - the software of VoIP has been just prohibited by the ministry for Research in the administrations of the universities, the research centers and the higher schools. A measurement recommended by the secretariat-general to national defense

Reply Score: 1

RE: Illegal in France
by Anonymous on Mon 28th Nov 2005 12:33 UTC in reply to "Illegal in France"
Anonymous Member since:
---

Yes the French Department of Defense insisted that the French Department of Research (& Education) stop using skype. What they do not tell you is that the French Department of Commerce needed an excuse to block Skype because it wants to protect telephone revenues of the state-owned France Telecom.

Skype uses AES 256 and so far it's the most powerful encryption mechanism, developed for the US department of Defense. Now that is probably something the French Department of Defense does not like either ;-)

Reply Score: 3

RE[2]: Illegal in France
by Anonymous on Mon 28th Nov 2005 14:55 UTC in reply to "RE: Illegal in France"
Anonymous Member since:
---

"Yes the French Department of Defense insisted that the French Department of Research (& Education) stop using skype. What they do not tell you is that the French Department of Commerce needed an excuse to block Skype because it wants to protect telephone revenues of the state-owned France Telecom."

1. France Telecom is partially state owned not fully state owned.

2. That would be the same French government that has regulated into existence one of the most competitive telecoms markets in Europe despite its involvement with France Telecom. (It's actually more competitive than the US telecoms market, for example.) This is far more detrimental to any revenues it would generate from France Telecom than a couple of governmental contracts. With this in mind it is hard to call the French government very protectionist of France Telecom, and unless there is some evidence for saying it was a pro France Telecom move I'd think it wiser to put it down to governmental paranoia or your second reason.

Reply Score: 1

There is no "freedom" argument here.
by RenatoRam on Mon 28th Nov 2005 12:21 UTC
RenatoRam
Member since:
2005-11-14

Corporate intranets are always filtered and blocked.

Your employer always chooses what you can or cannot do with the network infrastructure: if they do not want to chat they'll block jabber, icq, msn and whatever. If they do not want you to call your mum with skype they'll block skype.

Where's the problem in that?

Reply Score: 4

v EULA
by Anonymous on Mon 28th Nov 2005 13:53 UTC
RE: EULA
by Anonymous on Mon 28th Nov 2005 14:01 UTC in reply to "EULA"
Anonymous Member since:
---

Before spreading FUD, check for yourself: http://www.skype.com/company/legal/terms/tos_web.html

Reply Score: 0

RE[2]: EULA
by valeri_ufo on Mon 28th Nov 2005 14:18 UTC in reply to "RE: EULA"
valeri_ufo Member since:
2005-07-06

yes, but you better check out the EULA ( http://www.skype.com/company/legal/eula/ )

Edited 2005-11-28 14:20

Reply Score: 0

v RE[2]: EULA
by valeri_ufo on Mon 28th Nov 2005 14:19 UTC in reply to "RE: EULA"
RE[3]: EULA
by Anonymous on Mon 28th Nov 2005 14:28 UTC in reply to "RE[2]: EULA"
Anonymous Member since:
---

So you do not like them to use third party libraries (I dunno, like something called QT for example) to create an application and you do not like them to provide new services (I dunno, like an activeX control to be able to use Skype from an ebay webpage) ?

Next.

Reply Score: 1

v RE[4]: EULA
by valeri_ufo on Mon 28th Nov 2005 14:40 UTC in reply to "RE[3]: EULA"
RE[5]: EULA
by Anonymous on Mon 28th Nov 2005 14:44 UTC in reply to "RE[4]: EULA"
Anonymous Member since:
---
v RE[6]: EULA
by valeri_ufo on Mon 28th Nov 2005 14:48 UTC in reply to "RE[5]: EULA"
RE[7]: EULA
by Anonymous on Mon 28th Nov 2005 14:53 UTC in reply to "RE[6]: EULA"
Anonymous Member since:
---

Of course I can!
But only after you answer the very same question about each and every networked application installed on your computer ;-)
Bye now.

Reply Score: 0

RE[7]: EULA
by Anonymous on Mon 28th Nov 2005 20:03 UTC in reply to "RE[6]: EULA"
Anonymous Member since:
---

Jesus. Something that is not there, whilst it could be virtually anywhere, can't be proven *NOT* to be there. Such finding may mean only one thing: You weren't looking hard enough. In this vein, it is stupid to say that Windows or any other software has a "new" security hole. Windows never had a new security hole, not a single one. All of them have always been there, and in case of Windows been there for some good six years - only you didn't yet know about them. Same goes for spyware you couldn't "prove" to be in place.
The proof you demand works the other way round: Show me that there is in fact an issue, that there is spyware contained in Skype.

Reply Score: 2

v RE[2]: EULA
by valeri_ufo on Tue 29th Nov 2005 10:10 UTC in reply to "RE: EULA"
Anonymous
Member since:
---

Most companies have a policy that everything should be sourced from more than one party if possible. Claiming that other fields other than IT accept proprietary products is laughable at best.

Reply Score: 0

Companies that block Skype are...
by Clinton on Mon 28th Nov 2005 16:52 UTC
Clinton
Member since:
2005-07-05

Stoopid!

First of all, Skype is a great program for working with other employees without having to walk all over hunting somebody down or the classic type an email, wait for response, type a response to the response, wait some more, etc.

Also, if an employee is using Skype for personal use (say talking to their spouse/friend/mom/etc), which would you rather have, a five minute Skype conversation, or a 30 minute phone conversation? The employee is going to talk regardless so it is stupid to limit one of the more effective ways of personal communication.

I can Skype and work at the same time, but I can't talk on the phone and work at the same time because the medium demands an instant response, whereas Skype allows me to finish a thought and then respond to the wife/friend/mom/coworker/whoever. I also find that phone conversations last far longer than IM conversations.

Reply Score: 1

helf Member since:
2005-07-06

A. It wastes bandwidth
B. The company doesn't want it. Doesn't need it. And has full right to block it.

Edited 2005-11-28 17:26

Reply Score: 2

Straw man argument
by JaredWhite on Mon 28th Nov 2005 17:44 UTC
JaredWhite
Member since:
2005-07-06

Sure, a company has a right to block Skype, and anything else it wants. And I have a right to tell said company that I would never work for them.

I work in the technology sector. I find it insulting that companies feel the need to block *outgoing* connections made by programs that can be used for totally legitimate reasons (VoIP/Chat/etc.). If it's a question of bandwidth usage...get more bandwidth! I work in a small start-up company that has a simple firewall to protect itself from *outside* intruders -- otherwise, everything is wide open. No proxy, no anything. Why? Because we are all *trusted* by management to be responsible computer users. Trust...you know, that little thing that people have forgotten in this day and age.

Jared

Reply Score: 1

Skype...
by Anonymous on Mon 28th Nov 2005 17:52 UTC
Anonymous
Member since:
---

Funny how the same people who encourage others to use open formats jump on this proprietary software called Skype. It's not like SIP wouldn't exist...
If there's one software which deserves to get blocked then it's Skype. Not because it would be insecure, it's not less or more secure than other internet applications. But it doesn't follow standards, it uses much bandwidth and even more time. You can use it at home, but not at work.

Reply Score: 0

v RE: Skype...
by valeri_ufo on Mon 28th Nov 2005 18:01 UTC in reply to "Skype..."
blocking or encouraging?
by Anonymous on Mon 28th Nov 2005 18:03 UTC
Anonymous
Member since:
---

Not that I particularly like skype but I don't quite understand why anyone would want to block it. Aren't most companies moving to VoIP and encouraging their employees to do the same rather than running up the company's phone bill? Instead of thinking about how to block it, it would perhaps make more sense to think about why you would want to block it at all and what may be the consequences.

Reply Score: 0

Evil. This should NOT have been linked to
by Anonymous on Mon 28th Nov 2005 18:08 UTC
Anonymous
Member since:
---

Controlling what people do on the Internet is BAD. It should NOT be encouraged. Do NOT feed the net-Nazis by linking to their work.

Reply Score: 0

devurandom Member since:
2005-07-06

Yes. It's plain bad. Really bad.

Who draws the line between Good and Bad? Me? You? Who are you (or me) to control what people want to see? What you see as a hate website, maybe it's perfectly legit for me. Maybe I'm interested in looking at it just for curiosity and have a good laugh.

If you don't want to see kiddy porn and hate websites, just don't look at them and don't look for them. No one forces them down your throat.

Reply Score: 1

Rev.Tig Member since:
2005-11-28

>>kiddy porn

Hmm a new variant of Godwin's law methinks, but anyway...

Bottom line is this : you work for a company enforcing company policy, if company policy does not allow Skype, you block Skype. You use the best tools for the job.

I block port 25 to other mailservers apart from our own at work using FOSS tools; will the people in this thread wailing about "Freedom of Speech" start flaming me? I block all sorts of things as work policy dictates, I will change the policy when I pick up the bill for the net access.

This has nothing to do with FOSS software or freedom of speech, this is all to do with enforcing a company policy and the story is about how to solve an interesting technical problem.

As for Evil? Please.

Reply Score: 1

Anonymous Member since:
---

Last time I checked you couldn't call kiddie porn by phone or Skype... what exactly are you trying to tell us here..?

Reply Score: 0

Anonymous Member since:
---

"Last time I checked you couldn't call kiddie porn by phone or Skype... what exactly are you trying to tell us here..?"

Exactly how much crack have you been smoking?

The point of content filtering and blocking services
is highly dependent on the situation.

Maybe a company doesn't want its employees using this
service, as it could be unrelated to work.

The OpenBSD article is just a guide on how to block
Skype, if the need arises.


Why in god's name are people screaming about freedom
and such? Why don't you folks go whinge to RIAA, MPAA,
Sony BMG, and Microsoft, if you're all so worried about
freedom...

Reply Score: 0

Protocol Blocking
by rajj on Mon 28th Nov 2005 19:39 UTC
rajj
Member since:
2005-07-06

All this has resulted in is having almost everything being tunneled through port 80 in an effort to evade firewall rules. Even SOAP was designed this way to avoid firewall headaches (sigh...).

Now we have packet shapers trying to analyse traffic packet by packet for protocol signatures which, in turn, results in everything being encrypted AND tunneled through port 80.

The next logical step is to have encryption cracking packet shapers (har har har).

And the absurdity continues...

One cannot solve a social problem with technology.

Edited 2005-11-28 19:42

Reply Score: 1

v Biased fanboys
by valeri_ufo on Mon 28th Nov 2005 19:56 UTC
Just complain
by Kris on Mon 28th Nov 2005 20:03 UTC
Kris
Member since:
2005-07-24

If you don't like the company policy
(a) complain to your boss
(b) complain to your labor union
(c) leave the company
(d) circumvent the policy, risking an automatic (c)
(e) find smth. else to do, use your brain

Rather simple, right ?

Personally I'd go (a)->(c) because I prefer to be trusted rather than criminalized. However there are good reasons for companies to implement such a policy. Communication to the outside can be harmful because if the link is established into one direction it's naturally easier to do harm than if there's no link at all. Also humans are the weakest link in security, I could imagine someone IM-social-engineering by somehow hijacking the username of a trusted person (or maybe just using a very similar one).

Edited 2005-11-28 20:05

Reply Score: 1

If your company blocks pages, use this...
by Anonymous on Mon 28th Nov 2005 20:18 UTC
Anonymous
Member since:
---

http://opensource.region-stuttgart.de/index.php?main=8&sub=8_0

That is a German authorities supported Demo server to promote Desktop-Linux. Press the "Start Linux" button. You will download a non-installing streaming client that streams a Linux Desktop-session nice and fast. My corporate network is ridden by the pest that is Websense. If the client gets through, you can browse all sites minus web-based email.

And to the guy who wrote that article: There is yet another toy for you: try blocking the Hamachi client that gives you a VPN to Windows shares all over the show - it doesn't rely on port forwarding, etc... ;) Now, if someone in your company is opening up a few systems with that, that's a good laugh..

Reply Score: 0

Time Out
by Anonymous on Tue 29th Nov 2005 19:33 UTC
Anonymous
Member since:
---

This was a write-up on solving a relatively challenging technical problem. The issue at hand is very simple: how to block an UNWANTED application on a PRIVATE network. Fullstop. No philosophical discussions of any motives, reasons, pros or cons. The article was technical and straight to the point.

It is not aimed at people running ISPs or public networks and hence any discussion of public freedoms or user rights is rubbish. Do you dictate to your employer how they should run their company ? I don't think so. And controlling their network is also up to them, and that is done via an enforceable security policy.

Any mention of "trust" between management and employees is also laughable. Most employees are non-technical in nature and click "download" on almost any link that promises money, naked pictures, or free stuff. Anyone who has seriously tried to manage a network knows the headaches that come along with giving end-users too many privileges.

And speaking of rights, one point does come to mind : We all have a right to controlling what runs on our networks. I am sure that if an intelligence agency came up with an application that worked through any firewall, everyone would be scurrying to block it. But just because Skype offers free VoIP does not make any difference : it takes away your right to control what goes on your network and poses serious issues for people that try to block it without the budget for expensive firewalls. The article simply shows how you regain that right. It does not aim to promote monopolistic practices and invasion of user privacy. I am not even sure about the feasibility of using this method on a public network (such as one run by an ISP).

rootn0de

Reply Score: 0