Skype Is Working To Defeat the Reverse Engineering

ndogg writes "Michael Larabel of Phoronix was emailed a response to the reverse engineering of the Skype protocol from the VP of Skype's PR company, who said that the reverse engineering was done for the use of spam/phishing, and that it's an infringement of their IP, and that they are working to defeat it."

Skype on Linux

Perhaps if Skype's Linux client had been better maintained and offered a feature parity to the Windows and Mac OS X clients, there wouldn't be people spending time on reverse-engineering the protocol so that they could write their own client.

Or, maybe, there are just a lot of Linux users who hate proprietary software, and don't trust Skype. Skype uses a lot of anti-debugging techniques. What are they hiding?

Re:Skype on Linux

[Intron]

imagine that the first telecom company kept their protocols private, locking everybody in!

Umm. They did. You never heard of A. G. Bell's little company? Subject of an antitrust suit back in the 70's? Name of AT&T?

Of course, like the T-1000, the Baby Bells are slowly coalescing back into the monster.

Re:Skype on Linux

[Neil_Brown]

its theirs to do with as they please and restrict how they see fit.

To an extent, perhaps. In terms of the code comprising the software, their rights exist today solely because of copyright; it is the rights granted to them by the law of copyright which establishes what they have. Indeed, copyright works by establishing a right over a fixed expression, and making that right a property right - a right of personalty. However, unlike the majority of the personalty rights, a property right of copyright is for a temporary (if legislatively extensible) period, and only reserves the performance of certain acts to the holder. Acts which do not fall within these reserved rights are outside the scope of the copyright limitations, although an owner might attempt to increase the scope of restrictions by virtue of contract - although this is only effective in the situation where the person in question agrees to be bound by those additional limitations.

Personalty through copyright, then, is not absolute - it is a restricted, time-limited right. Within the scope of the reserved rights, they are, subject to the below, free to do with it what they wish. If they wish to restrict things more widely than their rights under copyright, they need to establish a basis for those restrictions, with contract being the most likely option. Alternatively, they might look to other forms of intellectual property right, to gain additional coverage - for example, a patent covering certain aspects of functionality - or quasi rights, such as trade secret.

Not only are the ownership rights not absolute, one might also view them as Swiss cheese - full of holes, with the cheese representing the rights reserved to the owner, and the holes acts which can still be undertaken. (One could view carve-outs to reserved rights as simply areas not covered by the reserved rights in the first place, but, that's rather an academic issue here.) Under European law, for example, there is a right to study the operation of the computer program for the purpose of determining the ideas and principles which underlie the program (Art. 5(3), directive 2009/24/EC). Similarly, a licensor of a computer program has a right to reproduce and translate (acts which are otherwise reserved) relevant parts of that computer program, where such actions are indispensable to obtain the information necessary to achieve the interoperability of an independently created computer program with other programs - Art. 6(1), dir. 2009/24/EC.*

Whether there is the equivalent of these rights under US law, I am not sure, although I'm sure someone with greater knowledge of US copyright law could assist here. Similarly, I've not paid much attention to the subject of the piece, in terms of determining which jurisdictions might be applicable...

Outside the scope of copyright law, one might also look into the regulatory framework of communications services, to determine that, whilst a network might be created by someone, it does not mean that their rights are unlimited, nor that they can not be mandated to provide interoperability. Again within Europe, see, for example, Art. 12(1)(e) of directive 2002/19/EC, which provides that, amongst other things, a national regulatory authority may require an operator to grant open access to technical interfaces, protocols or other key technologies that are indispensable for the interoperability of services, or, by virtue of Art. 12(1)(g), to mandate an operator to provide specified services needed to ensure interoperability, thus taking the obligation further than merely provision of interface information.

There's nothing to suggest that a regulator has imposed such obligations on Skype**, nor that it is obligations of this nature at issue here, but it supports the point that, whilst intellectual property might grant some rights, they are not limitless, and, whilst, by definition, the rights are exclusionary, the scope of the exclusionary effect is regulated. Intellectual property exists as a matter of public benef

Re:Skype on Linux

[djlowe]

hes free to do with his program as he pleases, but not free to use the skype protocol as he pleases. skype own the protocol and the network that app connects too and its their protocol and network to do with as they wish. if they want to keep it closed, that is their own choice.

1. So long as he reverse-engineered Skype's protocol cleanly (i.e. he didn't have access to Skype source code directly, nor was given it by third parties), then he is, in the US at least, free to do with his implementation as he wishes.

In the US, this has historical precedent, going back to Compaq's original "clean room" reverse-engineering of IBM's BIOS for the original IBM PC, which was, for those that don't remember, what made IBM-compatible computers possible in the first place.

2. Skype is, of course, free to alter their protocol, so as to prevent his implementation from working in the future.

3. Skype's "network" isn't theirs: It leverages the Internet, after all, and so there's *no* way that they could possibly claim it to be a discrete network. In order for it to be so, they'd have to implement a completely separate world-spanning network that was physically isolated from the Internet.

Since we all know that such isn't the case now, your point in that regard is completely invalid.

Certainly, they own their servers, but those are also connected to the Internet at large. However, given the fact that they also leverage users' computers in a "P2P way", this reinforces my point that it isn't "their" network.

Yes, they are free to try keep their protocol closed, but in light of this, their best approach in my opinion is to open it: They have sufficient presence on the Internet now that doing so would only benefit them, I think.

They could become a permanent standard by doing so and have a permanent presence/place on the Internet, now and in the future and probably would, if they chose to do so.

Regards,

dj

Re:Skype on Linux

The Civilian Assistance to Law Enforcement Act mandates that all telecommunications service providers install and maintain back doors into their systems for the express purpose of enabling Federal law enforcement to intercept private communications. If you want your phone calls to be "off the record" you have to use VOIP and encrypt your traffic. If a closed source proprietary VOIP provider offers encryption, they are directly obstructing law enforcement agencies in the execution of their lawfully authorized surveillance activities. There is no question that Skype has been requested to provide back doors into their "secure" proprietary protocol - unless of course it has always been trivial snake oil crypto, always a strong probability with closed source commercial products.

Of course, the parent poster already knows all the answers, and we are lucky that he took a moment away from licking the boots of his beloved owners to favor us with words of wisdom.

Re:Skype on Linux

[AliasMarlowe]

Maybe they're not hiding anything, maybe they're just trying to protect their proprietary software. After all, they are a business just trying to make money.

They've been hiding their protocols. These are not protected by patent (which would involve publishing them, assuming they were patentable). Their implementation is probably protected by copyright, but a competing implementation is unlikely to infringe that copyright, unless it is a "slavish" copy. There does not seem to be a trademark issue in play. Conclusion: it looks like they are merely trying to protect a trade secret which has been uncovered by reverse engineering. Note that reverse engineering to uncover secret methods is entirely legitimate.

So yes, Skype is trying to preserve its revenue stream, which is secured only by secrecy of the protocols used by the proprietary Skype software. These protocols have now been made rather less secret, and apparently by legally acceptable means. So let's all say to Skype: "good luck with that".

Re:Skype on Linux

[White+Flame]

So yes, Skype is trying to preserve its revenue stream, which is secured only by secrecy of the protocols used by the proprietary Skype software.

Not at all. Afaik, their revenue stream comes from upsell services tied to POTS interfacing and voicemail. Just because you know the client protocol does not mean you can access those services for free; they're tied to account balances that Skype maintains outside of the client connectivity.

Re:Skype on Linux

[gerddie]

<quote>It does some suspicious things too, like reading /etc/passwd. </quote>
I have a surprise for you:

strace ls -l 2>&1 | grep passwd
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4

Spam/phishing is just an excuse

[MtHuurne]

If a spammer or phisher would reverse engineer a protocol, it's very unlikely they would publish about it, since that would help their competition. It is possible that spammers or phishers will use the results of reverse engineering of course, but if your protection against malicious activities consists of a secret protocol then you should consider implementing real security instead of blaming the reverse engineering.

In any case it's clear that Skype doesn't want third party clients to interoperate with their own, so instead of getting into a cat and mouse game it would be more useful to improve existing open source VOIP clients so Skype can be replaced altogether.

If Skype really cared about spam or phishing...

[Dr.+Spork]

Why do I keep getting the same inane message from "Natalia", posted from various temporary accounts? I've blocked every account it's come from; I'm sure many have. Is Skype really too slow to get the hint? Jesus, make the spammers work a bit to change a word here and there! It's shocking to me how little Skype cares about spam and phishing in their network. My point is, you can do all the spam and phishing you want with the native client, because Skype apparently does nothing to stop even the clumsiest of spammers who know how to solve a capcha. So their alleged interest to protect their users was conveniently discovered when the possibility of competition suddenly arose.

Re:Skype Skype

I'm British, I have friends all over the country and no-one has ever used or heard this term being used as you describe it. I think you've either mixed Britain up with a very small regional part of Britain or have the wrong word.

Re:"Oops! We broke the Linux client . . .sorry!"

[fuzzyfuzzyfungus]

I suspect that it depends on where they plan to slot Skype into their list of product offerings.

If it becomes part of some 'enterprise' offering, playing cat-and-mouse would likely not be a sensible strategy. Corporate/institutional customers hate petty version churn of the sort needed to keep constantly breaking 3rd parties and they have a fairly low likelihood of going with 'unofficial' software. They may well keep globbing on new features(as with Office document formats, Sharepoint tie-ins, etc.); but corporate customers are conservative enough that even the perception that 3rd party clients are not feature-complete and 100% compatible usually keeps them well away, and the few exceptions are likely to either be impecunious contrarians or competing titans(eg. IBM) large enough to make an issue of it if you play dirty.

If it becomes a "Live" consumer offering, playing cat-and-mouse is at least an option, since the consumer market has largely learned to suck up their auto-updates when told(and isn't behind a firewall that blocks them, and doesn't need to open a ticket with IT to install them...) It still isn't totally clear what their motivation would be(since they would still control the skype-out gateways, where the money is, and having third parties voluntarily make your network more popular among markets you don't feel like serving doesn't seem like an obviously bad thing(though they might keep the banhammer hovering, just to ensure that people license the rights to embed skype in wifi VOIP phones and whatnot from them, rather than go 3rd party...)

If it becomes a consumer-electronics thing, affiliated with xbox or Windows Phone, it seems to be some sort of ontological obligation to lock it down as hard as possible, just on principle, just because that is how they roll in console-land.