Skype Protocol Has Been Cracked

nsrCZ writes "The Skype core protocol has been reverse-engineered by a Chinese company. The interesting thing is, that although the protocol is closed, it is not patented and thus it is not against the law to crack it. If it's true, then it could affect the whole eBay/Skype business in many ways, including that they might not get their piece of the emerging Chinese cake." From the article: "By cracking the Skype protocol, the company claims it can also block Skype voice traffic, Paglee said. 'They could literally turn the lights off on Skype in China very, very quickly,' said Paglee, who is also a lawyer and engineer, speaking from California on Friday. The company could transfer the technology to the Chinese government, which has continually sought ways to tighten its filtering and control over the Internet. So far, the company doesn't have any plans to market its blocking capabilities, Paglee said."

Net Neutrality

[hansamurai]

They could sell it to US Telco companies and make a little profit too.

Why would a protocol be closed anyway?

[otis wildflower]

I mean in this day and age, depending on the secrecy of a closed protocol running on top of an open network for a business model seems pretty... dumb... Though obviously they are also trying to do services (like SkypeOut) which make much more sense, what is the value in having a proprietary protocol, when something like SIP (maybe an updated version that supports P2P negotiation) is out there? I mean it's not like the OSS world is playing catch-up this time (like, say, Jabber is compared to AIM's installed and active user base)..

Just curious...

Isn't that sweet?

[botzi]

"Even if it was possible to do this, the software code would lack the feature set and reliability of Skype,"

Don't you just love when people speak with certainties about yet unreleased things? Sure, it may well lack it for about 24 days. Then what happens? I'm not convinced that people would base stand alone software on that protocole anyway. More likely soe SIP clients would implement the protocole as an add on.

If it were patented

[mocm]

they couldn't make it closed. That is the purpose of patents.

Blocking

[slashkitty]

Do you really have to "crack" the protocol to block the traffic? Were their packets that well disguised?

Re:Does it really matter?

[Anonymous Coward]

i totally agree - i see this on our network with ntop -with all sorts of weird people (wanadoo, universities, etc.) connected to a local user on weird ports doing as you say, 'who knows what ...' -i wouldn't be surprised if it's being used to distribute SPAM sending bots, hidden proxies, bandwidth theft, bit torrents, spyware, etc.

link to info on skype protocol

[throwaway18]

Lots of info on how skype works, including that the people who run skype could evesdrop on conversations, the possibility of using skype to relay non skype traffic and an overflow security hole (hopfully now fixed) were revealed four months ago.

Silver needle in the Skype at Blackhat Europe [secdev.org]

No one should use Skype anyway

[Bromskloss]

Good point in the FAQ of standards based (H.323, SIP) communications program (text, audio, video) Ekiga:

Ekiga is not compatible with Skype and will never be as long as their protocol will stay proprietary. We do not think using closed protocols for communications is a good thing.

The Skype's the Limit

[Doc Ruby]

A real patent of Skype's protocol (if a protocol patent could be considered "real") would have published all the details, precisely to protect by law what Skype instead protects by secrecy.

Of course China's mafia government would have found ways to to protect their local "infringers" if it gave them control over Skype's important telecom traffic.

An open protocol using open software from more than a single (point of failure) source is a lot more reliable in the face of large scale attackers, like a government. SIP and IAX are safer.

Re:Open Source?

[spyrochaete]

If Skype was open source would they have had the leverage to enable free calls within North America until the end of this year? Even if so, is it wise or ethical to make such a powerful technology open source? There is potential for abuse when you open up any technology, but I think the subject gets even touchier when it's a free gateway to technology everyone in the continent uses (PSTN).

Patent != secrets!

[headqtrs]

You cannot keep a protocol secret if you patent it because in the patent you have to document everything. This concept does not seem to be clear to the writer of the article.

Re:I'd assumed they'd done this already.

[Anonymous Coward]

yes they are already blocking http://anonet.org/ [anonet.org] and all of its subdomains but intermitantly, its a great tool, i just hope the chinese doesn't block VPN's next! for those in china, use tor to access the site, same goes for those in the _peoples republic of amerika, franKe, germEny oh and soon engFand.

Re:Patent != secrets!

[Andy Dodd]

Yeah. In the case of Skype, legality of reverse engineering the protocol would depend on the EULA of the software being reverse engineered.

I'm sure Skype's EULA forbids reverse engineering the protocol, thus Skype has legal grounds to sue whoever reverse engineers the protocol for violating the license agreement.

Re:Innovation

[Jeremy Erwin]

Perhaps I'm being unrealistically naive, but the original concept of the patent system was "full disclosure for protection". During the patent term, manufacturers would have to obtain a license to duplicate the patented object, but after those 17 years were up, no assistance (engineering or otherwise_ from the original inventor would have been necessary-- because the invention had been fully disclosed.

If skype had patented its system, it would have had to disclose elements of its protocols which would make it quite easy for any espionage shop to infiltrate, route around or otherwise frustrate.

Consider, for instance, a lock manufacturer. Their cylinders are described in exquisite detail in their patents. A person skilled in the art of lock-picking might find their patents to be of particular interest. But if the lock incorporates security mechanisms which defeat all potential attacks, it doesn't matter if they are disclosed.

However, if the companies key manufacturing division and distribution network are infiltrated, then a duplicate key can probably be manufactured with a modicum of difficulty. That's why such practices are not disclosed in the patent, and are usually subject to "trade secret" regulations.

P.S. I'm not so sure that the NSA and CIA let IP laws get in the way of espionage.

Re:link to info on skype protocol

[numatrix]

Mod parent up!

1) Almost all (if not every bit) of this is not new information, it was already broken in the above referenced article.

2) Blocking the traffic was already described in the article, all the Chinese government had to do was read the paper some time ago instead of waiting for these schmucks to "discover" it.

3) If you read the paper you'll see how much work Skype goes through to make it hard to dissassemble their code and protocols. I'm sure if blocking in China becomes an issue they'll have the same smart people who did it the first time further obfuscate things (of course, for all the same reasons I'm not a fan of the Skype software to begin with, but that's another story).

Re:Innovation

[f0rtytw0]

oh if only I could mod you up

Reverse engineering

[wiredlogic]

Reverse engineering is always legal. The only question is whether you have the right to do anything with the results of such activity. You can only infringe a patent directly if you engage in the commercial sale of products using patented technology.

You can be found guilty of contributory infringement if you publish detailed information about how to go about infringing a patent. This is a shady area though, since the patent itself already describes the technology in question so it boils down to an evaluation of the individual's intent.

Re:It could indeed.

[regen]

The interesting thing is since skype uses encryption and encryption use by private citizens is illegal in China, just using skype could get you arrested. But then again, if the Chinese government wants to arrest a citizen in China they just do it and can find (or make up) a reason for the arrest afterwards.

Re:Interoperability

[Oliver Defacszio]

Skype, much like DVDs prior to CSS getting cracked, wasn't useful.

Hear that, everyone?

If you're one of the millions who found a ton of value in Skype before it was cracked, you were very, very wrong, because this anonymous Internet jackass has said so. No matter how valuable you think Skype was before, it really wasn't.

You know all the money you saved on long distance calling since Skype dropped the fees behind North American calls? That didn't happen either.

But, as you'll guess, now Skype will become useful, as it will become interoperable with some piece of garbage OSS code that will be orphaned within five seconds of its Alpha version being released. Now that's value.

Re:link to info on skype protocol

[throwaway18]

Almost forgot, An analysis of the skype protocol from 2004 [arxiv.org]

Re:Tapping

[Antique Geekmeister]

I agree with you. Skype, due to its central corporate authentication of the RSA keys for customers, is ripe for law-enforcement mandated man-in-the-middle attacks. Without publising their protocol and any safeguards they've embedded in it, such as a public RSA key repository similar to those used by many GPG users, it's technologically easy for them to authenticate a centralized key upon request for NSA, CIA, FBI, or my aunt-Matilda-if-she-asks-them-nicely tap in the center of any conversation connection.

For all such transactions, whether they are SSL, SSH, or some proprietary technology like Skype, you have to trust the site that holds the server keys or the people that write the software not to embed backdoors or fake keys to allow tapping. There are even technical reasons to permit such forgery: web-proxies for high-availability banking transactions, for example, may want to have their SSL keys multi-hosted. I've sat in on discussions about exactly that sort of approach and its security consequences.

Anyone who assumes that Skype conversations is immune from a legal wiretap order or even an unconstitutional Patriot Act order that Skype dare not publish due to the Patriot Act's nature is engaging in wishful thinking. If you want real end-to-end encryption, you have to have personal control of the key exchange. In fact, that's how PGPphone used to work, if you can still lay your hands on a copy of it. It just never got broadly enough deployed, or provided the convenience and computer->cheap telephone call services that Skype provides.

Re:Innovation

[babbling]

Why should Skype have patented this, and how does this negatively affect Skype?

Skype don't get their money from people installing their client, they get their money from people paying for the extra services like SkypeOut, SkypeIn, and so on. They should regard maintaining the Skype clients as an unwanted hassle. What they really want is as many people as possible connecting to their servers and using the extra services. This is separate from the protocol.

If I was an executive at Skype, I would view this as a good thing for the company. It's only going to result in more users. It's strange that Skype didn't voluntarily open up their protocol earlier!

Re:Wouldn't it depend on perspective?

[DerekLyons]

The interesting thing is, that although the protocol is closed, it is not patented and thus it is not against the law to crack it.

I'm sure Skype's lawyers might see this differently.

Skype's lawyers can see it however they want - but in this instance, they have no legal leg to stand on. It's not illegal to replicate something protected as a trade secret. (It *is* illegal to steal or 'borrow' it, or to hire employees from a rival to 'work on your own _x_'.)

PGP Phone

[Civil_Disobedient]

In fact, that's how PGPphone used to work, if you can still lay your hands on a copy of it.

Oh, I'm sure you can find it floating around somewhere [slashdot.org].

Re:Innovation

[saleenS281]

So exactly where has China innovated?

Automobiles they have "chery" whose entire line-up are shoddy copies [paultan.org] of cars already produced by other manufacturers.

We have Huawei, who has literally stolen Cisco's router code [microscope.co.uk] to make a "competing product".

And then we have their military who happened to... yes steal [theepochtimes.com] their designs as well (at least the stuff they didn't just purchase from Russia and reverse engineer).

So exactly what are these innovations taking place in China you wanted to defend?

BTW, there's PLENTY more examples to prove how they don't innovate at all, just steal/reverse engineer/copy others if you need them.

Re:Innovation

[init100]

And bearing in mind that the current administration has declared that treaties it has willfully signed are not binding upon it, as that violates American legal sovereignity.

This is interesting, especially since the Bush administration recently pressured the Swedish government to close down The Pirate Bay, referring to American copyrights. According to the Swedish national television, the US threatened with WTO sanctions if we do not adhere to signed treaties. Looks like hypocrisy to me.

Not that I care about The Pirate Bay (apart from their legal [thepiratebay.org] page), I do care about hypocrisy in politics though.

Re:Innovation

[tomstdenis]

Yeah, well you have to look at the audience... You got mostly white males in the ages of 16-24. They think they know everything about anything and therefore can easily feel comfortable shooting off about entire peoples they have never met. The fact that they're american doesn't help either :-)

On the flipside some of the stereotypes and comments are well deserved. I mean, read comp.lang.c for a week. You'll get a lot of "I have to write this program and I don't have the first damn clue" types of posts, amazingly enough mostly from India. Look at phishing stats, they're mostly organized by people in Eastern block countries. That's not conjecture or hyperbole that's the truth. China does have a track record for more than just reverse engineering. Classic IP violations are more common than in other nations [although I wouldn't say it's epidemic like some people suggest].

So like all nonsense there is some element of truth to it.

Tom

Re:Blocking

[jroysdon]

However, this makes the assumption that all someone is doing is voice. If you looked at my ssh tunnels over tcp/443, it has everything I'm doing going through it (essentially like a VPN), and it is all to the same remote box that proxies what I do.

I don't think NARUS can tell when voice calls start and stop if I'm running remote Terminal Services (RDP and/or Citrix), other VPNs to other customers (within the SSH), web traffic, email, steaming music (last.fm [www.last.fm]. While I'm very unique, and what I do is unique, I don't think TS and/or steaming music is unique. My workflow involves constant open VPNs with SSH and/or telnet and/or RDP. With it all run over a single SSH over TCP/443, there is no way to break down what is going on by traffic signatures, unless I do nothing but the voice call. However, I always have debugs and remote desktop running in the background coming in.

I think a NARUS box only works if it can see where the traffic is really going to. Since I proxy/tunnel all my traffic to a host I have on a DS3, it would be totally blind without being able to see what traffic is coming out of that host (which has tunnels of many of my users coming out).