topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Tuesday March 19, 2024, 6:57 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Skype users: beware (silver needle in the skype)  (Read 26328 times)

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Skype users: beware (silver needle in the skype)
« on: May 15, 2006, 06:43 AM »
Finally, some skilled people have taken the time to disassemble SKYPE - quite a task, since it's heavily obfuscated and encrypted.

The PDF is an interesting read, but for normal users the most interesting point is that it quite seems like Skype is exploitable for arbitrary code execution. This means: DANGER WILL ROBINSON!

EDIT 2013-Jan-25: added "(silver needle in the skype)" to thread title so it's more searchable.
- carpe noctem
« Last Edit: January 25, 2013, 11:49 AM by f0dder »

zridling

  • Friend of the Site
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 3,299
    • View Profile
    • Donate to Member
Re: Skype users: beware
« Reply #1 on: May 15, 2006, 05:07 PM »
I had an odd thing happen this past week. I have 20 Euros on my account and when I went to top up, Skype told me I had too much and would have to use it all until I could top-up again. Turns out they are making all US/Canada out calls free for the rest of the year. Woohoo!
« Last Edit: May 15, 2006, 05:47 PM by zridling »

Cpilot

  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 293
    • View Profile
    • Bite Notes
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #2 on: May 15, 2006, 06:41 PM »
When I first looked at this, what came to my mind was whether these "skilled people" had permission from Skype to dissassemble it.
Skype End User License Agreement

Article 2 License and Restrictions
2.3 No Modifications. You will not undertake, cause, permit or authorize the modification, creation of derivative works, translation, reverse engineering, decompiling, disassembling or hacking of the Skype Software or any part thereof.
If not then it is a clear violation of the EULA.
The next thing to consider is if there is any exposure to any site that links to the end product of an obvious violation of the license as set forth on the above page?


Tekzel

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 228
    • View Profile
    • Donate to Member
Re: Skype users: beware
« Reply #3 on: May 15, 2006, 06:54 PM »
That is a pretty common clause in just about every EULA these days, and I have to wonder if it is even legal?  I thought it was legal to reverse engineer software for compatibility, at least I think it used to be, but then these days (with the DMCA and such) who knows.

Cpilot

  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 293
    • View Profile
    • Bite Notes
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #4 on: May 16, 2006, 01:25 AM »
That is a pretty common clause in just about every EULA these days, and I have to wonder if it is even legal?  I thought it was legal to reverse engineer software for compatibility, at least I think it used to be, but then these days (with the DMCA and such) who knows.
-Tetzel
Oh I see :-\
Then it's perfectly alright to violate someones rights to their intellectual property because your not sure it's legal?
For the record in the U.S. it is a felony to reverse engineer a patented or copyrighted piece of software without permission.
On a moral note, who designated these little pieces of crap as the software police?
And why is it alright to violate someones property? That's what Skype is, someone else's property.
These clowns have no more right to to do this than a burglar has the right to break into your home.


f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #5 on: May 16, 2006, 04:55 AM »
Cpilot, I think you're missing the bigger picture here.

Malicious people will try to break into any software they can, permission or not, for malicious deeds. This could be for installing botnets that can be used for DDoS and spamming, it could be to empty your account, or whatever. Even if it was just to pop up a note every 3 hours saying "you should take a rest", I doubt you'd like any unauthorized software installed on your machine. And obviously, these bad guys don't care about the law.

Without people doing disclosure, public or not, a bad guy could have a botnet with five hundred thousand zombies without anybody knowing. This would be *bad*, considering that skype is used in all kinds of places, and some with a lot of bandwidth. Lots of bandwidth and *very* wide distribution would make it *very* hard to stop an attack... I assume that even if your own machine wasn't affected, you wouldn't be too happy if the root DNS servers of the internet were taken down.

If you bother to look through the PDF, you will realize that it contains enough information to show that there are serious security holes, but there's nothing that can be copy-and-pasted to make an exploit. Thus, no kiddie attack waves.

I think this disclosure is good, but I think it would have been better to give Skype a month to fix the bugs and migrate users before releasing. As it is now, Skype will be battling the clock to get a fix out before somebody does something terrible. I'm glad I don't personally run Skype.

Even if there wasn't any exploit, I think the analysis is an interesting read - if you're a network administrator, knowing that Skype "steals" your bandwidth, generates random traffic, and tries to overcome firewalls is good knowledge.

PS: many EULAs contain statements that are conflicting with existing law, and you also have to realize that American law does not cover the entire globe, whether you like it or not.
- carpe noctem

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #6 on: May 16, 2006, 05:02 AM »
very well said f0dder, i would associate myself with your comments.

jgpaiva

  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 4,727
    • View Profile
    • Donate to Member
Re: Skype users: beware
« Reply #7 on: May 16, 2006, 07:06 AM »
Thank you very much for the heads up and enlightning, f0dder!
IMO, it's important for people to know this kind of stuff.
Though, i do recognize that skype has reasons not to allow their code to be cracked.
But if their code is not good, they really should correct it.
The best thing to do would be just what f0dder mentioned, inform skype about the vulnerability, and give them a dead line to fix it.

Cpilot

  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 293
    • View Profile
    • Bite Notes
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #8 on: May 16, 2006, 11:12 PM »
very well said f0dder, i would associate myself with your comments.
-mouser
If you feel that way then I would consider this, if I were a shareware author and were approached by a site and forum to donate a few copies of my product or offer a discount to the users of said site, who then after perusing such found posts by someone who criminally pointed people to a URL that contained hacked information. Possibly even of my own software, then I would definitely reconsider offering anything to said site.
Allowing these types of postings is basically tacit approval by donationcoder of hacking and cracking of software.

I would therefore think that donationcoder should place a disclaimer on the site warning people that hacking and cracking of their code is encouraged and approved by the administration and not to expect users to honor their EULA.

I should think this to be only fair.

As far as fodders "reasons". :harhar:
They're B.S.
There are already tools out there to test applications for bandwidth usage and memory leaks etc. without ripping someones code apart in violation of the EULA.
Also under U.S. law the infraction is committed by using a U.S. server to link to the criminal activity.
Vandals are vandels irregardless of their "higher" intentions. A crime is a crime.
He like a few others believe that they can do as they please with other peoples property.
« Last Edit: May 17, 2006, 12:18 AM by Cpilot »

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Skype users: beware
« Reply #9 on: May 17, 2006, 03:43 AM »
Personally I think intellectual rights should be respected for all developers and certainly hacking for illegal or purely selfish motives is wrong.

However there is a very big BUT ...

Without third parties looking at code and background activities of applications Virus, Trojan and other kinds of malware would go completely unchecked. Almost all security issues are discovered by people monitoring things that software companies would probably prefer that they didn't - and most of this monitoring goes on in direct contradiction of EULAs.

As a simple example ... how many security holes in Windows and Internet Explorer would have been found if people hadn't been hacking about? Microsoft specifically deprecate hacking their code in their EULAs and I'm sure they would prefer not to have people embarassing them that they have found yet another 30 issues this week - but who benefits from this behaviour.

The logical extension is that if a virus writer applies copyright to his code (and writes it in the US) then provided he is not stealing or doing something positively illegal then no one should have any form of redress ???

While the bad guys are hacking around I think it is absoultely necessary that the good guys should also be hacking about.

This is really the strongest argument for open source across the board (not that it will happen).

brotherS

  • Master of Good Ideas
  • Honorary Member
  • Joined in 2005
  • **
  • Posts: 2,260
    • View Profile
    • Donate to Member
Re: Skype users: beware
« Reply #10 on: May 17, 2006, 04:18 AM »
[...]
I should think this to be only fair.

As far as fodders "reasons". :harhar:
They're B.S.

[...]

Also under U.S. law [...] A crime is a crime.
You don't need to be rude just because you can't agree with f0dder here...

Regarding U.S. laws: maybe you've heard that they are a few countries on the same planet that don't share all of the U.S. opinions. And even in the U.S. there are legal entities that test all kinds of products to protect customers. They don't only look at the products or use them, they often disassemble them to look at the core of things.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #11 on: May 17, 2006, 04:23 AM »
There are already tools out there to test applications for bandwidth usage and memory leaks etc. without ripping someones code apart in violation of the EULA.
Sorry, but you don't really have a clue what the PDF I linked to was about, do you? Checking *just* the bandwidth usage (amount of bytes/second transferred) as well as unmatched allocations/deallocations can be done trivially, yes. But this is NOT what this is about.

This is about detecting whether Skype is trojanizing your system, exactly what information it is relaying when it should be idle, and getting buffer overflows fixed so that evil people can't zombify your machine. To do this, sorry to break your illusions, Reverse Engineering has to be applied.

You should really be thankful that it's the good guys that found out this information first, before the bad guys were able to trojanize all the Skype clients in the world.

And do realize that the PDF has nothing to do with "Hacking" or "Cracking". It doesn't remove any copy protection or license scheme (because Skype doesn't have any). It's Reverse Engineering, and it has uncovered a very grave problem with the Skype software. I don't think you realize just how bad those flaws are.

He like a few others believe that they can do as they please with other peoples property.
Not really. But I do believe that somebody has to make sure the software companies aren't pulling dirty tricks behind our backs, and I think it's nice that there's white/grey-hat security analysts rather than just the virus/malware fringe who reverse engineer. Otherwise you'd be victimized a lot more often by the spammers and scammers... there will always be bad people trying to attack any piece of software they can, simply because they can profit from it. Software companies don't have the time and motivation to go through their entire million-lines of sourcecode, but you can bet your ass that some hacker in russia or china will.

I still think it's wrong that the PDF was disclosed before SKype had been notified and given due time to fix their bugs. A more tactful approach would have been posting "Skype users beware: you are highly exploitable. Skype has been notified, and in 30 days we will do full disclosure."

PS: US-based security companies reverse engineer code all the time too, regardless of the DMCA. They have to.
- carpe noctem

Cpilot

  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 293
    • View Profile
    • Bite Notes
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #12 on: May 17, 2006, 07:54 AM »
f0dder,
I am truly not interested in convincing you of my position, it's wasted effort.
Sorry, but you don't really have a clue what the PDF I linked to was about, do you?
Again I could really care less what you believe my understanding of the pdf is.
My position is that the unauthorized hacking of someone else's software/property is theft. Theft is theft, no matter what country your in. Apparently you have no concept of this and have been practicing your rationalizations for a long time.

You don't need to be rude just because you can't agree with f0dder here...
I find this one almost too funny for words. You got someone linking to pirated, illegally obtained information and your worried about who's being rude?
 :wallbash:

While the bad guys are hacking around I think it is absolutely necessary that the good guys should also be hacking about.
And who determines who are the good guys and bad guys?
If it's such a boon then how come we don't see websites with "Hack my code please"? Instead of EULA's that specifically prohibit this sort of stuff.

The bottom line is this, how realistic do think it is that a shareware author would care to participate with a group of people who feel that a EULA don't mean anything? Who have no respect for their property?




Gothi[c]

  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 873
    • View Profile
    • linkerror
    • Donate to Member
Re: Skype users: beware
« Reply #13 on: May 17, 2006, 07:57 AM »
Thanks for the info, f0dder!

lol, cpilot. so you think that everyone should just cover their eyes and plug their ears and be good citicens and obey the nice totalitarian policestate law until some terrorist finds the bug exploits it :D

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: Skype users: beware
« Reply #14 on: May 17, 2006, 08:15 AM »
While the bad guys are hacking around I think it is absolutely necessary that the good guys should also be hacking about.

And who determines who are the good guys and bad guys?
If it's such a boon then how come we don't see websites with "Hack my code please"? Instead of EULA's that specifically prohibit this sort of stuff.

The bottom line is this, how realistic do think it is that a shareware author would care to participate with a group of people who feel that a EULA don't mean anything? Who have no respect for their property?

To me this is a bit of a no brainer:

Bad guys - people who write Trojans/Viruses etc. to steal from users, hijack their computers for various reasons including spamming the world at your expense, people who steal identities, credit card details etc., people who do malicious damage for the fun of it

Good guys - people who try to find some of the flaws in software to stop the bad guys doing what they are doing.

No one on this forum is suggesting that software should be ripped off in anyway - in fact if you read the comments of others in this thread in other parts of the forum you will read many items arguing precisely the opposite.

Yes US law says you can't reverse engineer copyright material - but we live in a real world where reverse engineering takes place, and not everyone is American. If only the bad guys do it we will be in real trouble.

I presume your computer does not run behind a firewall (that could break some EULAs), you don't run AntiVirus software, AnitTrojan software or any AntiSpyware products because they all break EULA conditions either during production, everyday producing updates or when they are actually running on your system.

Finally do you actually read EULAs? If you took them all seriously you would never install a piece of software on your computer (including but not limited to the operating system). Windows EULA explicitly gives Microsoft the right to do practically anything to your system without your knowledge or permission - can anyone really take such a thing seriously? I have even seen EULAs that specifically remove your right to uninstall the software or block its access to the internet !!!
« Last Edit: May 17, 2006, 08:19 AM by Carol Haynes »

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #15 on: May 17, 2006, 09:39 AM »
My position is that the unauthorized hacking of someone else's software/property is theft. Theft is theft, no matter what country your in.
If the reverse engineering (not hacking - hacking means breaking into websites) is done to "register" software in an unauthorized way or to steal trade secrets, I agree with you. That's not what's being done in this case, though.

Apparently you have no concept of this and have been practicing your rationalizations for a long time.
Whose sh** are you buying into? Let me guess, Guru H****?

I wish everybody trusted Big Brother as much as you do, we'd have a nice totalitarian Orwellian society  :-*
- carpe noctem

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
    • View Profile
    • Donate to Member
Re: Skype users: beware
« Reply #16 on: May 17, 2006, 09:40 AM »

The logical extension is that if a virus writer applies copyright to his code (and writes it in the US) then provided he is not stealing or doing something positively illegal then no one should have any form of redress ???
-Carol Haynes (May 17, 2006, 03:43 AM)

Technically, they are covered by copyright automatically in the US even if they don't register or provide a copyright notice of any sort. As soon as it is offered to the public they are automatically covered until 70 years after their death.

Under current law, works are covered whether or not a copyright notice is attached and whether or not the work is registered.
-http://www.law.cornell.edu/wex/index.php/Copyright

EULA is a double edged sword. In some cases you are damned if you do and damned if you don't violate it.

I have been heavily involved rather recently with an issue pertaining to reverse engineering someone else's abandoned software in an effort to save a huge online chat community with millions of users from extinction.

They relied upon said software in order to build & run this community. Some have suggested reversing the software and modding it to keep it working. We decided against this approach and would rather create our own software as a replacement, even though it would be much easier to modify the original .exe. Unfortunately, most of the research into the protocols used by said software was done by those that have reversed parts of it. This is a sticky situation for the developers on the new client/server and we have had to toss out any valuable information gained by the work of reversers.

Our temporary solution is to replace/modify a file on the user's pc that isn't covered by any type of copyright in order to keep the original, unmodified software working...the system's hosts file. I was even the one that had to do the research to find out if it was legal to remove Microsoft's copyright notice from a Windows hosts file, for the creation of the first hosts patch installer. (it is if you are replacing the original file with a *nix hosts file, which is the same file without the copyright notice)

We are very serious about not violating the EULA in this case, as we will most likely end up getting sued by the RIAA any way for keeping a chat community, similar to what is found on IRC, alive. All we want is the ability to gather and express our rights to free speech in the manner in which we have become accustomed to doing so, which unfortunately is with a proprietary protocol. If we violate some EULA in the process, we will surely lose and end up being sued by more than one party, namely the original developers of the software and the RIAA, and all our work will have been in vain. (it's a P2P application)

What makes things even harder is the fact that the original developer wasn't very good with issuing patches to correct flaws and exploits that were discovered, back before he abandoned the whole thing.
We have had to create our own patches all along to protect ourselves and our chat community and those that don't even run or have ever even heard of the software. And some of them were rather nasty flaws that could be easily exploited to take over the pc's of millions users in one shot and run any code you choose.

Patching the flaws ourselves could be considered a breech of the EULA, if you really stop & think about it...but think of what could have happened if we didn't. We could have ended up with a few million zombie pc's attacking everyone and spreading malware, spam, etc.

Cpilot

  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 293
    • View Profile
    • Bite Notes
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #17 on: May 17, 2006, 10:40 AM »
Whose sh** are you buying into? Let me guess, Guru H****?
For the record it's yours that I'm not buying into.

I wish everybody trusted Big Brother as much as you do, we'd have a nice totalitarian Orwellian society

This isn't about trusting big brother, this is about self appointed watch dogs who find nothing wrong with destroying someone elses property.
If you feel your on such solid ground then how bout emailing the owners of Skype and asking them how they feel about it?
Give em your name and point em to the link? Explain to them about the "favor" that was done for em?


mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #18 on: May 17, 2006, 10:46 AM »
ok guys, let's keep it civil here please  :huh:

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #19 on: May 17, 2006, 12:00 PM »
This isn't about trusting big brother, this is about self appointed watch dogs who find nothing wrong with destroying someone elses property.
Exactly what are the people behind the PDF destroying? They're helping repair, before real damage is done and hell breaks loose.

If you feel your on such solid ground then how bout emailing the owners of Skype and asking them how they feel about it?
Give em your name and point em to the link? Explain to them about the "favor" that was done for em?
I doubt they would answer, and I'm pretty sure they're already aware of the PDF. And it's not exactly doing them a favour (doing them a favour would be contacting them with specific details and give them 30 days to fix before public disclosure). It's doing end-users a favour, though, by pointing out that there's severe security flaws in the Skype software.

But I guess you wouldn't mind the root DNS servers being taken down, or your online banking system being exploited.
- carpe noctem

quantumrider

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 18
    • View Profile
    • Donate to Member
Re: Skype users: beware
« Reply #20 on: May 19, 2006, 03:13 PM »
f0dder:

Couldn't you just ignore the ignorant? That would spare all of us an exposure to some seriously childish views.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #21 on: May 19, 2006, 03:17 PM »
f0dder:

Couldn't you just ignore the ignorant? That would spare all of us an exposure to some seriously childish views.
Sorry.
- carpe noctem

NickW

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 22
    • View Profile
    • Donate to Member
Thanks ...
« Reply #22 on: May 19, 2006, 03:48 PM »
Thanks to all of you.
This forum has entertained and amused me - most I've laughed all day!
I think I love listening to people arguing!
I think you need to turn this around and ask people what they suggest.
Of course it's illegal ... but would you be happier if all of those many faulty products (and we're not just talking about software) were never highlighted and made to be fixed?
What about the bigger picture?
I'm sure the "outing" of corrupt politicians, companies, etc is probably done in a rather questionable manner but would you prefer if they were never brought to light?
Most products (especially physical products e.g. cars, fridges, tvs, etc etc etc) are reverse-engineered by the competition to see how it works so that they can then make a better product without a lot of the development cost. Of course it's illegal but everybody does it and it's become "accepted".
Beware the government which makes it illegal to question what they're doing. Something the UK Labour government have been trying to do in some absurd situations in the name of anti-terrorism.
Why should software companies be able to do this?
Anyway, back to the real point of this forum, enlightening us all ... does anybody know if Skype are doing something about this? Should I stop using Skype (for the time being)?
Nick
PS  This one really bugs me - it's "you're" - it means "you are" - "your" refers to possession as in "your views are questionable" which is different to "you're talking rubbish" - get it?

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Skype users: beware
« Reply #23 on: May 19, 2006, 03:56 PM »
Anyway, back to the real point of this forum, enlightening us all ... does anybody know if Skype are doing something about this? Should I stop using Skype (for the time being)?
I hope they're doing something. IMHO disclosures like the above PDF shouldn't be made until the "guilty" company has been contacted and you've verified they're doing something (or until the "guilty" company hasn't responded for some reasonable timeframe). I really don't want the kiddie fringe to get an unfair advantage before there's a solution - especially not with serious problems like this!

PS  This one really bugs me - it's "you're" - it means "you are" - "your" refers to possession as in "your views are questionable" which is different to "you're talking rubbish" - get it?
I'm bugged by errors like that myself, but I make them all the time :)
- carpe noctem

NickW

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 22
    • View Profile
    • Donate to Member
Re: Skype users: beware
« Reply #24 on: May 19, 2006, 04:04 PM »
Yep, probably wasn't a good idea to start a grammar discussion as I'm sure there's somebody out there who will dissect my posts and explain how awfully written they are - bring it on!
I totally agree with you about initially informing Skype of this problem. Maybe they did?
I visited Skype's website and could find no mention of problems or that document.