[VOIPSEC] regarding skype's usefulness in the enterprise
Rodney Thayer
rodney at canola-jones.com
Tue Jan 3 11:30:00 CST 2006
(first of all, you people need to fix your out-of-office autoreplies.
I don't mind getting them but the information leakage from all you
voip vendors lurking on the list is terrible ;-)
(second of all, if you get digested email, CHANGE THE SUBJECT LINE.
someone's going to get grumpy about that.)
OK, now about Skype. It's peer to peer. Imagine someone coming in
and doing a network audit and finding that you have 300 machines on
your network sharing out your bandwidth via locations in taiwan,
the balkans, and all sorts of other places where you may well not have
any trading partners. Is that what you meant to be paying for
the last time you paid your ISP bill? If I said "all the users
in accounting are downloading and using kazaa" you'd have a fit.
if it's skype it's ok? really? isn't that a policy violation?
and it's proprietary encryption. there are some simple rules in
the crypto world, one of which is "if it's not a reviewed crypto scheme
you should assume it is suspect". skype's crypto is proprietary. It's
been reviewed, in a very limited fashion, and the review doesn't
read to some like it's ok. Furthermore, there is no technical justification
for cooking a new protocol rather than using some existing scheme
at least as a basis.