Skype Is Working To Defeat the Reverse Engineering
ndogg writes "Michael Larabel of Phoronix was emailed a response to the reverse engineering of the Skype protocol from the VP of Skype's PR company, who said that the reverse engineering was done for the use of spam/phishing, and that it's an infringement of their IP, and that they are working to defeat it."
You want to muscle control over the information and keep as much money for yourself as you can.
Perhaps if Skype's Linux client had been better maintained and offered a feature parity to the Windows and Mac OS X clients, there wouldn't be people spending time on reverse-engineering the protocol so that they could write their own client.
Or, maybe, there are just a lot of Linux users who hate proprietary software, and don't trust Skype. Skype uses a lot of anti-debugging techniques. What are they hiding?
Since 'skype' is a Britishism for obtaining by nefarious means, skyping Skype seems rather appropriate.
A man spends the first half of his life accumulating stuff, the second trying to get rid of it all.
Openly admitting your security is based on obscurity sounds a little strange IMHO.
Instead of using a secret protocol, plainly give out the necessary certificates only via email and kill them off after abuse. Especially since everybody can use the Skype API to spam if he wants.
"who said ... that it's an infringement of their IP"
"You keep using that word. I do not think it means what you think it means."
I think it's completely possible that this could be a good thing for Skype. I've always found their client to be bloated and annoying and, worst of all, the Linux port is trash.
This could be fantastic... or we may end up with a lot of halfassed clients.
Anons need not reply. Questions end with a question mark.
If a spammer or phisher would reverse engineer a protocol, it's very unlikely they would publish about it, since that would help their competition. It is possible that spammers or phishers will use the results of reverse engineering of course, but if your protection against malicious activities consists of a secret protocol then you should consider implementing real security instead of blaming the reverse engineering.
In any case it's clear that Skype doesn't want third party clients to interoperate with their own, so instead of getting into a cat and mouse game it would be more useful to improve existing open source VOIP clients so Skype can be replaced altogether.
Why do I keep getting the same inane message from "Natalia", posted from various temporary accounts? I've blocked every account it's come from; I'm sure many have. Is Skype really too slow to get the hint? Jesus, make the spammers work a bit to change a word here and there! It's shocking to me how little Skype cares about spam and phishing in their network. My point is, you can do all the spam and phishing you want with the native client, because Skype apparently does nothing to stop even the clumsiest of spammers who know how to solve a captcha. So their alleged interest to protect their users was conveniently discovered when the possibility of competition suddenly arose.
So Skype's PR people are morons. No surprise there, PR people are usually the bullshitters who couldn't make it as politicians.
..."Criminals reverse engineered our stuff to commit crimes against innocent people." Whatever, I get phishing messages on Skype regularly.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
No doubt they managed to reverse engineer the protocol. I wanted to use Skype the other day and found 4 different bugs just on the website and installing the application.
--- You only have 1 try for password guess before you "used all your tries"
--- The "Lost username" e-mail actually writes your username on the first line of the e-mail, then asks you to click on a link to verify a code and it gives you the same thing
--- You need to log in a second time on the download page; cookies are not linked to the main site.
--- In the installer when you choose your language, if you press the first letter (i.e. E for English) instead of clicking on it, all hell breaks loose on that UI.
How they managed to get a multimillion-dollar enterprise with some lack of polishing like that is beyond me.
But isn't reverse-engineering legal?
In addition to that, claiming that it is for phishing/spamming purposes is FUD, not to say that people who engage in those activities can't use this.
They claim violation of their IP. Is that copyright? Probably not. Trademark? Nope. Patent? Hmmm, do they have a patent in this area? I don't know, but probably not. That would leave trade secrets, which IIRC are not protected from reverse engineering in any way. IANAL but they really should say what is being violated, not just the nebulous "IP".
This makes perfect sense, because spammers and phishers always obey the law, so if they're forbidden from using code which has already been released I'm sure they will comply.
Yeeeeeaaaaaaa
>80 column hard wrapped e-mail is not a sign of intelligent
>life
instead of getting into a cat and mouse game it would be more useful to improve existing open source VOIP clients so Skype can be replaced altogether.
I find it hard to understand why people use Skype at all when there are plenty of good VoIP providers. Skype has completely random call quality; you never know if a connection will be fine or sound like it's in an echo chamber or have a buzz. You can get excellent VoIP service for $5 to $10/month. Indeed Ooma offers FREE service (but requires you to purchase a $130 appliance and pay the E911). Ooma's quality is excellent, their service is responsive and it keeps getting better (HD voice now available for Ooma-to-Ooma).
There are lots of quality VOIP providers. Why would anyone put up with low quality skype?
Some drink at the fountain of knowledge. Others just gargle.
She isn't very hard to find on Facebook. Just sent her the following message:
In what universe do spammers and phishers openly publish their results for the public to look at? Somehow I don't think you have any idea about the subject matter on which you are harassing people over, and frankly, I am astounded that someone so wholly ignorant about both communication and technology would somehow manage to become the VP of a communications company. Who'd you blackmail to get your job, lady?
While I'm at it, just three days ago I received a spam message via Skype. It seems like the utterly insecure software that you're ineffectually trying to defend is already full of holes, why don't you people try dealing with the actual spammers and phishers that infest your so-called "service" rather than attacking legitimate researchers? No need to give me an answer to that question, I know why: Because it's easier. You people can't do a single thing to take care of the real problems Skype faces, so instead, you make a lot of kerfuffle when something at which you can lash out raises its head. Good work, you're a terrible human being.
Or am I the only one who thinks M$ will use this as an excuse to work their "embrace, extend, extinguish" magic on Skype? This is just a way for the pirates of Redmond to kill the Linux (beta) client - which, incidentally, hasn't seen any progress in the last two years - while keeping their grubby little meat-beaters clean.
I find it a likely story that someone would open-source Skype for the purposes of sending spam. That's an activity you keep secret and sell to spammers for big bucks. So without even knowing the motive we get this attack on the coder by none less than the VP of Skype's PR company. There should be a good libel suit in here somewhere.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I suspect that it depends on where they plan to slot Skype into their list of product offerings.
If it becomes part of some 'enterprise' offering, playing cat-and-mouse would likely not be a sensible strategy. Corporate/institutional customers hate petty version churn of the sort needed to keep constantly breaking 3rd parties and they have a fairly low likelihood of going with 'unofficial' software. They may well keep globbing on new features (as with Office document formats, Sharepoint tie-ins, etc.); but corporate customers are conservative enough that even the perception that 3rd party clients are not feature-complete and 100% compatible usually keeps them well away, and the few exceptions are likely to either be impecunious contrarians or competing titans (e.g. IBM) large enough to make an issue of it if you play dirty.
If it becomes a "Live" consumer offering, playing cat-and-mouse is at least an option, since the consumer market has largely learned to suck up their auto-updates when told (and isn't behind a firewall that blocks them, and doesn't need to open a ticket with IT to install them...). It still isn't totally clear what their motivation would be (since they would still control the skype-out gateways, where the money is, and having third parties voluntarily make your network more popular among markets you don't feel like serving doesn't seem like an obviously bad thing (though they might keep the banhammer hovering, just to ensure that people license the rights to embed skype in wifi VOIP phones and whatnot from them, rather than go 3rd party...)).
If it becomes a consumer-electronics thing, affiliated with xbox or Windows Phone, it seems to be some sort of ontological obligation to lock it down as hard as possible, just on principle, just because that is how they roll in console-land.
Maybe they'd be better off assigning some of the people trying to defeat reverse engineering to test their installer software.
You know, so they don't "accidentally" install third party applications on users' computers without permission again.
Remember the day before there was Skype? Yeah.. people actually *CHOSE* their product and then it snowballed into where they are at now. While it's true that having an open protocol would be beneficial for the consumer, don't forget that Skype actually made the protocol/product worth using.
Any fool can create a voip protocol. It takes something else to make it popular. As usual open source people want to copy existing successful proprietary products (hint: unix) and expect established companies to just roll out the red carpet. Why don't these nerds make their own open protocol which is better than what skype uses and make it popular? Yeah.. much harder ;-)
If your business model is shot by having your wire protocol well understood, your business model is crap. Based on my admittedly low knowledge of Skype, I don't understand how third party clients can threaten them, since the client is free, not ad-supported, and they charge for access to services, unless they enforce those business policies client-side, which brings us to point two...
If your protocol being understood opens the door to unauthorized access to your premium services and phishing and other security threats, your protocol is crap. The term in the industry is security through obscurity, with well deserved disdain.
XML is like violence. If it doesn't solve the problem, use more.
sooo, skype is going to reverse the reverse engineering so it could be reverse engineered again, go skype!
So how do you defeat the reverse engineering of an engineered piece of software? Re-engineer it?
In my opinion it sounds like Skype is trying to patch the hole in its bike tire; sure they can cover it up but the hole is still the same size. So it can still be re-reverse engineered...
This is so easy to solve.
1. Don't make games tied to an OS, but bootable off DVDROM, like an xbox/ps3, but on the PS. And since there's only 2 ever video card makers, it's easy to support.
2. Boot this into Linux under a VM that lets you control the video card.
3. Failing that, just give up dudes, and use Windows VM. It's not gonna kill you, you won't run out of hard disk space, RAM is cheap.
Liberty freedom are no1, not dicks in suits.
From what I understand Skype uses encryption as well as proprietary protocols to provide its services. No doubt many governments around the world, fearing the possibilities enabled by secure and anonymous point-to-point communication, would be very interested in learning anything they can about how it works and what weaknesses it might have, if any.
This is an excuse to rework the code so the already outdated Linux client is rendered useless on their network. Sorry, but due to a recent security breach and lack of resources we must cease development on Skype for Linux. Double whammy: blame it on open source hackers and also piss off Linux users.
As for Mac, Skype will give the MacBU something to do other than play XBox all day.
... won't they be obligated to license the protocol to third parties to avoid the wrath of anti-trust regulators (especially in the EU)?
OK then...
They should support UBUNTU only.
Just limit yourself to one Linux distribution and the fragmentation problem goes away.
Next time you hear some stupid company complaining about Linux fragmentation, point out they only need to support ONE distribution.
Well, looks like someone reverse engineered slashdot's protocol.
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
But I bet this has nothing to do with security and everything with preventing other clients connecting to the network.
Here's the exact quote from TFA: "This unauthorized use of our application for malicious activities like spamming/phishing infringes on Skype's intellectual property. We are taking all necessary steps to prevent/defeat nefarious attempts to subvert Skype's experience. Skype takes its users' safety and security seriously and we work tirelessly to ensure each individual has the best possible experience."
Even the PR drone is saying "unauthorized use for malicious activities"... so reverse engineering the protocol isn't the problem, it's what you do with it. And considering it seems to be a Russian effort, I'd worry too.
Thus, the encrypted passwords, required for brute-force decryption attempts, are not available to every Tom, Dick, and Mallory.
I refuse to believe corporations are people until Texas executes one. -- desert rain on http://www.dailykos.com/user/
Something to read.
http://skype-open-source.blogspot.com/2011/06/my-interview-to-east-west-digital-news.html
Ekiga is really nice (I'm using it on a regular basis).
But its setup isn't as simple.
You still can't select the used port range without manually editing the configuration with gconf-editor, for example.
There are some nice efforts to avoid the whole "opening-port" thanks to STUN and TURN technologies.
But still there are a lot of situations where you end up with the dreaded "Sorry, ekiga couldn't configure your network automatically" window.
Meanwhile, Skype, because it uses aggressive techniques coming from the P2P-Download world, and because any Skype client with a sufficient bandwidth can be turned into a super-Node, "just works" in almost any situation. Including border case situations where the network is semi-broken.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]