

Silver Needle in the Skype - jeff18
http://www.secdev.org/conf/skype_BHEU06.handout.pdf

======
dlsspy
This is insanity. They're giving away the software, but have put incredible
amounts of engineering into making sure nobody can know how it works. The
parts where they make money have little to nothing to do with this.

I've stopped paying for skype service because of the features they force me to
have on. One of my "final straw" bugs has been opened since 2007. And it's
trivial. How much anti-reverse engineering work has gone in since then?

I'm sure I'd pay them again if I could actually do my own build of a skype
client with some of the behaviors I don't like modified.

~~~
MichaelGlass
one of the nice things about skype is that it always works. Have a firewall?
Skype will find a way through it. If it were completely reverse engineered, it
might be easier to filters its traffic. they say they can DOS skype on a
network but at what cost?

~~~
dlsspy
I don't agree that exploiting firewall bugs justifies so much effort in
keeping me from understanding what's running on my computer vs. just making it
better.

------
Keyframe
I have lots of shit installed on my computers (no really, shit - not stuff). I
don't have problems with, like some people have, Silverlight or whatever
people refuse to install for whatever reasons. But one thing I don't have
installed is skype. Skype, for some reason, just scares me and doesn't feel
right. I can't explain it. I had it installed on one of my laptops while I was
travelling heavily and it felt like computer was bogged down by it, even
though it had almost nothing installed on it. Call me paranoid - and I never
am.

~~~
tensor
Summary: irrational fear of Skype.

------
ShabbyDoo
So, why did Skype go to all this trouble? It seems that their main asset is
the brand and ownership of the user database. So, why would it matter to them
if alternative clients were built? It's not as if SIP-based services were not
an alternative.

Perhaps Skype went to all this trouble to achieve network effects? If it was
easy to block Skype traffic, maybe it would not have become the "standard" it
is today. The it-just-works feature was likely most critical to success, and
that might only have been achieved through obfuscation.

So, I get the network-level obfuscation, but I don't see a case for code
obfuscation. Why should Skype care if it owns the client? It's not like
they're pushing ads upon their users or otherwise marketing too heavily.

------
shrughes
It would be interesting to see what a comparison of the obfuscation techniques
of Continuum, Kazaa, and Skype would look like.

------
alq
Excellent analysis, must have been quite an exciting project to hack skype
into bits to understand the countermeasures.

------
thristian
This looks like a brief fast forward through the Vanilla Skype presentations
by the same authors. If you want to know even more of the terrible details,
the slide PDFs are linked from the bottom of the "Skype protocol" page on
Wikipedia:

    
    
        http://en.wikipedia.org/wiki/Skype_protocol

------
MichaelGlass
very interesting but also (very) old news.

