The image of VoIP Internet calls pioneer Skype has been struggling recently but it is fair to say that only a tiny fraction of its millions of regular users will have had the faintest idea that anything has been even slightly awry.
Judging by the slow reaction, Skype’s management have also been unaware that the image of the program had started to change in some circles, or that such a body of opinion, however small, might matter.
Now that tardiness appears to be changing – Skype is shedding its startup complacency and counter-attacking against its critics.
Problems started around the time that the version 2.0 beta appeared last year, the moment when a handful of software engineers started to assess a troubling issue thrown up by the program’s new and evasive design: it was incredibly hard to detect using perimeter security systems.
Skype’s unofficial explanation for its extreme stealthiness has always been that this was necessary to avoid telcos threatened by its business model from blocking it. While this presents no issues for a home user, using “invisible” software capable of making and receiving voice calls, opening instant messaging sessions and exchanging files on a corporate networks, caused some to ponder whether the ever-more-popular Skype hadn’t just turned itself into a huge security risk.
Is such a design really that big a security deal? It could be if the company in question is expected to comply with laws on information disclosure, or simply to meet best security practice. It stands to reason that any application moving data in and out of a company’s network without that company being aware it is even there offers the potential for abuse.
And Skype has certainly been turning up on corporate networks, though people disagree about whether this has been driven by a naïve desire by departmental heads to save on phone charges or just employees importing their home software into places of work because they happen to like using it.
In May, Techworld reported that US company Reconnex had detected Skype running on 22 percent of analysed company networks, one program among a growing panoply of unauthorised P2P software. According to the company, companies were not aware of the program’s existence, and were not tracking, blocking or managing it in any way.
As with any software, the program has also suffered its own vulnerabilities, which open a new class of risks of their own. How can you patch something on a risk you don’t even know, nor can know, you have on your network? You can’t.
With all this going on it is surprising that Skype has been able to keep its head down. About the only concession the company has made is to start publishing a security blog of sorts, where it attempts to explain its position. At best, these have been partial rebuttals of some of the criticisms the program has attracted.
For instance, one from March discusses the possibility of managing Skype, turning off features considered inappropriate in enterprises, such a file transfers.
This assumes, however, that companies know about Skype’s existence, are prepared to devote time to using it in the ways described, and are willing to configure security using a proxying setup where applications must pass through an access layer.
Interesting then that earlier this month Skype embarked on a campaign to put its point of view, speaking to a number of journalists, Techworld included. According to Kurt Sauer, Skype’s CSO, the program is misunderstood by its critics.
“One of the reasons Skype is difficult o find is that the people who provide the carrier services [ISPs, telcos] are in competition with Skype,” he said, repeating the claim that Skype uses stealthiness because it has to.
“We don’t want the product to work in such a way as to allow it to be degraded.”
According to Sauer – by way of evidence - unnamed US cable companies had been blocking third-party services such as Skype and Tivo because they wanted to make money from the same services. But invisibility and its accompanying problems still seems a high price to pay to stop the interference of a few companies nobody outside of certain states in the US will even have heard of, surely?
He also revealed that the company was currently looking at the issues of how it recommends user patches and upgrades that have been driven by security vulnerabilities. There is a body of opinion that users should be compelled to patch, or at least have the choice properly explained to them (at the moment, security is not given as a reason to upgrade which allows people to ignore the prompts).
Sauer revealed that Skype has now seen the errors of its silence on enterprise security and had just appointed someone to oversee the creation of security guides that would set out how to use and manage it securely.
He wasn’t able to set a date by which these would be publically available, but they are sure to attract a great deal of interest from the vocal minority who view Skype in a critical light, when they do finally appear.
Short of a wide embracing of the proxying technologies suggested by Skype, it seems unlikely that the controversy about Skype security-worthiness in companies will recede quickly. It is, nevertheless, good that the company is no longer simply denying it has a problem to sort out, and is bothering to puts its case.
There is no reason why Skype should adopt the awkward mantle of its parent, eBay, and retreat into arrogance and convenient silence.