Friday, October 12, 2007

Skype (IPA pronunciation: /skaɪp/, rhymes with type) is a peer-to-peer Internet telephony network founded by the entrepreneurs Niklas Zennström and Janus Friis, also founders of the file sharing application Kazaa and the peer-to-peer television application Joost. It competes against existing open VoIP protocols such as SIP, IAX, and H.323. The Skype Group, acquired by eBay in September 2005, has headquarters in Luxembourg, with offices in London, Tallinn, Prague countermeasures against reverse engineering of the software or protocol.

System and Software

Main article: Skype Protocol

Technology

Main article: Skype security

Security
The Skype code is proprietary and closed source, and it is not planned to become open-source software, according to a quotation:
"We could do it but only if we re-engineered the way it works and we don't have the time right now."
A book from Que Publishing, Skype: The Definitive Guide points out:

Skype can utilise other users' bandwidth. (Although this is allowed for in the EULA, there is no way to tell how much bandwidth is being used in this manner). There are some 20,000 supernodes out of many millions of users logged on. Skype Guide for network administrators[1] claims that supernodes carry only control traffic up to 5 kbytes/s and relays may carry other user data traffic up to 10 kbytes/s (for one video call). A relay should not normally handle more than one "relayed connection".
Skype's file-transfer function does not contain any programmatic interfaces to antivirus products, although Skype claims to have tested its product against antivirus "Shield" products.
The lack of clarity as to content means that systems administrators cannot be sure what Skype is doing. (The combination of an invited and a reverse-engineered study, taken together, suggests Skype is not doing anything hostile.) Skype can be easily blocked by firewalls.
The actual communication of any given Skype conversation uses modern encryption techniques to make conversations secure, as mentioned in the above studies.

General
Skype accesses the hard disk several times each minute. This can be verified by observing the HDD's activity LED, or by using a file access monitor such as FileMon.

Resource usage
Skype claims that the proprietary session establishment protocol is efficient and prevents both man-in-the-middle and replay attacks. The software is not self-certifying, which means it needs to connect and log in to a centralized Skype server to certify each user's public key.
Skype currently permits multiple concurrent logins: if an attacker is able to obtain a user's login password, the attacker could log in as that user and change their status to "Hidden". Thereafter, any chat sessions involving the real user are possibly copied to the hacker's "ghost" account. Provided a user keeps his/her password secure, this is not of concern.
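The concurrent-login risk described above can be checked for wherever per-account session records are available. The following is an added example, not part of the original article or of Skype's software; the record format, account names and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed session records (hypothetical format, not a Skype log):
# account, endpoint, login time, logout time ("-" = still active), presence status
SAMPLE = """\
alice 198.51.100.7 2007-10-12T09:00 2007-10-12T17:30 Online
alice 203.0.113.44 2007-10-12T11:15 - Hidden
bob 198.51.100.9 2007-10-12T08:00 2007-10-12T12:00 Online
bob 198.51.100.9 2007-10-12T13:00 2007-10-12T18:00 Online
carol 192.0.2.10 2007-10-12T10:00 2007-10-12T11:00 Away
carol 192.0.2.99 2007-10-12T10:30 2007-10-12T10:45 Online
"""

def parse(text):
    """Group session tuples (start, end, endpoint, status) by account."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        account, endpoint, start, end, status = line.split()
        start = datetime.fromisoformat(start)
        # An open session is treated as lasting indefinitely.
        end = datetime.max if end == "-" else datetime.fromisoformat(end)
        sessions[account].append((start, end, endpoint, status))
    return sessions

def concurrent_logins(text):
    """Return (account, endpoint_a, endpoint_b, hidden) for each pair of
    sessions of one account that overlap in time from different endpoints.
    hidden is True when either session used the "Hidden" status."""
    findings = []
    for account, rows in sorted(parse(text).items()):
        rows.sort()  # by start time
        for i, (s1, e1, ep1, st1) in enumerate(rows):
            for s2, e2, ep2, st2 in rows[i + 1:]:
                if s2 >= e1:
                    break  # sorted by start: no later session overlaps this one
                if ep1 != ep2:
                    findings.append((account, ep1, ep2, "Hidden" in (st1, st2)))
    return findings

if __name__ == "__main__":
    for finding in concurrent_logins(SAMPLE):
        print(finding)
```

Overlaps in which one side is "Hidden" match the ghost-account pattern most closely and are the ones to review first.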

Confidentiality of data
Skype provides an uncontrolled registration system for users: registration requires no proof (by means of state-issued ID card) of the identity of the user. This works two ways: you can use the system safely without revealing your real-life identity to other users of the system, but on the other hand you have no guarantees that the person you communicate with is the one they say they are in real life. The downside of this is that it is easy to use the personal name (but not identity) of a trusted person as a Skype nickname and trick a naive user into revealing information or executing a program sent to them.
It should be noted that this behavior is common to all digitally provided services: the exceptions are certificates from trusted certificate authorities with all the known drawbacks.

Authenticity of user identity
Versions now exist for Microsoft Windows [2000, XP and CE (Pocket PC)], Mac OS X and GNU/Linux. The Linux version runs on FreeBSD through its Linux binary compatibility layer; the Fedora Core version works fine, provided the user switches on the microphone in the GNOME sound settings. The Symbian version is currently under development.

Major events

  • Detailed Windows changelog

  • Detailed Mac changelog

  • Detailed Linux changelog

Detailed changelogs
As of June 30, 2007, Skype had a cumulative number of unique user accounts of 220 million. Users may register more than once, and as a result, may have more than one account.
It was reported that nine million concurrent Skype users were online as of January 29, 2007.
Skype incorporates some features which obfuscate its traffic, but it is not specifically designed to thwart traffic analysis and therefore does not provide anonymous communication. Some researchers have also been able to watermark the traffic so that it is identifiable even after passing it through an anonymizing network [2].

Usage and traffic

Main article: Features of Skype

Features
SkypeOut allows Skype users to call traditional telephone numbers, including mobile telephones, for a fee. This fee is as low as USD$0.024 per minute for most developed countries, and as high as USD$2.142 per minute for calls to the dependency of Diego Garcia. Beginning January 2007, Skype also charges an equivalent of 0.039 Euro for each SkypeOut call, in addition to the ordinary rate. After 180 days of not making a SkypeOut call the Skype balance expires. As of January 30, 2007, SkypeOut calls to Canada and the United States are no longer free.
SkypeOut calls to most toll-free numbers in France (+33 800, +33 805, +33 809), Poland (+48 800), the UK (+44 500, +44 800, +44 808) and the United States and Canada (+1 800, +1 866, +1 877, +1 888) are free for all Skype users, even if they do not have the SkypeOut service [3][4]. However, for many other countries SkypeOut doesn't support calling toll-free and premium rate numbers, and SkypeOut doesn't support calling emergency numbers (such as 112 in Europe or 911 in the U.S.A.).
Quality of service is not guaranteed. Dropouts, broken connections and compression distortion are frequently observed by users.

SkypeIn allows Skype users to receive calls on their computers dialed by regular phone subscribers to a local Skype phone number. It permits users to subscribe to numbers in Australia, Brazil, Chile, Sweden, Switzerland, UK, Romania and the United States.
For example, a user in San Francisco could create a local telephone number in Helsinki. Callers from Helsinki would pay only local rates to call that number.

Skype has been criticized over its use of a proprietary protocol, instead of an open standard like H.323, Inter-Asterisk eXchange, or SIP, since this makes it much more difficult, if not impossible, for other developers to interact with Skype. Some have theorized that the decision was made to prevent competition over business with SkypeOut.
Due to the design of the protocol, if given access to an unrestricted network connection, Skype clients can become supernodes. These supernodes hold together the peer-to-peer network and provide data routing for other clients behind more restrictive firewalls, which can generate a significant amount of bandwidth usage. For this reason, some network providers, such as universities, have banned the use of Skype.

  • Heavy use of anti-debugging techniques (used to deter development of alternative clients, hacking tools)

  • Significant use of obfuscated code (slows reverse engineering, less description of what program code does internal to the executable file)

  • Keeps chatting on the network, even when idle (even for non-supernodes; may be used for NAT traversal)

  • Blind trust in anything else speaking Skype

  • Ability to build a parallel Skype network

  • Lack of privacy (Skype has the keys to decrypt sessions)

  • Heap overflow in Skype

  • Skype makes it hard to enforce a (corporate) security policy

  • "No way to know if there is/will be a backdoor"

Criticisms
Skype faces challenges from two main legal and political directions: challenges to its intellectual property and political concerns by governments wishing to control the telecommunications systems of their respective countries.
Skype's technology is proprietary and closed to outside review. It is unknown to what extent it can potentially intrude upon other parties' patents and copyrights. It is not unreasonable, therefore, to expect legal challenges from third parties concerning Intellectual Property issues.
Skype also supplies SkypeIn phone lines without requiring proof of address, which is illegal in some countries.

Legal and political aspects

Legal challenges
In January 2006, StreamCast Networks filed a complaint in U.S. District Court in Los Angeles, accusing Skype of stealing its peer-to-peer technology. The $4.1 billion lawsuit did not initially name eBay, Skype's parent company; however, the lawsuit was amended in a filing with Federal Court in the Central District of California on May 22, 2006, to include eBay and 21 other parties as defendants.
Streamcast seeks a worldwide injunction on the sale and marketing of eBay's Skype Internet voice communication products, as well as billions of dollars in unspecified damages.

Streamcast lawsuit
On June 1, 2006, Net2Phone (the Internet telephone unit of IDT Corp.) filed a lawsuit against eBay and Skype accusing the unit of infringing U.S. Patent 6,108,704, which was granted in 2000.

IDT lawsuit

Political issues
For a brief period, SkypeOut was blocked in some regions of mainland China (notably Shenzhen) by the operator China Telecom for undisclosed reasons; it has been speculated that this may relate to SkypeOut's ability to take lucrative international and long-distance business away from the People's Republic of China's state-controlled telecommunications companies.

China 2005
In September 2005, the French Ministry of Research, acting on advice from the general secretariat of national defence, issued an official disapproval of the use of Skype in public research and higher education; some services are interpreting this decision as an outright ban. The exact reasons for the decision were not given, but speculatively may relate to issues noted earlier, relating to inability to monitor the nature of information being communicated, possible extreme resource usage, or unknown potential actions of the software.

France 2005
In May 2006, the FCC successfully applied the Communications Assistance for Law Enforcement Act to allow wiretapping on digital phone networks. Skype is not yet compliant with the Act, and has so far stated that it does not plan to become compliant.

United States, CALEA 2006
In December 2006, the Government of India announced they are preparing a crackdown on Internet telephony services, citing security risks and loss of revenue. The clampdown is targeted at outsourcers and other Indian IT businesses that use foreign owned Internet telephony services, such as Skype and Yahoo!, to cut their phone bills and evade the six percent revenue share and 12 percent tax imposed on local services by the government. According to The Times of India, companies must reveal the names of licensed service providers they purchase bandwidth and internet telephony minutes from. Companies will also have to undertake that they will not use the services of unlicensed internet service providers.

India 2006
Skype was abruptly blocked in the UAE for undisclosed reasons—Skype users in the United Arab Emirates are being blocked from the site, which prevents them from buying minutes for use with SkypeOut and taking advantage of deeply discounted international calling rates. The blockage has been speculated to originate within Etisalat, the only ISP in the UAE. Since Etisalat has a monopoly on telephony there, the motive could be economic, or it could be one of political control due to Skype's encryption of conversations.

United Arab Emirates 2006
The Sultanate of Oman has also blocked access to the website, preventing users from accessing SkypeOut in order to maintain Omantel's monopoly on the telecommunications market in the country. Security issues are a factor as well as economic ones, as it is difficult to monitor the calls made with Skype. If one attempts to reach the Skype webpage, the monitor says: "Access Denied (policy_denied) Your system policy has denied access to the requested URL. For assistance, contact your network support team." Many other Persian Gulf countries pursue similar policies regarding Skype for largely the same reasons.
