Dan, I think the relevant snippet of the ULA is: "Skype Software may utilize the processor and bandwidth of the computer (or other applicable device) you are utilizing, for the limited purpose of facilitating the communication between Skype Software users."
In other words, they may use your computer and bandwidth to help other people communicate. This is part of what makes Skype both a good and bad product: its Peer to Peer nature. Instead of having a central server that routes traffic, peers on the network do that work. Hence, for users with a fat pipe to the internet, they may want to think twice about giving Skype the okay to use as much of that pipe as they need. Home users likely won't and don't need to care, and frankly a lot of organizations are okay with this kind of thing, if for no other reason than the impact is possibly minimal. If your organization, however, wants to know and control internet data flows, then peer to peer technology is going to make your job very difficult.

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College

> -----Original Message-----
> From: Clemens, Dan [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 19, 2006 9:08 AM
> To: [email protected]
> Cc: Herren, Jason; Sanders, Jonathan
> Subject: RE: Skype & IPS vendor claims
>
> I think everyone including searchsecurity.com is taking the
> ULA out of context.
>
> The context basically states that - "You give Skype the
> ability to use your computer in the context of the
> communication", which seems entirely logical to me.
>
> Context is everything.
>
> >snip from skype>
> The ULA states the following:
>
> 4.1 Utilization of Your computer. You hereby acknowledge that
> the Skype Software may utilize the processor and bandwidth of
> the computer (or other applicable device) You are utilizing,
> for the limited purpose of facilitating the communication
> between Skype Software users.
>
> 4.2 Protection of Your computer (resources). You understand
> that the Skype Software will use its commercially reasonable
> efforts to protect the privacy and integrity of the computer
> resources (or other applicable device) You are utilizing and
> of Your communication, however, You acknowledge and agree that
> Skype cannot give any warranties in this respect.
>
> Article 5 Confidentiality and Privacy
>
> 5.1 Skype's Confidential Information. You agree to take all
> reasonable steps at all times to protect and maintain any
> confidential information regarding Skype, its Affiliates, the
> Skype Staff, the Skype Software and the IP Rights, strictly
> confidential.
>
> 5.2 Your Confidential Information and Your Privacy. Skype is
> committed to respecting Your privacy and the confidentiality
> of Your personal data. The "Privacy Policy" that is published
> on the Skype Website at www.skype.com/go/privacy applies to
> the use of Your personal data, the traffic data as well as
> the content contained in Your communication(s).
> We do not sell or rent Your personal information to third
> parties for their marketing purposes without Your explicit
> consent and we use Your information only as described in the
> Privacy Policy. We store and process Your information on
> computers that may be located outside Your country that are
> protected by physical as well as technological security
> devices. You can access and modify the information You
> provide in accordance with the Privacy Policy. If You object
> to Your information being transferred or used in this way
> please do not use our services.
> >snip>
>
> If you look at the rest of the information provided on
> searchsecurity.com it seems to be all based on FUD IMHO!
>
> Notes from searchsecurity's article:
> Reasons on why skype is bad:
> "Skype is a closed-source VoIP solution."
>
> Re: Ok, well everyone uses microsoft on this list and msrpc
> is pretty closed source also. Can we block that also?
>
> "Some Skype traffic may take place in the clear."
>
> Re: Much like most voip traffic. Big deal, just watch what you
> say like any other phone conversation. Phones are transmitted
> generally in the clear also.
>
> "Skype traffic bypasses audit controls. By their nature, VoIP
> calls placed on the Skype network evade local call auditing
> systems. If you operate in a regulated environment, this may
> pose an unacceptable risk or require the use of specialized
> controls designed specifically to audit Skype traffic."
>
> Re: This isn't a technical vulnerability, but a policy violation.
>
> I have yet to see any _technical_ vulnerabilities surrounding
> the use of skype and it seems the only use in having an idp
> rule would be to block the transmission of instant messaging
> type communication which would once again be a policy
> violation and not a technical risk to the execution of
> arbitrary code etc.
>
> -Daniel Clemens
>
> -----Original Message-----
> From: Basgen, Brian [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 18, 2006 6:44 PM
> To: [email protected]
> Subject: RE: Skype & IPS vendor claims
>
> Tipping Point blocks Skype under its P2P category.
>
> Someone asked why block it. Read the Skype ULA, which
> essentially says they can use your network for relaying traffic.
>
> ~~~~~~~~~~~~~~~~~~
> Brian Basgen
> IT Security Architect
> Pima Community College
>
> > -----Original Message-----
> > From: Vladimir Parkhaev [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, May 16, 2006 9:08 AM
> > To: [EMAIL PROTECTED]
> > Subject: Skype & IPS vendor claims
> >
> > Greetings,
> >
> > Many IPS vendors are claiming that their devices can block Skype.
> > Reading "An Analysis of the Skype Peer-to-Peer Internet Telephony
> > Protocol"
> > (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf),
> > paper I fail to see how those claims can be true.
> >
> > Has anyone looked into blocking Skype?
> >
> > Thanks.
> >
> > --
> > .signature: No such file or directory
