The source code of Skype is said to be here:Read more: http://skype-open-source.blogspot.com/Some words about how to test thishttp://skype-open-source.blogspot.com/2 ... -this.html
Skype reverse-engineered and open sourced
How soon will Microsoft blow?
By Richard Chirgwin • Get more from this author
Posted in VoIP, 3rd June 2011 04:00 GMT
Skype Protocol Cracked
Security researcher publishes reverse engineered source code in the wake of reports that Middle Eastern governments have Skype-eavesdropping tools.
By Mathew J. Schwartz InformationWeek
June 03, 2011 12:13 PM
...Typically, copyright law makes an exception for reverse engineering software, provided it's done correctly. One of the most famous examples of reverse engineering done right happened in the 1980s, when Phoenix Technologies wanted to build a BIOS that was compatible with IBM's proprietary BIOS...
...Another famous reverse engineering case involved Andrew Tridgell, who studied Microsoft's Server Message Block (SMB) protocol until he understood it well enough to write Samba. This open source code now enables Unix, Linux, and Mac OS X systems to communicate with Microsoft Windows networks and clients, including Active Directory domains...
How long the code will remain online is anyone's guess. As TheNextWeb notes:
It is against the Skype’s terms to reverse engineer its software but both US and European laws state that it is legal if it helps in terms of interoperability, if the technology is also not patented. Whether Skype will be able to force researcher to either remove the files or put pressure on the company hosting them is not fully known.http://thenextweb.com/microsoft/2011/06 ... -publicly/
Meanwhile, I'm sure a good number of folks will be downloading the source code to see what they can learn...
P.S. The Hacker News discussion thread on this topic is also worth a readhttp://news.ycombinator.com/item?id=2611299
Reverse engineering of the Skype protocol by inspecting/disassembling binaries is prohibited by the terms and conditions of Skype's license agreement. However there are legal precedents when the reverse-engineering is aimed at interoperability of file formats and protocols. In the United States, the Digital Millennium Copyright Act grants a safe harbor to reverse engineer software for the purposes of interoperability with other software. In addition, many countries specifically permit a program to be copied for the purposes of reverse engineering.http://en.wikipedia.org/wiki/Skype_protocol
Clean room design
(also known as the Chinese wall technique) is the method of copying a design by reverse engineering and then recreating it without infringing any of the copyrights and trade secrets associated with the original design. Clean room design is useful as a defense against copyright and trade secret infringement because it relies on independent invention. However, because independent invention is not a defense against patents, clean room designs typically cannot be used to circumvent patent restrictions.
The term implies that the design team works in an environment that is 'clean', or demonstrably uncontaminated by any knowledge of the proprietary techniques used by the competitor.
Typically, a clean room design is done by having someone examine the system to be reimplemented and having this person write a specification. This specification is then reviewed by a lawyer to ensure that no copyrighted material is included. The specification is then implemented by a team with no connection to the original examiners.http://en.wikipedia.org/wiki/Clean_room_design
Some technical information is available here:http://en.wikipedia.org/wiki/Skype_protocolhttp://www.cs.columbia.edu/~salman/skype/
NSA offering 'billions' for Skype eavesdrop solution
Business model for P2P firm at last?
By Lewis Page • Get more from this author
Posted in Government, 12th February 2009 11:32 GMT
Whether or not NSA offered 'billions' for Skype eavesdrop solution, the money was paid by Microsoft.
Wall Street Journal: Mideast Uses Western Tools to Battle the Skype Rebellion
JUNE 1, 2011
...In March, following the Egyptian revolution that toppled President Hosni Mubarak, some activists raided the headquarters of Amn Al Dowla, the state security agency, uncovering the secret memo about intercepting Skype calls. In addition, 26-year-old activist Basem Fathi says he found files describing his love life and trips to the beach, apparently gleaned from intercepted emails and phone calls.
"I believe that they were collecting every little detail they were hearing from our mouths and putting them in a file," he says.http://online.wsj.com/article/SB1000142 ... 20038.html
Let us forget about Windows trojans. The simplest solution is "man-in-the-middle" http://en.wikipedia.org/wiki/Man-in-the-middle_attack
You can easily simulate man-in-the-middle eavesdropping in your "home laboratory". The simplest scenario: three Linux computers, Zfone, Twinkle, and FreeSwitch. In short: two SIP clients (e.g. Twinkle) and FreeSwitch server as "man-in-the-middle" (FreeSwitch should be compiled with encryption support). It this case, however, you can easily detect "man-in-the-middle" eavesdropping through the help of Zfone (authentication phrases would not match).
Skype does not have such an "authentication phrase". Right?
This means that you cannot detect "man-in-the-middle" attacks.
The same is true for SSL (HTTPS, for example). You can, of course, examine certificates (as it is advised by "Security Now!"), but...
There are said to be magic tools which may ensure the security of your SSL connections (do not believe!):
...what this does is this alerts you to, if there were a man-in-the-middle attack, if your employer or your school district or somebody were changing certificates on you and using a different cert in order to filter your SSL traffic, this would pick it up. And there's no way you could be fooled because the certificate would change, even if the issued name were the same, for example, if a government was going to play this game, and we talked about a story recently where some governments were trying to use fraudulent certificates, presumably to monitor their citizens, even though they were over SSL connections. So this prevents that, or at least alerts you that something fishy is going on, and then also helps to interpret what it is. http://www.grc.com/sn/sn-304.htm
Now imagine that you get an upgrade of Skype from Microsoft, for example:
Code: Select all
$ yaourt -Syu --aur
:: Synchronizing package databases...
==> Software upgrade (new version) :
community/skype 18.104.22.168-1 -> 22.214.171.124-1
==> Continue upgrade ? [Y/n]
==> [V]iew package detail [M]anually select packages
Do you really want to have Microsoft software installed on your Linux box?
It may not be a kind of backdoor, or spyware, but nobody knows...
It is not difficult to prevent such an upgrade:
Code: Select all
$ sudo nano /etc/pacman.conf
# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
IgnorePkg = skype