Archive for July, 2008
With 309 million registered users, Skype has become a service used by consumers and businesses alike. I use it all the time since I’m based in the UK and my boss is in Silicon Valley – I know many people who do the same. As so many employees are downloading and using the latest Internet-based tools, it’s no wonder that security concerns in the enterprise about these tools get an increasing amount of attention. But are all of them true?
There’s been a fair amount of interest from people like Irwin Lazar and Daniel Sokolov in a news story regarding potentially hidden backdoors in Skype. A set of discussions (filled with numerous contradictions) suggest that Austrian police seem to have a way to listen in to secret Skype communications.
As someone who has been following the long-running history of this controversy, I thought I’d weigh in on the discussion. While I can’t confirm the rumours, I would say this:
1) Why would the Austrian police have been given this access but nobody else? Wouldn’t some other force somewhere be a more likely candidate for this kind of access? US Law Enforcement, I’m looking at you…
2) In general, putting a backdoor in your application is not a great idea, because you can’t guarantee the wrong people are going to find, use and abuse it.
3) If it was in there, someone would find it eventually, wouldn’t they? From as far back as 2006, security researchers have been looking at Skype in close detail (I believe there was an eBay Developer Conference 2006 held in Vegas where a researcher intended to talk about reversing Skype, and of course there have been numerous Black Hat presentations about it too). Either this is the most well hidden backdoor in history, or we’re not doing a good enough job of trying to detect it.
I don’t think I’ll be losing too much sleep over this either way, until something more concrete emerges.
After a six-month contract dispute and a resulting court ruling in favor of FaceTime, Thomson Reuters as of this Friday, Aug. 1, 2008 will no longer be able to provide its customers in the financial services sector with FaceTime technology that has provided important compliance capability in the Reuters Messaging Network since 2006.
While FaceTime is understandably pleased that our intellectual property is protected, we are very concerned about what this outcome means to customers’ compliance status.
My take? Reuters is choosing to potentially put its customers in jeopardy of not having adequate compliance capabilities for Reuters Messaging, a communications tool hundreds of financial institutions in the world rely on.
How did this happen?
Two and a half years ago we reached an agreement with Reuters whereby they licensed our source code to provide compliance for the Reuters Messaging Network. The Reuters Messaging Network is used extensively by market professionals in the financial services industry.
The deal made sense. For Reuters, for FaceTime and, most importantly, for our customers.
FaceTime’s customers include 9 of the top 10 banks in North America and most of the largest investment banks in the world. Most of them have employees that use Reuters Messaging – typically traders whose communications are subject to strict compliance regulations. As a result of this agreement, they were able to log their Reuters messages within IMAuditor, along with messages from AOL, MSN, Yahoo, Microsoft OCS, Sametime and other popular public and enterprise networks – or they could log them directly with Reuters “in the cloud” using the Reuters Messaging Compliance Manager (RMCM).
Many customers use FaceTime’s IMAuditor to log all conversations on all IM networks – including Reuters – using our solution as a unified repository. For some, it made more sense to log Reuters Messaging with Reuters’ archiving solution. The customer had a choice.
Our agreement with Reuters expired on January 31, 2008. Shortly thereafter, we approached them to negotiate a new agreement. One of our key requirements was a technology partnership whereby Reuters would continue to allow FaceTime access to the Reuters Messaging Network to provide customers with this continued choice as they have done for years.
Reuters contested the language of the expired agreement. To protect our intellectual property, FaceTime filed suit in the Southern District Court of New York, and as Eric Goldman (Assistant Professor at Santa Clara University School of Law) mentions in his blog, won an “open and shut” ruling.
However, the story doesn’t end there.
With this week’s deadline looming, Reuters now plans to move ahead with a platform switch replacing the FaceTime technology in RMCM with another solution. Yet, in a court filing earlier this month, Reuters claimed:
“There is no practical immediate substitute for the Reuters messaging compliance product …”
“Any development of a suitable replacement (and complete transition of existing customers to the new product) would take several months…” and
“If Thomson Reuters were suddenly unable to make use of the Reuters Messaging compliance product, Thomson Reuters’ customers would be crippled in their day-to-day business operations…”
As if the financial sector doesn’t already have enough to worry about.