Slashdot Log In
Why Does Skype Read the BIOS?
Posted by
kdawson
on Wed Feb 07, 2007 03:02 AM
from the phone-home dept.
from the phone-home dept.
pfp writes "Myria at pagetable.com, among others, noticed that Skype reads the machine's BIOS code on startup. This probably would've gone unnoticed if the operation didn't fail on 64-bit windows. From the post: 'It's dumping your system BIOS, which usually includes your motherboard's serial number, and pipes it to the Skype application. I have no idea what they're using it for, or whether they send anything to their servers, but I bet whatever they're doing is no good given their track record... If they hadn't been ignorant of Win64's lack of NTVDM, nobody would've noticed this happening.'"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Processor info? (Score:5, Interesting)
Re:Processor info? (Score:5, Insightful)
Parent
Re:Processor info? (Score:5, Informative)
As a former BIOS coder, I'll second that. Even if the BIOS did store some system specific info in Flash (on Embedded BIOSs sometimes this is done because CMOS is not reliable), there is NO way that Skype would know the format/place/meaning of this. It would be specific to a certain build of a specific BIOS for a specific board by a specific vendor.
In any case, the method described to dump the BIOS is not very likely to get anything close to the complete, original BIOS image to begin with. By dumping memory at F000:0000 through F000:FFFF, a 16 bit DOS program, under Windows, will get the memory resident part of the BIOS. Most BIOSs are far bigger than 64KB and the memory resident part is the decompressed runtime part, which is nothing like what the actual BIOS image looks like at boot time.
They are most likely using this in combination with other more or less 'unique' things to identify a specific machine. It wouldn't surprise me if after this some people would do a more in-depth analysis of their code and find out that it also reads the serial number of the harddrive and gets the MAC address of the Ethernet adapter.
Parent
Re:Processor info? (Score:5, Informative)
Fact 2: That's usually where the SMBIOS pointer is found.
Fact 3: It's easy (and the only way really) to scan for SMBIOS and find it.
Fact 4: SMBIOS *does* often contain serial numbers and hardware details.
Parent
Don't like it one bit. (Score:5, Interesting)
This seems pretty logical. Since they got rid of that hackneyed scheme a while back to give each processor a serial number (wait -- did they get rid of that?), some sort of hash of the BIOS memory, plus the Ethernet MAC, plus the HD serial number, all concatenated together, is probably as close to a unique identifier as you're likely to find on a "per machine" basis.
That said, it doesn't make me feel any better. I wasn't a fan of the processor serial number concept, and not just because it was a serial number in the processor; there were serious privacy concerns with any uniquely identifying, per-machine serialization concept, and that's true whether it's a dedicated number that's being used, or some sort of combination of semi-unique factors.
It's just one more piece of information, sitting in a database somewhere, that could be subpoenaed and used to generally cause trouble. Particularly given how close-mouthed the Skype people are about how their network actually operates (e.g. their alleged encryption, peer to peer communications), I'm not ready to run right out and trust them.
I wonder if it would be possible to run Skype in a sandbox, where the information it's fed could be carefully controlled? On further thought, I wonder what happens when you run it in VMWare or Wine? Do they actually pass information about the hardware up to guest applications? It seems like this behavior would be one that the user should be given an option about, at the very least; I can only think of a few programs who have any reason to be getting the drive serial number, or the Ethernet MAC address, and for the most part they are not userland apps.
Parent
Re:Don't like it one bit. (Score:5, Insightful)
Parent
Re:Processor info? (Score:5, Informative)
GetSystemInfo() in Win32 and GetNativeSystemInfo() in WoW64 will give you some CPU information:
It will tell you if your running on Intel, IA64 or AMD64, it will also identify 386, 486 and Pentium, Processor Level and Stepping and processor Revision. I think this will be sufficient in most cases to identify the CPU.
Parent
Re:Processor info? (Score:5, Interesting)
Parent
Re:Goddammit ! It is FREE so what do you care ? (Score:5, Insightful)
Parent
Re:Goddammit ! It is FREE so what do you care ? (Score:5, Insightful)
Parent
Theres... (Score:5, Funny)
we are not spying on you. we swear.
oh btw.. your wife is cheating on you.
Dammit! (Score:5, Funny)
Parent
To prevent abuse? Usage statistics? (Score:5, Interesting)
Skype is probably just looking for abusive users who sign up for their low margin unlimited calling plan only to share it with their relatives and friends accross the world. If they say detect say 5 different machines calling 5 different people all within a span of 10 minutes, then something is likely wrong.
Of course they could just be collecting system info such as the system manufacturer, processor type, number of processors, sound card, etc. This could be combined with the survey results regarding phone quality they ask you to take after every few calls. In the end it could result in a better product and better service. Of course many other software products already do this (such as firefox, ms windows, ms office) but they are more open about it and at least give you the option of participating.
Re:To prevent abuse? Usage statistics? (Score:5, Funny)
Parent
Here's a question for you.... (Score:5, Informative)
Parent
Re:Here's a question for you.... (Score:5, Insightful)
What proccessor speed do the majority have? What OS? How much RAM? How much harddrive space?
It's important to know about who you're making software for. Did you know Skype is owned by Paypal and eBay now? Asterisk and what? What SIP providers? What solution exactly? -- Asterisk is not a easy solution to setup compared to Skype. The end user can setup Skype, but Asterisk? I doubt it.
Parent
Re:Here's a question for you.... (Score:5, Funny)
Within weeks you'll be writing advanced dial plans to do things like ring all the phones in a department or divert calls to your mobile if you haven't picked up in twelve rings, and you'll have DHCP and TFTP set up so each phone on the network can configure itself at switch-on. Then it'll all be working exactly how you want it to, with nothing for you to do except occasionally unplug and replug a misbehaving telephone.
About a year or eighteen months later, you will want to add a simple new feature. Unfortunately, by this time you will have forgotten altogether how you set everything up in the first place.
Parent
Re:Here's a question for you.... (Score:5, Funny)
O
-+-
| <- You
/ \
Parent
Re:To prevent abuse? Usage statistics? (Score:5, Informative)
Parent
About figures (Score:5, Insightful)
Vendors would be forced to detail the mucking around they do, probably leading to much less mucking around in general. Indifferent users could just do what they always do and bang on the 'accept/yes/ok' widgets. Those of us who know enough to care (or get paid to) would then have an actual chance.
Too much to ask I guess.
Operating Systems, Applications, and Trust (Score:5, Interesting)
Right on!
Coming from the Mac world, where I know there's most often no technical reason why an app couldn't just be drag-and-drop "installed" (i.e. just copy the app bundle to wherever the hell you want it and run it from there), I raise a suspicious eyebrow every time I download some program which should be entirely a userland thing (a game, a document or media editor or player of some sort, etc) which insists that I run an installer program that asks me for an admin password. I feel like asking the devs, "Why exactly do you need write access to anything outside your app bundle? Give me a damn good reason why I should entrust my system to you."
I want my OS to serve me like I want my government to serve me: stay out of my way unless I ask it for something (and have useful services available for the asking), except to keep people from doing bad things to me and my property, in which case I want it to proactively defend me. This means that no programs are running that I don't want running or don't know are running; nothing can *get* running without my telling it to or at least granting it permission to; and no files get written anywhere, perhaps outside of a few sandbox areas like the user's Preferences folder, without my permission.
OSX does most of this right already. The only more-stringent thing I would really ask for is that installers/etc which ask for an admin password not just get blanket permission to do whatever they want; I'd prefer it if the system instead told me, for each item the app wanted to install, that:
"The application FooBar wants permission to create the folder "Beezelbub" in System/Library/YourMom/. The justification it provides for this is:
Beezelbub is a video codec needed to play cutscenes in FooBar: The Quest For Metasyntax.
Do you wish to allow FooBar to create this item? [Yes] [Yes To All] [No] [No To All]."
And if you click one of the "Yes" buttons, THEN it prompts you for an admin password.
Of course, the app would be allowed to write whatever the hell it wants into folders it creates, so you don't have to get this prompt for every one of the thousand little files that some library or codec might include, unless those files are scattered to the winds and not in one nice neat package like they should be. Currently existing apps of course would not have such justification strings built into them, but even still, this would be a more secure way that would allow users who care to selectively allow the installation of crap on their system. And of course, users who don't care can always say "Yes To All" and be no worse off than they are today.
But users like me would feel much less suspicious, no longer wondering "what the heck does this installer want with my admin password? Why does this program need an installer in the first place?"
A related thing I might like would be if the system notified me any time any program tried to open up a network connection of any sort; to which I could say "allow", "always allow" (for trusted things), "disallow", or "always disallow" (for things you think are spyware). Include similar justification strings as the above dialogue does. This would work well to combat any sort of trojan spyware you might have gotten (that is, programs you downloaded and installed yourself, which are sending data to someone that you don't want it to send; since the way O
Parent
Re:About figures (Score:4, Interesting)
Parent
Re:About figures (Score:5, Funny)
Parent
Go to the source (Score:5, Insightful)
Might I suggest mailto:info@skype.net [mailto]
I would do so I myself, but I assume there's a paying Skype user here who would garner a bit more attention than I would.
Done (Score:5, Interesting)
Dear Sir/Madam,
As a Skype customer (adpsimpson) and software developer who has used skype-out from across the world to stay in touch with folk at home, I read with some interest on http://slashdot.org/ [slashdot.org] this morning that Skype appears to read the system bios on start up.
While I am aware that there are legitimate reasons that some software may do this, I cannot immediately think what a VOIP application would require the data for.
Using closed source software is always a second-best from my point of view, especially in terms of privacy and transparency of the software's function - this in fact is what led me to Skype, since it runs on Linux. As such I am slightly concerned about unexpected application behaviour.
What does Skype do with this information? Is it transmitted across the network in any form? Is it identifiable?
I look forward to your response,
Yours,
Andrew Simpson
Parent
Re:Done (Score:5, Funny)
Thank you for inquiring about Skype service. Please let me be you informed about our respect for the privacy of you. Skype wants only good things for the customers of Skype and only uses information for good things, not bad things.
Sincerely,
Apu Nahasapeemapetilon
Skype. Take a deep breath.
P.S.
Now that you have a deep breath taken, you should really see a doctor about that rash and ask your daughter about where she's *really* going this weekend (hint: it's not the Tijihuana Bible Camp). And whatever you do, don't ever come home early on a Wednesday unless you want a nasty surprise. That's the day the missus "gets the carpet cleaned."
Parent
Why does it read the BIOS? (Score:5, Funny)
Why does Skype read the BIOS? (Score:4, Funny)
To know what's written there.
What about Macs ? (Score:4, Interesting)
Thanks
Re:What about Macs ? (Score:4, Insightful)
The amount of information required to teach one how to use a debugger and understand it goes far beyond the amount of text Slashdot would even allow in a single post. However there are many websites on Google that can help you learn with this matter.
Good hunting.
Parent
Re:What about Macs ? (Score:5, Informative)
Ollydbg still works though.
Parent
Re:What about Macs ? (Score:5, Informative)
http://www.recon.cx/en/f/vskype-part1.pdf [recon.cx]
http://www.recon.cx/en/f/vskype-part2.pdf [recon.cx]
Parent
Re:What about Macs ? (Score:5, Funny)
There's really no need. Macs are secure by default even when running Windows.
In the unlikely event that a rogue piece of software does manage to send out some of your personal info, an electronic version of Steve Jobs will shoot down the wire after it and destroy the packets before they reach their destination. Probably using one of those frisbees out of Tron.
Parent
Copyright on the BIOS ??? (Score:4, Interesting)
If that is the case then transmission of that BIOS back to Skype HQ must be a breach of Phoenix/... copyright.
Look what they try to do if you or I copy someone's code ...
They could have used Win32 calls (Score:4, Interesting)
What I do know is the Skype programmers are überl4m3rz; the BIOS can be mapped into a process's address space using perfectly good Win32 calls. Resorting to calling a COM program to read the memory is an incredibly cheap hack, and obviously a badly tested one.
Re:They could have used Win32 calls (Score:5, Interesting)
It makes sense to try and keep the code as cross platform as possible.
However the question we all have is why?
Possibilitys include user statistics, i would guess internet cafe's would have large numbers of accounts on a small number of PC's, but most accounts will be used at home or possibly on holiday. So maybe it is the marketing department that is interested.
A less sinister reason may be to combat fraud, recently I noticed that Skype have introduced monthly caps on the skype out credit you can buy. Perhaps there is an issue or potential issue of fraudulent use of credit cards to buy credit.
would be some protection for them if some user claims that his credit card details were stolen, and used to buy skype credit. With the bios code you could probably identify fraud on the part of that user when there is a dispute and the credit card company is refusing to pay. For skype to be able to say well we believe that user did incur these charges since we have it on record that the PC used was used both before and after the disputed dates for making calls on this account.
and finally lets face it skype isn't that secure all it takes is for you to know my username and password and you can make free calls on my account.
actually when you think about it attacking the username password system on skype should be fairly trivial at least it should be noticable when someone starts bruteforcing username password combinations.
when you think about it, take your wireless laptop or pda war driving.
connect to unsecured network
brute force a username password
make free calls world wide.
with the ability to blacklist the particular pc used for the attack it becomes a lot more difficult and expensive
to compromise user accounts.
Parent
Tracing (Score:5, Interesting)
NSA conspiracy (Score:5, Interesting)
Re:bad history? (Score:5, Informative)
Parent
Re:bad history? (Score:5, Informative)
Parent
Re:bad history? (Score:5, Funny)
Parent
Re:bad history? (Score:5, Informative)
Parent
Re:bad history? (Score:5, Informative)
Of course thie gave bad publicity to both Intel and Skype after AMD issued a subpoena [slashdot.org] against Skype and the fact that it was discovered that the software simply checked the processor ID and enabled the feature based on that. A patched version [slashdot.org] was also released which bypassed this artificial limitation.
Parent
Re:Hmmm.....what could you do with this? (Score:5, Funny)
Parent
Re:Hmmm.....what could you do with this? (Score:5, Funny)
A++++++ A PLEASURE TO BE SPIED ON! WOULD HAVE PERSONAL INFORMATION STOLEN AGAIN!
Parent
Re:Hmmm.....what could you do with this? (Score:4, Informative)
That Blackhat link is very interesting, thanks. Deliberate spying behaviour aside, Skype doesn't seem a very trustworthy app!
Parent
Re:Serves You Right (Score:4, Insightful)
Parent
Nah, you are being silly (Score:5, Funny)
I will only eat in restaurants that have a double door to the kitchen and a rabid security guard preventing entry. Everyone knows that the best kitchens never allow you to see what goes on inside. That is un-hygienic.
Neither do I ever check under the hood of my car. My wife insisted on that, she assured me she made sure the brakes work just fine afer she adjusted them with the box-cutter. So that is alright and she waved me goodbye so nicely, together with the poolboy, as I drove away for a week trip across the mountains.
Checking the work of a software company? Pah, next thing you will be insisting that the bible is translated into your native tongue so you can read it for yourselve and not have to rely on your religious leader to tell you what is inside it. INFIDEL!
Parent
Re:Finally... (Score:5, Insightful)
So yeah it's a closed standard because, not for the first time, a company sitting down to design a protocol and infrastructure from scratch often comes up with something remarkably better than designed-by-commitee products.
Now I'm not saying everyone should dump stuff and go to Skype, I still find their service haphazard and buggy at best particularly when using the Skype in/out functionality. However I think a bit of respect is due for a company that realised the killer application and went on to deliver in a consumer friendly manner that was genuinely useful and, more or less, single handedly forged the entire consumer idea of net phones full stop.
Parent
Re:Finally... (Score:5, Informative)
The audio quality over my MacBook, through a public WiFi network, through a very restrictive firewall, across the net, through another anally restrictive corporate firewall, across a nearly saturated WAN, to my client's desk is much, much better than using my digital mobile phone.
The ease of use is great. We whip together video calls or conference calls all the time and never have to worry about getting a third party involved to set it up for us.
Being able to call out is fabulous also. I've spent a lot of time in ICU's lately where I'm not able to use the mobile phone, but am able to use the WiFi network. It is very neat to be able to phone from an ICU to pretty much anyone (Skype or phone) with the option for video if they are on Skype also.
The Jabber community just hasn't gotten their stuff together quick enough. There was plenty opportunity to beat Skype to market, but no one else, using open protocols, got the job done. I wish they would have.
Joe
Parent