Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Does Skype Read the BIOS?

Posted by kdawson on from the phone-home dept.

pfp writes "Myria at pagetable.com, among others, noticed that Skype reads the machine's BIOS code on startup. This probably would've gone unnoticed if the operation didn't fail on 64-bit windows. From the post: 'It's dumping your system BIOS, which usually includes your motherboard's serial number, and pipes it to the Skype application. I have no idea what they're using it for, or whether they send anything to their servers, but I bet whatever they're doing is no good given their track record... If they hadn't been ignorant of Win64's lack of NTVDM, nobody would've noticed this happening.'"

19 of 327 comments (clear)

  1. About figures by TopSpin · · Score: 5, Insightful

    Wouldn't it be nice of the Operating System helped you protect it from intrusive applications? No, you don't get to silently spam half baked crap into /etc/rc.d/init.d just because the you actually need sufficient privilege to do some other thing on install. No, my registry is NOT a free-for-all; you get to put just what you need in there and not go on a fishing expedition or 'fix' stuff you're not compatible with. No, the BIOS isn't for you because you're just a VOIP app and have no business whatsoever mucking around with the nonvolatile CMOS I need to boot. No, I don't need a fourth JVM crammed into my PATH, thanks.

    Vendors would be forced to detail the mucking around they do, probably leading to much less mucking around in general. Indifferent users could just do what they always do and bang on the 'accept/yes/ok' widgets. Those of us who know enough to care (or get paid to) would then have an actual chance.

    Too much to ask I guess.

    --
    Lurking at the bottom of the gravity well, getting old
    1. Re:About figures by albertost · · Score: 3, Insightful

      Pros: You don't wind up with a corrupted registry and DLL hell because every app ships with its own copies of the libraries it needs. If Microsoft did that, noone would consider that a "pro"
  2. Re:Processor info? by repvik · · Score: 5, Insightful

    Reading your BIOS to determine CPU ain't gonna be useful. I doubt any BIOSes store info on which CPU is on the board. Especially since there's easy ways to identify the CPU. I bet windows has a syscall that gives you CPU information.

  3. Go to the source by ZX3+Junglist · · Score: 5, Insightful

    Has anyone asked them for their explanation? I feel now would be a good time for them to exercise their right to tell us why they do this.
    Might I suggest mailto:info@skype.net

    I would do so I myself, but I assume there's a paying Skype user here who would garner a bit more attention than I would.

  4. Re:What about Macs ? by Ash-Fox · · Score: 3, Insightful

    Use a debugger.

    The amount of information required to teach one how to use a debugger and understand it goes far beyond the amount of text Slashdot would even allow in a single post. However there are many websites on Google that can help you learn with this matter.

    Good hunting.

    --
    Change is certain; progress is not obligatory.
  5. Re:Here's a question for you.... by Ash-Fox · · Score: 5, Insightful

    I once read somewhere that the only identifying information that you could legally acquire, being installed on someone's computer, was MAC, IP, and Nickname. Anything else (Pentium 3 fiasco, anyone?) constituted a breach of privacy.
    I doubt it. Besides, one can change their Mac address, IP address and 'Nickname' without replacing hardware.

    You don't need to know what CPU or HDD I have installed - the only reason you would want to would be to directly target advertisements at their own users, concerning their own fucking hardwaer.
    Or maybe... Just maybe... They could make design decisions based on the majority of users.

    What proccessor speed do the majority have? What OS? How much RAM? How much harddrive space?

    It's important to know about who you're making software for.

    If Skype did that, they'd lose not every bit of faith from me
    Did you know Skype is owned by Paypal and eBay now?

    I can guarantee you that IT is so stupid they'd drop Skype and install Asterisk on a whim if I told them too, since I usually end up having to fix their intranet when it goes down.
    Asterisk and what? What SIP providers? What solution exactly? -- Asterisk is not a easy solution to setup compared to Skype. The end user can setup Skype, but Asterisk? I doubt it.
    --
    Change is certain; progress is not obligatory.
  6. Re:Random generator? by ZX3+Junglist · · Score: 2, Insightful

    There's not anything more random in the BIOS than there is somewhere unprotected.

  7. Re:Serves You Right by animaal · · Score: 3, Insightful

    If you run closed-source software on your machine, then you deserve everything you get support that isn't limited to that old open-source favourite advice, "RTFM"?
  8. Re:Identification? by AndrewStephens · · Score: 2, Insightful

    Good theory, in theory the SMBIOS tables (which is what I think they are trying to read) can contain serial numbers for the motherboard, etc. But in practice these fields are often blank or change after every BIOS update, making them useless for identification.

    --
    sheep.horse - does not contain information on sheep or horses.
  9. Re:Finally... by Lurks · · Score: 4, Insightful
    The thing is, what Skype did was take VOIP and turn it into an actual consumer usable product. Actual real IP phones are indeed based on an open standard but it's a really really stupid standard. Seriously, buy one and visit the configuration web page for it. I've tried many with several real VOIP services and they are pretty much a pain to set up even if you do know what you're doing, and as products they're under polished and buggy. That's today, go back to when Skype started up and these things were even *worse*.

    So yeah it's a closed standard because, not for the first time, a company sitting down to design a protocol and infrastructure from scratch often comes up with something remarkably better than designed-by-commitee products.

    Now I'm not saying everyone should dump stuff and go to Skype, I still find their service haphazard and buggy at best particularly when using the Skype in/out functionality. However I think a bit of respect is due for a company that realised the killer application and went on to deliver in a consumer friendly manner that was genuinely useful and, more or less, single handedly forged the entire consumer idea of net phones full stop.

  10. Re:Goddammit ! It is FREE so what do you care ? by morie · · Score: 4, Insightful

    so it is free but still requires something from me. To me, that is the difference between free and not free. Hence, skype seems not to be free, but to be paid for with information.

    --
    Sig (appended to the end of comments I post, 54 chars)
  11. Re:They could have used Win32 calls by Tony+Hoyle · · Score: 2, Insightful

    you make the assumption there that win32 calls are available, I'm running Linux.

    It makes sense to try and keep the code as cross platform as possible.


    If Win32 isn't available you're probably running on a proper OS that wouldn't let you map the BIOS anyway, so they might has well have used the Win32 calls in the first place.

    It's just an example of poor programming.

  12. Re:Serves You Right by Anonymous Coward · · Score: 2, Insightful

    Probably that myth that having open source gets your better, safer, bug free software - because of COURSE skilled coders are spending huge amounts of time sifting through thousands and thousands of lines of other peoples code. I mean, I've been coding for 20+ years now and it's what I like to do with my spare time.

    Yah right. Do you have any idea how few good coders there are? Now add that to the chance they happened to write nothing but open source (yah, cause you can make so much money doing that). See the picture? Reality: Most open source code is written by semi-good coders - which means, oh boy, walking the code is gonna be an exercise in torture (it's only one step below that when it is good code, btw).

    Coders do NOT like to walk through other peoples code. (Yah yah whatever, someone will claim they do. I call horse pucky) And then again, why would you trust some other person. The ONLY way this 'open-source' code is safe is because YOU take the time to read through, analyze and understand what it's doing. That's a joke. SURE having it as open source AFTER something bad happens is nice - you've got the 'bad' code sitting right there. But this idea that BECAUSE it's open source, it's not doing anything bad....well that's right up there with since it's a Mac it must be safe. Wait, you probably think that too as it's the same sort of kool-aid.

  13. Re:Goddammit ! It is FREE so what do you care ? by aesova · · Score: 5, Insightful

    That's a reasonable perspective, but if you are, as you say, "paying with information," wouldn't you prefer that your decision to do so be an informed one? After all, Skype doesn't appear to be particularly straightforward with this information, and therefore your payment is taken without your knowledge, which could be considered by some to be fraudulent.

    --
    If bullshit were music, you'd be a brass band.
  14. Re:Don't like it one bit. by Gr8Apes · · Score: 5, Insightful

    the original hardcoded MAC address is always visible to the OS somehow. Just changing the setting does not lose that information. I was under the impression that there was no such thing as a hard-coded number. Why do I say this? Because one fine day many years ago I received a shipment of 100 ethernet cards all with identical MACs. That was one fun day as those cards rolled out into the network...

    Processor serial numbers are about as innocuous as a privacy concern as if you used your grocery store loyalty card. To say that someone is going to target you because you have a certain loyalty to the grocery store is ludicrous. I don't share your ambivalence, yet agree with your point. They might haul you into jail, however, for buying large amounts of plastic forks, rubbing alcohol, and a couple of other items though.

    Uniquely identifying systems is ESSENTIAL to the current internet and DRM problems. Wrong. It's completely irrelevant and impossible to uniquely identify a system on the internet. It is ESSENTIAL to have unique connections. Identity is essential for law enforcement types, not the internet. For instance, do I care that I connect to machine 1 or 1,000,000 of those answering for google.com? DRM in this scenario is irrelevant, and any argument in support of that is already terminally flawed. (DRM's problems are that DRM exists at all)

    Just think, if a processor serial number had become a standard, they may not have decided so fast that they needed TPM and per-machine iTunes authorizing so hackneyed, and so on. Of course you can be uniquely identified on the internet. How much crazy hashing crap like this would it have made totally unecessary? TPM exists purely to serve DRM. See above. QED.

    --
    The cesspool just got a check and balance.
  15. Re:What about Macs ? by qazsedcft · · Score: 2, Insightful

    If you run a VM that emulates the entire PC and run Windows inside it you can get a dump of everything, no matter where it is cached. They have NO way to look outside the VM and NO way to hide anything inside the VM. Please do contradict me if I'm wrong because this would be very interesting, but AFAIK there is no way to get around this.

  16. Re:What about Macs ? by blank+axolotl · · Score: 2, Insightful

    Whoa! Good link.

    So, Skype censors text messages in China, and has some kind of blacklist there too. That's news to me. Scary.

    I also didn't realize companies go to such lengths to obfuscate their code. Putting all that work into obfuscation seems pointless as somebody is going to be able to undo it, as demonstrated by the link. As pointed out there, the fact that it's obfuscated is what makes it interesting to understand. Like the act of reading the bios, it hints that there's something sinister hidden (like censorship).

  17. Re:Don't like it one bit. by Sancho · · Score: 2, Insightful

    TPM has a distinctly separate use, even within open source computing.

    Bruce Potter pointed this out at DefCon 14 this past year. He noted that, with TPM, you can basically be assured of a protected path from bootup until your OS takes control through signing the bootloader. In theory, this makes it possible for computers to effectively be tamper-proof. Trojaning the bootloader would be immediately noticed (in the case of signing) or impossible (in the case of encrypting--though the machine's BIOS would have to support something like that.

    I encourage you to try to find his talk online. It definitely opened my eyes. Before, much like you, I felt that TPM was only useful for restricting ones rights. Now that I realize that there is another potential use, my opinion is certainly different.

    As Bruce says, TPM is not evil, it is a tool.

  18. Re:Don't like it one bit. by Alsee · · Score: 3, Insightful

    No, the TPM design is indeed inherently evil.

    Your explanation otherwise... it's like citing the vitamins and minerals in a poisoned apple. Apples where you are forbidden to have anything but an apple with a cyanide pill inside. The TPM is explicitly designed to secure the computer against the owner, the TPM technical specification even explicitly refers to the owner as an "attacker" to be defended against. Yes, I have read the entire (several hundred pages) TPM technical specification.

    You very can easily get *all* of the benefits for the owner, including the secure startup you reference, and eliminate the cyanide pill and eliminate *all* of the abuses, from virtually identical hardware that is *not* secured against the owner.

    The problem with the TPM, the cyanide pill that makes it inherently evil, is the fact that the owner is forbidden to know his own master key. In technical terms we are talking about the PrivEK - Private Endorsement Key. (* footnote)

    Take absolutely identical hardware with absolutely identical capabilities, and simply offer people the option to receive a printed copy of their PrivEK (their master key) along with their machine when they buy it. Simple as that. It is identical hardware with identical capabilities to secure your computer for you. The mere fact that you may *know* your own master key (if you wanted it) does not alter that functionality. However the fact that you can know your master key then means that your computer cannot be secured against you. With your master key you can control and alter your security settings at will. With your master key you can override any lockout and escape any lock-in. With your master key you can ensure you can unlock your own encrypted files if you need to.

    The Trusted Computing Group and the Trusted Computing specifications absolutely *forbid* you to ever get your master key. They forbid you to have an apple without the cyanide pill inside. A poisoned apple is not a "neutral tool" because it has vitamins and minerals in it... not when you are being forbidden to have normal nutritious non-poisoned apples. Not when you could so easily get all of the benefits and eliminate all of the abuses.

    (*)Footnote: Being able to know your PrivEK is the minimum to guarantee you can maintain full control over your computer, but for very technical reasons only knowing your PrivEK leads to a more complex and less secure solution. You really want both your PrivEK and your RSK - Root Storage Key. Aside from the option to get a printed copy of your PrivEK, the chip should gain a single added function - the ability to output the RSK encrypted to the PrivEK. That keeps the RSK properly secured and only usable in conjunction with the PrivEK.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.