Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Open Source Your Rights Online

Skype Is Working To Defeat the Reverse Engineering 169

ndogg writes "Michael Larabel of Phoronix was emailed a response to the reverse engineering of the Skype protocol from the VP of Skype's PR company, who said that the reverse engineering was done for the use of spam/phishing, and that it's an infringement of their IP, and that they are working to defeat it."
This discussion has been archived. No new comments can be posted.

Skype Is Working To Defeat the Reverse Engineering

Comments Filter:
  • Skype on Linux (Score:5, Insightful)

    by Anonymous Coward on Saturday June 04, 2011 @12:53PM (#36337184)

    Perhaps if Skype's Linux client had been better maintained and offered a feature parity to the Windows and Mac OS X clients, there wouldn't be people spending time on reverse-engineering the protocol so that they could write their own client.

    Or, maybe, there are just a lot of Linux users who hate proprietary software, and don't trust Skype. Skype uses a lot of anti-debugging techniques. What are they hiding?

    • Re: (Score:1, Insightful)

      by calzakk ( 1455889 )
      Maybe they're not hiding anything, maybe they're just trying to protect their proprietary software. After all, they are a business just trying to make money.
      • Re:Skype on Linux (Score:5, Insightful)

        by AliasMarlowe ( 1042386 ) on Saturday June 04, 2011 @03:21PM (#36337892) Journal

        Maybe they're not hiding anything, maybe they're just trying to protect their proprietary software. After all, they are a business just trying to make money.

        They've been hiding their protocols. These are not protected by patent (which would involve publishing them, assuming they were patentable). Their implementation is probably protected by copyright, but a competing implementation is unlikely to infringe that copyright, unless it is a "slavish" copy. There does not seem to be a trademark issue in play. Conclusion: it looks like they are merely trying to protect a trade secret which has been uncovered by reverse engineering. Note that reverse engineering to uncover secret methods is entirely legitimate.

        So yes, Skype is trying to preserve its revenue stream, which is secured only by secrecy of the protocols used by the proprietary Skype software. These protocols have now been made rather less secret, and apparently by legally acceptable means. So let's all say to Skype: "good luck with that".

        • Re:Skype on Linux (Score:5, Informative)

          by White Flame ( 1074973 ) on Saturday June 04, 2011 @05:09PM (#36338394)

          So yes, Skype is trying to preserve its revenue stream, which is secured only by secrecy of the protocols used by the proprietary Skype software.

          Not at all. Afaik, their revenue stream comes from upsell services tied to POTS interfacing and voicemail. Just because you know the client protocol does not mean you can access those services for free; they're tied to account balances that Skype maintains outside of the client connectivity.

          • Exactly. I pay Skype to access phone lines at a competitive rate. If another client lets me connect to their service I still need to pay them to access that service. However, if they change protocol to defeat another client, and if they do not upgrade their linux client accordingly, then they force me as a paying customer to abandon the service. Hence, Skype itself is endangering their revenue stream, not the reverse engineered client.

          • Their revenue stream relies on lock-in. To the unknowing masses who don't understand packet switching or P2P connections Skype might seem like a reasonable deal, but for a VOIP gateway their service is ridiculously over-priced. If a competitor can offer their own service, but still allow it's users to easily interact with Skype customers then they would have to compete based on merit alone.

      • If your business model is shot by having your wire protocol well understood, your business model is crap. Based on my admittedly low knowledge of Skype, I don't understand how third party clients can threaten them, since the client is free, not ad-supported, and they charge for access to services, unless they enforce those business policies client-side, which brings us to point two...

        If your protocol being understood opens the door to unauthorized access to your premium services and phishing and other secu

        • Re:Bad business (Score:4, Insightful)

          by Kalriath ( 849904 ) on Saturday June 04, 2011 @08:33PM (#36339476)

          I believe the problem they face is that if the client protocol is understood, any monkey can implement that client protocol in a program which dials millions of Skype users per second offering to sell them half-off auto warranties or telling them about that $15,000,000 they need to smuggle out of Zambia, effectively destroying the trust in Skype, potentially resulting in an exodus of customers. Their perspective is not entirely unjustified.

          However, they don't appear to be spending much time working on a mitigation technique for when some jerk-off in the middle of nowhere (i.e. Nigeria) manages to achieve the same goal - because no legal threat will work on those fuckers.

    • by gweihir ( 88907 )

      Rather obvious: Skype very likely has an eavesdropping interface hidden in there and has deals with at least the NSA. Nobody in their right mind uses Skype for confidential calls.

      • Skype is Peer to Peer. It hardly needs to have something installed to allow eavesdropping, all it needs is the feds to put up a Skype client with sufficient bandwidth to pretty much guarantee a Supernode assignment - which is fairly trivial for a government.

        • by gweihir ( 88907 )

          That would not help a lot with end-to-end encryption. There are ways to eavesdrop on encrypted voice communication, but a backdoor into the crypto is what you really want. Also, a way to help the supernode selection along is most welcome and reduces effort.

    • It does some suspicious things too, like reading /etc/passwd. Ideally to be used in a chroot.
      • Re:Skype on Linux (Score:5, Interesting)

        by gerddie ( 173963 ) on Saturday June 04, 2011 @07:15PM (#36339126)
        <quote>It does some suspicious things too, like reading /etc/passwd. </quote>
        I have a surprise for you:

        strace ls -l 2>&1 | grep passwd
        open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
    • What are they hiding?

      Awesome, Anonymous Coward is wondering what the other dude is hiding...

  • Skype Skype (Score:1, Interesting)

    Since 'skype' is Britishism for obtaining by nefarious means skyping Skype seems rather appropriate.
  • by drolli ( 522659 ) on Saturday June 04, 2011 @12:57PM (#36337196) Journal

    Openly admitting your security is based on obscurity sounds a little strange IMHO.

    Instead of using a secret protocol, plainly give out the necessary certifiates only via email and kill them off after abuse. Especially since everybody can use the Skpe API to spam if he wants.

    • by Idbar ( 1034346 )
      Well, that's why trade secrets are not protected. If you want to protect them, you open them and patent them. Since the people trying to reverse engineering their protocol have no "non-disclosure agreements", I don't see how this may be protected by IP law. Then again IANAL so perhaps they can cover their asses with the Terms of Use and licensing agreements for the software. But AFAIK reverse engineering stuff should be fair.
      • Maybe properly define reverse engineering in the copyright law so that not everything is allowed? Though using the reverse engineered protocol implantation to access the original service is perfectly legal under most copyright laws.
    • I agree with the fact that security through obscurity is never a good stance, however I do recall reading an article either in Linux Pro Magazine or a similar print publication several years back that an outside security researcher was given access to Skype's source and his conclusion was that the protocol was indeed secure. In this case, I believe the company just doesn't want others seeing into their product. Myself, I'm not giving any opinion as to what I think about reverse-engineering it, just wanted
      • by Anonymous Coward
        Security only through obscurity is a bad idea. Obscurity is an excellent part of a well-balanced security system, however.
        • Obscurity keeps Joe Derp from breaking into your system on accident. Obscurity does nothing for motivated attackers. Since security is all about time-until-breakage, and obscurity at best adds time on linearly (admittedly, this is hard to measure) compared to the exponential gains provided by properly implemented cryptographic protocols the only reason to rely on obscurity is if you're a water headed moron who thinks it makes a difference because you can't imagine a mindset other than your own (i.e. the m

          • ... which is why he said security only through obscurity is a bad idea, and it should be layered with encryption and stuff.
            • Apparently you fail reading comprehension if you think my post supports that view.

              My ENTIRE point was that obscurity, alone or in addition to "encryption and stuff" ONLY inconveniences legitimate users while providing zero security benefit. To make this as simple as I can, since you seem to have missed it the first time:

              Security(Encryption +Obscurity) = Security(Encryption) + ShitTonofInconvenience

              The only reason to add obscurity is if you're stupid enough to think that inconvenience for legitimate users

              • No need to be an asshole. I guess you just have a different idea of what "Security through Obscurity" is than I do.
    • But I bet this has nothing to do with security and everything with preventing other clients connecting to the network.

  • by Anonymous Coward

    "who said ... that it's an infringement of their IP"

    "You keep using that word. I do not think it means what you think it means."

  • i think it's completely possible that this could be a good thing for skype. i've always found there client to be bloated and annoying and worst of all ,the linux port is trash.

    this could be fantastic... or we may end up with a lot of halfassed clients.

  • by MtHuurne ( 602934 ) on Saturday June 04, 2011 @01:09PM (#36337258) Homepage

    If a spammer or phisher would reverse engineer a protocol, it's very unlikely they would publish about it, since that would help their competition. It is possible that spammers or phishers will use the results of reverse engineering of course, but if your protection against malicious activities consists of a secret protocol then you should consider implementing real security instead of blaming the reverse engineering.

    In any case it's clear that Skype doesn't want third party clients to interoperate with their own, so instead of getting into a cat and mouse game it would be more useful to improve existing open source VOIP clients so Skype can be replaced altogether.

    • instead of getting into a cat and mouse game it would be more useful to improve existing open source VOIP clients so Skype can be replaced altogether.

      I find it hard to understand why people use skype at all when there are plenty of good voip providers. Skype has completely random call quality/ you never iknow if a connection will be fine or sound like it in an echo chamber or have a buzz. You can get excellent voip service for $5 to $10 /month. Indeed Ooma offers FREE service (but requires you to purchase a $130 appliance and pay the E911). Ooma's quality is excellent their service is responsive and it keeps getting better (HD voice now available f

      • by arikol ( 728226 ) on Saturday June 04, 2011 @02:56PM (#36337784) Journal

        I use Mac and Linux, my in-laws and some of my contacts use Windows.
        Give me a client that reliably (well, as reliably as Skype, anyway) works on these platforms (iOS would also be nice, as both I and the missus use that as well) and is simple enough to install and start for my in-laws, my parents, and the others I want to contact.
        Google chat should work, but is seriously confusing to beginners, and they want a standalone client anyway.

        When you can point me to that VOIP client, then I'll consider dumping Skype.
        Until the, Skype is king.

        • Ekiga

          • Ekiga is really nice (I'm using it on a regular basis).

            But it's setup isn't as simple.
            You still can't select the used port range without manually editing the configuration with gconf-editor, for example.
            There are some nice efforts to avoid the whole "opening-port" thanks to STUN and TURN technologies.
            But still there are lot of situation where you end up with the dreaded "Sorry, ekiga couldn't configure your network automatically" window.

            Meanwhile, skype, because it uses aggressive techniques coming from th

    • by StripedCow ( 776465 ) on Saturday June 04, 2011 @03:24PM (#36337904)

      it would be more useful to improve existing open source VOIP clients so Skype can be replaced altogether.

      As you know, for performing a telephone call, you need 2 ends. Try convincing the other end to install your open-source VOIP client of choice!

      That's the problem!

      IMHO, a much better approach against such lock-in would be to first develop an open-source binary compatibility layer inside web-browsers, like google is doing with native client (NaCl). That way, you could make a phone call by asking the other party to visit a website (assuming you have written your phone client software for that binary compatibility layer of course).

      • As you know, for performing a telephone call, you need 2 ends. Try convincing the other end to install your open-source VOIP client of choice!

        That would be stupid when you could use SIP instead of some proprietary solution. I'm not sure why you imagined this right away when there are already better options.

  • by Dr. Spork ( 142693 ) on Saturday June 04, 2011 @01:18PM (#36337304)
    Why do I keep getting the same inane message from "Natalia", posted from various temporary accounts? I've blocked every account it's come from; I'm sure many have. Is Skype really too slow to get the hint? Jesus, make the spammers work a bit to change a word here and there! It's shocking to me how little Skype cares about spam and phishing in their network. My point is, you can do all the spam and phishing you want with the native client, because Skype apparently does nothing to stop even the clumsiest of spammers who know how to solve a capcha. So their alleged interest to protect their users was conveniently discovered when the possibility of competition suddenly arose.
    • by luke923 ( 778953 )

      Ironically enough, that's the reason I stopped using Skype altogether; yet, an alternative client which did a better job of blocking spammers would bring me back.

    • by devjoe ( 88696 )
      The inane Skype message I keep getting from various accounts I keep blocking is one trying to tell me they've detected a security problem on my Windows system - even though I am logged in from Linux. Maybe once a month I get this, almost always in the middle of the night while I am sleeping.
  • by mmcuh ( 1088773 ) on Saturday June 04, 2011 @01:20PM (#36337318)
    So Skype's PR people are morons. No surprise there, PR people are usually the bullshitters who couldn't make it as politicians.
  • ..."Criminals reverse engineered our stuff to commit crimes against innocent people." Whatever, I get phishing messages on Skype regularly.
  • They claim violation of their IP. Is that copyright? probably not. Trademark? Nope. Patent? Hmmm do they have a patent in this area? I don't know, but probably not. That would leave trade secrets, which IIRC are not protected from reverse engineering in any way. IANAL but they really should say what is being violated, not just the nebulous "IP".
  • This makes perfect sense, because spammers and phishers always obey the law, so if they're forbidden from using code which has already been released I'm sure they will comply.

    Yeeeeeaaaaaaa

  • Comment removed based on user account deletion
    • by fuzzyfuzzyfungus ( 1223518 ) on Saturday June 04, 2011 @03:08PM (#36337826) Journal
      I suspect that it depends on where they plan to slot Skype into their list of product offerings.

      If it becomes part of some 'enterprise' offering, playing cat-and-mouse would likely not be a sensible strategy. Corporate/institutional customers hate petty version churn of the sort needed to keep constantly breaking 3rd parties and they have a fairly low likelihood of going with 'unofficial' software. They may well keep globbing on new features(as with Office document formats, Sharepoint tie-ins, etc.); but corporate customers are conservative enough that even the perception that 3rd party clients are not feature-complete and 100% compatible usually keeps them well away, and the few exceptions are likely to either be impecunious contrarians or competing titans(eg. IBM) large enough to make an issue of it if you play dirty.

      If it becomes a "Live" consumer offering, playing cat-and-mouse is at least an option, since the consumer market has largely learned to suck up their auto-updates when told(and isn't behind a firewall that blocks them, and doesn't need to open a ticket with IT to install them...) It still isn't totally clear what their motivation would be(since they would still control the skype-out gateways, where the money is, and having third parties voluntarily make your network more popular among markets you don't feel like serving doesn't seem like an obviously bad thing(though they might keep the banhammer hovering, just to ensure that people license the rights to embed skype in wifi VOIP phones and whatnot from them, rather than go 3rd party...)

      If it becomes a consumer-electronics thing, affiliated with xbox or Windows Phone, it seems to be some sort of ontological obligation to lock it down as hard as possible, just on principle, just because that is how they roll in console-land.
  • I find it a likely story that someone would open-source Skype for the purposes of sending spam. That's an activity you keep secret and sell to spammers for big bucks. So without even knowing the motive we get this attack on the coder by none less than the VP of Skype's PR company. There should be a good libel suit in here somewhere.
  • Maybe they'd be better off assigning some of the people trying to defeat reverse engineering to test their installer software.

    You know, so they don't "accidentally" install third party applications on users' computers without permission again.

  • From what I understand Skype uses encryption as well as proprietary protocols to provides its services. No doubt many governments around the world, fearing the possibilities enabled by secure and anonymous point-to-point communication, would be very interested in learning anything they can about how it works and what weaknesses it might have, if any.
  • This is an excuse to rework the code so the already outdated Linix client is rendered useless on their network. Sorry, but due to a recent security breach and lack of resources we must cease development on Skype for Linix. Double whammy: blame it on open source hackers and also piss off Linux users.

    As for Mac, Skype will give the MacBU something to do other than play XBox all day.

  • by supersat ( 639745 ) on Sunday June 05, 2011 @01:32AM (#36340636)
    ... won't they be obligated to license the protocol to third parties to avoid the wrath of anti-trust regulators (especially in the EU)?
  • Here's the exact quote from TFA: "This unauthorized use of our application for malicious activities like spamming/phishing infringes on Skype's intellectual property. We are taking all necessary steps to prevent/defeat nefarious attempts to subvert Skype's experience. Skype takes its users' safety and security seriously and we work tirelessly to ensure each individual has the best possible experience."

    Even the PR drone is saying "unauthorized us for malicious activities"... so reverse engineering the protoc

After all is said and done, a hell of a lot more is said than done.

Working...