Archive for July, 2008

Backdoors in Skype?

With 309 million registered users, Skype has become a service used by consumers and businesses alike. I use it all the time, since I’m based in the UK and my boss is in Silicon Valley – and I know many people who do the same. As so many employees are downloading and using the latest Internet-based tools, it’s no wonder that security concerns in the enterprise about these tools get an increasing amount of attention. But are all of them true?

There’s been a fair amount of interest from people like Irwin Lazar and Daniel Sokolov in a news story regarding potentially hidden backdoors in Skype. A set of discussions (filled with numerous contradictions) suggests that the Austrian police seem to have a way to listen in to secret Skype communications.

As someone who has been following the long-running history of this controversy, I thought I’d weigh in on the discussion. While I can’t confirm the rumours, I would say this:

1) Why would the Austrian police have been given this access but nobody else? Wouldn’t some other force somewhere be a more likely candidate for this kind of access? US Law Enforcement, I’m looking at you…

2) In general, putting a backdoor in your application is not a great idea, because you can’t guarantee the wrong people won’t find, use and abuse it.

3) If it was in there, someone would find it eventually, wouldn’t they? From as far back as 2006, security researchers have been looking at Skype in close detail (I believe there was an eBay Developer Conference 2006 held in Vegas where a researcher intended to talk about reversing Skype, and of course there have been numerous Black Hat presentations about it too). Either this is the best-hidden backdoor in history, or we’re not doing a good enough job of trying to detect it.

I don’t think I’ll be losing too much sleep over this either way, until something more concrete emerges.

My take on today’s court ruling against Reuters… in favor of FaceTime

After a six-month contract dispute and a resulting court ruling in favor of FaceTime, Thomson Reuters, as of this Friday, Aug. 1, 2008, will no longer be able to provide its customers in the financial services sector with the FaceTime technology that has provided important compliance capability in the Reuters Messaging Network since 2006.

While FaceTime is understandably pleased that our intellectual property is protected, we are very concerned about what this outcome means for customers’ compliance status.

My take? Reuters is choosing to potentially put its customers in jeopardy of not having adequate compliance capabilities for Reuters Messaging, a communications tool that hundreds of financial institutions around the world rely on.

How did this happen?

Two and a half years ago we reached an agreement with Reuters whereby they licensed our source code to provide compliance for the Reuters Messaging Network. The Reuters Messaging Network is used extensively by market professionals in the financial services industry.

The deal made sense. For Reuters, for FaceTime and, most importantly, for our customers.

FaceTime’s customers include 9 of the top 10 banks in North America and most of the largest investment banks in the world. Most of them have employees that use Reuters Messaging – typically traders whose communications are subject to strict compliance regulations. As a result of this agreement, they were able to log their Reuters messages within IMAuditor, along with messages from AOL, MSN, Yahoo, Microsoft OCS, Sametime and other popular public and enterprise networks – or they could log them directly with Reuters “in the cloud” using the Reuters Messaging Compliance Manager (RMCM).

Many customers use FaceTime’s IMAuditor to log all conversations on all IM networks – including Reuters – using our solution as a unified repository. For some, it made more sense to log Reuters Messaging with Reuters’ archiving solution. The customer had a choice.

Our agreement with Reuters expired on January 31, 2008. Shortly thereafter, we approached them to negotiate a new agreement. One of our key requirements was a technology partnership whereby Reuters would continue to allow FaceTime access to the Reuters Messaging Network, to provide customers with this continued choice as they have done for years.

Reuters contested the language of the expired agreement. To protect our intellectual property, FaceTime filed suit in the U.S. District Court for the Southern District of New York and, as Eric Goldman (Assistant Professor at Santa Clara University School of Law) mentions in his blog, won an “open and shut” ruling.

However, the story doesn’t end there.

With this week’s deadline looming, Reuters now plans to move ahead with a platform switch, replacing the FaceTime technology in RMCM with another solution. Yet, in a court filing earlier this month, Reuters claimed:

“There is no practical immediate substitute for the Reuters messaging compliance product …”

“Any development of a suitable replacement (and complete transition of existing customers to the new product) would take several months…” and

“If Thomson Reuters were suddenly unable to make use of the Reuters Messaging compliance product, Thomson Reuters’ customers would be crippled in their day-to-day business operations…”

As if the financial sector doesn’t already have enough to worry about.

The Natural Progression of IMAuditor

This week we announced a major update to IMAuditor. The most significant new capabilities are around data leak prevention, and it got me thinking about how our business has shifted over the past few years.

FaceTime first introduced its IMAuditor software in 2001, half a lifetime ago in Internet terms. At the time, it became the standard by which banks monitored and recorded the conversations their employees (mainly traders) were having over IM to comply with SEC regulations. Over the past seven years, we’ve refined and advanced the product to stay ahead of the changing Internet and changing employee behavior. Today, employees routinely communicate over social networking sites like Facebook and LinkedIn, use Web-based file sharing sites like SlideShare and transfer information with P2P file sharing software such as LimeWire. That’s the nature of the New Internet.

This also means that setting and enforcing policies for information is more complex than ever… hence the constant updates to IMAuditor.

In parallel, it’s been interesting to observe how my conversations with customers have changed over the past four years that I’ve been CEO of FaceTime. Foremost, our customer base itself has changed: from primarily financial services companies to large enterprises in general. And the primary concern has shifted from regulatory compliance to the security and integrity of enterprise data. Most interestingly, new triggers and pain points have emerged – from AIM to Facebook, from Napster to Skype. As employees bring new Web 2.0 applications onto the enterprise network, protecting the organization against data leaks over these new channels is overtaking concern about incoming malware.

Something else is changing too: companies have started to realize that blocking these new Internet applications is not a solution. Especially in the case of IM, companies have seen the value of real-time communications and are rolling out unified communications suites like Microsoft OCS and IBM Lotus Sametime in an effort to realize these new productivity gains. And now, when savvy IT managers discover that consumer-based applications like public IM or Facebook are in use on their networks, they realize that what they need is not a blocking mechanism but a good policy and some gentle reminders that help enforce it.

Don’t get me wrong – I’m not saying you should not trust your employees. But I’ve believed for some time that the biggest security threat to the organization doesn’t come from the outside; it comes from the company’s own employees. Not because people are malicious, but because people are people.

Last month, we commissioned Osterman Research to survey IT managers about their concerns for information leakage, as well as their preparedness to prevent it in their organizations. The most interesting data point for me is that more IT managers are concerned about unintentional or accidental information leaks than they are about intentional leaks or data loss from malware. Surprised?

Caught Stealing with Yahoo! Mail?

Does an employer have the right to access an employee’s PC and everything on it? Scott Sidell says no. I read about his situation in the New York Times and Ars Technica. Scott is the ex-CEO of Structured Settlements, who was hustled out of his office after being fired. Apparently, he was still logged into his Yahoo! email account when this happened, and Scott now alleges that his former company snooped around and copied files from his email account. They found that he’d transferred sensitive company documents, including customer lists and terms of deals, to his personal account. The company also monitored Sidell’s conversations with his lawyers about how to win the arbitration over his firing.

A ruling on Sidell’s complaint has not yet been made, but he might find the court on his side, since this case could be influenced by a decision made two weeks ago by the US Court of Appeals for the Ninth Circuit. According to that ruling, personal messages sent via work equipment are off limits to search by an employer unless the employer has an existing practice of regularly accessing the equipment.

This case is most interesting to me because Scott was allegedly caught sending company data to his personal account. He just happened to be caught. My guess is that thousands of companies lose confidential or sensitive information this way and don’t even know it. Trade secrets are escaping through consumer communication channels such as IM and Skype all the time. Malicious behavior has always filtered through the “corporate back alley” – a savvy employee who knows which communication routes are monitored, and is smart enough to pick the route where they won’t get caught.

This is also another good example of the blurred lines between work and personal communications technology. What belongs to my employer when I check Web-based email on the company-owned laptop from home? What can I keep private when I text my friends from my work-provided cell phone? Where is the common ground between an employee’s privacy and a company’s network? Companies looking to create or revise their Internet policies should be clear with employees about how they monitor their communication channels.