[VOIPSEC] So who is SKYPE listening to?

Michael Slavitch slavitch at gmail.com
Fri Jun 23 12:21:48 CDT 2006


Comments inline:

On 6/23/06, Simon Horne <s.horne at packetizer.com> wrote:

"To be honest, adding PKI peer-entity authentication to SKYPE does not
really "improve" security since the network is already closed. As was
discussed previously with respect to current vendor specific VoIP islands in
SIP, the real power of peer-entity authentication is when calling parties
identify themselves in inter domain (inter VoIP Island) connections across
an open internet, where there is no centralized "network" control and the
trust is derived from a common third party. This is much more suited to the
standard based protocols where businesses control their own networks."

I agree. That's why the presentation calls for loose Skype Federations,
which offer a double-blind trust.  Skype is the island interconnect between
enterprises as well as between enterprises and consumers.  Skype is the E2E
overlay that spans networks, including NATs and walled gardens, turning them
into the dumb but good network that they should be.

"I think you are going to have a hard sell trying to convince
businesses that the best solution is to buy a server and donate it and all
the bandwidth (at your expense) to SKYPE so it can be run into the ground
proxying other (not related to your business) SKYPE users' traffic."

My employer pays 1/10th of a cent per bit of bandwidth that has QoS to
the core NAP.  Best-effort over and above that costs 1/100th of a cent per
bit. That's per month. And as the bandwidth goes up the cost per bit goes
down.  Bandwidth isn't the issue as it's a commodity.  Quad-core CPU is
coming and it will be cheap.

My employer's annual cost of bandwidth is about the same as a week of
professional services time including travel costs.  Any competing system
that requires an additional week of professional services per year is no
longer competitive.   A Windows cluster server that offers 5-nines
reliability can be bought on a credit card and expensed.  Bandwidth and CPU
are no longer real issues.
Cost of implementation is an issue however.  Deployment has to be automated and
self-scaling in order for it to be economic.

I agree with you that many an IT department will be reluctant to have
something that is seemingly so fractal even if it can be tamed through
policy. They are by definition control freaks wanting things to be as
deterministic as possible using systems that appear to be deterministic even
when they are not.  It is my experience that such IT departments will never
be convinced.  But enough will understand enough to take the risk if there
is enough upside.  But as of now there is little upside in VOIP apart from
toll bypass.

And that's the key part.  In the model I propose business communications
moves from being a cost center to being a strategic value proposition for
the business side.  It becomes a profit center through monetization.  Profit
centers are more willing to take risks and to do the work needed to mitigate
risk because the upside is revenue.  Cash on the bottom line.

The problem with VOIP today is that the value proposition is either cost
reduction or amorphous productivity gains.  The cheapest way to reduce cost
is to do nothing, which explains why VOIP deployment is low even after a
decade.  There isn't enough value, and the claims of improved productivity
on the enterprise side are much harder to make now than they were 10
years ago because the evidence is that the real gains aren't what they were
pitched to be.  Is anyone here really 'paperless' yet?

But if there is a revenue model everything changes. As long as the ROI is
real cash money the effort is worth it if the ROR is high enough. Right now
the ROI on VOIP in the enterprise is low, there is no payback hence there is
no bandwagon effect.  If business communications moves out of the geek silo
into the business side everything changes.  For a hint of how things will
change look at how Oracle sells software. They don't sell features.  They
sell dollars and revenue models.   The sales model is that of Oracle.

In such a world everyone makes money. Even the carriers, the smart ones that
is.

- First and foremost the customer must make the most coin.  Otherwise why
bother.
  The real winners are enterprises and consumers.

- Skype makes money.  Paypal does too.  So does eBay.  Good for them.

- My employer makes money, that is also good for me.  I'm not doing this for
free.

- Microsoft makes a pile of money through server sales, CALs, desktops, and
churn, along with continued dominance in their space.
  I can assert that the most profitable course for Microsoft to follow in
such a world is to do nothing and let things happen naturally.
  Certain groups within that company will most certainly disagree with my
assertion, you'll know more details on that by Monday.

-  Companies like Packetizer have the opportunity to make a pile of money
ensuring that things are happening as they should.

-  The consulting business should be happier than pigs in... whatever as
they get to explain things all over again.

-  The carriers that build good dumb networks get traffic and customer
retention.

Everyone wins.

Skype now has involuntary relays because there is no alternative. If
relaying is monetized it can and will become not only voluntary but
competitive. For example a Skype call through a voluntary relay could have
as a comp a quiet blurb saying 'this call brought to you by slavitchcorp'
and with the relay maxed at 200 simultaneous sessions to ensure call
quality.  The calls I sponsor must be good. The link goes to my Skype-based
service, whatever that is.  It's an ad:  a streaming media ad through
Skype.

A competitive market for relays would stabilize the network as the number of
relay slots will eventually exceed the requirement for relays.

Some examples of natural entrants as relay providers, given the media nature
of Skype, would be the existing television broadcasters.
Or, say, Apple and iTunes.  Lots of room there for making money.
Lots.  Money changes everything.

Regards

M
>
> Simon
>
>
> At 09:56 PM 22/06/2006, you wrote:
>
> Here is some suggested reading:  http://www.well.com/~theek/skype4e.pps
>
> This is the talk I gave last week at their devcon. It's for public
> consumption.
>
> Regards
>
> M
>
>
> On 6/22/06, *Simon Horne* < s.horne at packetizer.com> wrote:
>
> Saw this on our Industry news feed.
>
> Skype to address identification concerns
> http://news.com.com/Skype+to+address+identification+concerns/2100-7352_3-6086360.html?tag=fd_nbs_ent&tag=nl.e433
>
>
> Quote
> One security concern for IT managers is that while Skype uses an encrypted
> public key infrastructure, it automatically authenticates users itself.
> This means that users cannot authenticate the identity of the people they
> are communicating with.
> "Skype is a public key infrastructure, which means nothing if you don't
> know who you are identifying at the other end," Sauer said.
> End Quote
>
> It seems even though some people have difficulty understanding the
> importance of caller (peer-entity) authentication, it appears that it has
> not been lost at SKYPE.
>
> Simon
>
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>