Why Does Skype Read the BIOS?
pfp writes "Myria at pagetable.com, among others, noticed that Skype reads the machine's BIOS code on startup. This probably would've gone unnoticed if the operation didn't fail on 64-bit Windows. From the post: 'It's dumping your system BIOS, which usually includes your motherboard's serial number, and pipes it to the Skype application. I have no idea what they're using it for, or whether they send anything to their servers, but I bet whatever they're doing is no good given their track record... If they hadn't been ignorant of Win64's lack of NTVDM, nobody would've noticed this happening.'"
This is a random guess, but it could be part of Skype determining the make and model of your CPU. They had made a deal with Intel a while back to only allow large conferences on their processors, and the BIOS reading could be part of that or in anticipation of other deals to come.
What is mankind really? Well, it's just two words put together Mank, and ind.
What is Skype's bad history?
riding round the world on an old motorcycle
nothing to see here. move along.
we are not spying on you. we swear.
oh btw.. your wife is cheating on you.
What better unique identifier than the system BIOS? IP addresses are becoming less reliable since many people use wireless internet and mobile phones for Skype.
Skype is probably just looking for abusive users who sign up for their low-margin unlimited calling plan only to share it with their relatives and friends across the world. If they detect, say, 5 different machines calling 5 different people all within a span of 10 minutes, then something is likely wrong.
Of course they could just be collecting system info such as the system manufacturer, processor type, number of processors, sound card, etc. This could be combined with the survey results regarding phone quality they ask you to take after every few calls. In the end it could result in a better product and better service. Of course many other software products already do this (such as Firefox, MS Windows, MS Office) but they are more open about it and at least give you the option of participating.
Wouldn't it be nice if the operating system helped you protect it from intrusive applications? No, you don't get to silently spam half-baked crap into /etc/rc.d/init.d just because you actually need sufficient privilege to do some other thing on install. No, my registry is NOT a free-for-all; you get to put just what you need in there and not go on a fishing expedition or 'fix' stuff you're not compatible with. No, the BIOS isn't for you because you're just a VOIP app and have no business whatsoever mucking around with the nonvolatile CMOS I need to boot. No, I don't need a fourth JVM crammed into my PATH, thanks.
Vendors would be forced to detail the mucking around they do, probably leading to much less mucking around in general. Indifferent users could just do what they always do and bang on the 'accept/yes/ok' widgets. Those of us who know enough to care (or get paid to) would then have an actual chance.
Too much to ask I guess.
Lurking at the bottom of the gravity well, getting old
They could use this for tracking the number of computers the program is installed on, which would work independently of current user, IP, or even reinstalls. Combined with other things this could be a unique and interesting statistic that's hard (impossible) to test by other methods.
Turning coffee into code.
Yeah, I'm shaking in my shoes thinking that eBay might steal my identity and sell my files to the government because their software might theoretically be able to read my bus speed and AGP window size.
I once read somewhere that the only identifying information that you could legally acquire, being installed on someone's computer, was MAC, IP, and nickname. Anything else (Pentium 3 fiasco, anyone?) constituted a breach of privacy. Dunno if it's true, or not, but personally, I don't want you trying to identify what the hell makes up my system. Perhaps I'm building it SECRETLY for a fucking reason. You don't need to know what CPU or HDD I have installed - the only reason you would want to would be to directly target advertisements at their own users, concerning their own fucking hardware. If Skype did that, they'd not only lose every bit of faith from me, but I'd go tell the company that I work for, which uses SKYPE on a regular basis. I can guarantee you that IT is so stupid they'd drop Skype and install Asterisk on a whim if I told them to, since I usually end up having to fix their intranet when it goes down.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Could it be that Skype uses BIOS data to generate random numbers for the encrypted communication layer?
Wait, I know the answer to this one!!
Because it was stapled to the punk rocker's face!!!1
Has anyone asked them for their explanation? I feel now would be a good time for them to exercise their right to tell us why they do this.
Might I suggest mailto:info@skype.net
I would do so myself, but I assume there's a paying Skype user here who would garner a bit more attention than I would.
It seems as if we exist solely to be data-mined. The whole "consumers, not citizens" viewpoint of business and politics is getting old. Is it time for the next revolution yet?
Because it's bored and can't find a good book.
... and then they built the supercollider.
... ...
To know what's written there.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
Can someone tell me how I can check if it's doing the same on my MacBook?
Thanks
I wonder what gizmoproject is reading on my sys?
Read my BIOS settings, I have no problem with this. There is no information in my BIOS that I would consider sensitive, maybe a touch of chagrin if it turns out I have my RAM config set wrong (?) but that's it.
Writing to my BIOS.... now that's a different matter and one I would take exception to.
In the not too distant future, next Sunday A.D.
If that is the case then transmission of that BIOS back to Skype HQ must be a breach of Phoenix/... copyright.
Look what they try to do if you or I copy someone's code ...
There's someone teach the skype 'reading'
Couldn't it just be that they want to identify individual computers? If they can read a serial number from the motherboard then they don't have to count that computer again? The actual number of installations made (and used) is quite important for a company whose stock price depends on the number of customers but whose product is free to download...
Try Gentoo. Apart from fanboy overtweakers, it provides just the kind of installation control you're asking for, via emerge. Emerge builds the new app in a sandbox, then transfers it to your running system. You then run etc-update to update your config files. If the install wants to modify files in 'protected' directories (/etc, /etc/init.d, etc.), it will ask you before making the changes. Sometimes it's a pain in the ass (327 files to update...), but at least you get to see what's going on.
If you run closed-source software on your machine, then you deserve everything you get.
If the suppliers of software weren't ashamed of it, they would gladly show you what was inside, beaming with pride as you carefully inspected each immaculately-tooled part. If they won't let you look, it's always for one of two reasons. Either it's doing something they don't want you to know about (*cough* ActiveX *cough*), or it's so badly written that they wouldn't want to admit to it (*cough* StarOffice *cough*).
Stick to open standards like SIP and IAX. Only download Skype if you're planning to try to force it open.
Je fume. Tu fumes. Nous fûmes!
Dear Sir/Madam,
As a Skype customer (adpsimpson) and software developer who has used skype-out from across the world to stay in touch with folk at home, I read with some interest on http://slashdot.org/ this morning that Skype appears to read the system BIOS on start up.
While I am aware that there are legitimate reasons that some software may do this, I cannot immediately think what a VOIP application would require the data for.
Using closed source software is always a second-best from my point of view, especially in terms of privacy and transparency of the software's function - this in fact is what led me to Skype, since it runs on Linux. As such I am slightly concerned about unexpected application behaviour.
What does Skype do with this information? Is it transmitted across the network in any form? Is it identifiable?
I look forward to your response,
Yours,
Andrew Simpson
Is crushing a suspect's child's testicles illegal?
John Yoo: "No, [if] the President thinks he needs to do that."
I don't know why Skype is reading the BIOS, others have speculated that they are trying to generate a unique key from the SMBIOS tables or perhaps lock certain features to certain processors. Sounds plausible I guess.
What I do know is the Skype programmers are überl4m3rz; the BIOS can be mapped into a process's address space using perfectly good Win32 calls. Resorting to calling a COM program to read the memory is an incredibly cheap hack, and obviously a badly tested one.
sheep.horse - does not contain information on sheep or horses.
It's important to remember that Skype comes from the same people who brought us Kazaa. It's the DNA.
Simpy
Well, getting hardware information of this kind could practically be used as a seed for random numbers.
Why always feed it with zero or ticks-since-reboot?
bye
This will generate some much needed criticism of Skype. It's not only that it is closed source, it's a closed protocol as well. I presume every Skype phone will have to pay a nice amount of royalties.
Basically Skype is not much more than VOIP. What it has going is a lot of hype, a cool name and an efficient way of doing the networking. But even then I have always been very sceptical of Skype. Unfortunately I haven't seen this reflected in real life. People simply buy Skype phones - even ones that only know how to do Skype - without realizing they are setting up a new monopoly again.
And, as you can see, monopolies can do really bad stuff. Maybe this will turn out to be nothing spectacular, but who says that the next time this will be the case? It's not that I hold eBay in such a high esteem either (although this is mostly gut-feeling).
I will only eat in restaurants that have a double door to the kitchen and a rabid security guard preventing entry. Everyone knows that the best kitchens never allow you to see what goes on inside. That is un-hygienic.
Neither do I ever check under the hood of my car. My wife insisted on that, she assured me she made sure the brakes work just fine after she adjusted them with the box-cutter. So that is alright and she waved me goodbye so nicely, together with the poolboy, as I drove away for a week trip across the mountains.
Checking the work of a software company? Pah, next thing you will be insisting that the bible is translated into your native tongue so you can read it for yourself and not have to rely on your religious leader to tell you what is inside it. INFIDEL!
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Too bad there are no open source alternatives that are fully interoperable with Skype. This seems like a great opportunity for the FOSS community, but why aren't there any takers?
Actually you should be able to get the CPU information via WMI calls, the Win32_Processor class exists for that very reason. And that would work on 64-bit Windows too.
Hmm, what software is reading my BIOS.... Windows does....Linux DOES! OMG I see conspiracy! /me is pressing power button and runs away.... AAARRRRGH!!! HELPPP!!!
Perhaps the federal government requires them to make all phone calls traceable?
On Linux most people run Skype as a normal user - it won't allow things like opening the BIOS etc. there. Also I doubt Windows allows the non-Admin user to open/read BIOS.
So whatever it is doing must be for functionality which is not significant or necessary for that matter.
Goddammit! It is FREE so what do you care? eBay has to make some money back somehow! So it sells some of your personal details. So what? It's FREE!
This is almost certainly relating to fraud - sometimes Skype offer free credit and using something akin to a poor man's Trusted Platform Module (TPM) makes them sleep better at night knowing the hordes aren't running them up a big phone bill.
This is not to excuse this behaviour, both in terms of them for asking for the information and of the operating system for giving it to them!
http://www.blackhat.com/html/bh-europe-06/bh-eu-06-speakers.html
That Blackhat link is very interesting, thanks. Deliberate spying behaviour aside, Skype doesn't seem a very trustworthy app!
>north
You're an immobile computer, remember?
So Skype reads my motherboard's serial number. We don't know what it does with it and if they send it anywhere. And so what? Even if they do send it back to HQ, they will be able to say "someone with a BrandName motherboard with the serial number ABC123XYZ has been using Skype"... and?...
I just don't see the big deal.
Anyway, my guess would be that they are using it - along with some other info - for generating some kind of unique key for the encrypted communication.
The thing is, what Windows did was take the computer and turn it into an actual consumer usable product. Actual real computers are indeed based on an open standard but it's a really really stupid standard. Seriously, buy one and visit the man pages for it. I've tried many with several real *nixen and they are pretty much a pain to set up even if you do know what you're doing, and as products they're under polished and buggy. That's today, go back to when Windows started up and these things were even *worse*.
Now I'm not saying everyone should dump stuff and go to Windows, I still find their service haphazard and buggy at best particularly when using the .NET functionality. However I think a bit of respect is due for a company that realised the killer application and went on to deliver in a consumer friendly manner that was genuinely useful and, more or less, single handedly forged the entire consumer idea of usable computers full stop.
So yeah it's a closed standard because, not for the first time, a company sitting down to design an operating system from scratch often comes up with something remarkably better than designed-by-committee products.
"I think an etch-a-sketch with an ethernet port would beat IE7 in web standards compliance."
Anyone who tries hard to secure their app tries to find the most unique way to seed their key generation process. By grabbing a bunch of unique hardware IDs, they may simply be trying to make it more difficult for hackers to find the key generation pattern to crack your calls.
From the government. They say that if I won't let them look at my files, then I am either doing something wrong I don't want them to know about, or I am a terrorist/supporter and I don't want to admit it, or both.
Where is that guy who'd die defending what I had to say when I need him?
I refuse to use Skype since it has its own 'standard' and is not interoperable with SIP or any other standard and open VoIP protocol. It's also closed source so you don't know what it's doing. I hope a lot of these 'privacy' breaches will be uncovered and people will start seeing the benefit of having truly open source code.
Custom electronics and digital signage for your business: www.evcircuits.com
They sell an unlimited service, and I was notified during the sign-up process that to allow use of my account by other people would violate the TOS and result in my account being canceled.
Now, if someone could just tell me how to keep Skype from setting itself to "Start with Windows" every time I run it, I'd be very grateful! Personally, I have more of a problem with this behavior, than them checking if I'm sharing my login.
Most likely it is for the software registration and to check that the software is registered too / what features you have and to make sure you have a valid registration.
One of the companies I work for does the same thing. What happens is each time the application is run it collects some information from the user's hardware. It then makes a magic number and sends it to a web service to compare to the magic number that was created when the person registered the program.
If the numbers don't match then the software is not valid and the program won't allow the user to access the program.
And yes, if the person does upgrade their hardware they have to re-register the software.
TruePunk | Games
Skype allows you to conference in more people if you have a newer Intel Core CPU. The easiest way to check what CPU you have, without letting you lie to Skype, is to check the BIOS. Also, checking the BIOS is code that works on all platforms. Saves them a little bit of trouble when porting Skype to the other platforms.
The GeekNights podcast is going strong. Listen!
I am gonna repeat my grand conspiracy theory: It is my belief that eBay's purchase of Skype was somehow coaxed by the NSA/CIA and here is why: eBay's purchase of Skype never made sense. eBay could have included skypeout:// links in their auctions without spending a penny. That would be like saying Slashdot can't use IM unless they buy AOL. Skype spent way above considered market value for Skype and their shareholders have applied no real pressure to have it turn a profit. This makes the transaction suspicious. The reason of course is because prior to eBay's purchase Skype was owned in Luxembourg and definitely not an ideal partner for eavesdropping on "terra'rists" (given those crazy European privacy laws). Given that the calls are encrypted, and that Skype does maintain the keys to decrypt those sessions, getting Skype under US subpoena power is a powerful tool for eavesdropping. In fact, because it is VoIP for most if not all of the calls, it can easily route traffic into the US where it can be picked up, decoded and monitored. Or, since it is known that open IPs become super nodes, Skype can naturally be coaxed into steering packets toward a super-node that can easily be monitored. I used to work for the company that wrote Carnivore. People got worked up over that? It was only the prototype.
They are most likely using this in combination with other more or less 'unique' things to identify a specific machine. It wouldn't surprise me if after this some people would do a more in-depth analysis of their code and find out that it also reads the serial number of the hard drive and gets the MAC address of the Ethernet adapter.
This seems pretty logical. Since they got rid of that hackneyed scheme a while back to give each processor a serial number (wait -- did they get rid of that?), some sort of hash of the BIOS memory, plus the Ethernet MAC, plus the HD serial number, all concatenated together, is probably as close to a unique identifier as you're likely to find on a "per machine" basis.
That said, it doesn't make me feel any better. I wasn't a fan of the processor serial number concept, and not just because it was a serial number in the processor; there were serious privacy concerns with any uniquely identifying, per-machine serialization concept, and that's true whether it's a dedicated number that's being used, or some sort of combination of semi-unique factors.
It's just one more piece of information, sitting in a database somewhere, that could be subpoenaed and used to generally cause trouble. Particularly given how close-mouthed the Skype people are about how their network actually operates (e.g. their alleged encryption, peer to peer communications), I'm not ready to run right out and trust them.
I wonder if it would be possible to run Skype in a sandbox, where the information it's fed could be carefully controlled? On further thought, I wonder what happens when you run it in VMware or Wine? Do they actually pass information about the hardware up to guest applications? It seems like this behavior would be one that the user should be given an option about, at the very least; I can only think of a few programs which have any reason to be getting the drive serial number, or the Ethernet MAC address, and for the most part they are not userland apps.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Yeah, I'm shaking in my shoes thinking that eBay might steal my identity and sell my files to the government because their software might theoretically be able to read my bus speed and AGP window size.
A++++++ A PLEASURE TO BE SPIED ON! WOULD HAVE PERSONAL INFORMATION STOLEN AGAIN!
They are reading the BIOS and sending it to Skype's servers.
Isn't that a violation of the BIOS manufacturer's rights? I don't think it is legal if I read my BIOS and dumped it on the net without their written consent. Why would this be any different?
We all like a good conspiracy theory, but it seems to me there are enough tech journalists at /. reading this thread that at least one might call and ask. It might even break into a bigger story, or maybe just be a few more minutes spent reading /. instead of working...
Can anyone post the necessary steps to see how Skype is getting the BIOS data?
If possible for Linux and MS Windows =)
I think it will be very instructive for anyone.
The Sony/BMG rootkit was free as well. So goddamn why do you care if it installs a back door or something?
What if they could use such a feature to ban usage by Mobo serial numbers? It would be a bit complicated, but should be able to work. Good way to get rid of a user instead of IP bans.
--Matt
Does Skype 1.x do this? Does it do it on Linux?
Is it in fact possible for a non-root user to read the BIOS on Linux?
# cat
Damn, my RAM is full of llamas.
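As an added example (not code from the pagetable.com post, from Skype, or from anyone in this thread) that bears on the question above about non-root BIOS access, and on the hardware-fingerprint inputs (board serial, UUID) discussed elsewhere in the thread: a Python check of which SMBIOS fields an unprivileged process on your own machine can read. It assumes the Linux /sys/class/dmi/id layout and, for the Windows branch, that PowerShell and WMI's Win32_BIOS class are available; the sample directory and its values are constructed.

```python
"""Which SMBIOS/DMI identity fields can an unprivileged process read?

Added example for this thread, not Skype's code. On Linux the kernel exports
the SMBIOS string fields under /sys/class/dmi/id/; raw BIOS memory (/dev/mem)
needs root, but these files do not all need it: the serial/UUID files are
normally root-only (mode 0400), the vendor/version/model files world-readable.
Calling the serial/UUID fields "identity" is this example's own classification.
"""
import json
import os
import subprocess
import tempfile

# Fields that can single out one physical machine (serial numbers, UUID).
IDENTITY_FIELDS = ("board_serial", "product_serial", "product_uuid", "chassis_serial")
# Fields that only describe the model/firmware and are shared by many machines.
INVENTORY_FIELDS = ("bios_vendor", "bios_version", "bios_date",
                    "board_vendor", "board_name", "product_name", "sys_vendor")


def dmi_exposure(dmi_dir="/sys/class/dmi/id"):
    """Map each present DMI field to its value, or None if this process may not read it."""
    exposure = {}
    for field in IDENTITY_FIELDS + INVENTORY_FIELDS:
        path = os.path.join(dmi_dir, field)
        if not os.path.isfile(path):
            continue  # not every board populates every field
        try:
            with open(path, encoding="ascii", errors="replace") as fh:
                exposure[field] = fh.read().strip()
        except PermissionError:
            exposure[field] = None  # exists, but protected from this user
    return exposure


def exposed_identity_fields(exposure):
    """Identity fields this process could actually read, sorted for stable output."""
    return sorted(f for f in IDENTITY_FIELDS if exposure.get(f) is not None)


def summarize(exposure):
    """One-line verdict: does an ordinary user-level app get a per-machine identifier?"""
    readable = exposed_identity_fields(exposure)
    if readable:
        return "identity fields readable without root: " + ", ".join(readable)
    return "only inventory fields readable; serial/UUID fields protected or absent"


def windows_bios_exposure():
    """Windows counterpart: WMI's Win32_BIOS is readable by ordinary users (assumed here).

    Runs PowerShell's Get-CimInstance and returns the parsed JSON object.
    """
    cmd = ("Get-CimInstance Win32_BIOS | "
           "Select-Object Manufacturer,SMBIOSBIOSVersion,SerialNumber | "
           "ConvertTo-Json -Compress")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", cmd],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def build_sample_dmi_dir():
    """Constructed stand-in for /sys/class/dmi/id with made-up values.

    Identity files get mode 0000 to imitate the kernel's root-owned 0400 files
    for a non-root caller (a root caller reads them regardless, as on real sysfs).
    """
    root = tempfile.mkdtemp(prefix="dmi-sample-")
    samples = {  # all values constructed for this example
        "bios_vendor": "ExampleFirmware Co (constructed)",
        "bios_version": "1.23 (constructed)",
        "product_name": "SampleBook 9000 (constructed)",
        "board_serial": "CONSTRUCTED-SERIAL-0001",
        "product_uuid": "00000000-0000-4000-8000-000000000000",
    }
    for name, value in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(value + "\n")
        os.chmod(path, 0o000 if name in IDENTITY_FIELDS else 0o444)
    return root


if __name__ == "__main__":
    live = dmi_exposure()  # the real sysfs directory on a Linux host
    for name, value in sorted(live.items()):
        print(f"{name:16} {'<unreadable>' if value is None else value}")
    print(summarize(live))
```

Run it as your normal user, not as root, to see what a user-level application in your session would get.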
...they need an initialization vector for their encryption algorithm... so they use something large and quite surely unique, the BIOS of the machine... yes you may call me naive... but have you any proof of any misuse of the information?
Following the Superbowl a few days ago, there was a television program that introduced the concept that a criminal was able to control the webcam (on a Mac) to surreptitiously view the activities in the room in which the running laptop was placed.
My wife said "They cannot really do that!", to which I replied, "Oh, yes they can". In the TV program, the laptop was conveniently left open and running in the bedroom.
It has bothered me a lot that Skype is a closed source program that responds to commands from outside of your home, and conveniently, has complete control of your microphone and webcam. And as a default, Skype installs in the system tray, so that it is "always on".
Am I the only person to feel uneasy about this?
Furthermore, even if you're behind, for example, a firewall _someone_ knows your IP address from proxy logs. Also, Skype could easily generate a GUID and store it somewhere on your computer where you couldn't find it, or use an existing GUID
I KNEW that bitch was using an aimbot!
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
The post says "For copyright reasons I can't post the file or a complete disassembly. However, I can describe the program in terms of 16-bit DOS C:" While I understand the author's worries, it's frightening he feels this way. He shouldn't have to worry.
Doesn't fair use specifically include an exception for comment and criticism? If the whole code is being criticized and commented on, it should be reproduced in full, particularly given that its distribution and dissemination does not harm Skype's market share.
Never mind that a reasonable interpretation of freedom of the press demands that the entire code be reported on and shared in an informative manner. Right? Right?
--sabre86
The creators of Skype got their money from the very popular P2P application, Kazaa.
Kazaa was well known for being a conduit for spyware onto users' machines. Virtually all of the money these guys made from Kazaa was by charging huge per-install fees to makers of spyware and adware. They knew full well what this software did, and they were perfectly happy to take the money.
But paying on a per-install basis means you need to be able to reliably identify a person's machine. This isn't as easy as it sounds. There is really no single piece of information that can uniquely identify a machine.
But doing a dump of the BIOS and gathering a few dozen pieces of information would allow you to fairly accurately identify unique installs.
Now, I'm not saying that Skype is spyware. And I'm not saying that these guys intend for it to become spyware at any point in the future. But I bet that they originally intended Skype to be the next big vehicle for spyware delivery.
Now that Skype is so popular and seems like a legit way to make money, they no longer intend to use it for evil. But old habits die hard, and so does old code.
Perhaps they are trying to detect whether or not Skype is being run from a virtual environment.
Currently, Google's video player does something like this.
Somebody else probably already said something about this, but if they're having trouble getting a 64-bit driver working, why don't they migrate to using a WMI query instead? You should be able to get plenty of information regarding the BIOS and CPU via WMI, as well as almost any other information you could ever dream about finding about the computer. Of course, this fails to answer the question of why they need this information, but I'm merely assuming it stems from the CPU check.
Come on, guys. This is a non-Microsoft company we are talking about. Since that is the case, they can't possibly be doing anything wrong.
We have to stand by our anti-MS zealotry, even when it begins conflicting with reality. If MS chooses to fight cancer (like the Bill & Melinda Gates Foundation), we have to be pro-cancer. If Apple wants to be a brutal monopoly, we have to ignore it and stand by them for the sake of their not being Microsoft. If Google wants to violate our privacy, we have to ignore it and stand by them for the sake of their not being Microsoft.
And if Skype wants to create a huge database on each of their users... well, suck it up, ignore it, and stand by them. It's only bad if they are Microsoft.
Here it is http://blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
SOOoooo many self-obfuscating features.... It's overkill, it's useless... As for DRMs: what could one do with all this money if such huge costly features weren't implemented? So many things!
I'm honestly not as concerned about the CPUID as I am about software pulling the MAC address and disk serial numbers. While I can think of some legitimate reasons for userland software to need to know about the processor it's running on (for technical/performance, and not identification, reasons, i.e. identification of the presence of certain features like MMX), I can't think of any good reason why it would need to know uniquely identifying information about other hardware.
Obviously the operating system, in particular the network stack, needs to know the MAC address at some point, but this information shouldn't be passed on to potentially untrusted applications. By running the operating system on the bare metal I am implying that I trust it (most people don't think about it too hard, but you'd better trust whatever's running in Domain 0, because it can do whatever it wants and only report to you what it wants), however I don't necessarily trust all my userland applications to the same degree.
I think it's just common sense that only trusted applications should have access to serial numbers or other pieces of information which can be pieced together to create a per-machine ID. Per-machine is much closer to a per-user ID than an IP address (particularly with the heavy use of NAT), and so it could easily be used to track a user, or prove later that a particular user did something and break anonymity.
Obviously, there should be a mechanism for applications that need it, to get the Ethernet MAC, CPUID, drive status and serials, but those mechanisms should be controlled and limited only to applications that are authorized by the user as having a bona fide reason to get them. To let all software pull up this sort of information automatically, relinquishes a lot of control from the user, to potentially untrusted or untrustworthy pieces of software, and that, I think, is a fundamentally bad idea.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Well I am 6 feet three inches tall, and by definition, my height at least puts me in the troll ballpark as far as physical attributes go.
"Troll - a race of giants. They appear in various Northern mythologies. In Norse mythology Trolls are represented as a type of goblin."
I also have been "goblin" my lunch recently - I should slow down and take my time - it's better for digestion.
To paraphrase a movie title - "The Mods Must Be Crazy."
I just found it interesting that the first two Google links talked about a Blackhat convention, and the article on flash BIOSes made me think that it would not be too hard to create an EXE (Dell does this with their BIOS updates) to exploit flash BIOS vulnerabilities.
Well, gotta go now - some goats want to cross my bridge - and it ain't happening!
"Let us raise a standard to which the wise and honest can repair" - George Washington
Hehehehe... Having tinkered with Asterisk, I'll second that =:-> And all of those SIP phones (Esp. Polycom's) have their own set of poorly documented flaming hoops to jump through.
Nice tagline =:->
---
Play Six Pack Man. I
Skype's protocol has some pretty nice traffic-shaping evasion stuff built in. It's notoriously hard to block. If its proprietary protocol was better known, then ISPs and telecoms could start to block or slow its traffic...which would dramatically reduce the value of that protocol to users. (Unless Net Neutrality goes in, but then there's all sorts of legal kerfuffle about telecoms trying to monopolize VoIP anyway.)
Wouldn't it be nice if the operating system helped you protect it from intrusive applications? No, you don't get to silently spam half-baked crap into /etc/rc.d/init.d just because you actually need sufficient privilege to do some other thing on install. No, my registry is NOT a free-for-all; you get to put just what you need in there and not go on a fishing expedition or 'fix' stuff you're not compatible with. No, the BIOS isn't for you because you're just a VOIP app and have no business whatsoever mucking around with the nonvolatile CMOS I need to boot. No, I don't need a fourth JVM crammed into my PATH, thanks.
Right on!
Coming from the Mac world, where I know there's most often no technical reason why an app couldn't just be drag-and-drop "installed" (i.e. just copy the app bundle to wherever the hell you want it and run it from there), I raise a suspicious eyebrow every time I download some program which should be entirely a userland thing (a game, a document or media editor or player of some sort, etc) which insists that I run an installer program that asks me for an admin password. I feel like asking the devs, "Why exactly do you need write access to anything outside your app bundle? Give me a damn good reason why I should entrust my system to you."
I want my OS to serve me like I want my government to serve me: stay out of my way unless I ask it for something (and have useful services available for the asking), except to keep people from doing bad things to me and my property, in which case I want it to proactively defend me. This means that no programs are running that I don't want running or don't know are running; nothing can *get* running without my telling it to or at least granting it permission to; and no files get written anywhere, perhaps outside of a few sandbox areas like the user's Preferences folder, without my permission.
OSX does most of this right already. The only more-stringent thing I would really ask for is that installers/etc which ask for an admin password not just get blanket permission to do whatever they want; I'd prefer it if the system instead told me, for each item the app wanted to install, that:
"The application FooBar wants permission to create the folder "Beezelbub" in System/Library/YourMom/. The justification it provides for this is:
Beezelbub is a video codec needed to play cutscenes in FooBar: The Quest For Metasyntax.
Do you wish to allow FooBar to create this item? [Yes] [Yes To All] [No] [No To All]."
And if you click one of the "Yes" buttons, THEN it prompts you for an admin password.
Of course, the app would be allowed to write whatever the hell it wants into folders it creates, so you don't have to get this prompt for every one of the thousand little files that some library or codec might include, unless those files are scattered to the winds and not in one nice neat package like they should be. Currently existing apps of course would not have such justification strings built into them, but even still, this would be a more secure way that would allow users who care to selectively allow the installation of crap on their system. And of course, users who don't care can always say "Yes To All" and be no worse off than they are today.
But users like me would feel much less suspicious, no longer wondering "what the heck does this installer want with my admin password? Why does this program need an installer in the first place?"
A related thing I might like would be if the system notified me any time any program tried to open up a network connection of any sort; to which I could say "allow", "always allow" (for trusted things), "disallow", or "always disallow" (for things you think are spyware). Include similar justification strings as the above dialogue does. This would work well to combat any sort of trojan spyware you might have gotten (that is, programs you downloaded and installed yourself, which are sending data to someone that you don't want it to send; since the way O
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."
Unless you're constantly updating the BIOS, anything it got from there would NOT be random at all. In fact, it probably wouldn't change a bit (save some of the hardware info if you added new hardware, I guess).
You couldn't find very much that would be worse than that if you want random numbers!
Now, they COULD be using it to attempt to uniquely identify any given computer. That would make a lot more sense (though it would not be foolproof).
NTVDM, the DOS emulator in NT, needs a BIOS image in place for DOS programs to use, since many depend on it. Rather than provide such an image with NT, Microsoft decided just to map the real image into user space at 000F0000 on request. This is done with the (officially) undocumented system call NtVdmControl.
Other than perhaps revealing a unique identifier, there isn't a security risk to allowing unprivileged programs access to it. The mapping is read-only, and only the BIOS and video BIOS can be mapped this way.
I don't know why they want the BIOS so much. The Windows product key, the primary MAC address and the computer SID all make good identifiers if you combine them.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
I don't think it's likely that they are sending the BIOS to their servers. I have no idea what they're doing with it, but I don't feel like bypassing their anti-debug stuff to find out. Like others here have mentioned, it's most likely just to get a unique identifier.
My understanding of fair use law is that the proportion of copied code matters. Copying a few paragraphs from a book to comment on them is clearly fair use. However, commentary on this program would necessarily be a complete copy because the program is so small. See point 3 on Wikipedia.
See Microsoft ClickOnce deployment for .NET for just what you're describing. The default security is *just like* a Java sand-boxed applet, and applications need to define any greater access to other resources.
http://msdn2.microsoft.com/en-us/vstudio/aa700952.aspx
Personally I don't like it -- too hard for the developer, and end users will just click OK anyway. Look into their scheme for certificates to secure this, from both the developer and the "publisher", to see a real mess that no end user will understand. The article is from the .NET 2.0 docs, so I wonder if they're downplaying this feature?
tomorrow who's gonna fuss
http://gizmoproject.com/
http://www.michaelrobertson.com/archive.php?minute_id=177
http://www.petefreitag.com/item/522.cfm
http://www.randomthink.net/blog/2005/07/08/skype-vs-gizmo-project/
http://voip.about.com/od/voipsoftware/a/gizmoproject.htm
-avi
For example, if you want to generate a UID from what unique stuff you can get on a machine... you can peek at the bios version, look at the scsi serial (did you know every scsi drive has a unique serial number?), mac address...
/\/\icro/\/\uncher
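The earlier remark that BIOS contents are stable rather than random, and this post's list of hardware facts, point at the same property: such data makes a per-machine identifier, not an entropy source. The following is an added example, not code from this thread, that shows both halves. The hardware values and the "ROM dump" are constructed, and the application key is a placeholder; the HMAC construction is my own suggestion for how an app could derive an identifier that a second party cannot trivially correlate.

```python
import hashlib
import hmac
import math
from collections import Counter

# Constructed sample of the kind of hardware facts a program could read;
# none of these values come from a real machine.
SAMPLE_HARDWARE = {
    "bios_version": "A07 2006-11-20",
    "board_serial": "EXAMPLE-SN-000123",
    "mac_address": "00:11:22:33:44:55",
}

# Constructed stand-in for a BIOS ROM dump: mostly padding plus repeated
# strings, which is exactly what makes it a poor source of randomness.
SAMPLE_BIOS_DUMP = (
    b"\xff" * 200
    + b"BIOS v1.0 EXAMPLE SN-000123 " * 6
    + b"\x00" * 120
)

# Placeholder application key (assumption: a real app would keep its own).
APP_KEY = b"placeholder-app-key"


def machine_fingerprint(facts, app_key):
    """Derive a stable per-machine identifier from hardware facts.

    The facts are canonicalised (sorted keys, one per line) so the result
    does not depend on dict ordering, then keyed-hashed.  Keying with an
    application-specific secret means two apps reading the same hardware
    get unrelated identifiers unless they share the key.
    """
    canonical = "\n".join(f"{k}={facts[k]}" for k in sorted(facts)).encode()
    return hmac.new(app_key, canonical, hashlib.sha256).hexdigest()


def shannon_entropy_bits_per_byte(data):
    """Estimate entropy of a byte string; 8.0 is the ceiling for ideal random data."""
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def demonstrate():
    """Show stability of the identifier and the low entropy of the dump."""
    first = machine_fingerprint(SAMPLE_HARDWARE, APP_KEY)
    second = machine_fingerprint(dict(SAMPLE_HARDWARE), APP_KEY)
    changed = dict(SAMPLE_HARDWARE, mac_address="00:11:22:33:44:66")
    third = machine_fingerprint(changed, APP_KEY)
    entropy = shannon_entropy_bits_per_byte(SAMPLE_BIOS_DUMP)
    return {
        "stable_across_reads": first == second,
        "changes_with_hardware": first != third,
        "bios_entropy_bits_per_byte": entropy,
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

Run it and the identifier comes out identical on every read until a hardware fact changes, while the constructed ROM image scores well under 4 bits of entropy per byte, so anyone seeding a random number generator from it would be fooling themselves.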
I can recommend Gizmo Project. I've used their SIP-based service without hiccups from my Windows laptop and my Mac desktop for over a year now. It even works with third-party softphone apps, on my WiFi-enabled Windows Mobile device...
First, if you took all the applications that read BIOS for some reason and printed their names, you would need to replace your ink cartridge before you were done. What makes this different? If BIOS reads were such a dangerous violation of privacy, how come any application can read it, even as a limited user, since the PC stone age! If one wants to yell Fire in a crowded building, let's start by creating a list of applications that read BIOS, find out how many years they have been doing it, and make a list. I would be much more worried about the little yellow dots on your documents you printed on your printer than the master database of mother board numbers kept by the pentagon. One thing is for sure, this story just set back the possibility of intelligent life forms stopping at this bus stop of a rock for at least 10 more years.
Black Gray White Hats Unite to protect http://testing.OnlyTheRightAnswers.com
>Processor serial numbers are about as innocuous as a privacy concern as if you used your grocery store loyalty card. To say that someone is going to target you because you have a certain loyalty to the grocery store is ludicrous.
The dangers of grocery store loyalty cards include going to jail.
http://forums.tomcoyote.org/index.php?showtopic=74921&view=findpost&p=346242
/. is ultimate FUD nest
it looks like
Skype started out well enough, but as it gained popularity it was bought by the Electronic bay of thieves, the people who know about all sorts of shill bidding and purchases to defraud people but do nothing about it unless it gets so much media attention that it brings down heat that threatens their cut. There are one or two people not happy about abuses of paypal, another thing they bought with their ill gotten gains. And I expect the list continues to grow. Not that that is important to support the concern that this action is wrong. Stealing information from your system and sending it home to be tracked, and not even disclosing that action, should be enough to concern anyone in this age of privacy violations and identity theft. Looks like this is just another black mark on this corporation's record.
I'm an American. I love this country and the freedoms that we used to have.
Actually, the current e-bay ownership is the primary reason I will not use it. You may feel otherwise, but I think they are one of the most evil companies on the Internet (after MS, of course).
No, the easiest way to check what kind of processor is with the CPUID instruction.
It is so eBay can prepare future pages for you to sell your computer.
Does this BIOS call have anything to do with the soft lock problem encountered by me and many other Ubuntu users? My guess is not, but I don't know enough about these things to guess with much confidence.
I ran Skype with filemon and it didn't access a single .com file on my machine. Maybe the article's author should install a virus scanner lol.
Can anyone else reproduce this behavior? Perhaps Slashdot should start doing more thorough fact checking on their articles.
If they hadn't been ignorant of Win64's lack of NTVDM, nobody would've noticed this happening.
First off, anyone stupid enough to use Skype and IGNORE their EULA is probably having their bank account cleared out by someone while they're on vacation since they are probably VERY careless with their personal data on the Internet too.
It's quite obvious to me how this is used. If the CPU and other hardware information score high enough, this is part of how SKYPE likely uses your PC (oh yeah, violating the terms of service with your ISP at the same time, because you host stuff, right?) to activate the SKYPE Hub-to-Hub protocol.
This is just one of the many reasons why the SKYPE network is untrustworthy, because it's almost impossible to keep your PC from being elevated if they determine your network configuration and hardware profile makes a good candidate as a SKYPE switchboard operator.
Maybe you could create an empty read-only file named "1.com" and place it here:
C:\Documents and Settings\[name]\Local Settings\Temp\12\1.com
Then Skype would be unable to create the file. (Does Skype always use "12"?)
-Or if your file system is formatted NTFS and you don't use any 16-bit applications you could disable execute permission for ntvdm.exe. I saw this as a suggestion for stopping certain trojans. (I have FAT32, so CACLS won't change the execute permission, ATTRIB can't do that... I tried renaming ntvdm.exe, but windows promptly recreated it. I don't know what system process did that, or if it can be disabled.)