Slashdot Mirror


Skype Is Working To Defeat the Reverse Engineering

ndogg writes "Michael Larabel of Phoronix was emailed a response to the reverse engineering of the Skype protocol from the VP of Skype's PR company, who said that the reverse engineering was done for the use of spam/phishing, and that it's an infringement of their IP, and that they are working to defeat it."

35 of 169 comments

  1. Skype on Linux by Anonymous Coward · · Score: 5, Insightful

    Perhaps if Skype's Linux client had been better maintained and offered feature parity with the Windows and Mac OS X clients, there wouldn't be people spending time on reverse-engineering the protocol so that they could write their own client.

    Or, maybe, there are just a lot of Linux users who hate proprietary software, and don't trust Skype. Skype uses a lot of anti-debugging techniques. What are they hiding?

    1. Re:Skype on Linux by Bizzeh · · Score: 2

      Someone else would have been free to create a competitor network and service, and would also have been free to open their protocol, making it popular in its own way, eventually taking over and shutting down the popularity of the original network... rather than the original network having their freedom stripped from them, just so others can cash in in the game

    2. Re:Skype on Linux by Bizzeh · · Score: 2, Insightful

      He's free to do with his program as he pleases, but not free to use the Skype protocol as he pleases. Skype own the protocol and the network that app connects to and it's their protocol and network to do with as they wish. If they want to keep it closed, that is their own choice.

    3. Re:Skype on Linux by Intron · · Score: 4, Insightful

      imagine that the first telecom company kept their protocols private, locking everybody in!

      Umm. They did. You never heard of A. G. Bell's little company? Subject of an antitrust suit back in the 70's? Name of AT&T?

      Of course, like the T-1000, the Baby Bells are slowly coalescing back into the monster.

      --
      Intron: the portion of DNA which expresses nothing useful.
    4. Re:Skype on Linux by Neil_Brown · · Score: 4, Informative

      It's theirs to do with as they please and restrict how they see fit.

      To an extent, perhaps. In terms of the code comprising the software, their rights exist today solely because of copyright; it is the rights granted to them by the law of copyright which establishes what they have. Indeed, copyright works by establishing a right over a fixed expression, and making that right a property right - a right of personalty. However, unlike the majority of the personalty rights, a property right of copyright is for a temporary (if legislatively extensible) period, and only reserves the performance of certain acts to the holder. Acts which do not fall within these reserved rights are outside the scope of the copyright limitations, although an owner might attempt to increase the scope of restrictions by virtue of contract - although this is only effective in the situation where the person in question agrees to be bound by those additional limitations.

      Personalty through copyright, then, is not absolute - it is a restricted, time-limited right. Within the scope of the reserved rights, they are, subject to the below, free to do with it what they wish. If they wish to restrict things more widely than their rights under copyright, they need to establish a basis for those restrictions, with contract being the most likely option. Alternatively, they might look to other forms of intellectual property right, to gain additional coverage - for example, a patent covering certain aspects of functionality - or quasi rights, such as trade secret.

      Not only are the ownership rights not absolute, one might also view them as Swiss cheese - full of holes, with the cheese representing the rights reserved to the owner, and the holes acts which can still be undertaken. (One could view carve-outs to reserved rights as simply areas not covered by the reserved rights in the first place, but, that's rather an academic issue here.) Under European law, for example, there is a right to study the operation of the computer program for the purpose of determining the ideas and principles which underlie the program (Art. 5(3), directive 2009/24/EC). Similarly, a licensor of a computer program has a right to reproduce and translate (acts which are otherwise reserved) relevant parts of that computer program, where such actions are indispensable to obtain the information necessary to achieve the interoperability of an independently created computer program with other programs - Art. 6(1), dir. 2009/24/EC.*

      Whether there is the equivalent of these rights under US law, I am not sure, although I'm sure someone with greater knowledge of US copyright law could assist here. Similarly, I've not paid much attention to the subject of the piece, in terms of determining which jurisdictions might be applicable...

      Outside the scope of copyright law, one might also look into the regulatory framework of communications services, to determine that, whilst a network might be created by someone, it does not mean that their rights are unlimited, nor that they can not be mandated to provide interoperability. Again within Europe, see, for example, Art. 12(1)(e) of directive 2002/19/EC, which provides that, amongst other things, a national regulatory authority may require an operator to grant open access to technical interfaces, protocols or other key technologies that are indispensable for the interoperability of services, or, by virtue of Art. 12(1)(g), to mandate an operator to provide specified services needed to ensure interoperability, thus taking the obligation further than merely provision of interface information.

      There's nothing to suggest that a regulator has imposed such obligations on Skype**, nor that it is obligations of this nature at issue here, but it supports the point that, whilst intellectual property might grant some rights, they are not limitless, and, whilst, by definition, the rights are exclusionary, the scope of the exclusionary effect is regulated. Intellectual property exists as a matter of public benef

    5. Re:Skype on Linux by e9th · · Score: 2

      Hey, it worked for AT&T from 1885-1968.

    6. Re:Skype on Linux by Missing.Matter · · Score: 2

      Granted I've never used the Linux client, but the Windows client has only been getting worse and worse. It's pretty much the definition of bloat, consuming 100MB RAM currently and not being any more capable than I remember 3 versions ago.

    7. Re:Skype on Linux by djlowe · · Score: 4, Insightful

      He's free to do with his program as he pleases, but not free to use the Skype protocol as he pleases. Skype own the protocol and the network that app connects to and it's their protocol and network to do with as they wish. If they want to keep it closed, that is their own choice.

      1. So long as he reverse-engineered Skype's protocol cleanly (i.e. he didn't have access to Skype source code directly, nor was given it by third parties), then he is, in the US at least, free to do with his implementation as he wishes.

      In the US, this has historical precedent, going back to Compaq's original "clean room" reverse-engineering of IBM's BIOS for the original IBM PC, which was, for those that don't remember, what made IBM-compatible computers possible in the first place.

      2. Skype is, of course, free to alter their protocol, so as to prevent his implementation from working in the future.

      3. Skype's "network" isn't theirs: It leverages the Internet, after all, and so there's *no* way that they could possibly claim it to be a discrete network. In order for it to be so, they'd have to implement a completely separate world-spanning network that was physically isolated from the Internet.

      Since we all know that such isn't the case now, your point in that regard is completely invalid.

      Certainly, they own their servers, but those are also connected to the Internet at large. However, given the fact that they also leverage users' computers in a "P2P way", this reinforces my point that it isn't "their" network.

      Yes, they are free to try to keep their protocol closed, but in light of this, their best approach in my opinion is to open it: They have sufficient presence on the Internet now that doing so would only benefit them, I think.

      They could become a permanent standard by doing so and have a permanent presence/place on the Internet, now and in the future and probably would, if they chose to do so.

      Regards,

      dj

    8. Re:Skype on Linux by MaskedSlacker · · Score: 2

      Allow me to introduce you to a magical concept known as utilitarianism: that which produces the most good for the most people is good. Open protocols are utilitarian. Closed protocols are the antithesis of utilitarian.

    9. Re:Skype on Linux by MaskedSlacker · · Score: 2

      You forget that they have been bought by MS. I'd assume that all of their decisions until the actual takeover will be predicated on what they think MS would want (if not based on MS execs outright telling them what they want). Open ain't gonna happen.

    10. Re:Skype on Linux by Anonymous Coward · · Score: 5, Interesting

      The Civilian Assistance to Law Enforcement Act mandates that all telecommunications service providers install and maintain back doors into their systems for the express purpose of enabling Federal law enforcement to intercept private communications. If you want your phone calls to be "off the record" you have to use VOIP and encrypt your traffic. If a closed source proprietary VOIP provider offers encryption, they are directly obstructing law enforcement agencies in the execution of their lawfully authorized surveillance activities. There is no question that Skype has been requested to provide back doors into their "secure" proprietary protocol - unless of course it has always been trivial snake oil crypto, always a strong probability with closed source commercial products.

      Of course, the parent poster already knows all the answers, and we are lucky that he took a moment away from licking the boots of his beloved owners to favor us with words of wisdom.

    11. Re:Skype on Linux by AliasMarlowe · · Score: 5, Insightful

      Maybe they're not hiding anything, maybe they're just trying to protect their proprietary software. After all, they are a business just trying to make money.

      They've been hiding their protocols. These are not protected by patent (which would involve publishing them, assuming they were patentable). Their implementation is probably protected by copyright, but a competing implementation is unlikely to infringe that copyright, unless it is a "slavish" copy. There does not seem to be a trademark issue in play. Conclusion: it looks like they are merely trying to protect a trade secret which has been uncovered by reverse engineering. Note that reverse engineering to uncover secret methods is entirely legitimate.

      So yes, Skype is trying to preserve its revenue stream, which is secured only by secrecy of the protocols used by the proprietary Skype software. These protocols have now been made rather less secret, and apparently by legally acceptable means. So let's all say to Skype: "good luck with that".

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    12. Re:Skype on Linux by cavreader · · Score: 2

      In the case of telephone communications it was the government who helped break the AT&T stranglehold on that industry. They basically broke the company up and AT&T was required by decree to provide access to their communication infrastructure. This allowed new companies into the market because they didn't have to spend the enormous amount of money it would have taken to build their own infrastructure.

    13. Re:Skype on Linux by White+Flame · · Score: 4, Informative

      So yes, Skype is trying to preserve its revenue stream, which is secured only by secrecy of the protocols used by the proprietary Skype software.

      Not at all. Afaik, their revenue stream comes from upsell services tied to POTS interfacing and voicemail. Just because you know the client protocol does not mean you can access those services for free; they're tied to account balances that Skype maintains outside of the client connectivity.

    14. Re:Skype on Linux by nospam007 · · Score: 2

      "... he didn't have access to Skype source code directly, nor was given it by third parties), ..." ...and it's pure coincidence that it happened shortly after MS acquired Skype.

    15. Re:Skype on Linux by im_thatoneguy · · Score: 2

      Well I would disagree about #3. It is "Their" network. The assumption I make when I install the Skype software is that I will be interacting in a P2P network with other Skype software users.

      As the PR guy points out this allows Skype to better ensure the clients are legitimate users. It's a lot easier to spoof accounts, spam thousands of users etc. when there is no API and only a GUI interface. For instance I've never once received a spam message on Skype. I get at least one a month on other open messaging services.

      If I'm a P2P hub/server then I expect that I'm facilitating skype services which I use not some spammer.

      Similarly Skype also has "their" physical servers. And if they only want to use their bandwidth to facilitate customers who are seeing their ads then they should be legally able to refuse service to non-customers. They can no longer do that since they can't tell the difference between a non-customer reverse engineered client and a legacy client.

      So I would say this is a different situation from something like BIOS reverse engineering in that this isn't to facilitate someone to set up a parallel and independent competing product based on the specs, it's going to be using people and Skype's computers and bandwidth to facilitate a network which might be behaving differently from what they agreed to when downloading the Skype software.

    16. Re:Skype on Linux by gerddie · · Score: 4, Interesting

      <quote>It does some suspicious things too, like reading /etc/passwd. </quote>
      I have a surprise for you:

      strace ls -l 2>&1 | grep passwd
      open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4

    17. Re:Skype on Linux by ChrisMaple · · Score: 2

      Nice rewriting of history. MCI and Sprint were already successful before AT&T was broken up. The "antitrust" action took a stagnant AT&T, created 7 squabbling RBOCs of varying competence, and effectively destroyed Bell Labs.

      --
      Contribute to civilization: ari.aynrand.org/donate
    18. Re:Skype on Linux by cavreader · · Score: 2

      Maybe you should take another look at history yourself. The Bell System divestiture of AT&T was initiated by the filing in 1974 by the U.S. Department of Justice of an antitrust lawsuit against AT&T. MCI and Sprint were the major corporations driving this action because they could not compete with AT&T in the long distance telecommunications market because the cost of entry was too high for them to realistically compete. Prior to the breakup broadcast networks also relied on AT&T's infrastructure such as their microwave relays, coaxial cable networks, and broadcast-quality leased line networks to deliver their programming to local stations. This also gave a boost to their competitors in other areas as well. This thread started with questioning whether one party could use a competitor's assets, which IP is considered to be, to compete. In the AT&T case its competitors were awarded access to the infrastructure AT&T had built. This breakup also created chaos for AT&T during their attempt to re-group. While AT&T was busy with just surviving its competitors got the chance to continue their competitiveness without having to worry about AT&T. The one thing AT&T gained in this breakup was government permission to enter the computer industry which they had been locked out of due to anti-trust issues. This effort also failed all except for Bell Labs who were able to succeed as a premier research, education, and consulting firm. One of their more noteworthy contributions was developing Unix. And finally I am not saying I personally think the actions against AT&T were needed and a lot of people benefited in the end but their competitors get something for nothing.

    19. Re:Skype on Linux by LordVader717 · · Score: 2

      Their revenue stream relies on lock-in. To the unknowing masses who don't understand packet switching or P2P connections Skype might seem like a reasonable deal, but for a VOIP gateway their service is ridiculously over-priced. If a competitor can offer their own service, but still allow its users to easily interact with Skype customers then they would have to compete based on merit alone.

  2. Wait. by drolli · · Score: 2

    Openly admitting your security is based on obscurity sounds a little strange IMHO.

    Instead of using a secret protocol, plainly give out the necessary certificates only via email and kill them off after abuse. Especially since everybody can use the Skype API to spam if he wants.

  3. Re:usable now? by Fnord666 · · Score: 2

    ...or we may end up with a lot of halfassed clients.

    Sort of like the RIAA's attorneys.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  4. Spam/phishing is just an excuse by MtHuurne · · Score: 5, Insightful

    If a spammer or phisher would reverse engineer a protocol, it's very unlikely they would publish about it, since that would help their competition. It is possible that spammers or phishers will use the results of reverse engineering of course, but if your protection against malicious activities consists of a secret protocol then you should consider implementing real security instead of blaming the reverse engineering.

    In any case it's clear that Skype doesn't want third party clients to interoperate with their own, so instead of getting into a cat and mouse game it would be more useful to improve existing open source VOIP clients so Skype can be replaced altogether.

    1. Re:Spam/phishing is just an excuse by StripedCow · · Score: 3, Insightful

      it would be more useful to improve existing open source VOIP clients so Skype can be replaced altogether.

      As you know, for performing a telephone call, you need 2 ends. Try convincing the other end to install your open-source VOIP client of choice!

      That's the problem!

      IMHO, a much better approach against such lock-in would be to first develop an open-source binary compatibility layer inside web-browsers, like Google is doing with Native Client (NaCl). That way, you could make a phone call by asking the other party to visit a website (assuming you have written your phone client software for that binary compatibility layer of course).

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
  5. Re:Just say it... by ghbpiper · · Score: 2

    And you don't want to have to compete on SERVICE, only features. Much harder to compete if the protocol is open, and consumers have actual CHOICE. In the end openness could make for a better product, but only if Skype is up to the task.

  6. If Skype really cared about spam or phishing... by Dr.+Spork · · Score: 4, Insightful

    Why do I keep getting the same inane message from "Natalia", posted from various temporary accounts? I've blocked every account it's come from; I'm sure many have. Is Skype really too slow to get the hint? Jesus, make the spammers work a bit to change a word here and there! It's shocking to me how little Skype cares about spam and phishing in their network. My point is, you can do all the spam and phishing you want with the native client, because Skype apparently does nothing to stop even the clumsiest of spammers who know how to solve a captcha. So their alleged interest to protect their users was conveniently discovered when the possibility of competition suddenly arose.

    1. Re:If Skype really cared about spam or phishing... by luke923 · · Score: 2

      Ironically enough, that's the reason I stopped using Skype altogether; yet, an alternative client which did a better job of blocking spammers would bring me back.

      --
      "Good, Fast, Cheap: Pick any two" -- RFC 1925
  7. Not surprising by mmcuh · · Score: 2

    So Skype's PR people are morons. No surprise there, PR people are usually the bullshitters who couldn't make it as politicians.

  8. Re:Skype Skype by Anonymous Coward · · Score: 4, Informative

    I'm British, I have friends all over the country and no-one has ever used or heard this term being used as you describe it. I think you've either mixed Britain up with a very small regional part of Britain or have the wrong word.

  9. Re:Correct me if I am wrong. by artor3 · · Score: 2

    You are correct that it's legal, but that doesn't mean that Skype is under any obligation to make it easy.

  10. Re:What are you talking about? by arikol · · Score: 3

    I use Mac and Linux, my in-laws and some of my contacts use Windows.
    Give me a client that reliably (well, as reliably as Skype, anyway) works on these platforms (iOS would also be nice, as both I and the missus use that as well) and is simple enough to install and start for my in-laws, my parents, and the others I want to contact.
    Google chat should work, but is seriously confusing to beginners, and they want a standalone client anyway.

    When you can point me to that VOIP client, then I'll consider dumping Skype.
    Until then, Skype is king.

  11. Re:"Oops! We broke the Linux client . . .sorry!" by fuzzyfuzzyfungus · · Score: 4, Interesting

    I suspect that it depends on where they plan to slot Skype into their list of product offerings.

    If it becomes part of some 'enterprise' offering, playing cat-and-mouse would likely not be a sensible strategy. Corporate/institutional customers hate petty version churn of the sort needed to keep constantly breaking 3rd parties and they have a fairly low likelihood of going with 'unofficial' software. They may well keep globbing on new features (as with Office document formats, Sharepoint tie-ins, etc.); but corporate customers are conservative enough that even the perception that 3rd party clients are not feature-complete and 100% compatible usually keeps them well away, and the few exceptions are likely to either be impecunious contrarians or competing titans (e.g. IBM) large enough to make an issue of it if you play dirty.

    If it becomes a "Live" consumer offering, playing cat-and-mouse is at least an option, since the consumer market has largely learned to suck up their auto-updates when told (and isn't behind a firewall that blocks them, and doesn't need to open a ticket with IT to install them...) It still isn't totally clear what their motivation would be (since they would still control the skype-out gateways, where the money is, and having third parties voluntarily make your network more popular among markets you don't feel like serving doesn't seem like an obviously bad thing (though they might keep the banhammer hovering, just to ensure that people license the rights to embed skype in wifi VOIP phones and whatnot from them, rather than go 3rd party...)

    If it becomes a consumer-electronics thing, affiliated with xbox or Windows Phone, it seems to be some sort of ontological obligation to lock it down as hard as possible, just on principle, just because that is how they roll in console-land.

  12. Re:Just say it... by hairyfeet · · Score: 3, Interesting

    Riiiight, and if the protocol was completely open like SIP we wouldn't have the problems with Robodialers like SIP because? The problem with mass communication protocols is there are plenty of assholes in legal nowherelands that can and WILL use anything and everything they can get their slimy hands on to hack, harass, spam, and generally act like giant fucking douchebags without regards to anyone but themselves.

    One should never forget the universal truth that is Gabriel's Greater Internet Theory and then add in the ones that would be acting like douchebags because they could make money doing so ON TOP of the ones just being dicks for the sheer fun of being a fucktwit? It would be a damned mess and you KNOW this. The reason why everyone uses Skype is that it "just works" without having to worry about your video chat window suddenly popping up with someone's junk in it or getting called every two seconds from some automated voice trying to sell you herbal Viagra. While I think FOSS is fine in some places, in others it would be a BAD idea, and I'd say this here is one of the latter.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  13. Re:Bad business by Kalriath · · Score: 3, Insightful

    I believe the problem they face is that if the client protocol is understood, any monkey can implement that client protocol in a program which dials millions of Skype users per second offering to sell them half-off auto warranties or telling them about that $15,000,000 they need to smuggle out of Zambia, effectively destroying the trust in Skype, potentially resulting in an exodus of customers. Their perspective is not entirely unjustified.

    However, they don't appear to be spending much time working on a mitigation technique for when some jerk-off in the middle of nowhere (i.e. Nigeria) manages to achieve the same goal - because no legal threat will work on those fuckers.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  14. Once Microsoft acquires Skype... by supersat · · Score: 2

    ... won't they be obligated to license the protocol to third parties to avoid the wrath of anti-trust regulators (especially in the EU)?