Voice of VOIPSA

According to Silicon.com, Ivan Krstić, Director of Security Architecture for the One Laptop Per Child project, used a keynote speech at AusCERT 2007 to criticize the architecture of modern operating systems, which allow every application to run with maximum access rights to the machine.

This is of course a topic that exercises many security managers these days, since there are so many things that a multimedia PC can do today, including playing, recording and editing music & video; creating and editing images and text; phoning, instant messaging and video calling. What is more there are vast numbers of applications that can be rapidly bought and downloaded from the Internet, giving near instant on-demand installation of nearly any type of application. For convenience, most users run in administrator mode all the time, as it avoids answering pesky questions when we want to install and gratify our need for new software.

Many VoIP users run softphones on their PCs. Softphones are cheap, and can be extremely convenient to use. They also create new possibilities, like being able to record calls or teleconferences without spending a lot of money on recording hardware and software. From a security point-of-view, of course, this is a risk, since the softphone can control all the facilities of your PC, has access to the disk drive, and could potentially record audio, or perhaps even all LAN traffic, without you knowing. From a LAN architectural point of view, some experts say that you should use VLANs, so that VoIP phone handsets and PCs cannot interact with each others’ traffic. This would avoid a PC being able to initiate SIP calls (if, say, a malicious user wanted to run some SIP scanning software on a machine), but if you want the convenience of running softphones, then the PCs must be able to make SIP calls, so really VLANs are out.

So once again it really comes down to security versus convenience. We can lock down PCs completely and make them “safe”, but then you could argue that users will be less productive, if the IS department must get involved whenever any new thing will be installed. At the other end of the scale, letting users install everything they want, from wherever, whenever they feel like it, is a recipe for a security disaster. It’s a balance, and that is one of the reasons that security is a difficult area.

To talk about the One Laptop Per Child project for a moment, this is an effort to build a $100 laptop (the XO) that can be made in the millions to provide to school children everywhere. If you haven’t heard of this before, I strongly recommend that you watch the video from TED 2006 where Nicholas Negroponte explains what they are trying to do. A very worthwhile project and this video is 18 minutes of gold dust. Describing one of their pilot projects in a remote village Cambodia, Negroponte says of the children with their laptops: “They only know Skype, they’ve never heard of telephony.”

IP Softphone specialists CounterPath recently announced that they will license Phil Zimmermann’s ZRTP (Zfone) technology for use in their client products, namely eyeBeam and X-Lite, joining other publicly announced licencees Borderware, PGP Corp, Ripcord and TiVi.

As you may know, ZRTP has done very well in terms of acceptance in the last few months. Zimmermann has many friends in the security community, but also has great credentials in the open source world. ZRTP is an openly published protocol, but also is available as source code, thereby making it possible to test in all kinds of ways, not only closed-box (black box) testing but also in terms of working through the algorithm and even unit testing the code.

At the recent IETF meeting, methods of key exchange were discussed, as subscribers to the Voipsec list (from the VOIPSA site) cannot have failed to miss. The IETF have gone from a list of thirteen proposals down to a final two, and ZRTP is one of those, despite being considered by some as a latecomer.  Many organizations and people that I have come across trust in Zimmermann and believe that ZRTP is the answer.

If we go to the opposite end of the trust scale, we find Skype.  Poor old Skype are still getting weekly batterings from press critics on the security front.  A lot of the same criticisms are brought up time and time again, and in fairness Skype have countered a lot of the concerns, by allowing features to be switched off, changes to the package and so on.  We don’t need to rehearse all those issues here once again.

However, the issues that keep coming up, and which Skype have not argued away are those of security by obscurity and the secrecy of the protocols they use for encryption and key exchange. Famously, Skype hired security expert Tom Berson to write a report based on a long evaluation of Skype’s security provisions, but most academics still desire transparency, and the ability to evaluate the algorithms for themselves.

Academics and commercial security experts both say that simply using a secret algorithm is no guarantee of safety. Furthermore, the fact that it is secret merely means that when someone does compromise Skype, the detection and mitigation of the problem will be slowed down or prevented. Skype at that point becomes a dangerous ‘bot’ sitting behind thousands of firewalls.

What better time, then, for Skype to embrace ZRTP? Licensing ZRTP can hardly be a problem for Skype and its Ebay parent, and there is so much to gain from this. A large community of security and VoIP specialists already believe in ZRTP; the IETF likes it; commercial acceptance exists in licencees in the Softphone and Session Border Controller market. IT Managers, I’m sure, would be happier with Skype usage in the workplace if they were allowed to detect and control it, and (who knows with key escrow) in some way to log and record from it.

Come on, Skype, grab the nettle. The tools are in your hands to silence your critics.

Blue Box podcast #53 is now available covering a range of topics, including a listener’s suggestion for the Skype multiple login issue, Cisco’s IP phone security advisories, network neutrality, EU privacy legislation and, yes, we covered that wacky story about smokers being a threat to VoIP because we just had to… plus the usual listener comments, VOIPSEC review and other VoIP security news. Detailed show notes, links and more over at the Blue Box site.

Last week, in a post entitled “Skype Reads Your BIOS and Motherboard Serial Number” a developer named myria outlined how Skype was calling a file called “1.com” to read your PC’s BIOS. Predictably, this set off a Slashdot firestorm when posted there as well as numerous other mentions throughout the blogosphere and wider web. Ultimately, Skype CSO Kurt Sauer posted an explanation that this was part of the DRM component of the EasyBits framework Skype uses in their Extras Plugin Manager.

If you look at what Skype is doing with their Extras Gallery, they are very clearly making the play to be an application delivery platform - for commercial apps as well as free apps. Leaving the DRM religious war aside, the reality is that the moment you start talking commercial apps typically most vendors also start talking about some form of DRM to ensure that people aren’t just copying the commercial apps and giving them to their friends. Skype’s answer is this “EasyBits framework” and it appears that this framework was reading the BIOS to obtain a unique identifier for the PC. You can read the slashdot trail or the responses to the initial post to see various views on the intelligence of doing this, but suffice it to say that Skype owned up to the fact that this was what was going on.

Kurt Sauer also provided the simple solution - upgrade to the latest Skype 3.0 version, 3.0.0.216, where they now use a version of this framework that no longer reads the BIOS. Kudos to Skype for the quick response and to everyone who is worried about it… you can upgrade now. (Or for those really worried about Skype, just continue to not use it.)

That’s the question Dean Takahashi asks in a column in today’s San Jose Mercury News titled: Wiretapping could stifle VOIP technology. It is not entirely clear to me why Takahashi is writing this today given that there does not seem to be any real “new” news…. but with a headline like that and in the Mercury News, it is bound to get some attention over the next few days. Takahashi points out that US VoIP service providers that connect to the PSTN much comply with the FCC regulation by May 14, 2007 but that pure Internet peer-to-peer/p2p services like Skype are currently exempt. He does provide this teaser:

But it appears from its legal maneuvers that the FBI may also want to find a way to tap peer-to-peer calls, the ones that bypass the telephone system. And the FCC’s analysis of the FBI request suggests it might go along with a move to require wiretapping on any new Internet communications system.

Which leads to the obvious question of how a p2p system would actually do this… which leads to the opinion that some centralization would be required… which leads to the conclusion that this could therefore kill p2p VoIP systems in their true p2p form. The article refers people over to the Center for Democracy and Technology CALEA page where the CDT has copious amounts of info about CALEA (obviously from their point-of-view). Takahashi concludes with:

We have to balance the need to enforce laws with the need to move technology forward and at the same time protect our privacy. If we hobble technology to help law enforcement, we make ourselves vulnerable, not safer.

We faced this kind of issue in the early 1990s, when the debate was about whether to allow encryption technologies strong enough to hide data from the government. The government later decided to allow strong encryption to be used unencumbered, particularly as the technology was allowed overseas. The outcome here may be the same.

Given that VOIPSA is a global organization that encompasses a wide range of companies, people and geographic regions, its not really our place as an organization to wade into the debate of legislation in one particular country. But it is definitely a matter that does merit discussion and attention. There are very legitimate needs by law enforcement. There are also very legitimate privacy concerns - and security concerns. Where do we as nations, companies and individuals strike the balance?

Why in the world would I want to install a Skype “extra” that lets people change my inbound ringtone? i.e. they can make my version of Skype ring with a different ringtone than I have it configured for - or play annoying messages. I can only imagine working in an office and having Skype set to have a quiet non-obtrusive ring… and then suddenly someone calls me with some loud and really obnoxious ring (or profane or pornographic).

Why would I want to do this?

Scanning my personal email this morning, I had a “newsletter” from Skype encouraging me to download the latest version (which I found especially ironic given that I’m running the very latest version) and in that newsletter they highlighted several “extras” by name. One was “Ringjacker” and had this text:

Hijack your friend’s ringtone – ring them up with your music.

Okay, I’m a security guy… mention something like that and yes, Skype, you have my attention. In looking at the Ringjacker page in the Extras gallery, it has this ominous text (my emphasis added):

Ringjacker™ is the next generation of ringtone released on Skype phones. It is an optional plug-in application in Skype that enables Skype callers to ring up other Skype users with a selection of songs, tracks and sound effects. Ringjacker™ is a perfect conversation starter. The free plug-in lets a caller make his or her friends’ Skype phone ring with any of a range of audio tracks, including perenial Electronica, classic seasonal songs, and various hilarious animal calls to surprise and delight the recipient. Ringjacker™ allows the user to temporarily hijack his or her friends’ Skype ringer and will be available worldwide via the Skype 3.0 distribution.

The perfect “conversation starter“? I can think of a few other choice words. Perhaps I’m just a control freak, but I don’t want anyone messing with MY phone configuration! Naturally at this point, my curiousity - and concern - was getting heightened. Was this going to make me uninstall Skype or leave it in DND mode all the time? So I went over to the Ringjacker home page to learn more about the company. Thankfully, on the help page they answered my question:

(Note: if the contact does not have Ringjacker installed, the contact will be sent a message asking the contact to install Ringjacker. Only after the contact has installed Ringjacker will you be able to make a Ringjacker call to that contact.)

Whew! So in other words the only people who will be bothered by Ringjacker’s tones are those who choose to install this extra. Which goes back to my original question - why in the world would someone want to install this extra?

Now, I’m all for experimentation and encouraging people to try out wacky ideas, but I just don’t get it. I guess that the Ringjacker folks believe this will be “fun”. Maybe I’m just being a grumpy curmudgeon who needs to drink more tea before blogging in the morning… but the only thing I can see installing this extra would do is set myself up for more annoyances! What do you think? Would any of you actually use this? Since we’re on a security blog, I’m betting no, but thought I’d ask…

P.S. Judging by the user comments in the Skype extras site, there appear to also be some technical issues, although many of those may be with Skype’s own Extras component.

For those of you out there looking at Skype, Skype CSO Kurt Sauer has written post over on the Skype Security Blog titled “Deploying Skype in a Windows domain - Skype Security Blog” where he talks about the changes Skype has made to give administrators some degree of greater control over Skype.  He also includes these questions and an invitation for feedback:

However, there remains much work to be done. Some of the key questions I have for the future are:

• What’s the best way to manage non-Windows devices (Macs and Linux) in a way that can be federated or managed in an enforceable way?
• Should we support some kind of policy broadcast mechanism, to require and/or suggest that itinerant users on networks to follow certain policies, such as the use of a specific outbound proxy?

There is a lot of work ahead for us — not just in the policy area but in security as a whole. Policy management is just one part of the process, but it is an important part. Feel free to send your thoughts to us at security@skype.com or make reply comments to this posting.

So for those of you wanting to provide feedback to Skype… they are looking for it.

(Tip of the hat to Irwin Lazar who posted about this and blogged his feedback.)