VOIP and VOIP Security

I've previously, and approvingly, cited Skype as a neat VoIP tool for teaching and learning. Now, security concerns focussing on the program's technical underpinnings could throw a (temporary?) spanner in the works.

Today, the Department of Physics at Cambridge issued a memo to all staff and students, blocking the use of Skype on the University data network (CUDN). Users were alerted to recent security compromises and back-door intrusion attempts on machines running Skype.

Breaches involved Skype's underlying P2P technology: essentially, the connection sharing permitted by Skype "makes the host computer and the CUDN available for the world at large to use for relaying purposes; indeed, the licence for such software can require the end-user to make them available even though the end-user has no power to make that commitment regarding use of the network" (Cambridge IT Syndicate policy statement on "Use and Misuse of Computing Facilities").

This event shows that an increase in network traffic is not the only reason to keep a close eye on P2P services. Users of the CUDN must be authorised, whereas P2P services allow access to unauthorised third parties. In fact, using Skype requires the granting of third-party access. Section 4.1 of Skype's End User License Agreement (EULA) states: