Slashdot Mirror
Why Does Skype Read the BIOS?
pfp writes "Myria at pagetable.com, among others, noticed that Skype reads the machine's BIOS code on startup. This probably would've gone unnoticed if the operation didn't fail on 64-bit windows. From the post: 'It's dumping your system BIOS, which usually includes your motherboard's serial number, and pipes it to the Skype application. I have no idea what they're using it for, or whether they send anything to their servers, but I bet whatever they're doing is no good given their track record... If they hadn't been ignorant of Win64's lack of NTVDM, nobody would've noticed this happening.'"
This is a random guess, but it could be part of skype determining the make and model of your CPU. They had made a deal with Intel a while back to only allow large conferences on their processors, and the BIOS reading could be part of that or anticipation of other deals to come.
What is mankind really? Well, it's just two words put together Mank, and ind.
What is Skypes bad history?
riding round the world on an old motorcycle
nothing to see here. move along.
we are not spying on you. we swear.
oh btw.. your wife is cheating on you.
What better unique identifier than the system bios? Ip addresses are becoming less reliable since many people use wireless internet and mobile phones for skype.
Skype is probably just looking for abusive users who sign up for their low margin unlimited calling plan only to share it with their relatives and friends accross the world. If they say detect say 5 different machines calling 5 different people all within a span of 10 minutes, then something is likely wrong.
Of course they could just be collecting system info such as the system manufacturer, processor type, number of processors, sound card, etc. This could be combined with the survey results regarding phone quality they ask you to take after every few calls. In the end it could result in a better product and better service. Of course many other software products already do this (such as firefox, ms windows, ms office) but they are more open about it and at least give you the option of participating.
Wouldn't it be nice of the Operating System helped you protect it from intrusive applications? No, you don't get to silently spam half baked crap into /etc/rc.d/init.d just because the you actually need sufficient privilege to do some other thing on install. No, my registry is NOT a free-for-all; you get to put just what you need in there and not go on a fishing expedition or 'fix' stuff you're not compatible with. No, the BIOS isn't for you because you're just a VOIP app and have no business whatsoever mucking around with the nonvolatile CMOS I need to boot. No, I don't need a fourth JVM crammed into my PATH, thanks.
Vendors would be forced to detail the mucking around they do, probably leading to much less mucking around in general. Indifferent users could just do what they always do and bang on the 'accept/yes/ok' widgets. Those of us who know enough to care (or get paid to) would then have an actual chance.
Too much to ask I guess.
Lurking at the bottom of the gravity well, getting old
Yeah, I'm shaking in my shoes thinking that eBay might steal my identity and sell my files to the government because their software might theoretically be able to read my bus speed and AGP window size.
I once read somewhere that the only identifying information that you could legally acquire, being installed on someone's computer, was MAC, IP, and Nickname. Anything else (Pentium 3 fiasco, anyone?) constituted a breach of privacy. Dunno if it's true, or not, but personally, I don't want you trying to identify what the hell makes up my system. Perhaps I'm building it SECRETLY for a fucking reason. You don't need to know what CPU or HDD I have installed - the only reason you would want to would be to directly target advertisements at their own users, concerning their own fucking hardwaer. If Skype did that, they'd lose not every bit of faith from me, but I'd go tell my company that I work for, which uses SKYPE on a regular basis. I can guarantee you that IT is so stupid they'd drop Skype and install Asterisk on a whim if I told them too, since I usually end up having to fix their intranet when it goes down.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Wait, I know the answer to this one!!
Because it was stapled to the punk rocker's face!!!1
Has anyone asked them for their explanation? I feel now would be a good time for them to exercise their right to tell us why they do this.
Might I suggest mailto:info@skype.net
I would do so I myself, but I assume there's a paying Skype user here who would garner a bit more attention than I would.
Because it's bored and can't find a good book.
... and then they built the supercollider.
... ...
To know what's written there.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
Can someone tell me how can I check if its doing the same on my Macbook?
Thanks
Read my bios settings, I have no problem with this. There is no information on my BIOS that I would consider sensitive, maybe a touch of chargin if if turns out I have my RAM config set wrong(?) but thats it.
Writing to my BIOS.... now thats a different matter and one I would take exception to.
In the not too distant future, next Sunday A.D.
If that is the case then transmission of that BIOS back to Skype HQ must be a breach of Phoenix/... copyright.
Look what they try to do if you or I copy someone's code ...
There's not anything more random in the BIOS than there is somewhere unprotected.
Dear Sir/Madam,
As a Skype customer (adpsimpson) and software developer who has used skype-out from across the world to stay in touch with folk at home, I read with some interest on http://slashdot.org/ this morning that Skype appears to read the system bios on start up.
While I am aware that there are legitimate reasons that some software may do this, I cannot immediately think what a VOIP application would require the data for.
Using closed source software is always a second-best from my point of view, especially in terms of privacy and transparency of the software's function - this in fact is what led me to Skype, since it runs on Linux. As such I am slightly concerned about unexpected application behaviour.
What does Skype do with this information? Is it transmitted across the network in any form? Is it identifiable?
I look forward to your response,
Yours,
Andrew Simpson
Is crushing a suspect's child's testicles illegal?
John Yoo: "No, [if] the President thinks he needs to do that."
I don't know why Skype is reading the BIOS, others have speculated that they are trying to generate a unique key from the SMBIOS tables or perhaps lock certain features to certain processors. Sounds plausible I guess.
What I do know is the Skype programmers are überl4m3rz; the BIOS can be mapped into a process's address space using perfectly good Win32 calls. Resorting to calling a COM program to read the memory is an incredibly cheap hack, and obviously a badly tested one.
sheep.horse - does not contain information on sheep or horses.
Good theory, in theory the SMBIOS tables (which is what I think they are trying to read) can contain serial numbers for the motherboard, etc. But in practice these fields are often blank or change after every BIOS update, making them useless for identification.
sheep.horse - does not contain information on sheep or horses.
I will only eat in restaurants that have a double door to the kitchen and a rabid security guard preventing entry. Everyone knows that the best kitchens never allow you to see what goes on inside. That is un-hygienic.
Neither do I ever check under the hood of my car. My wife insisted on that, she assured me she made sure the brakes work just fine afer she adjusted them with the box-cutter. So that is alright and she waved me goodbye so nicely, together with the poolboy, as I drove away for a week trip across the mountains.
Checking the work of a software company? Pah, next thing you will be insisting that the bible is translated into your native tongue so you can read it for yourselve and not have to rely on your religious leader to tell you what is inside it. INFIDEL!
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Perhaps the federal government requires them to make all phone calls traceable?
So yeah it's a closed standard because, not for the first time, a company sitting down to design a protocol and infrastructure from scratch often comes up with something remarkably better than designed-by-commitee products.
Now I'm not saying everyone should dump stuff and go to Skype, I still find their service haphazard and buggy at best particularly when using the Skype in/out functionality. However I think a bit of respect is due for a company that realised the killer application and went on to deliver in a consumer friendly manner that was genuinely useful and, more or less, single handedly forged the entire consumer idea of net phones full stop.
so it is free but still requires something from me. To me, that is the difference between free and not free. Hence, skype seems not to be free, but to be paid for with information.
Sig (appended to the end of comments I post, 54 chars)
No, the really cool thing about Skype is that it works and works very well.
The audio quality over my MacBook, through a public WiFi network, through a very restrictive firewall, across the net, through another anally restrictive corporate firewall, across a nearly saturated WAN, to my client's desk is much, much better than using my digital mobile phone.
The ease of use is great. We whip together video calls or conference calls all the time and never have to worry about getting a third party involved to set it up for us.
Being able to call out is fabulous also. I've spent a lot of time in ICU's lately where I'm not able to use the mobile phone, but am able to use the WiFi network. It is very neat to be able to phone from an ICU to pretty much anyone (Skype or phone) with the option for video if they are on Skype also.
The Jabber community just hasn't gotten their stuff together quick enough. There was plenty opportunity to beat Skype to market, but no one else, using open protocols, got the job done. I wish they would have.
Joe
Joe Batt Solid Design
http://www.blackhat.com/html/bh-europe-06/bh-eu-06 -speakers.html
That Blackhat link is very interesting, thanks. Deliberate spying behaviour aside, Skype doesn't seem a very trustworthy app!
>north
You're an immobile computer, remember?
I refuse to use Skype since it has it's own 'standard' and is not interoperable with SIP or any other standard and open VoIP protocol. It's also closed source so you don't know what it's doing. I hope a lot of these 'privacy' breaches will be uncovered and people will start seeing the benefit of having truly open source code.
Custom electronics and digital signage for your business: www.evcircuits.com
Probably that myth that having open source gets your better, safer, bug free software - because of COURSE skilled coders are spending huge amounts of time sifting through thousands and thousands of lines of other peoples code. I mean, I've been coding for 20+ years now and it's what I like to do with my spare time.
Yah right. Do you have any idea how few good coders there are? Now add that to the chance they happened to write nothing but open source (yah, cause you can make so much money doing that). See the picture? Reality: Most open source code is written by semi-good coders - which means, oh boy, walking the code is gonna be an exercise in torture (it's only one step below that when it is good code, btw).
Coders do NOT like to walk through other peoples code. (Yah yah whatever, someone will claim they do. I call horse pucky) And then again, why would you trust some other person. The ONLY way this 'open-source' code is safe is because YOU take the time to read through, analyze and understand what it's doing. That's a joke. SURE having it as open source AFTER something bad happens is nice - you've got the 'bad' code sitting right there. But this idea that BECAUSE it's open source, it's not doing anything bad....well that's right up there with since it's a Mac it must be safe. Wait, you probably think that too as it's the same sort of kool-aid.
Which is this mythical "support" people talk about?
I've NEVER heard of anybody calling MS support for say, routine Windows issues. At best, people would call the ISP when the connection went down. This is because most of those normal users don't have a clue of what a computer is, how it works, and whose fault it is when something doesn't work. They understand that their ISP provides their internet connection, so they call them, but they have no clue who to call when their computer breaks.
So they assume that something broke, or that they broke it, and just haul the box to the local PC shop, where they check it for spyware, etc. In fact, when I still did that sort of thing routinely, 90% of things people needed help with was due to various crap that got into the system (which doesn't even exist in Linux).
For the rest of issues, which would be the "Why does this page not work?" when the page insists on IE6 and only IE5 is installed and they don't know how to update it, they call their local friendly geek. These people, btw, are getting increasinly sick of Windows and switching to Linux. My life became a lot more relaxing since I started answering that I haven't even used XP, so I don't know how to fix it.
I am gonna repeat my grand conspiracy theory: It is my belief that eBay's purchase of Skype was somehow coaxed by the NSA/CIA and here is why: Ebay's purchase of Skype never made sense. Ebay could have included skypeout:// links in their auctions without spending a penny. That would be like saying slashdot can't use IM unless they buy AOL. Skype spent way above considered market value for Skype and their share holders have applied no real pressure to have it turn a profit. This makes the transaction suspicious. The reason of course if because prior to the eBay's purchase Skype was owned in Luxembourg and definitely not an ideal partner for eavesdropping on "terra'rists" (given those crazy European privacy laws). Given that the calls are encrypted, and that Skype does maintain the keys to decrypt those session, getting Skype under US subpeona power is a powerful tool for eavesdropping. Infact, because it is VoIP for most if not all of the calls, it can easily route traffic into the US were it can be picked up, decoded and monitored. Or, since it is known that open IP's become super nodes, Skype can naturally be coaxed into steering packets toward a super-node that can easily be monitored. I use to work for the company that wrote Carnivore. People got worked up over that? It was only the prototype.
They are most likely using this in combination with other more or less 'unique' things to identify a specific machine. It wouldn't surprise me if after this some people would do a more in-depth analysis of their code and find out that it also reads the serial number of the harddrive and gets the MAC address of the Ethernet adapter.
This seems pretty logical. Since they got rid of that hackneyed scheme a while back to give each processor a serial number (wait -- did they get rid of that?), some sort of hash of the BIOS memory, plus the Ethernet MAC, plus the HD serial number, all concatenated together, is probably as close to a unique identifier as you're likely to find on a "per machine" basis.
That said, it doesn't make me feel any better. I wasn't a fan of the processor serial number concept, and not just because it was a serial number in the processor; there were serious privacy concerns with any uniquely identifying, per-machine serialization concept, and that's true whether it's a dedicated number that's being used, or some sort of combination of semi-unique factors.
It's just one more piece of information, sitting in a database somewhere, that could be subpoenaed and used to generally cause trouble. Particularly given how close-mouthed the Skype people are about how their network actually operates (e.g. their alleged encryption, peer to peer communications), I'm not ready to run right out and trust them.
I wonder if it would be possible to run Skype in a sandbox, where the information it's fed could be carefully controlled? On further thought, I wonder what happens when you run it in VMWare or Wine? Do they actually pass information about the hardware up to guest applications? It seems like this behavior would be one that the user should be given an option about, at the very least; I can only think of a few programs who have any reason to be getting the drive serial number, or the Ethernet MAC address, and for the most part they are not userland apps.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Yeah, I'm shaking in my shoes thinking that eBay might steal my identity and sell my files to the government because their software might theoretically be able to read my bus speed and AGP window size.
A++++++ A PLEASURE TO BE SPIED ON! WOULD HAVE PERSONAL INFORMATION STOLEN AGAIN!
That's a reasonable perspective, but if you are, as you say, "paying with information," wouldn't you prefer that your decision to do so be an informed one? After all, Skype doesn't appear to be particularly straightforward with this information, and therefore your payment is taken without your knowledge, which could be considered by some to be fraudulent.
If bullshit were music, you'd be a brass band.
I KNEW that bitch was using an aimbot!
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
If you look at the history of Kazaa, the original developers were long gone by the time Sharman started pimping the spyware. These are the same long-gone guys who developed Skype and are long gone now working on YANNP (yet another new project)
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
So... You work for Microsoft?
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
Wouldn't it be nice of the Operating System helped you protect it from intrusive applications? No, you don't get to silently spam half baked crap into /etc/rc.d/init.d just because the you actually need sufficient privilege to do some other thing on install. No, my registry is NOT a free-for-all; you get to put just what you need in there and not go on a fishing expedition or 'fix' stuff you're not compatible with. No, the BIOS isn't for you because you're just a VOIP app and have no business whatsoever mucking around with the nonvolatile CMOS I need to boot. No, I don't need a fourth JVM crammed into my PATH, thanks.
Right on!
Coming from the Mac world, where I know there's most often no technical reason why an app couldn't just be drag-and-drop "installed" (i.e. just copy the app bundle to wherever the hell you want it and run it from there), I raise a suspicious eyebrow every time I download some program which should be entirely a userland thing (a game, a document or media editor or player of some sort, etc) which insists that I run an installer program that asks me for an admin password. I feel like asking the devs, "Why exactly do you need write access to anything outside your app bundle? Give me a damn good reason why I should entrust my system to you."
I want my OS to serve me like I want my government to serve me: stay out of my way unless I ask it for something (and have useful services available for the asking), except to keep people from doing bad things to me and my property, in which case I want it to proactively defend me. This means that no programs are running that I don't want running or don't know are running; nothing can *get* running without my telling it to or at least granting it permission to; and no files get written anywhere, perhaps outside of a few sandbox areas like the user's Preferences folder, without my permission.
OSX does most of this right already. The only more-stringent thing I would really ask for is that installers/etc which ask for an admin password not just get blanket permission to do whatever they want; I'd prefer it if the system instead told me, for each item the app wanted to install, that:
"The application FooBar wants permission to create the folder "Beezelbub" in System/Library/YourMom/. The justification it provides for this is:
Beezelbub is a video codec needed to play cutscenes in FooBar: The Quest For Metasyntax.
Do you wish to allow FooBar to create this item? [Yes] [Yes To All] [No] [No To All]."
And if you click one of the "Yes" buttons, THEN it prompts you for an admin password.
Of course, the app would be allowed to write whatever the hell it wants into folders it creates, so you don't have to get this prompt for every one of the thousand little files that some library or codec might include, unless those files are scattered to the winds and not in one nice neat package like they should be. Currently existing apps of course would not have such justification strings built into them, but even still, this would be a more secure way that would allow users who care to selectively allow the installation of crap on their system. And of course, users who don't care can always say "Yes To All" and be no worse off than they are today.
But users like me would feel much less suspicious, no longer wondering "what the heck does this installer want with my admin password? Why does this program need an installer in the first place?"
A related thing I might like would be if the system notified me any time any program tried to open up a network connection of any sort; to which I could say "allow", "always allow" (for trusted things), "disallow", or "always disallow" (for things you think are spyware). Include similar justification strings as the above dialogue does. This would work well to combat any sort of trojan spyware you might have gotten (that is, programs you downloaded and installed yourself, which are sending data to someone that you don't want it to send; since the way O
-Forrest Cameranesi, Geek of all Trades
"I am Sam. Sam I am. I do not like trolls, flames, or spam."