Microsoft should have waited a few months, with all the bad publicity they could have probably picked up Skype for a lot less $$
There have been many analyses of Skype’s behaviour over the years (the most famous perhaps is from Baset and Schultzrinne), but as far as Vulture Central is aware, nobody has yet gone so far as to reverse-engineer the whole kit-and-caboodle. That’s the claim being made by Efim Bushmanov on this blog, where he offers his …
Think he is referring to the report that Egyptian security services were able to evesdrop on skype conversations during Arab spring protests. Of course they just installed zero day malware that listened to audio stream after decryption on the client which is more an indictment of winblows than skype.
IANAL either, but I have "A Guidebook to Intellectual Property" here (ISBN 0-421-48730-5) published in 1993 (yeah, I know) and it says...
"Nor is it an infringment to convert a program from a high-level language to a low-level one (i.e., decompile it) [sic] or copy it by doing so, provided it is necessary to decompile it to create an independent program which can be operated with the existing one and the information is not used for any other purpose. Also, it is not an infringement to do things necessary to use the program such as correcting errors in programs unless that is specifically forbidden by contract. These exceptions derive from an EC directive and they were inserted into the Copyright, Designs and Patents Act 1988 by a statutory instrument made under the European Communities Act."
So unless those rights have been rolled back, it doesn't need to be a particularly clean room to produce a reverse engineered version. Of course, if you were to use the "compatible" version of the software to cheat Skype out of revenue, that might fall foul of the "not used for any other purpose" bit. As I said, IANAL and I've no idea how courts actually interpret these rights in a commercial setting.
"he de-compiled the binary back into source code"
That's not technically possible, nor will it ever be.
Probably he used IDA to disassemble to Assembler code, then hand commented the code/ converted to high level. That's a shedload of work, and if his finished project interoperates with Skype, then it's a very impressive piece of work.
Given a binary executable, you could generate some Source Code which, when compiled, would produce an identical binary.
Sure, that probably wouldn't be the same as the original Source Code -- maybe not even in the same language, even -- as a natural consequence of the many-to-one mapping from source code to binaries. But the important thing is, it would compile to produce an identical binary.
Since many compilers convert the source code, say for a for-loop, into machine code in only a few ways, one can often recognize the source idiom from the disassembly. Possibly at a higher level, one could write a program to recognize strings of machine code that correspond to the source code keywords/control structures.
Any optimization, that say removes code out of a loop*, would still leave the loop to be recognized.
* an empty for-loop can be replaced with code to set the loop variable to its final value
> "he de-compiled the binary back into source code"
> That's not technically possible, nor will it ever be.
...you go on to talk about dissassemblers...
These tools/techniques have been around for a long time and are suprisingly effective with some less strippy languages such as java. Of course, getting the original source code back is nigh on impossible (think, breaking an egg and then trying to put it back together) but this doesnt mean you cannot get effective code that works in the same way - modelling the broken pieces of said egg and producing your own model that whilst similar in function and design is not the original...
Skype has had some pretty good protections built into the code from what i hear, to stop exactly this kind of analysis. So well done. And, its about time :)
I'd highly doubt it, otherwise you could rip every technology off, ever made; for example, I've removed the DRM from my XBOX / PS3 / MAC so I can run the code on a x86 machine.
Also there is a very good change it will infringe on a shit load of patents (compression and encryption of RTP streams for example).
The letter from the lawyers is in the post.
"Also there is a very good change it will infringe on a shit load of patents (compression and encryption of RTP streams for example)."
IANAL but I don't think that would matter in the EU as software isn't covered and as your examples are effectively mathematical algorithms I'm not entirely sure they can be patented either.
Yes, but M$ still has the cash and lawyers to bury you so deep in lawsuits that even should you mount a defence, you will be broke long before you get the cases dismissed. And they can afford to send threatening legal letters to any hoster that would float your notSkype service, killing your network. And the PR machine to mount a campaign making out your notSkype is really a security risk, a way to introduce trojans and other nasties to regular Skype users, and only used by paedophiles/terrorists/<insert unwanted-types-of-the-week here>. Meanwhile, they have more than enough coders to add a small tweak to the Skype code which will leave your notSkype users unable to connect to proper Skype.
Never underestimate the ability of lots of cash.
He posted it as a torrent. So if there's demand, no amount of money threatening ISPs will shut down distribution of it. And remember that Skype is a P2P protocol. ISPs are not required to 'host' anything.
On the other hand, I agree that a small protocol change could quickly make this moot for a while. Assuming there's anything in this release even worth defeating.
Yet it does appear that a game of cat and mouse has begun. My guess is that the well known duplicity of Skype's founders will ensure that open source Skype protocol does leak out.
Never assume that legal money entirely trumps the will of skilled, motivated individuals fighting an asymmetric war. Sony may have learned that lesson recently.
"I'd highly doubt it, otherwise you could rip every technology off, ever made"
There's a distinction between inter-operability and cloning. In this case, one side would claim that the reverse engineering permitted inter-operability with Skype's network and the other side would claim that it cloned Skype's client software.
"Bushmanov would at the very least have to demonstrate that he worked without a copy of the software to hand"
Doesn't he just need to prove that he didn't have a copy of the original source code nor worked on one in a previous life?
What's the point of reverse engineering if you don't have a copy that you can compare against?
The rules change depending on where one is. I think the rules in the article are for the USA and don't apply to the EU. Anyone know what the EU rules are? Can the article be updated with the EU rules?
If he did all this legally, I hope MS do respond and I hope they get told where to shove their complaint.
"If he did all this legally, I hope MS do respond and I hope they get told where to shove their complaint."
When the messenger wars were on, and everyone was trying to make a messanger client that worked with the others, MS just changed the protocol each week and forced you to download the new version; cutting off the others (although they then added automatic downloading and executing files which got me off that treadmill very fast!)
However this time there are a few people or forked out for Skype hardware, and I'm not sure if they can be updated as easily.
It just looks like this guy downoaded Skype binaries decrypted by some security research company, run (apparently pirated versions of) IDA and hex-rays decompiler on them and posted the results online without much input from himself.
Looks like his idea of getting 5 mins of fame worked, but this doesn't show any particular skill on his part, except ability to search for bootleg copies of expensive software.
"It’s hard to replicate perfectly the behaviour of any software under completely clean-room conditions, and probably even harder to prove that such conditions existed."
If that were the case then I would have expected the developers of Samba to have been beaten in the court case of a few years ago. Andrew Tridgell and his co-workers seem to have avoided all such unpleasantness when they reverse engineered SMB and actually produced a better implementation of the protocol.
Not having seen Bushmanov's work I would not like to say how he did it, but it was possibly not done illegally.
I believe it may be illegal in the USA, but pretty much everywhere else specifically states that it is totally legal and a license agreement can not prevent that (for example the UK). In fact I believe that some (germany?) actually go as far as to state that it is illegal to try to place such restrictions in the license agreements in the first place (obviously not really enforced).
Skype problems seem to be growing. In the UK since 2nd June the Skype online numbers have stopped working ( http://heartbeat.skype.com/2011/06/problems_calling_to_online_num.html )
So small businesses who have bought a phone number via Skype can expect a quiet time.
As usual the the usual meaningless "we are working hard" estimated fix time.
I think it was Phoenix who first rev. engd. IBM BIOS.
They had 2 sets off geeks (as it were) in 2 separate rooms. One lot shouted out (so to speak) what the BIOS did, step by step, and the other lot wrote NEW code to emulate.
If they had been unfortunate to write, by coincidence, the same code, the judge would never have believed that it was innocent.
Who care? Skype is far from being the only internet phone/video protocol. It isn't even the first company to produce a net-to-phone system (remember Net2Phone?). It just seems to be the most successful commercial venture in that space, whereas its competitors failed.
So why do I care about a reverse-engineered Skype protocol? There are plenty of open-source VOIP protocols I can use if I want one.
All he needs to do is release it with a licence that prohibits use where it's illegal, such as the US, if MS object.
They'll probably turn a blind eye to it because as far as I know, to use Skype to call out, you have to give them money, and I doubt if that can be bypassed. If they've just relieved themselves of the need to maintain the Linux version they'll be happy, and can continue with the Windows development with a few crumbs to the Mac crowd.
In the 1970 we had to do a lot of that from machine code to assembly.
Tedious but not difficult. Why because it was part of the job so you do not fuck around with words like difficult.
The ability to read machine code as your native language is not considered important to day, I suppose only real hakkers are good at it.
The idea that you can hide something bye releasing only the binary is silly, it is all there to be read if you have the time, ability and interest to do it.
Of course, to day, the size of the pie is much much larger than long ago, but the again there is perhaps more money for that to day too.
Anybody around who understand this 2,10 0.7.15 or 3.05 0.2.7
AMD had to do a real clean room implementation for the machine code in the Intel "clones" but they did it in no time and using only one programmer. It is all in the "Inside Intel" book.
All the legal stuff, and how the wind blows to day in each different country, is of course an other question.
Did you have no dissassembler in the 1970s ?. One of the first 'big' FORTH programs I wrote was a 6809 dissassembler which only took about 8K od source code including ~ 4K of data table. Given that the 6809 had anything up to ~6000 op codes ( it had multi-byte op codes for some addressing modes before anyone asks ) depending on how you looked at it I thought that was quite neat. Mind it ran a tad slowly but served it's purpose.
One of the big arguments against relying on proprietary encryption algorithms and software has always been the lack of peer review. Do I trust these people to not have screwed up and left a hole you could drive a bus through?
I've long been of the belief that, no matter how good at something I think I am, that there is always someone out there that is better. I have screwed up in the past and I will do so again. I also believe that the less people that check my work, the less chance there is that someone will say "Hang on a minute..." This is why I believe small, closed teams to be a bad thing.
I guess this is where we will find out just how good (or bad) Skype's security is and whether it has any obvious back doors or weaknesses engineered into it.
Phoronix quotes a PR representative for Skype:
"This unauthorized use of our application for malicious activities like spamming/phishing infringes on Skype's intellectual property. We are taking all necessary steps to prevent/defeat nefarious attempts to subvert Skype's experience. Skype takes its users' safety and security seriously and we work tirelessly to ensure each individual has the best possible experience."
At one time, reverse engineering was a proud and sensible tradition in the US, but starting in the 1980s, Japanese giants began suing small companies for the practice, not winning in court but driving little 1 or 2 man firms out of business.
Shutting down reverse engineering stifles competition and open standards. If this trend continues, small independent companies won't be able to make radiator caps.
Biting the hand that feeds IT © 1998–2019