The two-day outage that hit Skype's peer-to-peer VoIP service last week at first looked like it could have been caused by a distributed denial of service (DDoS) attack. The reality was that the problem was a flaw in the Skype software.
This eWeek story says the problem occurred when Microsoft dispatched an automated update that required end-user devices to reboot. A bug in the proprietary "SuperNodes" couldn't handle all the subsequent requests to log on to Skype, and the outage ensued. Despite early attempts to shift some of the blame to Redmond, the problem was Skype's. No matter what the reason was, not being able to serve some customers for two days is a crisis for a provider. It can be argued, however, that a bug is preferable to a massive hacking attack. A bug can be fixed once it is known. A huge DDoS attack could be ongoing and come in waves.
There is no disputing the fact that this was a disastrous event for Skype. Besides damage to its brand name, the eWeek piece points out that the situation illustrates the difference between VoIP and legacy services carried on the public switched telephone network (PSTN). For all its advantages, VoIP still isn't as stable as the old standby.
Another harsh reality for Skype is that the problem went on for two days. Companies thinking of migrating to Skype for applications that are anywhere near mission-critical are well advised to think of what 48 hours without service would mean for their business.
The question now is how stable Skype is. Was the problem a one-in-a-million chance, or is there a likelihood that a similar outage could occur again? This interesting Digital Media Update piece differentiates between the type of P2P used by Skype and other flavors of P2P. Skype SuperNodes simply are subscriber computers that are used by the network. The idea of relying so heavily on something the provider doesn't own or fully control should raise a yellow flag for IT managers.
That's not the only question when considering whether to use Skype for business-critical applications. Security, of course, is a key consideration. This very interesting survey at Viruslist details experts' attitudes to Skype and security. The respondents (roughly equally divided among users, system administrators and IS specialists) think there is a danger. Says the report:
In conclusion, we can say that almost half of the survey participants think Skype makes the theft of confidential information much easier for those who wish to misuse internal data.
This will be a problem for the platform's success, or at least IT folks' enthusiasm about it:
Despite this, almost two-thirds of those surveyed (66.4%) incline to the view that the threats which attend the introduction of Skype into the corporate environment are a serious obstacle to the program's wider acceptance. Only one-third of specialists (33.7%) felt that IS problems would not prevent the program's wider acceptance among companies.
During what turned out to be a bad few days for the company, Network Box released a report that criticized Skype's security. The report, excerpted at Techworld, says Skype's proprietary software could be used by hackers to compromise the data the system is carrying. The clear sense of the report is that Network Box sees significant problems with the protocol.
The bottom line is that organizations have to be very careful about using Skype. It's not just last week's bug -- businesses have been using flawed software for decades -- but the delay in rectifying the situation and, perhaps more importantly, questions flowing from the proprietary nature of the company's approach to P2P.