Skype Protocol Has Been Reverse Engineered
An anonymous reader writes "One researcher has decided he wants to make Skype open source by reverse engineering the protocol the service uses. In fact, he claims to have already achieved that feat on a new skype-open-source blog. The source code has been posted for versions 1.x/3.x/4.x of Skype as well as details of the rc4 layer arithmetic encoding the service uses. While his intention may be to recreate Skype as an open source platform, it is doubtful he will get very far without facing an army of Microsoft lawyers. Skype is not an open platform, and Microsoft will want to keep it that way."
And yet we have several programs that can read/write to Office files. It seems the same could be done with MS Skype - call it OpenSkype or LibreSkype.
The only problem is the potential to be sued for theft-of-service (making calls w/o paying).
Information wants to be expensive AND wants to be free. So you have Value vs. Cheap distribution fighting each other.
Just because the protocol is reverse engineered doesn't make it open. I would rather see an open standard become supported or used by Skype/Microsoft.
Let's play video games with mailmanZERO
This is a perfect example of how little effort it takes to develop something like this and how easily a community could maintain it for the world to use, but companies have to protect their billions.
Facetime has much better video quality for low-bandwidth connections, and there is no Windows application for it. That would be a better target.
Microsoft did not threaten any Kinect hackers when they reversed that protocol...
This could be the Skype killer we have been wishing for. It doesn't have to work with Skype, it just has to be as good as Skype and to be open. Imagine people being able to set up their own private Skype-like servers for personal and business use... even for home-monitoring uses and more. Skype will undoubtedly kill support for Linux and probably restrict access in a variety of ways. While being able to access Skype servers and services would be desirable, I wouldn't expect that to be allowed to work and would end up as the arms race we saw previously in instant messaging. (One that I think was ultimately lost or abandoned by those trying to fight 3rd party clients.) But if a truly free and open Skype-like set of clients and servers were made available, a lot of useful things can occur.
In 2006 at RECON, 2 guys from EADS presented on that subject:
http://recon.cx/en/f/vskype-part1.pdf
http://recon.cx/en/f/vskype-part2.pdf
It's protected. Lawyers may bark, and pound a table or two, but ultimately, they'll fail.
Sec. 103(f) of the DMCA (17 U.S.C. 1201 (f)) says that if you legally obtain a program that is protected, you are allowed to reverse-engineer and circumvent the protection to achieve the interoperability of computer programs.
The remaining question to ask is what’s the point of doing this reverse engineering? Skype is a free-to-use service for the most part. You do pay for non Skype-to-Skype calls, and have to use the official software, but is that really enough to make users desire an alternative?
Yes.
sysadmins and parents of newborns get the same amount of sleep.
Not only that, but reverse engineering the encryption of the protocol...wouldn't that open the doors to people "listening in" to calls?
Here's the torrent if it gets taken down. http://thepiratebay.org/torrent/6442887
Reverse engineering for interoperability reasons is explicitly allowed under US copyright law.
And of course, the USA doth not the whole world make.
No worries. In the US it's not illegal to reverse engineer protocols for compatibility.
Sec. 103(f) of the DMCA (17 U.S.C. 1201 (f)) says that if you legally obtain a program that is protected, you are allowed to reverse-engineer and circumvent the protection to achieve the interoperability of computer programs (i.e., the ability to exchange and make use of information). The section states:
Skype is locked up in Microsoft land. People should focus their attention on something that's actually open, like Jitsi.
To me it seems MS will simply follow their standard procedure of "Embrace (purchase and/or adopt a standard), Extend (introduce incompatibilities), and thereby Extinguish." to thwart any sort of open source implementations.
Similar to their Zune device, which has embraced a standard USB interface and media protocol, but has been extended with a DRM challenge & response system to extinguish the possibility of any software but Microsoft's being used with the Zune.
IMHO, since Skype is actually a distributed Peer to Peer system (where some peers are used as relays or to coordinate NAT traversal for other peers), why not simply ditch Skype and create our own low cost system? Some type of PGP-like system can be used to implement a distributed authentication/registration system, and perhaps Asterisk could be in our own homes (w/ landlines) to provide outgoing phone calls. Recent laws have made me wary of allowing others to out-dial from my node (to a select group of local area codes), but it is a type of solution that we used in the BBS days...
Microsoft has been forced to release protocol and API information as part of anti-trust settlements. Would this not also apply to subsequent Microsoft acquisitions? Microsoft really isn't in a very strong position regarding proprietary protocols. Also, reverse engineering is legal.
Please stop calling every single person who is tinkering with code a 'researcher'...
The real question is whether the "offender" has the financial resources to defend it. Large corporations have very deep pockets and an army of lawyers. Does (s)he?
ELOI, ELOI, LAMA SABACHTHANI!?
Fantastic, yet another open-source knock off clone of something proprietary that is just going to kick a hornet's nest of patent trolls and lawyers. Instead of that, how about a clean-sheet fully-original independent open alternative?
In software there is a Jazillion ways to solve a problem and it's doubtful the incumbent solution is the very best, why do you need to copy or reverse engineer anything in the software world except for lack of creativity, inspiration and originality?
It's perfectly ok of course to admit you're ripping off an algorithm because you can't come up with something better, and want to make a statement by slapping an open licence on your rip off.
It'll never catch on of course, because a reverse-engineered Skype protocol can't be used in any major project because of the aforementioned horde of rabid lawyers.
OSS can do its own thing, and can do it very well. There are success stories of originality from Firefox to BitTorrent and others. Just please not another me-too project that sets open software back a couple of years in terms of widespread acceptance.
Please don't feed the patent trolls.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
I would like to see a Pidgin plugin for Skype!
History repeats itself
I'm positive, don't believe me look at my karma
So is this wikipedia article incorrect? It has been out there for a year or two.
http://en.wikipedia.org/wiki/Skype_protocol
You can't do anything to anyone who makes their own implementation.
It's just like Samba, and MSN Messenger, and almost everything else out there.
So long as you didn't look at their code, and did it yourself from scratch it's okay.
Think about it for a minute. There is an opportunity for Microsoft to make lemonade from lemons and ca$h in...
That would be if they come out with a public statement that they do not object to non-MS implementations of Skype protocol nor of use of a non-abusive non-MS implementation with the Skype network; with the proviso that MS is not in any way responsible for the performance of non-MS implementations on the Skype network.
It would be like Samba all over again. The "it's not free software" barrier to deployment is removed, but MS' non-free implementation will always be the latest and greatest version. The free implementations would be in a game of catch-up.
That's actually a nice place to be if you are a proprietary software vendor. "Yes, you can use it for free; but our fee-based product is better."
It also relieves them of the need to support non-favored platforms. "We're no longer developing the Linux Skype client since the GNU guys have their own version which works well enough."
Remember that MS would still own the protocol and its future direction. The burden of compatibility is on the free software.
The value of Skype protocol and code was in keeping it secret from the likes of MS. Now the value is the Skype user base, the unlimited ability to deploy it in products such as Windows however MS desires, and the fee-based services.
The third zipfile contains no less than 443,000 lines of code (not counting a number of duplicates under _old), including ports to Virtual C++, Borland C and Gcc under Unix, different versions of the protocol parser, and so on. The few bits I've looked at are written competently and with confidence, there's none of the "this byte is 42 in all messages, I don't know why" that you'd expect in reverse-engineered code.
It's either a leak of Skype's code, or a decompilation; it's certainly not a reimplementation. --jch
Every communication between you and a server is legally your property. You can peek, squeeze, record, play, read, study, understand it, etc. It's yours, comes and goes from your machine and is open for being observed by any sniffer you want to use. It would be illegal if you crack the binaries, or hack into another one's communication. That's it.
For the rest, you can just read the reverse engineered specs... either this year's, or the details published in 2006.
you had me at #!
Has anyone tested whether this is the real thing and how far this guy got?
One thing that making this protocol public is doing is allowing government agencies to more easily wiretap Skype videos. I've interviewed at companies working on that very type of tool. Of course, the real security should be the encryption itself. However, without the platform itself being open source, only Microsoft will be able to make improvements to this encryption, if it is lacking.
Why bother. Skype has been bought by M$ and so will now die. This kind of software is not even hard to write - it's the server farm distribution and the popularity that rule. But we keep discovering there ain't no room for dynasties in the noughties - anyone who can start something up has a chance of being the one.
So, Nokia dead. Skype dead. What now, something more from Grugle or will an outsider step up to the plate?
The entire point of them buying Skype was so that they could embed a Skype client into Windows Phone to use to make calls to Windows desktop Skype users and vice-versa... to use the large user base to lock it in to Windows only... the Mac and Linux Skype clients would be deliberately kept way behind in features in order to discourage use.
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
Can't we come up with a distributed system? I mean, ok... IP phones have been around for ages... can't we just add a function that uses the local machine's modem to make local calls? Where every machine logged on is used as a local access point to the telephone system?
Just a thought
When people dialed in on our conference call systems with Skype, they most of the time sounded too unclear to be properly understood, which slowed down the groups in the meetings. So we had to ban it.
I use for example voipbuster, about EUR 40 per year for free calls to almost any number in the world that I might want to ever call, and it comes with a phone number too. Sound quality is just as good as any land line.
I just needed to get this out of my system.
Why hasn't Jeremy Allison been sued yet by Microsoft/IBM?
Sanity.html - Error 404 not found
I think this is the point where I suggest that you have a laughably small number of friends.
Seriously, if you have any significant number of friends of a non-techie persuasion (or otherwise, but with more pressing preoccupations than obscure choices of VOIP clients), insisting that everybody uses stinkyfinger to contact you is an easy path to a lonely life.
I consider myself to be reasonably tech-savvy, having worked as a sysprog in the aerospace industry (among others) since the 1970s, and I am not ashamed to say that Skype, despite its drawbacks, offers a good enough VOIP/IM client for most purposes. And I don't need to behave like an asswipe with my friends to persuade them to use it.
What you guys all seem to be forgetting is that this sort of thing is perfectly legal, especially if the researcher can claim "accessibility" reasons.
The blind, etc. have a lot more rights to decompile/reverse engineer things than a sighted person does, and these rights expand to things created or intended for their use.
I know this, being blind myself.
They can yell at lawyers all the way they want, but they can't do much.
The inner workings of Skype can only be protected by software patents.
As long as the theoretical "libreSkype" is developed and hosted from within a country that doesn't recognise software patents, there is no problem.
(And given the comments on this blog, seems like there are several Russians working on this. And currently Russia doesn't recognise software patents).
As long as no product based on libreSkype is sold in the US, and as long as distributions only offer Skype support as an end-user downloadable after-market plug-in (as currently with MP3, etc.), nobody is going to get sued.
Microsoft is hopeless in this situation.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Efim Bushmanov is full of praise for Skype in a long interview. http://www.eweekeurope.co.uk/interview/russian-reverse-engineer-praises-skype-30956 He says all good products will not be able to stay in the closet for long, and hopes to see a full open source implementation for Skype soon. Peter Judge eWEEK Europe
Apparently not a lot of people bothered, although many were quick to repost the story under headlines like “Skype protocol reverse-engineered, source code published”. tl;dr: An important step on a long way is made, but it's going to take years until an alternative Skype client becomes reality.
Bushmanov based his work on de-obfuscated binaries of old versions of Skype for Windows which some other hackers had produced before (the first archive). He used IDA Pro to analyze the code (the second archive contains IDA databases) and gain understanding of some aspects of the protocol, which has layers of encryption and obfuscation. He also patched the binaries to add some logging. Based on his findings, we wrote a program that can connect to a given [super]node and send an instant message for a given user. The third published archive contains a bunch of MS Visual Studio projects representing his progressive advancement.
To actually connect and send a message, the program needs so-called credentials. It seems to be a sort of session key issued by Skype login servers for 30 days or every time the user enters the password. Sean O'Neil wrote a hack in July 2009 that could connect to a login server and register a new user or log in as an existing one, procuring credentials. Since 2009 this has stopped working, probably because of changes on the server side. So instead Bushmanov used a hack to obtain credentials from running Skype for Windows.
To summarize: Bushmanov built upon prior work in the field and made an important step. There are hundreds of steps like that to be made until an alternative Skype client is possible. Microsoft has plenty of time to react, whatever strategy they choose.
One more thing: when Skype says they're going to do their best to defeat reverse-engineering attempts because the results can be used by spammers, they're lying. It's already possible to use Skype for spamming by automating it. What they're going to fight for is their business model, which relies upon there not being any alternative clients.