
Skype Entering a New Era

Note - edited so links and references work properly. There has apparently been some discrepancy among the sources. I'm just trying to share the information.

There have been some recent observations about Skype and the SanDisk option using U3 technology to run Skype from a stick, or thumb drive. While the U3 approach may be new, there are wrappers available that pretty effectively run Skype from a thumb drive today without problems.

I tested one and found that without admin rights to a machine, I could easily run Skype with no installation. That's right. No installation. No registry entries. Almost without a trace. Almost but not quite since the tools I used did actually leave recoverable deleted files. But you had to know to look for them.

I've seen lots of talk about the convenience of walking into an Internet cafe with Skype on a stick, and they're good ideas. Dan York asked the more important question in Skype on a USB stick... (what about the security concerns?):

Yet also think about that "convenience" from a security point-of-view. Your company might have the policy that you do not want Skype installed on company PCs. (I'm not advocating for or against that policy - it just is a policy that some companies will choose.) But now anyone can walk in and insert a USB stick and away they go.

Just another reason why security work will never be boring... :-)

Truer words were never spoken. Security work is never boring and below the radar of blogs and the web news, many corporations are working to figure out how to block Skype effectively because they do view it as a security problem. I've talked to several colleagues who feel much the same way. Sure, it's a great tool. It's handy and works well, but it introduces risk as well.
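
An added example, not from the original post: a client launched from a stick leaves no installer or registry entries, so a software inventory will not show it, but the running process still has an image path on the removable volume. The PowerShell below lists such processes; the function name `Get-RemovableDriveProcess` is hypothetical.

```powershell
# Added example (not from the original post): list running processes whose
# executable lives on a removable volume, e.g. an application started from
# a USB stick without being installed.

function Get-RemovableDriveProcess {
    # DriveType 2 is "removable disk" in Win32_LogicalDisk.
    $removable = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -ExpandProperty DeviceID)          # e.g. 'E:'

    # Nothing plugged in: nothing to report.
    if ($removable.Count -eq 0) { return }

    foreach ($proc in Get-Process) {
        # Path is empty for processes the current user may not inspect;
        # run elevated to cover processes in other sessions.
        if (-not $proc.Path) { continue }

        # 'E:\Apps\tool.exe' -> 'E:'
        $drive = [System.IO.Path]::GetPathRoot($proc.Path).TrimEnd('\')
        if ($removable -notcontains $drive) { continue }

        # Record who signed the binary, if anyone, to help triage the hit.
        $sig = Get-AuthenticodeSignature -FilePath $proc.Path
        [pscustomobject]@{
            ProcessId = $proc.Id
            Name      = $proc.ProcessName
            Path      = $proc.Path
            Drive     = $drive
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
    }
}

Get-RemovableDriveProcess | Sort-Object Drive, Name | Format-Table -AutoSize
```

This is a point-in-time check; it only sees processes that are running when it is executed.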

In Sneaky and Clever Communications, my friend Phoneboy does a great job of dissecting some of the security concerns. He does a great job of explaining how Skype circumvents the corporate firewall, breaching the security perimeter. A couple really key points he made are:
  1. The protocol Skype uses is a mystery. It does not use any protocols that are publicly documented standards.
  2. Skype provides no method that I am aware of that a network administrator can prevent Skype from being used. In fact, it is widely reported that Skype appears to be designed to evade being detected.

Big news yesterday morning as all that began to change. I first heard from Jan that Skype Protocol Has Been Cracked. Later in the day Alec posted Skype Cracked and dropped me a note about the big news. Word is that a group in China has reverse engineered and cracked the Skype proprietary protocol. This morning there are ripples of conversation across many blogs and news sources. Here's a snip from Jan's post. Here's a snip from what seems to be the original post:

The first time we talked there was a noticeable echo on my end. The
second time the voice quality was good ol’ Skype crystal clear. At
present they only support placing Skype peer-to-peer phone calls and
they have not yet implemented presence. They have
plans to add presence, instant messaging, and a host of other features.
Their end goal is to create a client 100% compatible with Skype. They
sent me a screen shot of their software (below) and my IP address was
100% correct.




One of their engineers told me the news a few days ago, but I wanted
to wait until I had actually seen the software or at least
received a call before I wrote about it. They say their software is not
stable enough to release to the public, but they are working night and
day on a demo which they hope to launch before the end of August.

A demo before the end of August. If someone's saying they plan to demo a client that can communicate using the Skype protocol by then, they've got a pretty good handle on how it works.

There's been some speculation that this will lead Skype to consider opening the protocol so others can play. More important to security managers, this will lead to signature detection capability that will enable blocking Skype effectively in those corporate environments that feel a need to lock Skype out.

A lot of the possibilities are still pure speculation. There might be competitive Skype-compatible clients on the horizon. There might be a way to effectively block Skype ahead. It's a certainty that new information will be more commonly available about the inner workings of Skype. It's also certain that Skype's life just changed. It's a new world for them. New challenges to face. It will be really interesting to see how they respond.



Ken Camp's Bio:

Ken Camp has more than 25 years of experience in information technology. Ken spent 17 years with AT&T and Lucent Technologies successfully designing and implementing voice and data networks. He later worked in the security marketplace and played a key role in early IPSec VPN deployments. As an independent consultant, Ken's primary focal areas include network performance improvement, security practices and the design and deployment of integrated voice and data solutions. He may be contacted at: ken_camp@realtimepublishers.net
