Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Does Skype Read the BIOS?

Posted by kdawson on from the phone-home dept.

pfp writes "Myria at pagetable.com, among others, noticed that Skype reads the machine's BIOS code on startup. This probably would've gone unnoticed if the operation didn't fail on 64-bit windows. From the post: 'It's dumping your system BIOS, which usually includes your motherboard's serial number, and pipes it to the Skype application. I have no idea what they're using it for, or whether they send anything to their servers, but I bet whatever they're doing is no good given their track record... If they hadn't been ignorant of Win64's lack of NTVDM, nobody would've noticed this happening.'"

12 of 327 comments (clear)

  1. About figures by TopSpin · · Score: 5, Insightful

    Wouldn't it be nice of the Operating System helped you protect it from intrusive applications? No, you don't get to silently spam half baked crap into /etc/rc.d/init.d just because the you actually need sufficient privilege to do some other thing on install. No, my registry is NOT a free-for-all; you get to put just what you need in there and not go on a fishing expedition or 'fix' stuff you're not compatible with. No, the BIOS isn't for you because you're just a VOIP app and have no business whatsoever mucking around with the nonvolatile CMOS I need to boot. No, I don't need a fourth JVM crammed into my PATH, thanks.

    Vendors would be forced to detail the mucking around they do, probably leading to much less mucking around in general. Indifferent users could just do what they always do and bang on the 'accept/yes/ok' widgets. Those of us who know enough to care (or get paid to) would then have an actual chance.

    Too much to ask I guess.

    --
    Lurking at the bottom of the gravity well, getting old
    1. Re:About figures by albertost · · Score: 3, Insightful

      Pros: You don't wind up with a corrupted registry and DLL hell because every app ships with its own copies of the libraries it needs. If Microsoft did that, noone would consider that a "pro"
  2. Re:Processor info? by repvik · · Score: 5, Insightful

    Reading your BIOS to determine CPU ain't gonna be useful. I doubt any BIOSes store info on which CPU is on the board. Especially since there's easy ways to identify the CPU. I bet windows has a syscall that gives you CPU information.

  3. Go to the source by ZX3+Junglist · · Score: 5, Insightful

    Has anyone asked them for their explanation? I feel now would be a good time for them to exercise their right to tell us why they do this.
    Might I suggest mailto:info@skype.net

    I would do so I myself, but I assume there's a paying Skype user here who would garner a bit more attention than I would.

  4. Re:What about Macs ? by Ash-Fox · · Score: 3, Insightful

    Use a debugger.

    The amount of information required to teach one how to use a debugger and understand it goes far beyond the amount of text Slashdot would even allow in a single post. However there are many websites on Google that can help you learn with this matter.

    Good hunting.

    --
    Change is certain; progress is not obligatory.
  5. Re:Here's a question for you.... by Ash-Fox · · Score: 5, Insightful

    I once read somewhere that the only identifying information that you could legally acquire, being installed on someone's computer, was MAC, IP, and Nickname. Anything else (Pentium 3 fiasco, anyone?) constituted a breach of privacy.
    I doubt it. Besides, one can change their Mac address, IP address and 'Nickname' without replacing hardware.

    You don't need to know what CPU or HDD I have installed - the only reason you would want to would be to directly target advertisements at their own users, concerning their own fucking hardwaer.
    Or maybe... Just maybe... They could make design decisions based on the majority of users.

    What proccessor speed do the majority have? What OS? How much RAM? How much harddrive space?

    It's important to know about who you're making software for.

    If Skype did that, they'd lose not every bit of faith from me
    Did you know Skype is owned by Paypal and eBay now?

    I can guarantee you that IT is so stupid they'd drop Skype and install Asterisk on a whim if I told them too, since I usually end up having to fix their intranet when it goes down.
    Asterisk and what? What SIP providers? What solution exactly? -- Asterisk is not a easy solution to setup compared to Skype. The end user can setup Skype, but Asterisk? I doubt it.
    --
    Change is certain; progress is not obligatory.
  6. Re:Serves You Right by animaal · · Score: 3, Insightful

    If you run closed-source software on your machine, then you deserve everything you get support that isn't limited to that old open-source favourite advice, "RTFM"?
  7. Re:Finally... by Lurks · · Score: 4, Insightful
    The thing is, what Skype did was take VOIP and turn it into an actual consumer usable product. Actual real IP phones are indeed based on an open standard but it's a really really stupid standard. Seriously, buy one and visit the configuration web page for it. I've tried many with several real VOIP services and they are pretty much a pain to set up even if you do know what you're doing, and as products they're under polished and buggy. That's today, go back to when Skype started up and these things were even *worse*.

    So yeah it's a closed standard because, not for the first time, a company sitting down to design a protocol and infrastructure from scratch often comes up with something remarkably better than designed-by-commitee products.

    Now I'm not saying everyone should dump stuff and go to Skype, I still find their service haphazard and buggy at best particularly when using the Skype in/out functionality. However I think a bit of respect is due for a company that realised the killer application and went on to deliver in a consumer friendly manner that was genuinely useful and, more or less, single handedly forged the entire consumer idea of net phones full stop.

  8. Re:Goddammit ! It is FREE so what do you care ? by morie · · Score: 4, Insightful

    so it is free but still requires something from me. To me, that is the difference between free and not free. Hence, skype seems not to be free, but to be paid for with information.

    --
    Sig (appended to the end of comments I post, 54 chars)
  9. Re:Goddammit ! It is FREE so what do you care ? by aesova · · Score: 5, Insightful

    That's a reasonable perspective, but if you are, as you say, "paying with information," wouldn't you prefer that your decision to do so be an informed one? After all, Skype doesn't appear to be particularly straightforward with this information, and therefore your payment is taken without your knowledge, which could be considered by some to be fraudulent.

    --
    If bullshit were music, you'd be a brass band.
  10. Re:Don't like it one bit. by Gr8Apes · · Score: 5, Insightful

    the original hardcoded MAC address is always visible to the OS somehow. Just changing the setting does not lose that information. I was under the impression that there was no such thing as a hard-coded number. Why do I say this? Because one fine day many years ago I received a shipment of 100 ethernet cards all with identical MACs. That was one fun day as those cards rolled out into the network...

    Processor serial numbers are about as innocuous as a privacy concern as if you used your grocery store loyalty card. To say that someone is going to target you because you have a certain loyalty to the grocery store is ludicrous. I don't share your ambivalence, yet agree with your point. They might haul you into jail, however, for buying large amounts of plastic forks, rubbing alcohol, and a couple of other items though.

    Uniquely identifying systems is ESSENTIAL to the current internet and DRM problems. Wrong. It's completely irrelevant and impossible to uniquely identify a system on the internet. It is ESSENTIAL to have unique connections. Identity is essential for law enforcement types, not the internet. For instance, do I care that I connect to machine 1 or 1,000,000 of those answering for google.com? DRM in this scenario is irrelevant, and any argument in support of that is already terminally flawed. (DRM's problems are that DRM exists at all)

    Just think, if a processor serial number had become a standard, they may not have decided so fast that they needed TPM and per-machine iTunes authorizing so hackneyed, and so on. Of course you can be uniquely identified on the internet. How much crazy hashing crap like this would it have made totally unecessary? TPM exists purely to serve DRM. See above. QED.

    --
    The cesspool just got a check and balance.
  11. Re:Don't like it one bit. by Alsee · · Score: 3, Insightful

    No, the TPM design is indeed inherently evil.

    Your explanation otherwise... it's like citing the vitamins and minerals in a poisoned apple. Apples where you are forbidden to have anything but an apple with a cyanide pill inside. The TPM is explicitly designed to secure the computer against the owner, the TPM technical specification even explicitly refers to the owner as an "attacker" to be defended against. Yes, I have read the entire (several hundred pages) TPM technical specification.

    You very can easily get *all* of the benefits for the owner, including the secure startup you reference, and eliminate the cyanide pill and eliminate *all* of the abuses, from virtually identical hardware that is *not* secured against the owner.

    The problem with the TPM, the cyanide pill that makes it inherently evil, is the fact that the owner is forbidden to know his own master key. In technical terms we are talking about the PrivEK - Private Endorsement Key. (* footnote)

    Take absolutely identical hardware with absolutely identical capabilities, and simply offer people the option to receive a printed copy of their PrivEK (their master key) along with their machine when they buy it. Simple as that. It is identical hardware with identical capabilities to secure your computer for you. The mere fact that you may *know* your own master key (if you wanted it) does not alter that functionality. However the fact that you can know your master key then means that your computer cannot be secured against you. With your master key you can control and alter your security settings at will. With your master key you can override any lockout and escape any lock-in. With your master key you can ensure you can unlock your own encrypted files if you need to.

    The Trusted Computing Group and the Trusted Computing specifications absolutely *forbid* you to ever get your master key. They forbid you to have an apple without the cyanide pill inside. A poisoned apple is not a "neutral tool" because it has vitamins and minerals in it... not when you are being forbidden to have normal nutritious non-poisoned apples. Not when you could so easily get all of the benefits and eliminate all of the abuses.

    (*)Footnote: Being able to know your PrivEK is the minimum to guarantee you can maintain full control over your computer, but for very technical reasons only knowing your PrivEK leads to a more complex and less secure solution. You really want both your PrivEK and your RSK - Root Storage Key. Aside from the option to get a printed copy of your PrivEK, the chip should gain a single added function - the ability to output the RSK encrypted to the PrivEK. That keeps the RSK properly secured and only usable in conjunction with the PrivEK.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.