There have been many analyses of Skype’s behaviour over the years (the most famous perhaps is from Baset and Schulzrinne), but as far as Vulture Central is aware, nobody has yet gone so far as to reverse-engineer the whole kit-and-caboodle. That’s the claim being made by Efim Bushmanov on this blog, where he offers his reverse- …
Microsoft should have waited a few months, with all the bad publicity they could have probably picked up Skype for a lot less $$
Does this really matter though?
Apart from the fact that we don't have any details of the efficacy of this software, we haven't yet heard from Microsoft. Is it not possible that this actually won't really rock the boat? Mind you, there is a certain ghoulish part of me that hopes it does.
not this issue
Think he is referring to the report that Egyptian security services were able to eavesdrop on Skype conversations during Arab spring protests. Of course they just installed zero day malware that listened to audio stream after decryption on the client which is more an indictment of winblows than Skype.
That would have defeated the whole reason
MS wanted to "buy a verb" and to make a good show in front of their shareholders.
If they had waited for the Skype hubbub to die down they would not have "bought a verb" and shareholders would have asked why they bought something as outdated as Skype.
IANAL so bear with me here....
But isn't it OK to reverse engineer proprietary protocols in the EU for the purposes of interoperability, or something along those lines?
A protocol is different
I hope somebody explains this in more detail, but a protocol is really only a description that you implement in your own program your own way.
That may have been ok if that was all he had done. From the sounds of it, he de-compiled the binary back into source code and then posted it to the internet, which is a flagrant breach of copyright.
Re: isn't it OK [...] in the EU
IANAL either, but I have "A Guidebook to Intellectual Property" here (ISBN 0-421-48730-5) published in 1993 (yeah, I know) and it says...
"Nor is it an infringement to convert a program from a high-level language to a low-level one (i.e., decompile it) [sic] or copy it by doing so, provided it is necessary to decompile it to create an independent program which can be operated with the existing one and the information is not used for any other purpose. Also, it is not an infringement to do things necessary to use the program such as correcting errors in programs unless that is specifically forbidden by contract. These exceptions derive from an EC directive and they were inserted into the Copyright, Designs and Patents Act 1988 by a statutory instrument made under the European Communities Act."
So unless those rights have been rolled back, it doesn't need to be a particularly clean room to produce a reverse engineered version. Of course, if you were to use the "compatible" version of the software to cheat Skype out of revenue, that might fall foul of the "not used for any other purpose" bit. As I said, IANAL and I've no idea how courts actually interpret these rights in a commercial setting.
@ Mark Berry
I'd highly doubt it, otherwise you could rip every technology off, ever made; for example, I've removed the DRM from my XBOX / PS3 / MAC so I can run the code on a x86 machine.
Also there is a very good chance it will infringe on a shit load of patents (compression and encryption of RTP streams for example).
The letter from the lawyers is in the post.
> As I said, IANAL and I've no idea how courts actually interpret these rights in a commercial setting.
..on whether it's a Texas lawyer or not :)
"he de-compiled the binary back into source code"
That's not technically possible, nor will it ever be.
Probably he used IDA to disassemble to Assembler code, then hand commented the code/converted to high level. That's a shedload of work, and if his finished project interoperates with Skype, then it's a very impressive piece of work.
"Also there is a very good chance it will infringe on a shit load of patents (compression and encryption of RTP streams for example)."
IANAL but I don't think that would matter in the EU as software isn't covered and as your examples are effectively mathematical algorithms I'm not entirely sure they can be patented either.
No it is *not* impossible
Given a binary executable, you could generate some Source Code which, when compiled, would produce an identical binary.
Sure, that probably wouldn't be the same as the original Source Code -- maybe not even in the same language, even -- as a natural consequence of the many-to-one mapping from source code to binaries. But the important thing is, it would compile to produce an identical binary.
Yes, but M$ still has the cash and lawyers to bury you so deep in lawsuits that even should you mount a defence, you will be broke long before you get the cases dismissed. And they can afford to send threatening legal letters to any hoster that would float your notSkype service, killing your network. And the PR machine to mount a campaign making out your notSkype is really a security risk, a way to introduce trojans and other nasties to regular Skype users, and only used by paedophiles/terrorists/<insert unwanted-types-of-the-week here>. Meanwhile, they have more than enough coders to add a small tweak to the Skype code which will leave your notSkype users unable to connect to proper Skype.
Never underestimate the ability of lots of cash.
Since many compilers convert the source code, say for a for-loop, into machine code in only a few ways, one can often recognize the source idiom from the disassembly. Possibly at a higher level, one could write a program to recognize strings of machine code that correspond to the source code keywords/control structures.
Any optimization, that say removes code out of a loop*, would still leave the loop to be recognized.
* an empty for-loop can be replaced with code to set the loop variable to its final value
> "he de-compiled the binary back into source code"
> That's not technically possible, nor will it ever be.
...you go on to talk about disassemblers...
These tools/techniques have been around for a long time and are surprisingly effective with some less strippy languages such as Java. Of course, getting the original source code back is nigh on impossible (think, breaking an egg and then trying to put it back together) but this doesn't mean you cannot get effective code that works in the same way - modelling the broken pieces of said egg and producing your own model that whilst similar in function and design is not the original...
Skype has had some pretty good protections built into the code from what I hear, to stop exactly this kind of analysis. So well done. And, it's about time :)
Re: Mark Berry
"I'd highly doubt it, otherwise you could rip every technology off, ever made"
There's a distinction between inter-operability and cloning. In this case, one side would claim that the reverse engineering permitted inter-operability with Skype's network and the other side would claim that it cloned Skype's client software.
all the kings men
He posted it as a torrent. So if there's demand, no amount of money threatening ISPs will shut down distribution of it. And remember that Skype is a P2P protocol. ISPs are not required to 'host' anything.
On the other hand, I agree that a small protocol change could quickly make this moot for a while. Assuming there's anything in this release even worth defeating.
Yet it does appear that a game of cat and mouse has begun. My guess is that the well known duplicity of Skype's founders will ensure that open source Skype protocol does leak out.
Never assume that legal money entirely trumps the will of skilled, motivated individuals fighting an asymmetric war. Sony may have learned that lesson recently.
I'm trying to figure out if it would be more entertaining for it to be authentic, or a scam to spread malware.
Cleanest room conditions.
"Bushmanov would at the very least have to demonstrate that he worked without a copy of the software to hand"
Doesn't he just need to prove that he didn't have a copy of the original source code nor worked on one in a previous life?
What's the point of reverse engineering if you don't have a copy that you can compare against?
Must be a RIAA/MPAA drive-by shooting.
I had the same thought as you.
Certainly "clean room" emulators don't pretend they've never had the console they're emulating, just that they didn't extract the firmware and decompile it in order to reproduce the functionality.
The rules change depending on where one is. I think the rules in the article are for the USA and don't apply to the EU. Anyone know what the EU rules are? Can the article be updated with the EU rules?
If he did all this legally, I hope MS do respond and I hope they get told where to shove their complaint.
MS Previous response
"If he did all this legally, I hope MS do respond and I hope they get told where to shove their complaint."
When the messenger wars were on, and everyone was trying to make a messenger client that worked with the others, MS just changed the protocol each week and forced you to download the new version; cutting off the others (although they then added automatic downloading and executing files which got me off that treadmill very fast!)
However this time there are a few people who forked out for Skype hardware, and I'm not sure if they can be updated as easily.
This could bring Skype back to asterisk, and to libpurple too!
If it's all true of course.
Incoming Skype to SIP please
If this means that someone can hack together a simple Skype to SIP converter (within Asterisk is OK with me), and especially if I can run it on my QNAP, this gets my vote!
Skype to Sip
Never tried any of these but..,
From the reports of people who looked at the files
It just looks like this guy downloaded Skype binaries decrypted by some security research company, ran (apparently pirated versions of) IDA and hex-rays decompiler on them and posted the results online without much input from himself.
Looks like his idea of getting 5 mins of fame worked, but this doesn't show any particular skill on his part, except ability to search for bootleg copies of expensive software.
Pigeons, meet Cat.
I really hope that the inevitable pidgin plug-in is indeed called 'cat'.
"It’s hard to replicate perfectly the behaviour of any software under completely clean-room conditions, and probably even harder to prove that such conditions existed."
If that were the case then I would have expected the developers of Samba to have been beaten in the court case of a few years ago. Andrew Tridgell and his co-workers seem to have avoided all such unpleasantness when they reverse engineered SMB and actually produced a better implementation of the protocol.
Not having seen Bushmanov's work I would not like to say how he did it, but it was possibly not done illegally.
As far as I understand reverse engineering itself is not illegal. What's illegal is re-writing proprietary software to which you've had access to the source code as a former/current employee for example and then only if it can be proven that you lifted code.
But if the original code is assembly language then the decompilation will result in you viewing something very close to the original code.
This is why they (Compaq?) needed a clean room implementation when copying the PC BIOS.
I believe it may be illegal in the USA, but pretty much everywhere else specifically states that it is totally legal and a license agreement can not prevent that (for example the UK). In fact I believe that some (Germany?) actually go as far as to state that it is illegal to try to place such restrictions in the license agreements in the first place (obviously not really enforced).
Why bother. Just stick to open and industry standard SIP VoIP protocols. Far easier for hardware manufacturers to implement and supported in many routers for QoS, in homes, ISPs and corporate environments.
Skype is a bloated resource intensive P2P based protocol.
re: Just stick to SIP
That is a great idea if you control all ends of the network that you will use, but when you have 20 or 30 regular contacts that are all on Skype and expect to be able to IM, voice call and video call with you, as well as see when you are online - that is not so easy!
The Microsoft Way
"... but when you have ... regular contacts that are all on... and expect to be able to ..."
I think I've seen that business model before.
Skype Online is Offline
Skype problems seem to be growing. In the UK since 2nd June the Skype online numbers have stopped working ( http://heartbeat.skype.com/2011/06/problems_calling_to_online_num.html )
So small businesses who have bought a phone number via Skype can expect a quiet time.
As usual the usual meaningless "we are working hard" estimated fix time.
I think it was Phoenix who first rev. engd. IBM BIOS.
They had 2 sets of geeks (as it were) in 2 separate rooms. One lot shouted out (so to speak) what the BIOS did, step by step, and the other lot wrote NEW code to emulate.
If they had been unfortunate to write, by coincidence, the same code, the judge would never have believed that it was innocent.
Who cares? Skype is far from being the only internet phone/video protocol. It isn't even the first company to produce a net-to-phone system (remember Net2Phone?). It just seems to be the most successful commercial venture in that space, whereas its competitors failed.
So why do I care about a reverse-engineered Skype protocol? There are plenty of open-source VOIP protocols I can use if I want one.
Who cares about *.docx?
There are plenty of open document formats too. Nobody needs to use MS proprietary protocols.
Unfortunately some people do use proprietary protocols and interacting with them is impossible if you just stick with open protocols.
All he needs to do is release it with a licence that prohibits use where it's illegal, such as the US, if MS object.
They'll probably turn a blind eye to it because as far as I know, to use Skype to call out, you have to give them money, and I doubt if that can be bypassed. If they've just relieved themselves of the need to maintain the Linux version they'll be happy, and can continue with the Windows development with a few crumbs to the Mac crowd.
Could the sudden Skype system / server instabilities
... be caused by their staff running for other jobs knowing most will be made redundant anyway???
If Skype had not just been purchased by MS, would some of these comments change? What if it were still a darling of the startup crowd and Bushmanov did this? Would it still not be a big deal?
Binary and decompiling
In the 1970s we had to do a lot of that from machine code to assembly.
Tedious but not difficult. Why? Because it was part of the job so you do not fuck around with words like difficult.
The ability to read machine code as your native language is not considered important today, I suppose only real hakkers are good at it.
The idea that you can hide something by releasing only the binary is silly, it is all there to be read if you have the time, ability and interest to do it.
Of course, today, the size of the pie is much much larger than long ago, but then again there is perhaps more money for that today too.
Anybody around who understands this 2,10 0.7.15 or 3.05 0.2.7
AMD had to do a real clean room implementation for the machine code in the Intel "clones" but they did it in no time and using only one programmer. It is all in the "Inside Intel" book.
All the legal stuff, and how the wind blows today in each different country, is of course another question.
Why by hand ?
Did you have no disassembler in the 1970s? One of the first 'big' FORTH programs I wrote was a 6809 disassembler which only took about 8K of source code including ~ 4K of data table. Given that the 6809 had anything up to ~6000 op codes ( it had multi-byte op codes for some addressing modes before anyone asks ) depending on how you looked at it I thought that was quite neat. Mind it ran a tad slowly but served its purpose.
How soon will Microsoft blow?
One of the big arguments against relying on proprietary encryption algorithms and software has always been the lack of peer review. Do I trust these people to not have screwed up and left a hole you could drive a bus through?
I've long been of the belief that, no matter how good at something I think I am, that there is always someone out there that is better. I have screwed up in the past and I will do so again. I also believe that the less people that check my work, the less chance there is that someone will say "Hang on a minute..." This is why I believe small, closed teams to be a bad thing.
I guess this is where we will find out just how good (or bad) Skype's security is and whether it has any obvious back doors or weaknesses engineered into it.
Phoronix quotes a PR representative for Skype:
"This unauthorized use of our application for malicious activities like spamming/phishing infringes on Skype's intellectual property. We are taking all necessary steps to prevent/defeat nefarious attempts to subvert Skype's experience. Skype takes its users' safety and security seriously and we work tirelessly to ensure each individual has the best possible experience."