An open source clone of Skype?


Post by igorzwx » Wed Feb 02, 2011 3:10 pm

http://forum.skype.com/index.php?showtopic=70936&view=findpost&p=3267893
It is on tracks. Here is a PoC about an open source client that implements the Skype protocol (Login, Presence, Contacts, Chat) and shows interaction of that client with the Skype Network.
http://www.youtube.com/watch?v=9xW-BYayh7w


Is it going to support OSS4?

Cesium! Could you please explain what is going on?
igorzwx
Supporter
 
Posts: 987
Joined: Sun Jun 28, 2009 9:31 pm

Re: An open source clone of Skype?

Post by cesium » Wed Feb 02, 2011 4:14 pm

Someone has reverse engineered the protocol. Since I can't find any code, I don't know what it supports, but adding OSS support (if it's not there) should not be difficult - it was easy to add for mangler...
cesium
Developer
 
Posts: 902
Joined: Sun Aug 12, 2007 12:51 am

Re: An open source clone of Skype?

Post by igorzwx » Wed Feb 02, 2011 5:16 pm

cesium wrote: Someone has reverse engineered the protocol. Since I can't find any code, I don't know what it supports, but adding OSS support (if it's not there) should not be difficult - it was easy to add for mangler...


It seems that a certain person named LunaticDog knows something about the code
http://forum.skype.com/index.php?showto ... &p=3305583

There was also a kind of discussion: http://www.schneier.com/blog/archives/2 ... ptogr.html
igorzwx
Supporter
 
Posts: 987
Joined: Sun Jun 28, 2009 9:31 pm

Re: An open source clone of Skype?

Post by igorzwx » Fri Jun 03, 2011 9:01 pm

The source code of Skype is said to be here:

http://skype-open-source.blogspot.com/2011/06/skype-protocol-reverse-engineered.html
Thursday, 2 June 2011
Skype protocol reverse engineered, source available for download
Downloads:
skype_part1_binaries.zip
skype_part2_ida.zip
skype_part3_source.zip

P.S. Here is a torrent file:
http://thepiratebay.org/torrent/6442887

And github:
https://github.com/skypeopensource/


Read more: http://skype-open-source.blogspot.com/

Some words about how to test this
http://skype-open-source.blogspot.com/2 ... -this.html

See also:

http://www.theregister.co.uk/2011/06/03/open_sourcing_skype/
Skype reverse-engineered and open sourced
How soon will Microsoft blow?
By Richard Chirgwin
Posted in VoIP, 3rd June 2011 04:00 GMT


http://www.informationweek.com/news/security/vulnerabilities/229900123
Skype Protocol Cracked
Security researcher publishes reverse engineered source code in the wake of reports that Middle Eastern governments have Skype-eavesdropping tools.
By Mathew J. Schwartz InformationWeek
June 03, 2011 12:13 PM

...Typically, copyright law makes an exception for reverse engineering software, provided it's done correctly. One of the most famous examples of reverse engineering done right happened in the 1980s, when Phoenix Technologies wanted to build a BIOS that was compatible with IBM's proprietary BIOS...

...Another famous reverse engineering case involved Andrew Tridgell, who studied Microsoft's Server Message Block (SMB) protocol until he understood it well enough to write Samba. This open source code now enables Unix, Linux, and Mac OS X systems to communicate with Microsoft Windows networks and clients, including Active Directory domains...


http://www.disruptivetelephony.com/2011/06/an-older-version-of-skype-reverse-engineered-and-made-open-source.html?utm_source=twitterfeed&utm_medium=twitter
How long the code will remain online is anyone's guess. As TheNextWeb notes:

It is against Skype's terms to reverse engineer its software, but both US and European laws state that it is legal if it helps in terms of interoperability, if the technology is also not patented. Whether Skype will be able to force the researcher to either remove the files or put pressure on the company hosting them is not fully known.
http://thenextweb.com/microsoft/2011/06 ... -publicly/


Meanwhile, I'm sure a good number of folks will be downloading the source code to see what they can learn...

P.S. The Hacker News discussion thread on this topic is also worth a read
http://news.ycombinator.com/item?id=2611299


Legal issues
Reverse engineering of the Skype protocol by inspecting/disassembling binaries is prohibited by the terms and conditions of Skype's license agreement. However there are legal precedents when the reverse-engineering is aimed at interoperability of file formats and protocols.[8][9][10] In the United States, the Digital Millennium Copyright Act grants a safe harbor to reverse engineer software for the purposes of interoperability with other software.[11][12] In addition, many countries specifically permit a program to be copied for the purposes of reverse engineering.[13]
http://en.wikipedia.org/wiki/Skype_protocol


Clean room design (also known as the Chinese wall technique) is the method of copying a design by reverse engineering and then recreating it without infringing any of the copyrights and trade secrets associated with the original design. Clean room design is useful as a defense against copyright and trade secret infringement because it relies on independent invention. However, because independent invention is not a defense against patents, clean room designs typically cannot be used to circumvent patent restrictions.

The term implies that the design team works in an environment that is 'clean', or demonstrably uncontaminated by any knowledge of the proprietary techniques used by the competitor.

Typically, a clean room design is done by having someone examine the system to be reimplemented and having this person write a specification. This specification is then reviewed by a lawyer to ensure that no copyrighted material is included. The specification is then implemented by a team with no connection to the original examiners.
http://en.wikipedia.org/wiki/Clean_room_design


Some technical information is available here:
http://en.wikipedia.org/wiki/Skype_protocol
http://www.cs.columbia.edu/~salman/skype/

http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/
NSA offering 'billions' for Skype eavesdrop solution
Business model for P2P firm at last?
By Lewis Page
Posted in Government, 12th February 2009 11:32 GMT


Whether or not the NSA offered 'billions' for a Skype eavesdrop solution, the money was paid by Microsoft.

Wall Street Journal: Mideast Uses Western Tools to Battle the Skype Rebellion
JUNE 1, 2011
...In March, following the Egyptian revolution that toppled President Hosni Mubarak, some activists raided the headquarters of Amn Al Dowla, the state security agency, uncovering the secret memo about intercepting Skype calls. In addition, 26-year-old activist Basem Fathi says he found files describing his love life and trips to the beach, apparently gleaned from intercepted emails and phone calls.
"I believe that they were collecting every little detail they were hearing from our mouths and putting them in a file," he says.
http://online.wsj.com/article/SB1000142 ... 20038.html


Let us forget about Windows trojans. The simplest solution is "man-in-the-middle" http://en.wikipedia.org/wiki/Man-in-the-middle_attack
You can easily simulate man-in-the-middle eavesdropping in your "home laboratory". The simplest scenario: three Linux computers, Zfone, Twinkle, and FreeSwitch. In short: two SIP clients (e.g. Twinkle) and a FreeSwitch server as "man-in-the-middle" (FreeSwitch should be compiled with encryption support). In this case, however, you can easily detect "man-in-the-middle" eavesdropping with the help of Zfone (authentication phrases would not match).

Skype does not have such an "authentication phrase". Right?
This means that you cannot detect "man-in-the-middle" attacks.
The same is true for SSL (HTTPS, for example). You can, of course, examine certificates (as it is advised by "Security Now!"), but...
There are said to be magic tools which may ensure the security of your SSL connections (do not believe!):

...what this does is this alerts you to, if there were a man-in-the-middle attack, if your employer or your school district or somebody were changing certificates on you and using a different cert in order to filter your SSL traffic, this would pick it up. And there's no way you could be fooled because the certificate would change, even if the issued name were the same, for example, if a government was going to play this game, and we talked about a story recently where some governments were trying to use fraudulent certificates, presumably to monitor their citizens, even though they were over SSL connections. So this prevents that, or at least alerts you that something fishy is going on, and then also helps to interpret what it is. http://www.grc.com/sn/sn-304.htm


Now imagine that you get an upgrade of Skype from Microsoft, for example:

Code:
$ yaourt -Syu --aur
Password:
:: Synchronizing package databases...

==> Software upgrade (new version) :
community/skype        2.2.0.25-1    -> 2.2.0.35-1

==> Continue upgrade ? [Y/n]
==> [V]iew package detail   [M]anually select packages
==> --------------------------------------------------
==>

Do you really want to have Microsoft software installed on your Linux box?
It may not be a kind of backdoor, or spyware, but nobody knows...
It is not difficult to prevent such an upgrade:

Code:
$ sudo nano /etc/pacman.conf

# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
IgnorePkg   = skype
igorzwx
Supporter
 
Posts: 987
Joined: Sun Jun 28, 2009 9:31 pm
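
The Zfone check mentioned in the post above ("authentication phrases would not match"), as an added example that is not part of the original thread. It is a simplified model of a spoken short authentication string: the toy Diffie-Hellman group, the `sas-demo` label and the 4-character base32 rendering are assumptions chosen for illustration, not the exact ZRTP derivation.

```python
import base64
import hashlib
import secrets

# Toy Diffie-Hellman group (constructed for illustration; far too small for real use).
P = 2**127 - 1  # Mersenne prime
G = 3


def keypair():
    """Return (private, public) for one endpoint of one call leg."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def short_auth_string(priv, peer_pub):
    """Hash the negotiated secret down to four characters a human can read aloud."""
    secret = pow(peer_pub, priv, P).to_bytes(16, "big")
    digest = hashlib.sha256(b"sas-demo" + secret).digest()
    return base64.b32encode(digest)[:4].decode()


def place_call(relay_terminates_crypto):
    """Return the strings shown to (caller, callee) once key agreement finishes."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if not relay_terminates_crypto:
        # End-to-end: each side sees the other's real public value.
        return short_auth_string(a_priv, b_pub), short_auth_string(b_priv, a_pub)
    # A server in the path that negotiates its own key on each leg: each
    # endpoint only ever sees the server's public values, never its peer's.
    _, leg1_pub = keypair()
    _, leg2_pub = keypair()
    return short_auth_string(a_priv, leg1_pub), short_auth_string(b_priv, leg2_pub)


def phrases_match(relay_terminates_crypto):
    """What the two users learn by reading their strings to each other."""
    caller, callee = place_call(relay_terminates_crypto)
    return caller == callee


if __name__ == "__main__":
    for relayed in (False, True):
        caller, callee = place_call(relayed)
        verdict = "match" if caller == callee else "MISMATCH, keys are not end-to-end"
        print(f"relayed={relayed}: caller reads {caller}, callee reads {callee} -> {verdict}")
```

The comparison only has value because it happens over the voice channel itself, where the two users recognise each other; a client that displays no such string gives the user nothing to compare.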

