Posted by Fabian Wenk on Tuesday January 25, @01:15PM
from the free-does-not-mean-it-cost-nothing dept.
Last week our mail account for support got an email from somebody from Luxembourg asking why his computer has a open connection to one of our computers. The connection was not to one of our servers (which is quite common) but to TCP port 4617 on a regular computer in an office. Read on for more...
I walked over to the office where this computer is, to have a look at it and found the free Internet telephony from Skype running on it. For our international co-worker this seems to be an affordable way to talk to their relatives at home without expensive international phone calls.
After further checking this computer with netstat and Fport (from Foundstone) I had a detailed look at the TCP ports 80 (http), 443 (https) and 4617 which are not so common open on a users workstation. The output from netstat shows some connections to the local TCP port 4617 especially from some dial up and end user internet connections (*.adsl.xs4all.nl, *.pool80182.interbusiness.it, *.user.veloxzone.com.br and *.mundivox.com) and from some random IP addresses. In the output from Fport it is clear, that this connections are going to the Skype software.
As far as this looks like to me, Skype is using some kind of peer-to-peer like distributed network of "servers", actually the computers of their own users/customers to distribute the connections from their other customers so they do not solely need to depend on the availability of Skype's own servers and performance. I had not to read very far in the Skype End User License Agreement until to get to Article 4. Permission to Utilize on which the following proved my guess:
4.1 Permission to utilize Your computer. In order to receive the benefits provided by the Skype Software, you hereby grant permission for the Skype Software to utilize the processor and bandwidth of Your computer for the limited purpose of facilitating the communication between You and other Skype Software users.
Yesterday there was a discussion started on the Full-Disclosure security mailing list with the Subject blocking SkyPE?, also some follow-up postings are very interessting, eg. this from Alain Fauconnet and this answer from Bryan K. Watson and then this from Alain Fauconnet again.
From my point of view I'm glad I did not use this software even though it was suggested to me personally. In the first place I did not like the proprietary approach of Skype's solution even if they provide cost free service and a cost free software. But the protocol they use to communicate is not free, so users/customers of this service depend on Skype as long as they want to use it. Also Skype has the freedom to change their policy any day and charge for their currently free services.
With this "anonymous" use of the computers at our site (Swiss Federal Institute of Technology Zurich) we probably will have some legal problems in the future. So think twice if you really want to use such "free" services like Skype's Internet telephony.
That reminds me a bit of Comcast. I don't know if they still do this, but years ago to listen to some radio stations online (Q107 FM in Toronto was one of those using the Comcast software, but they changed their feed years ago) you had to agree to Comcast's terms, which included using your bandwidth and your computer to rebroadcast the feed to your area. The same people probably protested P2P* networks vociferously.
(*Say the last sentence aloud and you'll have to clean your computer screen...)