I’ve been doing some scripting at work and had a desire to test if a server exists before attempting to do some work against it (less errors, cleaner execution…). I hadn’t found anything that I wanted to use so I asked in the #powershell channel on irc.freenode.net. MoW, of course, knew the answer since he is the Google of PowerShell. Give him a question and he’ll throw out the answer.

shell> $ping = new-Object System.Net.NetworkInformation.Ping
shell> $ping.Send(‘localhost’).status
Success
shell> $ping.Send(‘blah’).status
Exception calling “Send” with “1” argument(s): “An exception occurred during a Ping request.”

Update: Gaurhoth gives some information comparing Win32_PingStatus with the above method.

It’s time again to prune some more links. I’ve been seriously contemplating moving a lot of my links on the right menu over to a page on my wiki. I’ve yet to do that so far, and I think I’ve talked myself into leaving them here. I just wish I had less links since they do get pretty long, however, I use a significant portion of them regularly; sort of my own little personal portal (hence why I would move the portal part to a wiki page). Of course, then my page might look a little bare…I guess I could fill the space with vertical Google ad bars! Hehe, no thanks.

Haxorthematrix seems to have gotten lost in the new year. Info-pull has disappeared as well with few updates. I know just barely over one month of no updates is really being picky, but I’m more picky with more personal blogs and especially those that have not been up more than a year. I’m very aware of the tendency of people to start strong on an endeavor, and then putter out after a few months.

SecurityBullshit is being removed, but only because Mark has merged it with his other blog, SecurityBuddha. I totally dig that name, and I think it interesting the sort of zen way of life that can be found in parts of the computer security industry, from techbuddha to securitybuddha to taosecurity…I wonder if zensecurity is taken? Considering I am highly sympathetic to the Buddhist (and related) way of life and philosophy, I really have this odd little affinity to such sites. Oh, and securityzen.net is not taken! I might have to think about grabbing something like that someday, for possible future branding. Until then, I’m really happy with Terminal23.

The O3 e-zine seems to have disappeared after 3 colorful issues through the first few quarters of last year. I really liked this zine’s focus on Open Source, but it really was just the same thing as (in)secure and uninformed (how’s that for a combo phrase?!) when you get down to it.

The list of top 10 security live cds from DarkNet is starting to look dated, especially as BackTrack2 is now out and really kinda dominates this field (minus general livecd and forensics offerings). Besides, I have moved this to my own live cd list on my wiki anyway. I don’t use VMyths, so why bother with the link, especially as I try to get this list down a bit (of course, for every one I remove, I seem to add another…). Church of the Swimming Elephant is a classic site that still has lots of useful stuff. Sadly, it continues to grow more and more dated. If you’ve not gone there, go there and browse the info and wares. Definitely harkens back to a more innocent time in hacking!

A reverse engineering site that I never really visited seems to have also disappeared. I also never visit the ProfessionalSecurityTesters site. Besides sounding a little off, the site itself just never sat well with me and I never really went back.

Holy crap, there’s a ton of first year birthdays going on in my rss feeds reader from bloggers. Hell, even RSnake hasn’t been around a year! This is just crazy since I could have figured a lot of people had been around longer. It kinda puts some things in perspective, since I’ve been documenting my day to day “stuff” here or on my personal site since late 2001 when I installed my first news script (no blogs back then!) on my website which, itself, I had maintained since late 1996. It’s been a wild ride since then, and obviously I am not one to bang on the door for hits and visitors. 🙂

Grats to all those people with baby blogs that are starting to grow up and find their identity or realize that they had an identity long ago and can stand just fine as themselves!

George Ou posted what I hope is the last commentary on the Apple wireless debacle from last year, which I still think was the biggest security news of 2006. What I like about Ou’s article is how unassuming it is (the digs on Apple aside). I watched the Maynor video last year when it broke and never once thought they were attacking Apple directly. Anyone who watched the video could have seen that.

The problem came from the “blogosphere.” Everyone wants to trump others and so when news breaks they attempt to make the most sensational deal about it; a case of news “reporters” trying to make news instead of just reporting it. Pretty quickly, one post claims an attack on Apple, and another one claims lying and scandal, and everyone starts posting willy-nilly third-, fourth-, and fifth-hand information without really knowing jack. Pretty soon, small responses of wrong-doing are muffled out by the masses clamoring and all up in passionate arms about a non-issue.

Ethics in blogging is going to continue to be an interesting topic. In addition, ethics in information usage will be interesting. Throughout history the victors have always written history and made the laws and beliefs. But what about things like Wikipedia? What if they get something wrong? But what if 98% of people believe it to be fact when it really is false? Can that wronged person ever prevail, or does majority (the victor) rule? Interesting questions in our new age…

Michael posted a comment just a bit ago that got me thinking. I’m very open to this sort of stuff right now because it is a position I am in. I am sponging up everything I can learn still on a rather broad scale, and I am also not in a job that I see myself sticking another year in. I guess, like Bridget Jones with relationships, I’m looking for something extraordinary that adds to my life, as opposed to sucks away 8 hours or more a day. There’s plenty out there, so it is a waste to stay in something that doesn’t fit the bill.

So part of Michael’s post was:

I thought I’d be a shoe-in but alas, everyone was looking for the Exchange-SQL-Checkpoint-Oracle-Linux-Unix-and-all-the-Windows-versions guy. Sucks to be me I guess.

That’s too true. I really hate those adds and people who are expecting an IT guy to know 15 mainstream things and then an additional 5 rather small tools or technologies. And then to only have 2-4 years of experience and get paid a barely competitive level. What the hell?

It is important to realize one’s limitations and skills when looking for an IT job these days. Do I know all 20 tools? Or better yet, do I have the capability to learn the tools I don’t know at the moment? Is the company (manager) looking for someone who can grow into those roles, or already knows them at that level?

And that’s where I am today. I am keeping myself broad and rather open and knowledgable about a hell of a lot of things in IT and security, but have yet to really dive in and get to be an expert in any one (then again, I am likely harder on myself than others are on me, so others may consider me nearly expert whereas I think I have a ways to go…).

This way, when I find that job that truly adds to my life, I can adapt to it and see what opportunities are presented to me. For instance, if I happen to get a job that opens doors to web app security, I can quite happily dive into it feet first. Likewise with something like PCI/DSS.

By the way, yes, that means I may post my resume somewhere around here in the near future. If you want to see it or offer suggestions or see what I did as inspiration in your own, feel free to email or IM me and I’d be happy to give it out.

Has anyone else out there noticed sudden activity against MovableType’s trackback (mt-tb.cgi) function? Yesterday afternoon and this afternoon my server suddenly stopped responding. Both times this was immediately preceded by a small flood of disparate sources attempting to post trackbacks (which I have disabled). My logs show nothing but onesy-twosy attempts over the past 6 months, months apart.

I’ve been refraining from posting on this since I didn’t think it a big deal, but I’ve seen far too many other sites posting about the “59 Top Influencers in IT Security.”

Absolutely no offense to anyone on that list, but here are a few things wrong:

1) That list is not new, in fact, I found and used that list about 4-6 months ago when looking for more blogs to add to my RSS feeds. It was billed as just someone’s list of security blog links. It has only just now been rebranded as a “top of” list. Amazing what a simple title change can do for how distributed it can become. 🙂

2) Fyodor was mispelled back then as well, and I distinctly recall that.

3) If you read some of the small captions, you’ll wonder if the author even reads the blogs/people they are talking about. I expecially liked Bejtlich’s and Maynor’s entries.

4) Some people are left off that shouldn’t have been, and others were included that kinda make you go, “Hmmm.” Some of the most important names made the list but only as a “here’s the rest” mention.

Anyway, I really didn’t want to post that but it’s been on the top of my head the last couple days, especially since I keep reading entries about it on my favorite sites. No matter what, that list is still a great resource to plunk all those sites and blogs into your favorite RSS tool and keep up with our industry.

I read a few bits in a row today about small business security which made me kinda sit back and decide I disagree. I read a piece from Andy, another from Rothman, and another that Rothman pointed to over at SmallBizResource. I’m sure I’ll read some more in the next few days as I attempt to get caught up on my reading in this rather busy week. For now, let me rant a bit and enjoy some foam being flung from my lips.

First, security is easier than a red-headed step-child to get mad at (that’s so un-PC, but that’s why I’m not a professional blogger…). You can poke holes at it until you turn blue and the sky turns into pudding. That’s the nature of the beast we attempt to control and tame every single day, and the grim reality is there will always be holes and improvements and places where we can say, “they don’t get it” or “they’re not taking care of security.” By the way, eventually business is going to tire from this fact that we can always criticize and give security exceptions; eventually this will bite us in the ass as business “settles” for checklist security and nothing more. (But I guess we at least get that far, eh?)

Second, securing a Fortune 50 is a hell of a lot different than securing a 500-person company which is also different from securing a 50-person company. In fact, I really think securing those smaller companies would actually be easier given a knowledgeable geek. Just like in warfare, they are nimble, quick, have a low profile, and tend to be pretty unpredictable and all without the slow-moving girth of a politically-motivated blimp. In other words, I don’t think size correlates with security on any other level than coincidental. I don’t think there’s causation here. (More on this later.)

I still keep my list of the top 5 things I would suggest all small businesses do, not to become compliant with PCI or some other checklist, but to rather make big strides towards security. These 5 things can make a huge move towards being more secure, especially for a small business. They’re not really that hard, and I think we overestimate the number of companies who don’t do them (and yes, that’s coming from me, the skeptic who thinks all companies are basically fucked and full of holes, if not from an outside perspective, then from an insider).

Third, I really don’t think the article on SmallBizResource paints with the right colors. The article attempts to paint that SMBs are doing poor security by holding up that many of them are “currently storing sensitive customer data that they are supposed to purge after a transaction is complete under the Payment Card Industry (PCI) Data Security Standard.” So? This is a problem with checklist security. So what if they are storing data? How are they storing that data? So what if their front door is unlocked when they have a mantrap, cameras, and internal doors protecting other areas of the company? The act of storing data adds to risk and may be against a compliance regulation, but that is not necessarily insecurity at work. Likewise, not following a security guideline and instead working by common sense can be just fine…unless you want to assume that no one has good common sense. I know I don’t follow some blueprint for my own home security and instead follow some common sense, but that itself doesn’t mean I’m insecure. And what if they don’t store that data but also don’t have a properly configured firewall and anti-virus software? Yes, at least they’re not going to hemorrhage millions of credentials, but they are certainly not secure.

Fourth, I said I would get back to my comment on how size does not necessarily correlate to security. I truly think security is a function of the quality and intelligence of our security and IT professionals. We need more quality people securing things and running IT and managing the data. Andy brushed up against this in his post. I don’t think SMBs don’t get it because they’re SMBs or have less employees or less resources, per se. I think they don’t get it because their IT staffers don’t get it and haven’t had a chance to get it. There’s still an awful, awful number of IT techs who are still learning just how to DO things, let alone do them in a secure fashion.

I liked this post by Curphey in relation to the SourceFire IPO. In fact, I like it because of how it portrays IDS/IPS and the typical installation.

[1:20:17 AM] XXXX-XXXX says: I’ve never been at a company where i’ve heard them say they were happy with their sourcefire deployment or for that matter… convinced me they were glad they made the purchase
[1:21:58 AM] XXXX-XXXX says: The security departments gets this new toy, they quickly figure out they dont have the time to babysit it (or configure it properly) then they outsource the monitoring
[1:23:02 AM] XXXX-XXXX says: once the monitoring company gets it.. they detune it as much as possible.
[1:24:44 AM] XXXX-XXXX says: What I see happening is “what do you mean this IPS might stop legit traffic? well lets just run it in IDS mode then”

[1:24:52 AM] XXXX-XXXX says: and after talking to XXXX-XXXX sales engineers
[1:25:02 AM] XXXX-XXXX says: 90% of XXXX-XXXX deployments are in IDS mode only
[1:25:40 AM] XXXX-XXXX says: Less then 5% of XXXX-XXXX deployments take advantage of the SSL decryption and analyze features.

While we have a larger and larger IT force doing things like desktop support and making sure the business world still works in the digital world, there is still a huge shortage of the type of geeks who “get it” and can make a difference with truly technical things. This is why the dashboard IDS/IPS has been superficially successful because it doesn’t require deep technical knowledge to get and click through alerts. But the knowledge of what those alerts means is pretty damn spotty and if the IDS/IPS doesn’t support tools to drilldown into the mucky darkness of the real technical trenches, that solution is overall just superficial.

But how do you know your out-sourcer is decent with security? Really, we shouldn’t move to make security a commodity that is driven by checklists and statistics without understanding. We need more skilled professionals, even if that means they have an inflated salary for a while and later take a small dip.

[10:15:40 AM] XXXX-XXXX says: Hey, I’m so glad you guys took over our security monitoring! We had no clue what was going on with the IDS/IPS after the installation techs left. You guys have helped us pass important compliance initiatives and haven’t impacted our business at all!

[10:18:23 AM] SecMonTech04 says: No problem! Looks like we came in just in time too! You had 12,476 alerts in the last month alone, but we’ve totally taken care of you! Just look how much you needed us!

[10:19:49 AM] XXXX-XXXX says: Sweet mother of all that is good and pure, that’s a lot! Whew! By the way, is that the number of alerts after you’ve tuned the monitoring?

[10:20:45 AM] SecMonTech04 says: Uh, yes.

[10:22:27 AM] XXXX-XXXX says: What did you all tune out?

[10:23:33 AM] SecMonTech04 says: Um, we ignore ARP alerts because it’s really just too noisy.

[10:24:12 AM] XXXX-XXXX says: That’s it?

[10:24:56 AM] SecMonTech04 says: I believe so…

[10:26:43 AM] XXXX-XXXX says: This is kind of odd. How many of those alerts are important enough to warrant further investigation or worry and wouldn’t ever be tuned out by anyone?

[10:29:42 AM] SecMonTech04 says: Looks like about 3…maybe 6 if I am paranoid.

[10:30:31 AM] XXXX-XXXX says: That’s it?

[10:31:21 AM] SecMonTech04 says: Oh, and we’re not really monitoring much on incoming port 80 because there’s too many application level attacks that we don’t want to give you a false sense of security about if we said we protected port 80.

[10:32:22 AM] XXXX-XXXX says: Huh? Why the hell not??

[10:34:45 AM] SecMonTech04 says: By the way, did you read the latest alerts from the anti-virus companies? The Internet is falling apart and is being overrun by hooligans and criminals. You better be glad you have us!

[10:37:32 AM] XXXX-XXXX says: Hold on a minute, back up. You’re not tuning anything out and not monitoring what might be one of our most important incoming ports. Are you actually blocking any attacks at all?

[10:39:12 AM] SecMonTech04 says: No, we’re operating in IDS-only mode. We don’t want to risk negatively impacting your business and cause you to distrust and dislike us.

[10:44:41 AM] XXXX-XXXX says: Oh god, I need some Tums…

[10:49:40 AM] XXXX-XXXX says: You realize we will need to start blocking some things?

[10:51:40 AM] SecMonTech04 says: Tell you what, we will turn in blocking (IPS mode) for all incoming ports between 55000 and 58000. Will that be enough?

[10:53:11 AM] XXXX-XXXX says: Whew, I think that will be ok…glad you guys are the experts.

[10:55:54 AM] SecMonTech04 says: Actually, we hire not only the inept techs you let go because you outsourced security, but we also employ interns who just click “ok” to every alert that comes in. They don’t really know what this means either.

[10:56:30 AM] XXXX-XXXX says: …I’ll assume you meant to type that in another window.

[10:59:10 AM] SecMonTech04 says: Oops, yes I did, sorry.

For once I am posting a question since it is something I have yet to be able to answer properly, but the bug keeps itching at me to answer it.

How do you physically locate a wireless user? Pretend you have a wireless network and someone has been getting in. Other than getting lucky and walking around, how do you locate someone efficiently?

Now, I know expensive and expansive solutions exist for larger campus-type wireless implementations to locate users using information on their signal strength and triangulation between overlapping wireless coverage. But what about for your average techie joe who wants to do this? Is there any software and non-expensive hardware that can help?

I also know that I could attempt attacks against a laptop and see if I can turn on an annoying WAV file and increase the sound…but that’s a bit too intrusive and variable.

I’ll likely troll a few forums and IRC chans looking for this information over the course of the next few months as I’d really like to answer it.

In case you missed this, the REcon 2006 presentation videos are available.

REcon is a Reverse Engineering Conference in Montreal. If you’re in that area and consider yourself part of the “in” crowd (or want to be) with reversing, you might want to check this out. Since I’m not exactly a reverser, I can’t attest to their quality. Perhaps the presentations might not be worth it, but the socializing and drinks with other geeks might be worth it.

I’ve watched the presentation by David “h1kari” Hulton on Breaking Wireless… Faster where he talks about FPGA and speeding up the cracking process (dramatically!). Of course, the chips themselves are dramatically costly, hehe. The demos don’t go over quite as smoothly as they could, but still a solid personality and presentation on wireless attacking by the author of coWPAtty.

It might be the hardest battle you will face as a security professional. It might cause the most grief, frustration, and exasperation. No, it’s not trying to make sure all your Windows servers perform smoothly. It’s not trying to fend off the dozen vendor calls that come in every day. It’s not even an entire weekend wasted because of some unknown glitch caused by someone else that brings down critical systems. And it’s not quite the often futile attempts to deter the insider attacks.

Quite possibly the hardest battle we will face is the battle to change the culture of a business from one that trusts everyone, particularly those “in the family,” to one that practices diligent security. Ever try to tell your Help Desk personnel that they should not ask for user passwords when doing some work over the user’s lunch hour so as not to disrupt their normal work day? Those same desktop people who typically are evaluated based on their customer service to those users? I’ve been in those shoes and I fully empathize. As a support person, you want to be able to bend over backwards if an important user needs you to; not to give a look of regret and explain that “security process” is tying their hands a bit and inconveniencing everyone.

Have you ever seen the look on senior management’s and human resources’ faces when you tell them they need to operate in a way where they don’t necessarily trust their own people? There’s not much more they brush off quite so quickly and easily than claims that their own people may be a threat, even an accidental one.

This battle can be easy in some compan…no. It can be easy in some organizational cultures. The military has ingrained security process very deeply. Larger corps are also a bit more successful in steering culture, especially those that might have real reason to hide things (think Boeing, Lockheed, or Microsoft, e.g.).

But the rest of us…yeah, the rest of us someday have to face those cultural battles where we should not be handing over passwords or being accomodating to persons whose username we may have seen but have never yet met when they ask for something beyond their typically level of access. Is this a new direction for the company that her department is shifting a bit and we have to compensate, or is this an attempt to get access to something she shouldn’t have? If we ask the manager to verify and/or authorize, will they just take the path of least resistance and kneejerk a “yeah sure, I approve” response? What kind of look do you get when you explain that perhaps their manager and then the data owner both need to approve access? Is it acceptance or a flash of genuine annoyance that you know will be spread around to anyone willing to hear?

And these are not things that are easily overcome with training and used education. It is one thing to educate a user about something they didn’t know previously and are open and receptive to the information. But it is another side of training altogether to tackle culture and paradigm shifts. This typically takes a lot of time and a lot of repeated training towards this aim (or just force it with technology and a big clue banana).

I admit, some places in this country might be easier to adjust attitude than Des Moines, Iowa where I live and work. We’re still a very open community and trust and customer service are pretty natural. Even “trust but verify” is a difficult adjustment. When does the line get crossed between being a helpful steward to a company versus practicing a dangerous habit?

Just like a courteous security guard who tends to recognize faces regularly, all it takes is one person out of 10,000 who walk by in a year to bury the company or disclose information that emboldens a competitor, jeopardizes a nation, and affects the livelihoods of your fellow workers. Just one person that is allowed to pass because he looks familiar (he was fired last week against his will), is dressed like a VIP, and looks like he’ll pin your manager’s ass to the wall if you inconvenience him, can be The One.

While my team has yet to convey a culture shift in the people that matter when it comes to security and customer service, at least we are still trying. We continue to implement technology to not only help cover the company’s ass in case our paranoia becomes reality, but we also try to maintain a foundation that if the direction of mgmt changes, we can quickly adjust and add on security as our openings allow.

(This post was partially inspired by Scott Wright’s recent post about the insider threat.)

Dave Aitel posted this to his mailing list today:

Next week is Shmoocon – and I’ll be there with whatever the latest
build of SILICA is in my pocket. Feel free to pull me aside for a
quick demo.

Man, Silica is about as expensive of a high class hooker, and it looks as good too! It’s sexy as all hell, and if I ever came up on a few grand to drop on a toy, I’d seriously think about this one (assuming I could get properly vetted). if any of you are at Schmoocon and see him (or maybe his wife too?) around, totally ask to see Silica in action.

Just posting a quick pair of links in case anyone is interested in reading about creating an exploit/buffer overflow. Trirat Puttaraksa discusses a Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow. Part 1 is a DoS condition and part 2 goes into actual code excution. Very interesting, although beyond my abilities for now. Browse the rest of his blog for even more dissections.

I’m in a bitchy mood today and want to rant on something. This article from ComputerWorld about “How dangerous is Skype” came in at the wrong time.

First, let me just say that I am mixed in my feelings about IM and Skype in a corporate environment. I think this is a trend that, in the long run, will be a losing battle for corporate IT and security. IM is just part of our culture and life, and embracing technology for the betterment of people and the company does have weight. That’s not to say I want Skype in corp nets, but I can sit on either side of the fence comfortably. Encrypted network traffic is also part of our future, and we need to start dealing with it now instead of whining about it.

Here is my take on some of the “Skype FUD” or myths that Michael Gough tackles in his article.

Myth No. 1: Skype uses a lot of bandwidth on my network. Great, I’m glad that Michael Gough tells me that a voice call takes 30kbit/sec on my network. That’d be great if I allowed only one call at a time. Scale that out with your users and get back to me.

Myth No. 2: Any computer can be a Supernode. This is one of those beefs with Skype that has been around a long time, and I hated it because it’s not an issue in almost every corporate network. Michael is correct, you can’t be a supernode if you’re behind a NAT. But, that does mean, as Michael mentioned earlier, that your communications will be weirdly routed through someone else. Annoying, but really a non-issue in any NAT situation. (This may become a huge problem in IPv6 or it may become a big problem for Skype itself if less and less supernodes are available as people hide behind NAT or slow connections.) So, I agree with Michael: this is a myth.

Myth No. 3: Skype is susceptible to IM worms and viruses. Myth? What the crap? Is this the Apple defense about “well other IM apps have had lots and Skype none so that means security?” Yes, in part it is although he oddly mixes actual client vulnerabilities with malware sent via other IMs via file transfer. That inflates his “other IMs” numbers and keeps Skype’s really low. *sigh*

He also mentions that file transfer can be turned off (which it can be on other IM apps too) and files can be scanned by anti-virus (other IM apps as well). So, I’m not sure what he’s trying to say here, but I can illustrate that Skype is no different from other IM apps that have been hit with his 1,000+ issues.

I also challenge that “the main vulnerability of IM applications is their file transfer
feature.” I conjecture that links to malicious sites sent via IM is more dangerous. This “myth” from Michael is completely wrong, and Skype is absolutely no different from any other IM program.

Myth No. 4: Skype is hard to stop on my network. This really is a half-myth but I slightly dislike how Michael Gough tackles it. From the start, Skype was not hard to defeat: just block it from being able to authenticate and logon the user. Easy. I’m surprised he never mentions this; maybe this has changed. I also dislike that he attempts to defend the network by controlling the OS inventory and OS outbound connections. I don’t think this is the best approach, and Skype should be able to be blocked on the network by the network alone. I will admit, however, that stopping a P2P app on a network presents problems, so in a way, Michael’s approach is still solid advice. The real issue, though, is Skype should not have to be that hard to block on the layers it uses.

Myth No. 5: Skype is encrypted, so I can’t archive IM messages. This is a two-headed dragon and I’m surprised Michael Gough attempted to tackle this in either direction as a myth. Instead, he fumbles the ball:

This one’s not really a myth. Skype sessions are encrypted, so yes, you
can’t capture or archive Skype communications. The same is true of many
IM applications, though, so it’s not less secure than other IM programs
that can use encryption.

Bah! Yes, Skype is encrypted so you can’t archive it off the wire, but I’m not sure what settings and apps he uses to say that other IM programs are the same. I can sit down and monitor and grab IMs off the wire on every other popular IM program with default settings. Skype has this feature enabled by default whereas other IMs do not. In fact, I can turn off this setting on every IM program, but with Skype I absolutely cannot. Also, for an article that itself says it is geared to corporate networks as well as individuals, he ignores any issues with HIPAA or compliance that requires logging/archiving/monitoring of data egress via IM. For home users, this is an awesome feature to protect privacy. But this is maybe the biggest hurdle Skype has been facing when it comes to corporate use.

Just to add one more item. Until Skype settings can be controlled centrally, that is another hold in the argument for Skype in the corporate network. Let me centrally control and force settings, file transfer allowances, and yes, adjust encryption such that I can monitor data egress (note that I don’t necessarily want it cleartext). There are other considerations, but that’s all I’ll throw out for now. 🙂