Few words on Skype

I've always thought that whenever you distribute software or a service that does not need a central server that is under your control, people will always find ways to break that software or service for various reasons - to use it for free (think of Windows), use it for prohibited in the EULA purposes ( A good example would be ripping a movie or an Audio CD and distributing the ripped content).

I've always thought that even when having a central server but distributing clients (client applications) to the users would be hard to enforce the policy you want - ICQ guys (Mirabillis, now AOL if I'm not mistaken) would like you to use the official ICQ client because they sell ads (ads are shown in message windows), but I'm not using the official client and many others aren't.

So the perfect solution (in my opinion) would be to sell an online service - like what google is doing - search, gmail, ads, picasaweb, calendar, reader, gtalk are only a few that I'm using (without the ads). There are offline/thick client applications that google has, no doubt, but the majority is online with a thin client (browser).

Well guess what, there are companies that have a business with an offline client (thick client) that are doing their best to avoid all these problems.

All the other popular (and maybe unpopular) messenger networks have their protocol studied and many free and not so free clients written (trillian, pidgin, qip....., even online: meebo....). All of them, icq, gtalk, hotmail, yahoo, ... except for one - Skype.

Think, why is there no other client for the Skype network? Not even for chatting. There is no other that I know of. And I've searched.

Here's an article that explains why:
http://www.secdev.org/conf/skype_BHEU06.handout.pdf

It is kind of freaky - these guys have made everything they can think of to make it as hard as possible to reverse engineer the client, the protocol, the whole idea.

Skype is amazingly hard to debug and investigate - it has parts of it's code  compiled at runtime, it checks timestamps to see if there's a breakpoint. It calculates pointers at runtime to avoid debuggers. It has bogus code inserted, some code encrypted, all is really well obfuscated.

It's the same with the protocol - encrypted, hard to detect, hard to stop/filter by an administrator.

Even freakier - they have skype clients acting like proxies or routers for other clients - your client may be one. There are 20 000 worldwide.

The author says there is no antivirus that could detect a virus or a trojan if there was one. Skype client is the perfect blackbox - freaky.

They can read what ever they want from your machine and transmit it back to their servers and since the protocol is unreadable nobody would know.

Skype guys did a good job at protecting their business, but they created something far more capable that could be used for far more (how to characterize it) undocumented and unwilling-by-the-user things.

Leave a Reply

Your email address will not be published.

Notify me of followup comments via e-mail. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.