I've read some interestin posts over at SnapVoIP in the past few months. On Monday, this one caught my eye and I've been juggling time constraints to comment.

Remove skype from your computer and use a "portable skype", on any computer.
The Skype, one of the leading VOIP IP Telephony solutions today, has much benefits and drawbacks to a user. Whatever the reason, the popularity of the application, shows that users are satisfied or it is providing whatever VOIP needs a user has.

Then again time and time, many network admins run around trying to find out how to stop skype users. Be it company policies, bandwidth usage or security reasons.

I have written earlier about "remove skype", one of the popular articles;
VOIP IP Telephony: Remove skype, stop skype or detect skype with skypekiller.

But say you want to use skype application but do not want to be /or want to be a skype supernode, then the post;
VOIP IP Telephony: How to be or not to be a skype supernode?
should help.

But how about carrying your skype with you, and sneak past the admins that stopped your skype on your office computer? yes, you need "portable Skype".

The easiest method is to grab a U3 USB stick. U3 drive, according to the U3 sites statement;
"Imagine carrying your software on the same flash drive that carries your files. That’s what you can do with a U3 smart drive. You can plug it into any PC and work, play a game, message friends, send email, edit photos and more. A U3 smart drive makes any PC your own PC. And when you unplug it, it leaves no personal data behind."

I feel compelled to add a caveat or two here. First, the article is absolutely accurate and on target. U3 technology in thumbdrives makes portable applications very, very easy to use. The SANS Cruzer U3 thumbdrives come with Skye pre-loaded and make it incredibly easy to use.

They also make it incredibly easy for users to either knowingly or naively breach network security in the corporate environment.


I've taken my Cruzer thumbdrive and tried it out. What I found is that any machine that's connected to the net in most corporate environments, including servers, that's equipped with a USB port, easily turn into a Skype workstation.

For Skype users, this is a benefit to be sure. For corporate security admins, it may be a nightmare. This technique works even if users don't have admin rights to the machine. It doesn't write to the registry. It doesn't leave a trace that I can find. In short, if there's a corporate policy forbidding Skype, it is, by default, followed by behaviour only in most cases today.

That said, there are technologies that easily control access to the USB ports, enabling or disabling them, and more importantly, actually controlling what USB devices are allowed to connect. I've worked on two implementations that allow PDAs and smartphones to connect, but disallow access to the SDIO card and won't allow thumbdrives to operate.

Thumbdrives can pose a number of risks to corporate intellectual capital. They make it easy for data to walk out the door. In most cases, they don't require user authentication and encryption. There's probably been far more corporate data lost to misplaced/stolen thumbdrives than to laptops, but that scenario is very poorly documented.

User education is critical to enterprise security. The organization that doesn't establish a corporate culture of stewardship in protecting proprietary information and intellectual capital is courting disaster.

Corporate policies regardin the use of Skype, the use of thumbdrives, and the use of other U3-based applications are all very weak today. That will have to change over time, but the education really needs to begin now, and become an ongoing part of the corporate culture.

I know of several organizations where running Skype will get an employee fired. And while plugging in a thumbdrive might allow it to work technically, and users might think their footprints have been erased, there's an ever widening array of network monitoring technologies that easily detect and prevent Skype at the network border.

Users, follow your company's policy and keep your job. Don't be the example who gets fired for Slyping from a thumbdrive just because you think you can. First and foremost, employees owe it to the company's they work for to adhere to corporate policies and practices. Technology making policy violation easy don't change the fact that it's a policy violation.

I posted months ago that I could foresee an employee beign fired for using Skype. I actually know of three instance where employees in different organizations have been formally warned and put on notice that their next offense will result in termination.

Don't lose your job through naivete and ease of use.


Technorati Tags: Skype, thumbdrive, U3, Infosec, VoIP security