Skype Protocol Has Been Cracked

nsrCZ writes "The Skype core protocol has been reverse-engineered by a Chinese company. The interesting thing is, that although the protocol is closed, it is not patented and thus it is not against the law to crack it. If it's true, then it could affect the whole eBay/Skype business in many ways, including that they might not get their piece of the emerging Chinese cake." From the article: "By cracking the Skype protocol, the company claims it can also block Skype voice traffic, Paglee said. 'They could literally turn the lights off on Skype in China very, very quickly,' said Paglee, who is also a lawyer and engineer, speaking from California on Friday. The company could transfer the technology to the Chinese government, which has continually sought ways to tighten its filtering and control over the Internet. So far, the company doesn't have any plans to market its blocking capabilities, Paglee said."

Innovation

[SleeknStealthy]

I love how the Chinese innovate. Corporate espionage, reverse engineering and overall IP infringement...Skype should have patented its technology, but it's not like the Chinese respect IP anyway.

Re:Innovation

I love how the Chinese innovate. Corporate espionage, reverse engineering and overall IP infringement...

Yes, the US have been a good master.

Re:Innovation

[LittleBigLui]

Exactly. Reverse engineering is theft! And Skype should have patented not only their protocol but also talking itself!

Re:Innovation

[spyrochaete]

Thanks for sharing your generalizations about the most populous country in the world. Obviously every aspect of China meets your concise description.

Re:Innovation

[JPribe]

And patenting their protocol here in the States would have what effect in China? Please share, as I seem to have forgetten and am in need of a reminder.

Re:Innovation

[sholden]

Because the US respected all the British IP in its early days.

Re:Innovation

[castoridae]

Even if our ancestors were also "wrong", it's still "wrong" for China (defined as the collective group of infringing companies, government agencies and individuals which happen to reside and work in China) to do it.

* Quotes intentionally added to "wrong" to allay any possible tangent subthreads about how IP/patents/copyrights are in principal wrong/imorral/broken. Gotta know your audience. :-)

Re:Innovation

[Jeremy+Erwin]

Perhaps I'm being unrealistically naive, but the original concept of the patent system was "full disclosure for protection". During the patent term, manufacturers would have to obtain a license to duplicate the patented object, but after those 17 years were up, no assistance (engineering or otherwise_ from the original inventor would have been necessary-- because the invention had been fully disclosed.

If skype had patented its system, it would have had to disclose elements of its protocols which would make it quite easy for any espionage shop to infiltrate, route around or otherwise frustrate.

Consider, for instance, a lock manufacturer. Their cylinders are described in exquisite detail in their patents. A person skilled in the art of lock-picking might find their patents to be of particular interest. But if the lock incorporates security mechanisms which defeat all potential attacks, it doesn't matter if they are disclosed.

However, if the companies key manufacturing division and distribution network are infiltrated, then a duplicate key can probably be manufactured with a modicum of difficulty. That's why such practices are not disclosed in the patent, and are usually subject to "trade secret" regulations.

P.S. I'm not so sure that the NSA and CIA let IP laws get in the way of espionage.

Re:Innovation

[utopianfiat]

I, for one, welcome my new gaim-skype compatability. ... no, seriously!

Re:Innovation

[f0rtytw0]

oh if only I could mod you up

Re:Innovation

[IAmTheDave]

Thank you - not to mention that every true innovation stands on the shoulders of giants who came before. Want to know why patents/copyrights are killing innovation? Because there are now police lines around those proverbial shoulders.

True, groundbreaking innovation is rarely anything more than a modification of an existing process or practice or idea or thought. An ingenious one, yes - but without the work that came before, there would be nothing. Stopping the work that can come after is nothing short of criminal.

Re:Innovation

I love how the Chinese innovate. Corporate espionage, reverse engineering and overall IP infringement...Skype should have patented its technology, but it's not like the Chinese respect IP anyway.

They're more American than the United States!

Re:Innovation

[c_forq]

Come on now, he didn't comment on every aspect of China, just the corporate one. And to be fair in the corporate arena you pretty much have to do what the competition is doing to stay in business, wither it be espionage, bribes, maximizing efficiency, price cutting, or advertising.

Re:Innovation

[tomstdenis]

Um hello, IBM PC clones anyone?

Oh that's right you were born in the 90s and don't remember the 80s.

Kids these days...

Re:Innovation

[Aardpig]

Why exactly is it wrong? If the Chinese government gives the go ahead, can't Chinese entities do what the fuck they like with Skype? Or any other piece of software, for that matter?

Re:Innovation

[castoridae]

You missed my point (specifically, you missed my "footnote"). I'm saying that you have to apply your principals consistently. If it was wrong for the US in colonial days, it's wrong for China now. If it isn't wrong for China now, then it wasn't wrong for the US then.

Re:Innovation

[babbling]

Why should Skype have patented this, and how does this negatively affect Skype?

Skype don't get their money from people installing their client, they get their money from people paying for the extra services like SkypeOut, SkypeIn, and so on. They should regard maintaining the Skype clients as an unwanted hassle. What they really want is as many people as possible connecting to their servers and using the extra services. This is separate from the protocol.

If I was an executive at Skype, I would view this as a good thing for the company. It's only going to result in more users. It's strange that Skype didn't voluntarily open up their protocol earlier!

Re:Innovation

[Em+Ellel]

Skype should have patented its technology, but it's not like the Chinese respect IP anyway.

Erm, ok, if they patent it, don't they have to disclose details of it? Kinda defeats the purpose of having a secret closed protocol that Skype wanted. I think there might be a better way to protect IP, via "trade secret" or something like it, but I am no specialist in the area :-)

-Em

Re:Innovation

[fotbr]

According to your, mine, and many other people's sense of ethics, perhaps. Ethics, like morality, are individual.

Re:Innovation

[arivanov]

That is if you can patent a protocol.

Protocol in itself is not an invention.

You can have a protocol as a part of an invention or rely on an invention to work, but in itself...

The chances of patenting it even in the US are pretty slim.

Re:Innovation

I love how the Chinese innovate. Corporate espionage, reverse engineering and overall IP infringement...Skype should have patented its technology, but it's not like the Chinese respect IP anyway.

Yeah, they should follow the US model:

1) Patent idea for something obvious and do nothing else...
2) Wait.
3) Wait..
4) Wait...
5) Find out someone actually implementing something tangible and useful that might be based on similar idea ...
5) SUE!!
6) PROFIT!!!!

Now that's real Yankee innovation.

Re:Innovation

[1u3hr]

it's still "wrong" for China (defined as the collective group of infringing companies, government agencies and individuals which happen to reside and work in China) to do it.

What "infringement"? As TFA says, THERE IS NO PATENT. They reverse-engineered a protocol. A week ago, some Americans did the same to the Galileo GPS signal. And that will lead to a direct monetary loss to Galileo. Was that "wrong"?

copyrights are in principal wrong

The word is "principle".

Re:Innovation

[kfg]

Even if our ancestors were also "wrong". . .

IF our ancestors were also wrong. . .

It remains to show they were wrong, and in doing so you necessarily question the legitimacy of the USA's sovereignity. We were signatory to no treaties to "respect" British IP and our ip laws still differ. It took a special act of Congress to partially respect the British copyright of Peter Pan (which is, in effect, in perpetuity, forbidden by the US Constitution).

If and when China does not respect American ip they are wrong because we are both signatory to the Berne Convention treaty, even if we were both wrong to do so.

And bearing in mind that the current administration has declared that treaties it has willfully signed are not binding upon it, as that violates American legal sovereignity. Yes, the Supremes have recently bitch slapped them over that, but the current adminstration seems to be gearing itself up to treat that as a legal opinion not actually binding upon it.

And herein lies the real damage that has been done to America's international standing in the past few years. If we declare null and void international law to which we are signatory on war, torture and due process why the fuck should anyone respectfully decline to copy Pauly Shore movies, no matter how cruel that is?

KFG

Re:Innovation

[saleenS281]

So exactly where has China innovated?

Automobiles they have "chery" whose entire line-up are shoddy copies of cars already produced by other manufacturers.

We have Huawei, who has literally stolen Cisco's router code to make a "competing product".

And then we have their military who happened to... yes steal their designs as well (at least the stuff they didn't just purchase from Russia and reverse engineer).

So exactly what are these innovations taking place in China you wanted to defend?

BTW, there's PLENTY more examples to prove how they don't innovate at all, just steal/reverse engineer/copy others if you need them.

Re:Innovation

[Instine]

I'm trying not to flame, but what an awful post.

No they shouldn't have patented their software (I thought everyone on /. thought this way?...). Patents for software are stupid. They just don't work. This is yet another reason why. Even if they had, It's unlikely it would be valid in China. Just as European and US companies rarely check for prior art in China or Russia in case of infringment.

I love how the Chinese innovate. Corporate espionage, reverse engineering and overall IP infringement...
And no that is not how the Chinese inovate. That is how people inovate.

Re:Innovation

Obviousry evely asprect of China mreets your croncise descliption.

Fixed.

Re:Innovation

[DarkDragonVKQ]

Oh I don't know, perhaps the inventions from long long ago that made their way across the Silk Road into EUROPE. Yeah...

Re:Innovation

[saleenS281]

I think you're missing the point... this company won't just make another Skype client, they'll make their own "skype" network. Skype won't get anything because this will be a completely different service. The reason this is of concern is because it is well known in the Chinese market, if there's a Chinese alternative, the people will use it (notice Google losing out to the Chinese duplicate).

Re:Innovation

Because the US respected all the British IP in its early days.

Jeez, when will you guys get it?

Like information, MUTTON CHOPS WANT TO BE FREE

Re:Innovation

[init100]

And bearing in mind that the current administration has declared that treaties it has willfully signed are not binding upon it, as that violates American legal sovereignity.

This is interesting, especially since the Bush administration recently pressured the Swedish government to close down The Pirate Bay, referring to American copyrights. According to the Swedish national television, the US threatened with WTO sanctions if we do not adhere to signed treaties. Looks like hypocrisy to me.

Not that I care about The Pirate Bay (apart from their legal page), I do care about hypocrisy in politics though.

Re:Innovation

[spyrochaete]

That General Tso sure makes some delicious chicken! How's that for starters?

Re:Innovation

[blugu64]

ya know that that was legal right?

Re:Innovation

[init100]

Skype should have patented its technology, but it's not like the Chinese respect IP anyway.

First, patents are issued on a country-by-country basis. Even if patented in the United States, such a patent have no validity in other countries, where they can be freely ignored. And even if they tried to patent it everywhere, this would probably amount to a software or business method patent, which are not available in many countries, effectively making it impossible to reach global patent coverage. And without global patent coverage, people in those countries where they had no patent would be free to use the technology.

This is different from e.g. copyrights. Swedish citizens are required to respect American copyrights, but we aren't required to respect American patents. We are only (at the moment) required to respect Swedish patents.

Re:Innovation

[SharkJumper]

From Paglee's blog post about this:

The advent of the release of this software raises many interesting issues. According to their CEO, their software will not support Skype's Super Node technology. Right now every computer with Skype installed on it can be used as a relay to carry data between two other computers when both of those computers are only allowed to make outgoing TCP calls. This means that very soon Skype users will have an alternative client which will not hijack their computer. This could eventually have a very negative effect on the Skype network if too many people choose not to act as Skype Super Nodes and the network starts to deteriorate.

Re:Innovation

[TubeSteak]

You make it sound like they didn't learn anything from the British Empire.

Re:Innovation

[tomstdenis]

And so is reverse engineering skype. I don't see why everyone is harping on China here. It's not like their the only country to do this.

It's just ignorant xenophobia that allows people to bad mouth an entire nation based on what are essentially standard operating practices anywhere else.

Tom

Re:Innovation

[blugu64]

woah calm down there, I never said reverse engineering skype wasn't

Re:Innovation

[tomstdenis]

Yeah, my original reply was to the troll who basically said that the chinese are a bunch of thiefs and that this was immoral.

I was pointing out that in the 80s the PC revolution was ONLY made possible because of this. And that happened in the USA.

Personally I don't give two shits about the chinese one way or another but if you're going to hate, then hate for a good reason.

Tom

Re:Innovation

[soliptic]

So exactly where has China innovated?

If you put a time frame on that you might have a point.

Since you don't, it's hilariously wrong.... You can hardly begin to imagine how many things came out of China.

Re:Innovation

[blugu64]

Gottcha, I just don't understand why I got mod'ed troll! (first time ever sadly)

Re:Innovation

[soliptic]

I don't see why everyone is harping on China here.

I'm not sure why you're surprised, slashdot is the most racist forum/comment-enabled-website I frequent.

Admittedly we're not talking "kill niggers" or "funny slitty eyes" type of racism, but ignorant, unfair, patronising, offensive, unfounded generalisations abound.

Any time China ("thieves"), India ("job thieves"), Russia ("mafia"), anywhere in Europe ("socialists"), etc gets mentioned, the state of the comments on here makes me absolutely cringe.

Re:Innovation

[tomstdenis]

Yeah, well you have to look at the audience... You got mostly white males in the ages of 16-24. They think they know everything about anything and therefore can easily feel comfortable shooting off about entire peoples they have never met. The fact that they're american doesn't help either :-)

On the flipside some of the stereotypes and comments are well deserved. I mean, read comp.lang.c for a week. You'll get a lot of "I have to write this program and I don't have the first damn clue" types of posts, amazingly enough mostly from India. Look at phishing stats, they're mostly organized by people in Eastern block countries. That's not conjecture or hyperbole that's the truth. China does have a track record for more than just reverse engineering. Classic IP violations are more common than in other nations [although I wouldn't say it's epidemic like some people suggest].

So like all nonsense there is some element of truth to it.

Tom

Re:Innovation

[Knuckles]

something in the last 500 years

T'ai Chi Ch'üan

Re:Innovation

[saleenS281]

I assumed time frame was recognized as the last 10-20 years when they've started to become industrialized... My apologies for not specifying.

Re:Innovation

[indil]

Why should Skype have patented this...?

Because a secure protocol design does not require secrecy. If the security of a design relies upon its secrecy, then it won't be secure for very long. This is why it doesn't matter that the encryption algorithms commonly used today, such as RSA, are open and can be freely inspected.

If the Skype protocol is made unsecure because it was reverse-engineered, then it's not worth using anyway.

Re:Innovation

[hackstraw]

And patenting their protocol here in the States would have what effect in China? Please share, as I seem to have forgetten and am in need of a reminder.

It would go against the Chinese business plan.

Make cheap crap and sell it to Americans.

China now makes most of the 50$ and less DVD players, and they gladly pay the 20$ or so license fee (or whatever you want to call it) for the DVD label and whatnot so they can sell it to cheap Americans.

In other words, it usually pays to go along with the rules, even if you do not agree with them or think they don't apply to you.

Re:Innovation

[killjoe]

"Why should Skype have patented this, and how does this negatively affect Skype?"

Skype didn't patent it because it would mean revealing the implementation and it would provide a point of attack to the phone companies.

Reverse engineering is legal in most of the world so there is nothing to protect them now. Of course they could get a patent now but somehow I don't think they will. Ebay isn't really a smart company and they bought skype on a whim, they never knew what to do with it anyway. I think they will just ignore this and up their marketing like all other US companies do.

Re:Innovation

[Schraegstrichpunkt]

+5, Insightful, WTF?

It's one thing to criticize the Chinese government, or even the Chinese people for tolerating the Chinese government, but what insight is shown here?

Re:Innovation

[Schraegstrichpunkt]

So exactly where has China innovated?

Apparently you never heard of the MD5 and SHA-1 breaks.

Re:Innovation

[Schraegstrichpunkt]

Protocol in itself is not an invention.

Protocols are inventions, but it is very hard to claim that patented protocols would benefit the public or increase innovation.

Also, effectively, some protocols are patentable, at least in the US. Otherwise Microsoft wouldn't have been able to kill the IETF Sender-ID protocol.

Re:Innovation

[BalkanBoy]

wiretapping is not a standard operating practice in the united states, unless it is preceeded with a probable cause as well as a warrant (in principle). having said that, the issue at stake here isn't that - it goes much deeper - China is still a repressive regime. they can claim all they want they are going to be the largest economy in another 20 years - and they still will never attain the civilized status of the USA in many respects. what status? start with the constitution - we have a bill of rights/constitution which many other developed countries model. China does not. nor do they want to. nor will they ever, most likely, unless a certain revolution on the inside takes place.

their desire to curtail skype's use among its citizens is indicative of a stale communist/dictatorship-like policy that still permeates to this day. china's government is afraid to let information of the sickest and the best kind flow freely among its citizens. it, the govt, thinks its citizens en masse are morons, who aren't able to make the most basic decisions about the benefit of the country, or the communities they live in. of course i'm exaggarating - but only to make a point. without a free flow of information and without allow people their ability to choose (regardless of how bad their choice may be or what not), china will never attain any kind of civilized status, of the kind we enjoy in the united states, or other western countries.

you can be the largest economy in the world, and at the same time be the most repressive, poluted and demoralizing place to live in - which is what China is currently, for a vast percentage of the population. change that? good luck. the USA isn't going to change that. however, the internet in its intended form does have the capability to help/catalyse that change along. what their corrupt leaders are doing is stifling the only source of untainted information available.

Re:Innovation

[magetoo]

In other words, it usually pays to go along with the rules, even if you do not agree with them or think they don't apply to you.

That works with the positions slightly shifted too. China gets away with a lot more than "lesser" countries, thanks to US companies' infinite greed, sorry, desire to have access to the giant Chinese market.

Re:Innovation

[arivanov]

Otherwise Microsoft wouldn't have been able to kill the IETF Sender-ID protocol.

Subtle difference: It killed it by patenting the encoding scheme for the records. Encoding can be patented and when MSFT or the like want to limit the proliferation of interoperable applications they always go for an encoding related patent. Sender ID is one example, there are others.

Re:Innovation

[ScrewMaster]

Hey ... we don't serve your kind here.

Re:Innovation

[ardin,mcallister]

Moot, you tool.

Not to mention that without China, and the great wall, the Mongolians would be running freely across the planet!

Re:Innovation

[DarkDragonVKQ]

Dunno, when an entire world changes (for the worse IMO) because of some of the inventions. I think it's rather good that the Chinese DON'T invent more new technology.

Re:Innovation

[geekoid]

With the NAU , the U.S. will lose some sovereignty. It is being pushed very ahrd, and very quietly by the current administration.

Re:Innovation

[kfg]

With the NAU , the U.S. will lose some sovereignty

Ya know how Microsoft "embraces" open standards?

KFG

Re:Innovation

[endr]

No, I haven't heard about the MD5 and SHA-1 "breaks". What I have heard about is the MD5 and SHA-1 _collision_ scenarios. That's vastly different from a break.

Re:Innovation

[Achromatic1978]

How did Google "lose out" to the "Chinese duplicate"? If you mean Google.cn, then it's still theirs. If it's another service, Google had no 'right' to the users, and no-one did anything untoward in building a competitor. I know what you mean, but either way, your statement almost implies impropriety, of which there was none.

Re:Innovation

[jrobinson5]

1. Create a beowulf cluster of Soviet Russians.
2. Make sure it runs on Linux.
3. ????
4. PROFIT!!!

I for one welcome our new profitable, Linux-running, Soviet Russian Beowulf overlords.

Re:Innovation

[AnyoneEB]

China has a constitution providing for many, if not all, of the rights specified in the United States Bill of Rights. The difference is that the United States government usually follows its constitution. Unfortunately, like in the US, most people in China simply do not care about politics.

Re:Innovation

[thegrott]

Thank you for not taking the time to explain your view on every aspect of china, including each of its residents. Somehow i don't think I would get the time to finish reading it this lifetime... I felt the generalization was within reason, and used the same assumptions that the article in question does.

Re:Innovation

[Schraegstrichpunkt]

Subtle difference: It killed it by patenting the encoding scheme for the records.

The fact is that it is illegal to use a large number of protocols, and software in general, in the U.S. because of patent law. The mechanisms by which the law does this are properly referred to as details, not differences.

Re:Innovation

[Schraegstrichpunkt]

No, I haven't heard about the MD5 and SHA-1 "breaks". What I have heard about is the MD5 and SHA-1 _collision_ scenarios. That's vastly different from a break.

That's an odd statement to make. If you have an algorithm that is claimed to be a collision-resistant hash function, and you can find a collision in fewer operations than brute force, then the algorithm is broken.

Quoting from Bruce Schneier's Self-study course in block cipher cryptanalysis:

Breaking a cipher doesn't necessarily mean nding a practical way for an eavesdropper to recover the plaintext from just the ciphertext. In academic cryptography, the rules are relaxed considerably. Breaking a cipher simply means finding a weakness in the cipher that can be exploited with a complexity less than brute-force. Never mind that brute-force might require 2^128 encryptions; an attack requiring 2^110 encryptions would be considered a break. Breaks might also require unrealistic amounts of known or chosen plaintext---2^56 blocks---or unrealistic amounts of storage: 2^80 . Simply put, a break can just be a "certicational weakness": evidence that the cipher does not perform as advertised.

Successful cryptanalysis might mean showing a break against a reduced-round variant of the cipher---8-round DES versus the full 16-round DES, for example or a simplied variant of the cipher. Most breaks start out as cryptanalysis against reduced-round variants, and are eventually (maybe years later) extended to the full cipher. In fact, a break on a reduced-round version of a cipher is often a publishable result.

If you read the literature, you'll find that Bruce is correct.

From the same author, here is the announcement of the SHA-1 break:

February 15, 2005
SHA-1 Broken
SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.

If you had searched Google for SHA-1 broken, you could have figured that out yourself. Please do some fact-checking next time.

Re:Innovation

[1u3hr]

If it was wrong for the US in colonial days, it's wrong for China now.

US companies pirated books and copied industrial processes in the 19th C. But I don't recall any reverse-engineering a protocol. There is little similarity; and I see no moral problem at all.

Re:Innovation

[redcane]

the govt, thinks its citizens en masse are morons

I have always found that humans en masse appear to be morons. It seems whenever people act as a group they get worse. Each individual in the group might be logical, and have common sense, but when you put them in a mob suddenly you see nasty patterns emerge. Ask anyone who has worked retail.

Re:Innovation

[bigpicture]

I think that way back when, spaghetti, gunpowder, and several other such technologies were "reverse engineered" (stolen) from China. It's the old what goes around comes around thing.

Re:Innovation

[d34thm0nk3y]

Yeah, well you have to look at the audience... You got mostly white males in the ages of 16-24. They think they know everything about anything and therefore can easily feel comfortable shooting off about entire peoples they have never met. The fact that they're american doesn't help either :-)

I am just going to go ahead and pretend irony was the actual intention of this post.

Re:Innovation

[ZzzzSleep]

I believe the rule is: The intelligence of a mob is the intelligence of the dumbest member divided by the number of members in the mob.

Re:Innovation

[AcidLacedPenguiN]

leave it to slashdot to find a starwars reference in everything.

Re:Innovation

[palindromic]

MOD THIS FUNNY, MOD THIS FUNNY.. he just said that the Chinese have been innovative in CRACKING THE MOST TRUSTED ENCRYPTION ON THE INTERNET. THATS INNOVATION! /irony off.

Seriously, that is hilarious.

Re:Innovation

[foobsr]

Debatable if considering Xu Xuanping.

CC.

Re:Innovation

[Knuckles]

It certainly is debatable, but there are no known historical records more than ca. 150 years back, and it seems pretty safe to say that the currently practiced forms weren't developed much earlier. There is no doubt though that other internal arts, and/or direct precursors existed way longer. And in the context of the parent I replied to: it is in any case true that major developments in the internal arts happened within the last 500 years and the parent was an idiot.

To be honest, I was mainly trying to plug the links :) May I ask what style you practice and in what school/lineage? (and nice sig!)

Re:Innovation

[foobsr]

May I ask what style you practice and in what school/lineage

For sure, Yang (Cheng Man Ch'ing) for only three years now with Wilhelm (forgive him for the site, computer related issues are not his main concern) who was raised :) by Patrick (among others).

And, yes, I agree that Tai Chi adds much to life.

CC.

Re:Innovation

[Knuckles]

Ah, funny, Germany. I've been with ITCCA (that's Yang Cheng Fu -> Yang Shou Chung -> Chu King Hung) for 8 years or so (albeit with quite some gap when I didn't really practice), first in Vienna and now in Berlin. Currently working on the 3rd internal principle of the solo form (moving the center), and started with the sword last year.

I agree that Tai Chi adds much to life.

It's amazing, isn't it!

Open Source?

[guruevi]

Open source it and put it in a decent project like say, Asterisk... I hate Skype just because their protocol is closed. I can't do anything useful with it except when I use their crap.

Re:Open Source?

[Macthorpe]

So your solution to China cracking the protocol is to make it open-source.

You are a genius.

Re:Open Source?

[ikejam]

Gizmo project? http://www.gizmoproject.com/

Re:Open Source?

[BioCS.Nerd]

What the hell is that supposed to mean? First of all, let's address this statement:

I can't do anything useful with it except when I use their crap.

Perhaps you wrote this incorrectly, but, by definition, nothing is useful unless you use it. Would you care to elaborate why you think their service is useless crap? Oh yes, this nugget of gold:

... I hate Skype just because their protocol is closed.

(emphasis mine)

What you're saying, implicitly, is that you have no real qualms against Skype aside from their lack of openess with respect to their protocol. That's absurd! I could understand if you disliked this about their service, but to actually hate their service because of this one fact is borderline stupid.

Re:Open Source?

[spyrochaete]

If Skype was open source would they have had the leverage to enable free calls within North America until the end of this year? Even if so, is it wise or ethical to make such a powerful technology open source? There is potential for abuse when you open up any technology, but I think the subject gets even touchier when it's a free gateway to technology everyone in the continent uses (PSTN).

Re:Open Source?

[Millenniumman]

I think he is complaining because he has to use the Skype application. He can't do anything useful with the protocol except when he uses their application.

Re:Open Source?

[guruevi]

It's not as stupid as soon as you have to actually use the darn protocol. If you implement a VoIP phone server with all bells and whistles and all of a sudden some jerk-manager asks why you didn't implement the functionallity to Skype the company... well, because it's not open, I can't use it... but I want to call you with Skype from home, that's VoIP too isn't it... aargh.

Re:Open Source?

[BioCS.Nerd]

I'd certainly hope so. But in his/her vague response, a failed opportunity to bring an intelligent and interesting discourse to our corner of the web was lost.

Re:Open Source?

[zaphod_es]

If Skype was open source would they have had the leverage to enable free calls within North America until the end of this year?

I do not see that open/closed source has anything at all to do with enabling free phone calls. I have no idea how that was negotiated or what regulations were applied but I very much doubt that they started with "Hey guys we are not open source, will you give us free phone calls"

As for leverage Jajah offer free calls and look to be a startup with very little clout.

Re:Open Source?

[spyrochaete]

Jajah sounds extremely impressive, though it's unfortunate that it requires a landline on both ends. I imagine they use VOIP to bridge PSTN lines local to the recipeint. Smart! I suppose in a way this is even more complex than simple VOIP to PSTN - one fewer degree of separation.

My comment about open source was more of a financial issue, not so much a programming methodology issue. Skype is near the top of most telco's 10 most wanted lists, so I presume they are willing to go that extra mile to provide services smaller companies\projects cannot.

All I'm doing is speculating. Jajah is a great example of a little fish in the shark tank.

Re:Open Source?

[Mister+Whirly]

Hey, this is Slashdot, where "open source" is the solution to all of life's problems...

Re:Open Source?

[kubla2000]

So you want Skype to educate your "jerk-manager" as to the difference between Skype and Voip?

I'm still failing to see how any of your arguments in any way reflect badly on the company or the technology. I think there are many reasons to be wary of Skype but you've fairly efficiently managed to hit none of them.

Re:Open Source?

[grcumb]

So your solution to China cracking the protocol is to make it open-source. You are a genius.

And you, evidently, are not.

If you're analysing the risks inherent in a communications infrastructure, and you find that one (and only one) outside party has access to the protocol, it makes perfect sense to drop the 'security by obscurity' part of the plan entirely, and to move to the next element of your defense-in-depth. In this case, open sourcing the protocol could have the effect of ensuring that others invest heavily in it, improving and expanding the service, making it harder for the Chinese authorities to justify blocking it.

This is, ultimately, why the Great Firewall of China will never be effective against the Web: The value of the system to the Chinese is greater than the value of blocking it outright. Instead, they compromise by making it somewhat difficult for most people to get to most 'objectionable' content. This 'whack-a-mole' strategy guarantees that those who really want to access restricted information sources can do so, given time and a nominal amount of effort.

Re:Open Source?

[geekoid]

The protocal not being open is a good reason to dislike Skype.

Can you trust it? what happens if it changes? how locked in will we be? etc.

Re:Open Source?

[Macthorpe]

And you, evidently, are not.

Actually I am, but there are so many different ways you can be a genius it is possible to be one and still be wrong about something. Not that I'm wrong about this, of course.

If you're analysing the risks inherent in a communications infrastructure, and you find that one (and only one) outside party has access to the protocol, it makes perfect sense to drop the 'security by obscurity' part of the plan entirely, and to move to the next element of your defense-in-depth. In this case, open sourcing the protocol could have the effect of ensuring that others invest heavily in it, improving and expanding the service, making it harder for the Chinese authorities to justify blocking it.

Nope.

OSS is not a solution to every problem, and certainly not this one. China have already broken the protocol, so making it open now is completely irrelevant. In fact it's opening the stable door after the horse has bolted.

The only justification the Chinese government needs to block anything is that it can be used by dissidents to exchange information that is damaging to the Chinese government. Ergo, they already have justification to block because they otherwise would not have made the effort to break the protocol. Whether Skype expands or not, goes open source or not, they would have done this anyway because it's dangerous to them. The only thing that you achieve by making it open now is allowing others access to it, which Skype will not see being in their best interest. It would also piss off China, which is no-one's best interest.

Re:Open Source?

[Lucractius]

clearly your genius isnt in your grasp of modesty.

Tapping

[slindseyusa]

Isn't the more important aspect of this the concern that anyone could use this to tap into a conversation over Skype?

Re:Tapping

[j00r0m4nc3r]

Pfft.. nobody would do something so dastardly..

Re:Tapping

[Barsema]

From TFA :

The company, however, has not been able to decrypt the phone calls passing through those computers and listen in because of the complicated encryption keys used during calls, Paglee said.

So I guess not.

Re:Tapping

[twells5150]

How do you know the NSA hasn't already done so. If they have, they'd never tell us.

Re:Tapping

[Antique+Geekmeister]

I agree with you. Skype, due to its central corporate authentication of the RSA keys for customers, is ripe for law-enforcement mandated man-in-the-middle attacks. Without publising their protocol and any safeguards they've embedded in it, such as a public RSA key repository similar to those used by many GPG users, it's technologically easy for them to authenticate a centralized key upon request for NSA, CIA, FBI, or my aunt-Matilda-if-she-asks-them-nicely tap in the center of any conversation connection.

For all such transactions, whether they are SSL, SSH, or some proprietary technology like Skype, you have to trust the site that holds the server keys or the people that write the software not to embed backdoors or fake keys to allow tapping. There are even technical reasons to permit such forgery: web-proxies for high-availability banking transactions, for example, may want to have their SSL keys multi-hosted. I've sat in on discussions about exactly that sort of approach and its security consequences.

Anyone who assumes that Skype conversations is immune from a legal wiretap order or even an unconstitutional Patriot Act order that Skype dare not publish due to the Patriot Act's nature is engaging in wishful thinking. If you want real end-to-end encryption, you have to have personal control of the key exchange. In fact, that's how PGPphone used to work, if you can still lay your hands on a copy of it. It just never got broadly enough deployed, or provided the convenience and computer->cheap telephone call services that Skype provides.

Re:Tapping

[x-vere]

Burn!

Re:Tapping

[Chris+Toohey]

Would you expect them to say, "Yes, we can track everything you're saying in those conversations. Now please keep using Skype for stuff like calling your accountant..."?!

Chris Toohey
http://www.dominoguru.com/

In His Apartment Earlier

[neonprimetime]

Paglee details in his blog a call he received from the engineers using a rudimentary client. Part of the proof that the protocol had been cracked came when the engineers sent Paglee the IP address of his computer, information that normally would be encrypted during a Skype session.

Little did he know they were in his apartment earlier in the day.

Re:In His Apartment Earlier

[LnxAddct]

Wait a second, someone please correct me if I'm wrong, but isn't Skype a *p2p* voip protocol, implying that you are directly connected with who ever you are talking to, implying that it should be trivial to get their IP?
Regards,
Steve

Re:In His Apartment Earlier

That's correct. Send them a message and a few seconds with tcpdump is all you need. No hacking required.

Does it really matter?

[Rosco+P.+Coltrane]

Closed Skype protocol gets cracked in X months == Skype releases a new version with a new closed protocol that'll take X more months to crack. Big deal...

Anyway, Skype is a big no-no for me. I don't like software that connects to who-knows-what and uses bandwidth all the time without any way to know what the heck it's doing.

Re:Does it really matter?

i totally agree - i see this on our network with ntop -with all sorts of weird people (wanadoo, universities, etc.) connected to a local user on weird ports doing as you say, 'who knows what ...' -i wouldn't be surprised if it's being used to distribute SPAM sending bots, hidden proxies, bandwidth theft, bit torrents, spyware, etc.

Re:Does it really matter?

[Zebedeu]

No, you release a new version that supports both protocols and when the time is right, kill off the old protocol and force upgrade the remaining users.
You do this either by then releasing a new version that supports only the newer protocol, or with some sort of a kill switch on the 2-protocol software.

Re:Does it really matter?

[owlnation]

I completely agree with you. But note that it seems to matter to eBay shareholders. Their share price seems to be off on one of its regular weekly slides again.

My guess is Meg Whitman is hanging on by her nails...

Re:Does it really matter?

[paskie]

Closed Skype protocol gets cracked in X months == Skype releases a new version with a new closed protocol that'll take X more months to crack. Big deal...

Big deal for Skype, since the old version won't be able to talk to the new version.

Anyway, Skype is a big no-no for me. I don't like software that connects to who-knows-what and uses bandwidth all the time without any way to know what the heck it's doing.

And this is precisely what cracking their protocol alleviates, isn't it? (RTFA, part about Super-nodes.)

It could indeed.

[Rob+T+Firefly]

The company could transfer the technology to the Chinese government

In other news, my front door could be unlocked with my house key, I could inhale the next time I need oxygen, and water could cause things it touches to become wet.

Re:It could indeed.

[regen]

The interesting thing is since skype uses encryption and encryption use by private citizens is illegal in China, just using skype could get you arrested. But then again, if the Chinese government wants to arrest a citizen in China they just do it and can find (or make up) a reason for the arrest afterwards.

Re:It could indeed.

[orzetto]

But then again, if the Chinese government wants to arrest a citizen in China they just do it and can find (or make up) a reason for the arrest afterwards.

...See the straw in the Chinese's eye and not the beam in your ass... In America they don't even have to make up something later to deport you to Guantanamo, and in Europe you can be abducted, tortured at a military base, and dumped in some sort of Konzentrationlager in some country not too fussy about human rights.

Start worrying about civil rights in your backyard before you go nitpick on the Chinese. That's the Chinese's problem and it's up to them to solve'em. You solve yours.

Speaking of illegal encryption, guess why Skype is based in Luxembourg and not in the US.

Re:It could indeed.

[AnyoneEB]

You mean the enemy combatant status which was overturned by the Supreme Court

Lower taxes?

Re:It could indeed.

[mldqj]

encryption use by private citizens is illegal in China

Do you have any source for this? I know plenty of people do use ssh in China, and such things are as safe as they are in the US.

Net Neutrality

[hansamurai]

They could sell it to US Telco companies and make a little profit too.

Wouldn't it depend on perspective?

[Timex]

The interesting thing is, that although the protocol is closed, it is not patented and thus it is not against the law to crack it.

I'm sure Skype's lawyers might see this differently.

If this happened in the US, lawyers would be crying "foul!" on the basis of the protocol being a Trade Secret, and they would have something to say about the agreement that one sees when installing the software. I believe I remember seeing a "no reverse-engineering" clause in there.

This being a Chinese source, though, means that US rules don't necessarily apply.

Re:Wouldn't it depend on perspective?

[rednuhter]

Who says they had to install the software ...
If the packets are coming across their routers then they are pretty fair game, although I doubt they did break it without the software, if asked they [could/should/would] say they only examined packets in transit.

Re:Wouldn't it depend on perspective?

[IamTheRealMike]

Trade secrets are just that - secrets - and have no protection under law. You find them out, good for you.

Reverse engineering isn't illegal either and that cannot be changed by a EULA. As far as I'm aware a protocol is not an "invention" per se, so it cannot be patented either. Though with the modern state of the US patent office, who knows ....

Re:Wouldn't it depend on perspective?

[vertinox]

I'm sure Skype's lawyers might see this differently.

I'm sure the Chinese authorities might not care what they see differently.

Re:Wouldn't it depend on perspective?

[Timex]

I'm sure the Chinese authorities might not care what they see differently.

This was the exact point of the last line in my comment. :)

Re:Wouldn't it depend on perspective?

[geekoid]

Clean room reverse engineering pretty much solces any EULA issues.

Re:Wouldn't it depend on perspective?

[DerekLyons]

The interesting thing is, that although the protocol is closed, it is not patented and thus it is not against the law to crack it.

I'm sure Skype's lawyers might see this differently.

Skype's lawyers can see it however they want - but in this instance, they have no legal leg to stand on. It's not illegal to replicate something protected as a trade secret. (It *is* illegal to steal or 'borrow' it, or to hire employees from a rival to 'work on your own _x_'.)

Why would a protocol be closed anyway?

[otis+wildflower]

I mean in this day and age, depending on the secrecy of a closed protocol running on top of an open network for a business model seems pretty... dumb... Though obviously they are also trying to do services (like SkypeOut) which make much more sense, what is the value in having a proprietary protocol, when something like SIP (maybe an updated version that supports P2P negotiation) is out there? I mean it's not like the OSS world is playing catch-up this time (like, say, Jabber is compared to AIM's installed and active user base)..

Just curious...

Is this forshadowing

[elmCitySlim]

...of things to come? China Rising...

Isn't that sweet?

[botzi]

"Even if it was possible to do this, the software code would lack the feature set and reliability of Skype,"

Don't you just love when people speak with certainties about yet unreleased things? Sure, it may well lack it for about 24 days. Then what happens? I'm not convinced that people would base stand alone software on that protocole anyway. More likely soe SIP clients would implement the protocole as an add on.

If it were patented

[mocm]

they couldn't make it closed. That is the purpose of patents.

Blocking

[slashkitty]

Do you really have to "crack" the protocol to block the traffic? Were their packets that well disguised?

Re:Blocking

[smbarbour]

Unless it looks like other well-known traffic, wouldn't it be a lot easier to block using a "I can't tell what this is, so just discard the packets"-type filter? The device filtering the traffic will see the session from start to finish, so it's not like it has to figure it out mid-session.

Re:Blocking

Excerpt from http://lists.grok.org.uk/pipermail/full-disclosure /2005-November/038646.html :

*********

1) Skype will initially attempt to contact supernodes, the IPs of which
are in a file stored along with the other files that Skype installs. The
first method of contact is direct. The source ports that Skype attempts
to connect from are non-default ports. From my observations I could see
that the UDP source port 1247 is the initial control channel. Once the
connection is established, the rest of the communications is done in TCP
over non-default source ports with ranges sweeping from 2940-3000.
In general, any company that is serious about its security policy would
have strict egress filtering rules, which makes identifying the
non-default source/destination ports that Skype uses irrelevant since
they would be blocked anyway.

2) If the above fails, Skype will use the proxy server specified in Internet
Explorer, and attempt to tunnel the traffic over port 443 using the SSL
protocol. The destination IPs are of course random as above, which makes
destination blocking out of the question. The only option left is to
block SSL,
which is not really a solution, unless you want to end up excluding all
legal SSL destinations.
Deleting the user's proxy settings would also disallow Skype from
connecting. That would however leave the user without internet access.
Even if the user had no proxy settings, and the proxying was done
transparently (which would definitely include proxying http and https
traffic), the Skype traffic (SSL) would again be transparently proxied,
which puts us back at square one.

********

The aforementioned link however speaks of a somewhat twisted method of blocking out skype by restricting outbound HTTPS to only the requests adressed by FQDN.

Perhaps Skype will eventually just use SSL over 443 for the whole of the communication in order to establish connections, which is quite an effective method of bypassing any kind of firewall or filter put in place by a corporation. And the same technique holds true for any other "undesirable" protocol. With VPNs now starting to use SSL over 443 to evade restrictive outbound ACLs, it's getting more difficult to restrict what leaves your network.

Re:Blocking

[Ulrich+Hobelmann]

Probably not, but I think it's much more interesting for authorities to not block traffic, but simply wiretap it.

Since China controls the Chinese routers, it's easy to be the listening man in the middle.

Re:Blocking

[Duncan3]

Yes. Skype is one of the most sneaky and well disgused protocols ever.

Mainly becasue they "borrow" (no such thing as stealing on /.) massive amounts of bandwitdth from the people unfortunate enough to meet the *.edu criteria to be a supernode.

Botnet designers have nothing on Skype, except alot to learn.

Re:Blocking

[jroysdon]

Using "SSL" over 443 has long worked for bypassing firewalls and even proxies. I wrote about this back in 2003 and have been using ever since. It works even through a proxy server, as the proxy server just has to blindly forward all "SSL" traffic over port 443. By the very nature of SSL traffic, there is nothing you can do about it. All I do is wrap my SSH (or whatever) traffic inside an "SSL" stream and you can't touch it without breaking every other https site.

The only way to block this would be to create a whitelist of SSL/https sites and allow only those access. Since every business relationship is driven online these days and everyone wants it encrypted, unless you sell tires to folks that walk in and just have a cash register, you'll still going to have to allow SSL.

Re:Blocking

[IEEEmember]

Both the parent and grandparent assume a simple form of blocking. Some (most?) VoIP blocking done commercially is done by NARUS' semantic traffic analyzer. The NARUS STA can simply look at the pattern of the traffic without regard to content and make the assumption that it is voice traffic and block it where required or, more importantly, create call detail records identifying the time and length of calls for use in billing.

NARUS Press Release Specifically Mentioning Skype

One side effect of this type of blocking is that calls can actually be established and are then blocked. This can be an even worse situation for users because they may incur call termination fees before the call is dropped.

I would, however, like to see statistics at how good NARUS is at recognizing Skype traffic since it's signature is not as straight forward as a simple SIP call. Additionally it should be possible to create additional traffic to disguise the VoIP traffic signatures, but this is beyond the capability of the typical user.

Re:Blocking

[jroysdon]

However, this makes the assumption that all someone is doing is voice. If you looked at my ssh tunnels over tcp/443, it has everything I'm doing going through it (essentially like a VPN), and it is all to the same remote box that proxies what I do.

I don't think NARUS can tell when voice calls start and stop if I'm running remote Terminal Services (RDP and/or Citrix), other VPNs to other customers (within the SSH), web traffic, email, steaming music (last.fm. While I'm very unique, and what I do is unique, I don't think TS and/or steaming music is unique. My workflow involves constant open VPNs with SSH and/or telnet and/or RDP. With it all run over a single SSH over TCP/443, there is no way to break down what is going on by traffic signatures, unless I do nothing but the voice call. However, I always have debugs and remote desktop running in the background coming in.

I think a NARUS box only works if it can see where the traffic is really going to. Since I proxy/tunnel all my traffic to a host I have on a DS3, it would be totally blind without being able to see what traffic is coming out of that host (which has tunnels of many of my users coming out).

Re:Blocking

[Lucractius]

How the narus box works is the least of your worries if your traffic crosses one of these world class privacy violation enabling tools.

read the details of the EFF v AT&T case to see more on how Narus is helping big brothers everywhere.

I cant see why i would want this kind of device on my network. If i want control, ill simply lock it down more. the only conceivable uses seem to be of the invasive "we bill you more" and "we want to know what your saying" kind of thing... scaryiest is the fact these boxes keep records of the traffic crossing them & the analysis of the traffic as well.

They renamed the protocol

It's now call Scrype terraphone and it love you long time

Re:They renamed the protocol

Just because it abuses a stereotype doesn't mean it can't also be very funny. And it doesn't make me any more of a racist to laugh at it, even though I dislike racism, and wouldn't use humor that way myself. Try as I might, I can't find it unfunny. Guys getting kicked in the nuts is also pretty funny to watch, but that doesn't mean I advocate testicular violence. So get over your enlightened condescension and enjoy the ride.

Re:They renamed the protocol

[ScrewMaster]

You know, it does seem that people who are so overtly against racism are damn near as annoying as actual racists. Interestingly, I've found that many such people are, when push comes to shove, much less open-minded than they would have you believe. When I was much younger my family lived in a town with a significant percentage of upper-middle-class/rich types, many of them leaning pretty far left. I mean, these people would run their mouths all day long about the evils of bigotry and racism, how we're all equal in the eyes of God and so on ad nauseam. Kinda made me want to throw up, frankly. Anyway, it all sounded good, but just let one black family move into the area, and it became immediately obvious just how "enlightened" my neighbors really weren't.

Personally, I'd rather deal with an out-and-out in-your-face honest-to-God BIGOT than a hypocrite. At least then, you know where you stand.

Re:They renamed the protocol

[Mister+Whirly]

Hmm, Troll huh? I guess a racist joke on a rascist isn't funny...Oh wait, this is Slashdot. Next time I'll aim the humor a little lower...

Reverse Engineering

[ultrasound]

it is not patented and thus it is not against the law to crack it....

Patenting something does not prevent anyone from reverse engineering it, and in fact they wouldnt need to because the mechanism would be documented in the patent.

Reverse engineering is not 'against the law' in most parts of the world, only the US thanks to the DMCA (C is for copyright, not patent), so therefore they probably have not broken the law if they did this outside the US. At present it is legal in the EU to reverse engineer a competitors product for the purpose of producing a compatible interface, sadly however that may not be the case if the proposed "directive on criminal measures aimed at ensuring the enforcement of intellectual property rights" is ratified.

Re:Reverse Engineering

[YU+Nicks+NE+Way]

The parent is only "informative" in the weakest sense. Yes, a patent application must contain detail sufficient for a third party to replicate your invention. However, that detail is utterly useless until either the patent expires or an infringement case comes before a court. In particular, if I hold a patent on process X, then I hold a grant patent to bar any comer from constructing any mechanism which implements the patented process. (Bear in mind that the current European controversy has nothing to do with that part of patent law, but only about what properties a "patentable mechanism" must possess. The arguments against business process patenting boil down to the claim that a "process" is too broadly applicable a notion to be granted patent protection.)

Since reverse engineering necessarily requires that the engineer construct a working model, to the extent that Skype's protocols were patented, the construction of that working model would, in fact, constitute a prima facie infringement.

Re:Reverse engineering

[geekoid]

not any more - See DMCA.

Patents != legally uncrackable

[Aim+Here]

The article submitter seems to be a lot confused regarding the law. There's nothing unlawful about cracking a patented algorithm. It might be unlawful to market a device using the same encryption, in those parts of the unfree (softwarewise) world where software patents are implemented, but that's a different thing.

Cracking encryption algorithms is generally only unlawful where the encryption is a method of encrypting copyrighted material, AND the country involved has implemented some variant of the DMCA or EUCD. That's the legal machinery that DVD Jon had problems with. The Skype Protocol won't be covered by DMCA-like provisions.

Re:Patents != legally uncrackable

[elgaard]

You should't even have to crack it. You should be able to just read the patent application.

In theory that is.

Closed Protocol != Security

[Penguin+Programmer]

Closed protocols are not a substitute for security. Any traffic that goes over the internet can be intercepted. Once you have the packets, it's just a matter of figuring out what they mean. This certainly does raise concerns that tapping into Skype conversations may become easy, but this was bound to happen eventually and should be no surprise to anyone.

Besides, who really cares? Phone conversations can be tapped into. Cell phones, too. Everyone knows not to transmit confidential information over the phone.

Re:DMCA?

[alienw]

Uh, no. See Lexmark vs. SCC.

link to info on skype protocol

[throwaway18]

Lots of info on how skype works, including that the people who run skype could evesdrop on conversations, the possibility of using skype to relay non skype traffic and an overflow security hole (hopfully now fixed) were revealed four months ago.

Silver needle in the Skype at Blackhat Europe

Re:link to info on skype protocol

[numatrix]

Mod parent up!

1) Almost all (if not every bit) of this is not new information, it was already broken in the above referenced article.

2) Blocking the traffic was already described in the article, all the Chinese government had to do was read the paper some time ago instead of waiting for these schmucks to "discover" it.

3) If you read the paper you'll see how much work Skype goes through to make it hard to dissassemble their code and protocols. I'm sure if blocking in China becomes an issue they'll have the same smart people who did it the first time further obfuscate things (of course, for all the same reasons I'm not a fan of the Skype software to begin with, but that's another story).

Re:link to info on skype protocol

[throwaway18]

Almost forgot, An analysis of the skype protocol from 2004

No one should use Skype anyway

[Bromskloss]

Good point in the FAQ of standards based (H.323, SIP) communications program (text, audio, video) Ekiga:

Ekiga is not compatible with Skype and will never be as long as their protocol will stay proprietary. We do not think using closed protocols for communications is a good thing.

For more info on the repercussions of this...

[viper21]

Check out:

Skype Journal

Looks like there are a lot of opportunity for deeper business integration. Wonder if this opens up any vulnerabilities for standard client users?

Paglee means . . .

[narsiman]

Paglee - a mad girl in Hindi. (mockingliy)

Welcome to global communications.

Re:Implicitly, Skype has lost its best feature..

[throwaway18]

To be able to reverse-engineer the Skype protocol, these guys had at one point or another to decrypt the data, and encrypt it as well.

What this means is that they could configure their application as a SuperNode and intercept conversations, files, text in between.

This is not a valid conclusion. To send out and receive audio when participating in a call it is necessary for a client to have the crypto keys. When the client is running on a general purpose computer the keys are inevitably accessable by the end user. The only solution to that is tamper resistant hardware and we, the slashdot masses, hate that.

To function as a relay for other people skype conversations you don't need to be able to encrypt and decrpt the streams, you just pass them on.

There is a big problem with skype which is that the way is implemented means thats the people who run skype could evesdrop on calls and could be served with warrants to do so. Using end to end public key encryption to prevent that would not prevent anyone reverse engineering it and creating a compatable client.

Re:DMCA?

[flipper65]

More to the point, Skype did not copyright the technology.

Re:DMCA?

[riflemann]

Think about it - your conversation could arguably considered copyrighted information (as it's being recorded) - and the Skype protocol "effectively" protects it from being played back.

Not that the DMCA is relevant to me, yet (being outside the US), but I like this (currently) hypothetical topic...

Don't the anti-curcumvention provisions in the DMCA only protect the copyright holder? As the person doing the talking over Skype, presumably you are the copyright holder, and thus you are therefore allowed to decrypt your own copyrighted 'content'.

Or am I missing something? Does the Skype EULA transfer copyright of your conversation to Skype themselves? *scary*

Re:DMCA?

[drinkypoo]

I realize that the DMCA doesn't extend outside of the USA, but could Skype use it to block this software/information in the US?

This is why mod points should be more carefully controlled.

The DMCA explicitly protects your right to reverse-engineer for the purposes of interoperability.

The Skype's the Limit

[Doc+Ruby]

A real patent of Skype's protocol (if a protocol patent could be considered "real") would have published all the details, precisely to protect by law what Skype instead protects by secrecy.

Of course China's mafia government would have found ways to to protect their local "infringers" if it gave them control over Skype's important telecom traffic.

An open protocol using open software from more than a single (point of failure) source is a lot more reliable in the face of large scale attackers, like a government. SIP and IAX are safer.

Not really cracked until we see skype.c

It's not really cracked until the "crack" is public.

Patent != secrets!

[headqtrs]

You cannot keep a protocol secret if you patent it because in the patent you have to document everything. This concept does not seem to be clear to the writer of the article.

Re:Patent != secrets!

[Andy+Dodd]

Yeah. In the case of Skype, legality of reverse engineering the protocol would depend on the EULA of the software being reverse engineered.

I'm sure Skype's EULA forbids reverse engineering the protocol, thus Skype has legal grounds to sue whoever reverse engineers the protocol for violating the license agreement.

Re:Open Source = Openser

[mpapet]

This isn't really an insightful comment. It's currently modded as such.

Asterisk does not currently provide the nuts and bolts of connecting SIP callers. It's SIP integration is not built out so great either. (ex. can't easily connect to a STUN or RTP proxy)

The normal procedure is to use an SIP server with asterisk as a voicemail backend.

The SER and OpenSER SIP server projects both connect to asterisk.

There is no reason to use skype's proprietary protocol. Good for the Chinese for putting a dent in their proprietary methods. Let SIP providers compete on a service basis, not protocol competition.

Re:Grammar Nazi to the Rescue

[tprox]

Talking into a teapot or a teacup would probably block most of the sound provided you weren't talking very loud.

AsterSkype

[Doc+Ruby]

Now that it's (reportedly) proven crackable, it should be a matter only of time before someone gets a cracked Skype protocol into an open Asterisk module.

Re:I'd assumed they'd done this already.

yes they are already blocking http://anonet.org/ and all of its subdomains but intermitantly, its a great tool, i just hope the chinese doesn't block VPN's next! for those in china, use tor to access the site, same goes for those in the _peoples republic of amerika, franKe, germEny oh and soon engFand.

Re:Grammar Nazi to the Rescue

[Blue+Trapezoid]

It's British English. Get over it.

Re:DMCA?

[Bogtha]

your conversation could arguably considered copyrighted information (as it's being recorded)

Is it being recorded though, or just transmitted? Something is only copyrighted once it gets fixed into a medium. So if you are recording to disk and then transmitting, that would be protected by copyright. But the user would hold the copyright, not Skype, so Skype couldn't use the DMCA against anybody.

I thought that maybe Skype could include a copyrighted logo or something at the beginning of each transmission, but Nintendo tried to do exactly this, and the court ruled that the copying for protocol purposes wasn't infringement. But the law has gotten far more protective over copyright lately, so who knows? Skype might be able to ward off competitors with just the possibility of a successful lawsuit.

Reverse engineering

[wiredlogic]

Reverse engineering is always legal. The only question is whether you have the right to do anything with the results of such activity. You can only infringe a patent directly if you engage in the commercial sale of products using patented technology.

You can be found guilty of contributory infringement if you publish detailed information about how to go about infringing a patent. This is a shady area though, since the patent itself already describes the technology in question so it boils down to an evaluation of the individual's intent.

NSA congratulates Paglee

[kanweg]

on being second.

Bert

Literally

[RPoet]

They could literally turn the lights off on Skype in China very, very quickly

No, they could metaphorically turn the lights off on Skype in China very, very quickly.

Re:DMCA?

[DevanJedi]

If mod points were more carefully controlled, your post wouldn't have a score of 5 either.

Re:Interoperability

[Oliver+Defacszio]

Skype, much like DVDs prior to CSS getting cracked, wasn't useful.

Hear that, everyone?

If you're one of the millions who found a ton of value in Skype before it was cracked, you were very, very wrong, because this anonymous Internet jackass has said so. No matter how valuable you think Skype was before, it really wasn't.

You know all the money you saved on long distance calling since Skype dropped the fees behind North American calls? That didn't happen either.

But, as you'll guess, now Skype will become useful, as it will become interoperable with some piece of garbage OSS code that will be orphaned within five seconds of its Alpha version being released. Now that's value.

Re:DMCA?

[Aardpig]

The DMCA explicitly protects your right to reverse-engineer for the purposes of interoperability.

Except when it might interfere with the profits of the MPAA*.

*See DVD Jon

Incorrect view of the law.

As most people here seem to be somewhat lacking in knowledge over the legal aspect, just because something does not have a patent does not mean it is legal to crack it. Reverse engineering may or may not be legal depending on the country the reversing was done in. US law is *NOT* global law, as so many large US companies and the US government itself is learning. Patents, ignoring their frequent misuse by US companies, are designed to protect innovative ideas long enough for a person or entity to make profitable use of the innovation. It also prevents other companies from copying the idea without some form of licensing - free or otherwise.
However, a patent does *NOT* protect an idea only the implementation of an idea; that's a very important distinction. Further, not having a patent on an innovation does not mean you cannot sue if someone uses your innovation without your permission - in fact the only real value to a patent is a kind of 'date-stamp' to *help* decide (but not confirm) who got there first.

But as to the question of a patent making it illegal to reverse engineer an innovation - No, patent law does not cover this aspect of the law. Anti-reversing laws are a totally separate beast and country dependant.

Re:Incorrect view of the law.

[fishbowl]

>Reverse engineering may or may not be legal depending on the country the reversing was done in.

Kindly list some countries where this type of "reverse engineering" is illegal.

Re:Incorrect view of the law.

[Mister+Whirly]

In Soviet Russia, engineers reverse you

Re:Incorrect view of the law.

[fishbowl]

>Well, let's start with the DMCA in the USA. :-)

No, the DMCA does NOT prohibit reverse engineering.

Re:Incorrect view of the law.

[fishbowl]

That isn't even language from the act. I know that distribution of "circumvention devices" is forbidden, but that doesn't stop you from making and using them.

Re:DMCA?

[schon]

The DMCA explicitly protects your right to reverse-engineer for the purposes of interoperability.

The reverse-engineering clause has many exceptions - not the least of which is "non-infringing uses"

And as a previous poster pointed out, it interoperability didn't stop the MPAA suits against DeCSS.

Further Clarification.

[pavon]

Patenting something does not prevent anyone from reverse engineering it, and in fact they wouldnt need to because the mechanism would be documented in the patent.

Well no, because you can't patent a protocol. Instead they could patent a core method upon which the protocol is based, and that method would be made public - in non-specific legalese, that would in itself be practically useless for the purpose of implementing the protocol. The details of the protocol itself would still need to be reverse engineered.

You are absolutely right about reverse engineering not being illegal. In fact even with the DMCA reverse engineering is still entirely legal. The catch with both the DCMA and patents is what you can do with the protocol once it has been reverse-engineered. In the case of patents, the basic priciples have been disclosed, and you are allowed to distribute any additional information that you learn about the implementation, but you are not allowed to implement the protocol without a patent license.

In the case of the DCMA, you may be* prohibited from disiminating information that you have reverse-engineered, if can be used to circumvent a copyright protection device. I don't think that would apply in this case - what copyrighted work is being protected? The only possibility are the conversations themselves, but this does not allow you to listen in on anothers conversation, it simply allows you to initiate new coversations. Assuming that you are using secure cryptography, revealing the mechanism of the encryption does not weaken the security of the system, only revealing the keys, which in this case are generated per connection, like SSL.

So unless Skype's security is crap, which I don't believe to be true, the DMCA would not restrict you from publishing the details of the protocol, or third party implementations of it. On the other hand patents could. Therefore, the submitter was correct in bringing them up as a potential barrier, even if his wording was not.

* The law contradicts itself, and while there have been some precident setting cases, the interpretation is still very much up in the air.

Re:DMCA?

[jank1887]

copyright is inherent in creation, not an act that needs to be taken (a la trademark registration or patent filing)

Re:DMCA?

[nullman]

RAM is my medium, and I record to it all the time.

-- No sig for you!

Re:DMCA?

[chris234]

> And as a previous poster pointed out, it interoperability didn't stop the MPAA suits against DeCSS.

Were any of those lawsuits in the US?

Did "DVD Jon" help them out?

[BroncoInCalifornia]

He seems to be the world's best reverse engineer!

Re:DMCA?

[drinkypoo]

as a previous poster pointed out, it interoperability didn't stop the MPAA suits against DeCSS.

The DMCA also prohibits the construction, possession, and/or use of a device to defeat copyright infringement. In a case where the law contradicts itself, the people with the most money win.

"Skype's been cracked" is old news

[s_p_oneil]

The Skype protocol has been cracked for a while, and by at least three organizations I know of, each using different techniques. Some of those techniques have been published, and it's only a matter of time before hackers start exploiting Skype. The only news here is that one of the companies who cracked it is releasing their own Skype library.

who cares about monkeys and shakespeare?

[brunokummel]

I guess we can reformulate the theorem to:
Two billion chinese hitting keys at random on their computers for a month or so, eventually one of them will almost surely break your code!

Open Vs Closed

[kiran_n]

Ultimately it comes to down to open systems vs closed systems. Traditional telco vendors (carrier and enterprise) all had "closed" systems - propreitery hardware and operating systems and usually propreitery protocols. *ALL* of them are moving (or have moved) towards open systems (read Linux) - supporting standard protocols that other vendors/end users can (in theory) work with. If you look at any product or system - it ultimately has to move to towards an "open" system.

Would Skype be as successful if it had been based on SIP? Skype was a disruptive product and most disruptive products *have* been "closed" systems to begin with. This has to happen sooner or later - and Skype cannot shy away from that. Take a look at http://skypejournal.com/ this has an interesting comment on this.

I don't think this is evil and has anything to do with breaking or cracking something. (Is DVD John bad?) I think this is a good thing - systems have to be eventually open and good systems win on the merit of the quality, user experience and, of course, cost...

---
Sig fault and hence dumped

Re:Hmm

[flooey]

What's to stop them from changing the protocol now?

The several million people whose copies only support the current one.

PGP Phone

[Civil_Disobedient]

In fact, that's how PGPphone used to work, if you can still lay your hands on a copy of it.

Oh, I'm sure you can find it floating around somewhere.

Re:DMCA?

[Mister+Whirly]

True, but it is much easier to establish who did something first if you register for a copyright. Otherwise you may need to prove that you were using it first, which can be difficult sometimes.

Re:DMCA?

[Mister+Whirly]

"In a case where the law contradicts itself, the people with the most money win."

Isn't that the case pretty much regardless of contradictory law??

Re:Grammar Nazi to the Rescue

[Macthorpe]

Thank you!

Saved me the bother.

A lot has been known for a few years now ...

[__aadkms7016]

This paper was published in 2004, by the VoIP group at Columbia. It reverse-engineers the Skype network with sufficient detail to let one make a serious attempt at firewalling Skype traffic.

I guess Coobol did it

[BTWoo]

I guess Coobol did it.

German officials cracked Skype already

According to an article from the New York Times back in May 21, German authorities claim to have the ability to intercept and decrypt Skype calls.

Re:Open Source = Openser

[jmorris42]

> Asterisk does not currently provide the nuts and bolts of connecting SIP callers. It's SIP integration is not built out so great either.
> (ex. can't easily connect to a STUN or RTP proxy)

Methinks thou have been modded 'informative' by others as lacking as clue as thee. Granted I'm still learning about VoIP and Asterisk but I took a WiFi VoIP phone (zyxel) home and it used the Asterisk server at work from behind my Linky's NAT just fine. Perhaps previous versions of * didn't have as complete support for SIP as 1.2 but I think you need to try a current version and update your knowledge.

As for Skype, it is great it has been reversed. Now we need a reversed copy of the protocol out in public so other products can interoperate with it. Until then it is just another closed product of zero interest because it has zero longterm future.

Re:DMCA?

[init100]

The DMCA also prohibits the construction, possession, and/or use of a device to defeat copyright infringement.

I think you meant "enable copyright infringement". Otherwise DRM would be illegal. :)

Open Source

[microbee]

What you said might be true, but it's exactly what some people say about open source.

Re:Interoperability

[blackest_k]

Interoperability is what the AC should have stuck with and yes it does have interesting possibilitys.

maybe soon we will see that vonage and skype customers can talk to each other without having to subscribe to both
(add any number of other service providers to this too) maybe your own ISP might do a voip deal thats cheaper than skype. who knows. (vonage just used as an example)
millions of people currently use skype now billions don't. If the protocol is open then its no longer a choice of who has the most users but who has the best rates.

course the lawyers now will have a feeding frenzy and hopefully the winners will be the consumers -actually win or lose skype will lose. Customers are free to go elsewhere at anytime if their interests, lower prices and greater interoperability are not met, many will desert skype.

Mergers will be made Deals will be struck between other telecommunications companys sharing a common protocol.
skype may or may not be included.

if there is value in cracking something

[bobamu]

it will be cracked.

now whether it takes a 5 year old laptop to do it or the latest supercomputer, it will be cracked.

Troll?

[metamatic]

Truth hurts, eh American moderators?

Re:Troll?

[bcmm]

I M2'ed the Troll mod. So there.

Re:Details Shmetails...

[mpapet]

I took a WiFi VoIP phone (zyxel) home and it used the Asterisk server at work from behind my Linky's NAT just fine

1. Because it works in your situation, it's not a good idea to generalize.

2. Conveniently, you fail to mention how you are connecting to the office network.

3. http://www.voip-info.org/wiki-Asterisk+SIP+not-pro xy explains the difference between it and a proxy. Please read it and consider carefully.

The task of proxying over heterogeneous security appliances and public/private networks is not as easy as you claim.

Gaim

[Dasch]

So how long 'til I can use Skype from Gaim? If voip is going in anyway (gtalk), why not add Skype to the (lengthy) list of supported protocols?

Pffft!

[marevan]

I remember slashdot story about some american being sued (or something as bad) for reverse engineering something. Then everyone was instantly saying how is it ok to reverse engineer a product to find out how it works. So why it suddenly isn't ok? Because it's China?

Now that we know the protocol...

[r00t]

We need at least one other implementation, and then we can publish the spec as an RFC.
Perhaps somebody wants to hack Asterisk PBX to handle this?

Definitely.

[r00t]

Once there is a second implementation, we can publish an RFC.

It would be a riot. Imagine reading an RFC that tells you to obfuscate your packets. Imagine if it told you to use a specific set of RSA keys and a specific set of IP addresses.

Hoax

[HunterZ]

Screenshots or it didn't happen.

Re:Hoax

[Lucractius]

im pretty sure one of the other articles i swa on this had a screenshot... cant for the live of me find it ... wasnt on a site i regularly visit.

Re:Hoax

[Lucractius]

update ... triped over the article with the screenshots

http://blog.tmcnet.com/blog/tom-keating/skype/skyp e-cracked.asp

Re:Hmm

[geekoid]

no, they'll just push an upgrade.

Re:DMCA?

[Beryllium+Sphere(tm)]

>The DMCA explicitly protects your right to reverse-engineer for the purposes of interoperability.

Whatever the statute actually says, that's not the way it's working in practice.

On February 27, 2003, judge Karl Forester ordered Static Control Components to stop selling inkjet cartridges that interoperated with Lexmark printers. He issued the injunction under the DMCA.

Skype for Linux

[Jacek+Poplawski]

Skype for Linux works very badly, there are even problems with using it two times without restarting - you will notice "sound device error" message. Interface is very unfriendly and I am sure it would be much better to use Open Source client. But there is no any!
I believe that making this protocol public would help community a lot.

Innovation? Skype?

[m874t232]

What should Skype have patented? The company didn't invent anything, they just took existing technology and built a successful business around it. It took billions of dollars to develop the technologies that have made Skype successful, and Skype didn't pay a dime for those technologies.

If there is anything to complain about at all, it's the fact that Skype's protocols aren't open to begin with and that Skype fails to follow open Internet telephony standards. Skypte is the problem here, not the Chinese.

Re:Err, umm, No.

[Neoncow]

How 'bout we make a deal? I'll give you the packet dumps from my SSL session with [insert_ecommerce_site_here] and I'll even give you 100 years and unlimited computing power. And all you have to do is tell me what I bought, what I paid for it, or my credit card info.

Good thing you posted as AC. With my unlimited computing power, I assign one computer to attempt to use each key in the keyspace. I think maybe you meant polynomial computing power.

But seriously, if you gave me 100 years and unlimited computing power, I'd live the rest of my life in virtual universe where I am omnipotent.

OT: Actually, that's a really interesting question, what would YOU do with 100 years and unlimited computing power?

Re:Err, umm, No.

[jeremyp]

With unlimited computing power I could break your SSL session in minutes, seconds even. No cipher short of a random one time pad is perfectly secure.

However, the principle behind encryption is not to make messages perfectly secure, but secure enough so that by the time they have been decrypted the information being protected is useless. For instance, let's pretend I can decrypt your SSL session on my laptop in 100 years. That's entirely possible if the cipher used is a bit weak, but what good does it do me to know your current credit card details in 100 years time?

With modern computers, it's quite easy to make ciphers almost arbitrarily secure but in olden days, when secure ciphers were extremely expensive, the trade off between how long lived the information was and the security of the cipher was often critical and when misjudged could lead to disastrous results.

Re:Err, umm, No.

[Lucractius]

destroy it before it took over the universe...

unlimited power would require some form of mechanism to gather (potentialy) unlimited energy from the universe.