Why Does Skype Read the BIOS?

pfp writes "Myria at pagetable.com, among others, noticed that Skype reads the machine's BIOS code on startup. This probably would've gone unnoticed if the operation didn't fail on 64-bit windows. From the post: 'It's dumping your system BIOS, which usually includes your motherboard's serial number, and pipes it to the Skype application. I have no idea what they're using it for, or whether they send anything to their servers, but I bet whatever they're doing is no good given their track record... If they hadn't been ignorant of Win64's lack of NTVDM, nobody would've noticed this happening.'"

Processor info?

[Ledsock]

This is a random guess, but it could be part of skype determining the make and model of your CPU. They had made a deal with Intel a while back to only allow large conferences on their processors, and the BIOS reading could be part of that or anticipation of other deals to come.

Re:Processor info?

[repvik]

Reading your BIOS to determine CPU ain't gonna be useful. I doubt any BIOSes store info on which CPU is on the board. Especially since there's easy ways to identify the CPU. I bet windows has a syscall that gives you CPU information.

Re:

[Anonymous Coward]

If I remember correctly Windows has no syscall for that. But CPUID and RDTSC are user mode instructions (*) and do all one needs for cpu identification and more.

(*) = I don't know if CPUID is user mode under any OS or is dependent on some setting. RDTSC is user mode under Windows but not under Linux (there is some bit in some CRx register or whatever that determines whether RDTSC is privileged or not).

Re:Processor info?

[49152]

Not entirely correct.

GetSystemInfo() in Win32 and GetNativeSystemInfo() in WoW64 will give you some CPU information:
It will tell you if your running on Intel, IA64 or AMD64, it will also identify 386, 486 and Pentium, Processor Level and Stepping and processor Revision. I think this will be sufficient in most cases to identify the CPU.

Re:Processor info?

[aonaran]

Maybe reading the BIOS will tell them if you are running Skype in a virtual machine that emulates an Intel processor which keep Skype from being fooled into running 10 connections on AMD.

Re:Processor info?

[slashdot.org]

Reading your BIOS to determine CPU ain't gonna be useful. I doubt any BIOSes store info on which CPU is on the board.

As a former BIOS coder, I'll second that. Even if the BIOS did store some system specific info in Flash (on Embedded BIOSs sometimes this is done because CMOS is not reliable), there is NO way that Skype would know the format/place/meaning of this. It would be specific to a certain build of a specific BIOS for a specific board by a specific vendor.

In any case, the method described to dump the BIOS is not very likely to get anything close to the complete, original BIOS image to begin with. By dumping memory at F000:0000 through F000:FFFF, a 16 bit DOS program, under Windows, will get the memory resident part of the BIOS. Most BIOSs are far bigger than 64KB and the memory resident part is the decompressed runtime part, which is nothing like what the actual BIOS image looks like at boot time.

They are most likely using this in combination with other more or less 'unique' things to identify a specific machine. It wouldn't surprise me if after this some people would do a more in-depth analysis of their code and find out that it also reads the serial number of the harddrive and gets the MAC address of the Ethernet adapter.

Re:Processor info?

[Anonymous Coward]

Fact 1: 0xF0000-0xFFFFF are the SHADOWED copy of BIOS on almost every BIOS. It's write-enable-able.

Fact 2: That's usually where the SMBIOS pointer is found.

Fact 3: It's easy (and the only way really) to scan for SMBIOS and find it.

Fact 4: SMBIOS *does* often contain serial numbers and hardware details.

Don't like it one bit.

[Kadin2048]

They are most likely using this in combination with other more or less 'unique' things to identify a specific machine. It wouldn't surprise me if after this some people would do a more in-depth analysis of their code and find out that it also reads the serial number of the harddrive and gets the MAC address of the Ethernet adapter.

This seems pretty logical. Since they got rid of that hackneyed scheme a while back to give each processor a serial number (wait -- did they get rid of that?), some sort of hash of the BIOS memory, plus the Ethernet MAC, plus the HD serial number, all concatenated together, is probably as close to a unique identifier as you're likely to find on a "per machine" basis.

That said, it doesn't make me feel any better. I wasn't a fan of the processor serial number concept, and not just because it was a serial number in the processor; there were serious privacy concerns with any uniquely identifying, per-machine serialization concept, and that's true whether it's a dedicated number that's being used, or some sort of combination of semi-unique factors.

It's just one more piece of information, sitting in a database somewhere, that could be subpoenaed and used to generally cause trouble. Particularly given how close-mouthed the Skype people are about how their network actually operates (e.g. their alleged encryption, peer to peer communications), I'm not ready to run right out and trust them.

I wonder if it would be possible to run Skype in a sandbox, where the information it's fed could be carefully controlled? On further thought, I wonder what happens when you run it in VMWare or Wine? Do they actually pass information about the hardware up to guest applications? It seems like this behavior would be one that the user should be given an option about, at the very least; I can only think of a few programs who have any reason to be getting the drive serial number, or the Ethernet MAC address, and for the most part they are not userland apps.

Re:Don't like it one bit.

[Gr8Apes]

the original hardcoded MAC address is always visible to the OS somehow. Just changing the setting does not lose that information.

I was under the impression that there was no such thing as a hard-coded number. Why do I say this? Because one fine day many years ago I received a shipment of 100 ethernet cards all with identical MACs. That was one fun day as those cards rolled out into the network...

Processor serial numbers are about as innocuous as a privacy concern as if you used your grocery store loyalty card. To say that someone is going to target you because you have a certain loyalty to the grocery store is ludicrous.

I don't share your ambivalence, yet agree with your point. They might haul you into jail, however, for buying large amounts of plastic forks, rubbing alcohol, and a couple of other items though.

Uniquely identifying systems is ESSENTIAL to the current internet and DRM problems.

Wrong. It's completely irrelevant and impossible to uniquely identify a system on the internet. It is ESSENTIAL to have unique connections. Identity is essential for law enforcement types, not the internet. For instance, do I care that I connect to machine 1 or 1,000,000 of those answering for google.com? DRM in this scenario is irrelevant, and any argument in support of that is already terminally flawed. (DRM's problems are that DRM exists at all)

Just think, if a processor serial number had become a standard, they may not have decided so fast that they needed TPM and per-machine iTunes authorizing so hackneyed, and so on. Of course you can be uniquely identified on the internet. How much crazy hashing crap like this would it have made totally unecessary?

TPM exists purely to serve DRM. See above. QED.

Re:

[Sancho]

TPM has a distinctly separate use, even within open source computing.

Bruce Potter pointed this out at DefCon 14 this past year. He noted that, with TPM, you can basically be assured of a protected path from bootup until your OS takes control through signing the bootloader. In theory, this makes it possible for computers to effectively be tamper-proof. Trojaning the bootloader would be immediately noticed (in the case of signing) or impossible (in the case of encrypting--though the machine's BIOS would ha

Re:Don't like it one bit.

[Alsee]

No, the TPM design is indeed inherently evil.

Your explanation otherwise... it's like citing the vitamins and minerals in a poisoned apple. Apples where you are forbidden to have anything but an apple with a cyanide pill inside. The TPM is explicitly designed to secure the computer against the owner, the TPM technical specification even explicitly refers to the owner as an "attacker" to be defended against. Yes, I have read the entire (several hundred pages) TPM technical specification.

You very can easily get *all* of the benefits for the owner, including the secure startup you reference, and eliminate the cyanide pill and eliminate *all* of the abuses, from virtually identical hardware that is *not* secured against the owner.

The problem with the TPM, the cyanide pill that makes it inherently evil, is the fact that the owner is forbidden to know his own master key. In technical terms we are talking about the PrivEK - Private Endorsement Key. (* footnote)

Take absolutely identical hardware with absolutely identical capabilities, and simply offer people the option to receive a printed copy of their PrivEK (their master key) along with their machine when they buy it. Simple as that. It is identical hardware with identical capabilities to secure your computer for you. The mere fact that you may *know* your own master key (if you wanted it) does not alter that functionality. However the fact that you can know your master key then means that your computer cannot be secured against you. With your master key you can control and alter your security settings at will. With your master key you can override any lockout and escape any lock-in. With your master key you can ensure you can unlock your own encrypted files if you need to.

The Trusted Computing Group and the Trusted Computing specifications absolutely *forbid* you to ever get your master key. They forbid you to have an apple without the cyanide pill inside. A poisoned apple is not a "neutral tool" because it has vitamins and minerals in it... not when you are being forbidden to have normal nutritious non-poisoned apples. Not when you could so easily get all of the benefits and eliminate all of the abuses.

(*)Footnote: Being able to know your PrivEK is the minimum to guarantee you can maintain full control over your computer, but for very technical reasons only knowing your PrivEK leads to a more complex and less secure solution. You really want both your PrivEK and your RSK - Root Storage Key. Aside from the option to get a printed copy of your PrivEK, the chip should gain a single added function - the ability to output the RSK encrypted to the PrivEK. That keeps the RSK properly secured and only usable in conjunction with the PrivEK.

-

Re:

[Anonymous Coward]

That's an interesting guess but probably wrong. The x86 instruction set has an instruction (which can be run directly from user-mode) that gives the make and model of the processor. Skype almost certainly uses that.

Reading the BIOS only gives information about the motherboard. With great difficulty, it might be possible to determine what processor familes the motherboard supports, but I'm not sure how.
                --Justin

Re:

[Anonymous Coward]

No need for reading the BIOS. Just call the CPUID [wikipedia.org] instruction.

Re:

[lachlan76]

The CPU is identified with the CPUID [wikipedia.org] instruction, not with any sort of BIOS access. Such a scheme would be wasteful and more complex.

Re:Goddammit ! It is FREE so what do you care ?

[morie]

so it is free but still requires something from me. To me, that is the difference between free and not free. Hence, skype seems not to be free, but to be paid for with information.

Re:Goddammit ! It is FREE so what do you care ?

[aesova]

That's a reasonable perspective, but if you are, as you say, "paying with information," wouldn't you prefer that your decision to do so be an informed one? After all, Skype doesn't appear to be particularly straightforward with this information, and therefore your payment is taken without your knowledge, which could be considered by some to be fraudulent.

bad history?

[chimpo13]

What is Skypes bad history?

Re:bad history?

[Anonymous Coward]

I think he was talking about the company who owns it. They also made kazaa, which was full of spyware and other harmful malware.

Re:

[turing_m]

Thanks for pointing that out. Looks like I may have to get rid of skype, as useful as it may be sometimes.

Re:

[BrokenHalo]

I've wondered about Skype for a while since I discovered that the Skype Linux client doesn't really close when you exit the program. It leaves a process there which you have to kill before the program will restart properly again. If they were doing anything underhand with that orphaned process, I guess it was pretty dumb to make its presence that obvious, but given the general calibre of their programming (at least wrt the Linux client), it would hardly be surprising.

Damn, I've worn out yet another tinfoil

Re:bad history?

[Anonymous Coward]

How did you know he lived in France?

Re:bad history?

[Ledsock]

While it is true that the developers were responsible for Kazaa, currently Skype is owned by eBay. They bought them on Oct. 14, 2005 for around $2.6 billion.

Re:bad history?

[pboulang]

That's even worse!

Re:

[Hobbex]

I think he was talking about the company who owns it. They also made kazaa

Ebay made Kazaa? Somebody better tell the record companies...

Re:bad history?

[anethema]

Actually, the original Kazaa (which WAS dev'd by the same people as skype) was -not- full of spyware and adware. Kazaa was made an atrocity by Sharman, who still owns it.

Re:bad history?

[Cocoshimmy]

They could be referring to the time where Skype would only allow 10-way conference calling on dual-core Intel processors [slashdot.org]. Those running AMD processors could only have 5-way conference calls. At the time they cited the "technical superiority" of Intel processors over AMD ones.

Of course thie gave bad publicity to both Intel and Skype after AMD issued a subpoena [slashdot.org] against Skype and the fact that it was discovered that the software simply checked the processor ID and enabled the feature based on that. A patched version [slashdot.org] was also released which bypassed this artificial limitation.

Theres...

[Anonymous Coward]

nothing to see here. move along.

we are not spying on you. we swear.

oh btw.. your wife is cheating on you.

Dammit!

[spun]

I KNEW that bitch was using an aimbot!

To prevent abuse? Usage statistics?

[Cocoshimmy]

What better unique identifier than the system bios? Ip addresses are becoming less reliable since many people use wireless internet and mobile phones for skype.

Skype is probably just looking for abusive users who sign up for their low margin unlimited calling plan only to share it with their relatives and friends accross the world. If they say detect say 5 different machines calling 5 different people all within a span of 10 minutes, then something is likely wrong.

Of course they could just be collecting system info such as the system manufacturer, processor type, number of processors, sound card, etc. This could be combined with the survey results regarding phone quality they ask you to take after every few calls. In the end it could result in a better product and better service. Of course many other software products already do this (such as firefox, ms windows, ms office) but they are more open about it and at least give you the option of participating.

Re:To prevent abuse? Usage statistics?

[QuantumG]

Yeah, and those bastards, requiring some sort of unique number to identify people using a telephone! Who ever heard of such trickery!

Here's a question for you....

[Khyber]

I once read somewhere that the only identifying information that you could legally acquire, being installed on someone's computer, was MAC, IP, and Nickname. Anything else (Pentium 3 fiasco, anyone?) constituted a breach of privacy. Dunno if it's true, or not, but personally, I don't want you trying to identify what the hell makes up my system. Perhaps I'm building it SECRETLY for a fucking reason. You don't need to know what CPU or HDD I have installed - the only reason you would want to would be to directly target advertisements at their own users, concerning their own fucking hardwaer. If Skype did that, they'd lose not every bit of faith from me, but I'd go tell my company that I work for, which uses SKYPE on a regular basis. I can guarantee you that IT is so stupid they'd drop Skype and install Asterisk on a whim if I told them too, since I usually end up having to fix their intranet when it goes down.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Here's a question for you....

[ajs318]

Asterisk is very easy to set up. You just have to be good at setting Asterisk up. The way to get good at setting Asterisk up is to set Asterisk up. For your first assignment, use just two hardware SIP phones. Once you have got them talking to each other, then you can think about adding more phones and things like POTS gateways.

Within weeks you'll be writing advanced dial plans to do things like ring all the phones in a department or divert calls to your mobile if you haven't picked up in twelve rings, and you'll have DHCP and TFTP set up so each phone on the network can configure itself at switch-on. Then it'll all be working exactly how you want it to, with nothing for you to do except occasionally unplug and replug a misbehaving telephone.

About a year or eighteen months later, you will want to add a simple new feature. Unfortunately, by this time you will have forgotten altogether how you set everything up in the first place.

Re:Here's a question for you....

[Anonymous Coward]

Joke ---->
    O
   -+-
    |  <- You
   / \

Re:

[vadim_t]

What bullshit is that?

To have an application directly access the hard disk you'd need to go back to DOS. It's not possible for an application to try to write beyond the bounds the hard disk because applications don't access the hard disk on that level. Only the OS does, and even there what you say isn't possible as current disks are pretty smart and just read/write the sector the OS says, and figure out themselves where is that physically on the platter.

Same goes for your video card nonsense -- you can't br

Re:

[suv4x4]

What better unique identifier than the system bios?

Any random persistent data with equal or greater size? In facts the odds of BIOS data matching other copy of BIOS data is much higher than two randomly generated numbers of the same size because of the much lower entropy.

Why read the BIOS for this, what if you change your BIOS setup or motherboard? Your theory doesn't stand under closer scrutinity.

Especially since Skype doesn't lock the accounts to a specific PC.

Re:

[Cocoshimmy]

First let me point out that this is just a theory. Second, if you read my entire comment then you would see that I agree that there are potentially other explanations for why they collect this information.

The chances of BIOS data matching up exactly, while not as low as two random numbers of length equal to the BIOS data, are still very low. Imprinted in the BIOS is the image itself, the manufacturer, the model, and other system information. What random persistent data that you speak of can be consistent

Re:To prevent abuse? Usage statistics?

[evilviper]

Of course they could just be collecting system info such as the system manufacturer, processor type, number of processors, sound card, etc.

That's complete nonsense. Windows has a perfectly standard way of finding out about system devices. Reading the BIOS would tell you almost none of the things you listed to begin with.

About figures

[TopSpin]

Wouldn't it be nice of the Operating System helped you protect it from intrusive applications? No, you don't get to silently spam half baked crap into /etc/rc.d/init.d just because the you actually need sufficient privilege to do some other thing on install. No, my registry is NOT a free-for-all; you get to put just what you need in there and not go on a fishing expedition or 'fix' stuff you're not compatible with. No, the BIOS isn't for you because you're just a VOIP app and have no business whatsoever mucking around with the nonvolatile CMOS I need to boot. No, I don't need a fourth JVM crammed into my PATH, thanks.

Vendors would be forced to detail the mucking around they do, probably leading to much less mucking around in general. Indifferent users could just do what they always do and bang on the 'accept/yes/ok' widgets. Those of us who know enough to care (or get paid to) would then have an actual chance.

Too much to ask I guess.

Re:

[Tom]

Too much to ask I guess.

SELinux allows you to fine-tune permissions to extreme detail, including everything you used as example (or at least the Linux-equivalent, as far as registry, etc. is concerned).

Problem: The complexity isn't for the faint of heart. So no distribution for the general public will actually use it as fine-grained as it allows you to be.

Re:

[Tom]

I said it isn't for the faint of heart. :-)

I've set up enforcing mode webservers and database servers. I've had my notebook running in enforcing mode back when I was giving talks about SELinux, and put the wireless IP and root password on the board during presentations. But yes, it was tricky to get it running and many of the permissions weren't set as strict as they could've been.

The main project I've always had in mind, but never finished, was VM, just differently from yours: A very locked-down SELinux ho

Gentoo emerge

[backwardMechanic]

Try Gentoo. Apart from fanboy overtweakers, it provides just the kind of installation control you're asking for, via emerge. Emerge builds the new app in a sandbox, then transfers it to your running system. You then run etc-update to update your config files. If the install wants to modify files in 'protected' directories (/etc, /etc/init.d, etc.), it will ask you before making the changes. Sometimes it's a pain in the ass (327 files to update...), but at least you get to see what's going on.

Re:

[backwardMechanic]

I guess that's a fair point. I've never used it as a security feature, I (blindly) trust the portage tree. It's the .tgz's from some obscure corner of the web that I sorry about more. The sandbox part of the Gentoo build process is more interesting, thinking about the problem. If you use separate ebuild stages, rather than emerge, you can check the sandbox directory tree to see what has been built and what will be copied across to your main system.

Re:

[vadim_t]

Make sure you also turn on the flag that checks for collissions with other package's files (wonder why it's optional), as well as the flag to drop privileges during building.

With this, Gentoo should be able to install any random junk you find on the net, and not let it root your box. Try on a test account just in case, though.

Re:

[at_slashdot]

Look like it's time to switch to an open source application that uses open source standards. It's funny that usually people complain that they don't have alternatives, in this case OpenWengo Phone works fine and actually even better, on Linux it has video conference, Skype didn't release yet a client that does that.

Operating Systems, Applications, and Trust

[Pfhorrest]

Wouldn't it be nice of the Operating System helped you protect it from intrusive applications? No, you don't get to silently spam half baked crap into /etc/rc.d/init.d just because the you actually need sufficient privilege to do some other thing on install. No, my registry is NOT a free-for-all; you get to put just what you need in there and not go on a fishing expedition or 'fix' stuff you're not compatible with. No, the BIOS isn't for you because you're just a VOIP app and have no business whatsoever mucking around with the nonvolatile CMOS I need to boot. No, I don't need a fourth JVM crammed into my PATH, thanks.

Right on!

Coming from the Mac world, where I know there's most often no technical reason why an app couldn't just be drag-and-drop "installed" (i.e. just copy the app bundle to wherever the hell you want it and run it from there), I raise a suspicious eyebrow every time I download some program which should be entirely a userland thing (a game, a document or media editor or player of some sort, etc) which insists that I run an installer program that asks me for an admin password. I feel like asking the devs, "Why exactly do you need write access to anything outside your app bundle? Give me a damn good reason why I should entrust my system to you."

I want my OS to serve me like I want my government to serve me: stay out of my way unless I ask it for something (and have useful services available for the asking), except to keep people from doing bad things to me and my property, in which case I want it to proactively defend me. This means that no programs are running that I don't want running or don't know are running; nothing can *get* running without my telling it to or at least granting it permission to; and no files get written anywhere, perhaps outside of a few sandbox areas like the user's Preferences folder, without my permission.

OSX does most of this right already. The only more-stringent thing I would really ask for is that installers/etc which ask for an admin password not just get blanket permission to do whatever they want; I'd prefer it if the system instead told me, for each item the app wanted to install, that:

"The application FooBar wants permission to create the folder "Beezelbub" in System/Library/YourMom/. The justification it provides for this is:
Beezelbub is a video codec needed to play cutscenes in FooBar: The Quest For Metasyntax.
Do you wish to allow FooBar to create this item? [Yes] [Yes To All] [No] [No To All]."

And if you click one of the "Yes" buttons, THEN it prompts you for an admin password.

Of course, the app would be allowed to write whatever the hell it wants into folders it creates, so you don't have to get this prompt for every one of the thousand little files that some library or codec might include, unless those files are scattered to the winds and not in one nice neat package like they should be. Currently existing apps of course would not have such justification strings built into them, but even still, this would be a more secure way that would allow users who care to selectively allow the installation of crap on their system. And of course, users who don't care can always say "Yes To All" and be no worse off than they are today.

But users like me would feel much less suspicious, no longer wondering "what the heck does this installer want with my admin password? Why does this program need an installer in the first place?"

A related thing I might like would be if the system notified me any time any program tried to open up a network connection of any sort; to which I could say "allow", "always allow" (for trusted things), "disallow", or "always disallow" (for things you think are spyware). Include similar justification strings as the above dialogue does. This would work well to combat any sort of trojan spyware you might have gotten (that is, programs you downloaded and installed yourself, which are sending data to someone that you don't want it to send; since the way O

Re:

[albertost]

Pros: You don't wind up with a corrupted registry and DLL hell because every app ships with its own copies of the libraries it needs.

If Microsoft did that, noone would consider that a "pro"

Re:

[TobascoKid]

Microsoft's .Net more or less does exactly that (multiple copies of DLLs)- which is one of .Net's selling points.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:About figures

[HaloZero]

265mb of RAM, eh? Where'd you get the 9mb stick?

Re:

[Agram]

Disk space is cheap, but most countries (apart from U.S.) still have fast Internet connection fees assessed by the amount of downloaded/uploaded content. So, while DLLs have had their share of hits and misses (my experience tells me this is more of a hype these days than truth), I still prefer to download a 3MB version of Gimp for Win32/Linux, rather than a 82.6MB version of Gimp for OSX which still requires X11 (40+MB) and possibly Fink with its libs (another 8MB plus libs which I estimate at 20MB).

Re:About figures

[giorgiofr]

The problem is not with disk space, but with unnecessary duplication of functions, which leads to having different versions of the same libs on your system, some of which might have security holes. Besides, it's totally unelegant and contrary to all concepts of modularization. Might as well ship a VM for every app.

Ah! A primitive form of humor.

[B3ryllium]

Wait, I know the answer to this one!!

Because it was stapled to the punk rocker's face!!!1

Go to the source

[ZX3 Junglist]

Has anyone asked them for their explanation? I feel now would be a good time for them to exercise their right to tell us why they do this.
Might I suggest mailto:info@skype.net [mailto]

I would do so I myself, but I assume there's a paying Skype user here who would garner a bit more attention than I would.

Done

[adpsimpson]

Dear Sir/Madam,

As a Skype customer (adpsimpson) and software developer who has used skype-out from across the world to stay in touch with folk at home, I read with some interest on http://slashdot.org/ [slashdot.org] this morning that Skype appears to read the system bios on start up.

While I am aware that there are legitimate reasons that some software may do this, I cannot immediately think what a VOIP application would require the data for.

Using closed source software is always a second-best from my point of view, especially in terms of privacy and transparency of the software's function - this in fact is what led me to Skype, since it runs on Linux. As such I am slightly concerned about unexpected application behaviour.

What does Skype do with this information? Is it transmitted across the network in any form? Is it identifiable?

I look forward to your response,

Yours,
Andrew Simpson

Re:Done

[Fhqwhgadss]

Dear Mr. Simpson,

Thank you for inquiring about Skype service. Please let me be you informed about our respect for the privacy of you. Skype wants only good things for the customers of Skype and only uses information for good things, not bad things.

Sincerely,
Apu Nahasapeemapetilon
Skype. Take a deep breath.

P.S.
Now that you have a deep breath taken, you should really see a doctor about that rash and ask your daughter about where she's *really* going this weekend (hint: it's not the Tijihuana Bible Camp). And whatever you do, don't ever come home early on a Wednesday unless you want a nasty surprise. That's the day the missus "gets the carpet cleaned."

Why does it read the BIOS?

[dangitman]

Because it's bored and can't find a good book.

Why does Skype read the BIOS?

[OpenSourced]

...
To know what's written there. ...

What about Macs ?

[warrior_s]

Can someone tell me how can I check if its doing the same on my Macbook?
Thanks

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:What about Macs ?

[descil]

Skype won't run if you have softice installed on windows. Pretty funny - I guess they don't want you to look.

Ollydbg still works though.

Re:What about Macs ?

[mrogers]

Skype contains encrypted code, self-modifying code, timing loops to detect whether it's running inside a debugger, and any number of other tricks to prevent reverse engineering. Which hasn't stopped people trying:

http://www.recon.cx/en/f/vskype-part1.pdf [recon.cx]
http://www.recon.cx/en/f/vskype-part2.pdf [recon.cx]

Re:

[apt_user]

That's a good point. Intel Macs don't have a BIOS, they use Intel EFI (The old PPC Macs used OpenFirmware). How does Skype react to running in XP under parallels?

Re:What about Macs ?

[Slashcrap]

Can someone tell me how can I check if its doing the same on my Macbook?

There's really no need. Macs are secure by default even when running Windows.

In the unlikely event that a rogue piece of software does manage to send out some of your personal info, an electronic version of Steve Jobs will shoot down the wire after it and destroy the packets before they reach their destination. Probably using one of those frisbees out of Tron.

Re:

[account_deleted]

Comment removed based on user account deletion

Sorry whats the big deal?

[Timberwolf0122]

Read my bios settings, I have no problem with this. There is no information on my BIOS that I would consider sensitive, maybe a touch of chargin if if turns out I have my RAM config set wrong(?) but thats it.

Writing to my BIOS.... now thats a different matter and one I would take exception to.

Re:

[speculatrix]

Writing to my BIOS.... now thats a different matter and one I would take exception to.

indeed, this is why I always, if possible, use both the write-protect jumper on the motherboard (if it exists) as well as disabling write in the cmos/bios settings.

Re:

[GeekDork]

Writing to my BIOS.... now thats a different matter and one I would take exception to.

Writing there should be considered a fundamental flaw of the operating system. If the OS manages to boot, there is no need at all to change any values in the configuration. If the OS doesn't manage to boot, there is no way at all to change any values in the configuration. QED ;-)

Granted, with the floppy drive being on the way out, I can see kind of a problem for BIOS updates.

Copyright on the BIOS ???

[Alain Williams]

It took a minute for the penny to drop, but is it not downloading the BIOS code rather than the system setup info held in CMOS ?

If that is the case then transmission of that BIOS back to Skype HQ must be a breach of Phoenix/... copyright.

Look what they try to do if you or I copy someone's code ...

They could have used Win32 calls

[AndrewStephens]

I don't know why Skype is reading the BIOS, others have speculated that they are trying to generate a unique key from the SMBIOS tables or perhaps lock certain features to certain processors. Sounds plausible I guess.
What I do know is the Skype programmers are überl4m3rz; the BIOS can be mapped into a process's address space using perfectly good Win32 calls. Resorting to calling a COM program to read the memory is an incredibly cheap hack, and obviously a badly tested one.

Re:They could have used Win32 calls

[blackest_k]

you make the assumption there that win32 calls are available, I'm running Linux.

It makes sense to try and keep the code as cross platform as possible.
However the question we all have is why?

Possibilitys include user statistics, i would guess internet cafe's would have large numbers of accounts on a small number of PC's, but most accounts will be used at home or possibly on holiday. So maybe it is the marketing department that is interested.

A less sinister reason may be to combat fraud, recently I noticed that Skype have introduced monthly caps on the skype out credit you can buy. Perhaps there is an issue or potential issue of fraudulent use of credit cards to buy credit.

would be some protection for them if some user claims that his credit card details were stolen, and used to buy skype credit. With the bios code you could probably identify fraud on the part of that user when there is a dispute and the credit card company is refusing to pay. For skype to be able to say well we believe that user did incur these charges since we have it on record that the PC used was used both before and after the disputed dates for making calls on this account.

and finally lets face it skype isn't that secure all it takes is for you to know my username and password and you can make free calls on my account.

actually when you think about it attacking the username password system on skype should be fairly trivial at least it should be noticable when someone starts bruteforcing username password combinations.

when you think about it, take your wireless laptop or pda war driving.

connect to unsecured network
brute force a username password
make free calls world wide.

with the ability to blacklist the particular pc used for the attack it becomes a lot more difficult and expensive
to compromise user accounts.

Re:

[Tony Hoyle]

you make the assumption there that win32 calls are available, I'm running Linux.

It makes sense to try and keep the code as cross platform as possible.


If Win32 isn't available you're probably running on a proper OS that wouldn't let you map the BIOS anyway, so they might has well have used the Win32 calls in the first place.

It's just an example of poor programming.

Finally...

[owlstead]

This will generate some much needed criticism of Skype. It's not only that it is closed source, it's a closed protocol as well. I presume every Skype phone will have to pay nice amount of royalties.

Basically Skype is not much more than VOIP. What it has going is a lot of hype, a cool name and an efficient way of doing the networking. But even then I have always been very sceptical of Skype. Unfortunately I haven't seen this reflected in real life. People simply buy Skype phones - even ones that only know ho

Re:Finally...

[Lurks]

The thing is, what Skype did was take VOIP and turn it into an actual consumer usable product. Actual real IP phones are indeed based on an open standard but it's a really really stupid standard. Seriously, buy one and visit the configuration web page for it. I've tried many with several real VOIP services and they are pretty much a pain to set up even if you do know what you're doing, and as products they're under polished and buggy. That's today, go back to when Skype started up and these things were even *worse*.

So yeah it's a closed standard because, not for the first time, a company sitting down to design a protocol and infrastructure from scratch often comes up with something remarkably better than designed-by-commitee products.

Now I'm not saying everyone should dump stuff and go to Skype, I still find their service haphazard and buggy at best particularly when using the Skype in/out functionality. However I think a bit of respect is due for a company that realised the killer application and went on to deliver in a consumer friendly manner that was genuinely useful and, more or less, single handedly forged the entire consumer idea of net phones full stop.

Your argument sounds familiar

[Constantine XVI]

The thing is, what Windows did was take the computer and turn it into an actual consumer usable product. Actual real computers are indeed based on an open standard but it's a really really stupid standard. Seriously, buy one and visit the man pages for it. I've tried many with several real *nixen and they are pretty much a pain to set up even if you do know what you're doing, and as products they're under polished and buggy. That's today, go back to when Windows started up and these things were even *

Re:

[Lurks]

It sounds familiar because it's a mechanism for success. However Skype is very different from Microsoft.

Equally what I could say sounds familiar is the idea that everything should be open source, open standards, difficult to use and so on. The idea of what is technically better or meets your personal mindset of technical politics is very often completely at odds with what needs to be done so people can actually use the technology in question.

Re:

[Knutsi]

In one way, Skype can be seen as a great "kick-off" for VoIP, but for widespread implementation and use that will lead to innovation, progress and integration where it is practical to have it, it should be much more open. Skype's closed protocol will harm VoIP as a communication platform for replacing the phone.

That said, Skype is easy to install, use and works really well. That is the reason I use it, my mom uses it, my girlfriend uses it, and pretty much anyone else.

Re:Finally...

[battjt]

No, the really cool thing about Skype is that it works and works very well.

The audio quality over my MacBook, through a public WiFi network, through a very restrictive firewall, across the net, through another anally restrictive corporate firewall, across a nearly saturated WAN, to my client's desk is much, much better than using my digital mobile phone.

The ease of use is great. We whip together video calls or conference calls all the time and never have to worry about getting a third party involved to set it up for us.

Being able to call out is fabulous also. I've spent a lot of time in ICU's lately where I'm not able to use the mobile phone, but am able to use the WiFi network. It is very neat to be able to phone from an ICU to pretty much anyone (Skype or phone) with the option for video if they are on Skype also.

The Jabber community just hasn't gotten their stuff together quick enough. There was plenty opportunity to beat Skype to market, but no one else, using open protocols, got the job done. I wish they would have.

Joe

Tracing

[ignorent]

Perhaps the federal government requires them to make all phone calls traceable?

Maybe it has to do with key generation

[s_p_oneil]

Anyone who tries hard to secure their app tries to find the most unique way to seed their key generation process. By grabbing a bunch of unique hardware ID's, they may simply be trying to make it more difficult for hackers to find the key generation pattern to crack your calls.

Another reason not to use Skype

[guruevi]

I refuse to use Skype since it has it's own 'standard' and is not interoperable with SIP or any other standard and open VoIP protocol. It's also closed source so you don't know what it's doing. I hope a lot of these 'privacy' breaches will be uncovered and people will start seeing the benefit of having truly open source code.

Its for the software registration

[blanks]

Most likely it is for the software registration and to check to the software is registered too / what features you have and to make sure you have a valid registration.

One of the companies I work for do the same thing. What happens is each time application is run it collects some information from the users hardware. If then makes a magic number and sends it to a web service to compare to the magic number that was created when the person registered the program.

If the numbers dont match then

IIRC

[Apreche]

Skype allows you to conference in more people if you have a newer Intel Core CPU. The easiest way to check what CPU you have, without letting you lie to Skype, is to check the BIOS. Also, checking the BIOS is code that works on all platforms. Saves them a little bit of trouble when porting Skype to the other platforms.

NSA conspiracy

[sideswipe76]

I am gonna repeat my grand conspiracy theory: It is my belief that eBay's purchase of Skype was somehow coaxed by the NSA/CIA and here is why: Ebay's purchase of Skype never made sense. Ebay could have included skypeout:// links in their auctions without spending a penny. That would be like saying slashdot can't use IM unless they buy AOL. Skype spent way above considered market value for Skype and their share holders have applied no real pressure to have it turn a profit. This makes the transaction suspicious. The reason of course if because prior to the eBay's purchase Skype was owned in Luxembourg and definitely not an ideal partner for eavesdropping on "terra'rists" (given those crazy European privacy laws). Given that the calls are encrypted, and that Skype does maintain the keys to decrypt those session, getting Skype under US subpeona power is a powerful tool for eavesdropping. Infact, because it is VoIP for most if not all of the calls, it can easily route traffic into the US were it can be picked up, decoded and monitored. Or, since it is known that open IP's become super nodes, Skype can naturally be coaxed into steering packets toward a super-node that can easily be monitored. I use to work for the company that wrote Carnivore. People got worked up over that? It was only the prototype.

Re:

[Beryllium Sphere(tm)]

Traffic analysis can be as valuable as content decryption for some purposes, and Biondi discovered that Skype's nominally encrypted call setup (as opposed to the voice encryption) was reusing an RC4 stream.

The session keys, however, are ephemeral if I'm reading Tom Berson's Skype security analysis [skype.com] correctly. See sections 3.3 and 3.4.1 in particular. The attack vector would be to impersonate one endpoint, which you could do with the Skype network private key.

Re:Hmmm.....what could you do with this?

[BitHive]

Yeah, I'm shaking in my shoes thinking that eBay might steal my identity and sell my files to the government because their software might theoretically be able to read my bus speed and AGP window size.

Re:Hmmm.....what could you do with this?

[zero1101]

Yeah, I'm shaking in my shoes thinking that eBay might steal my identity and sell my files to the government because their software might theoretically be able to read my bus speed and AGP window size.

A++++++ A PLEASURE TO BE SPIED ON! WOULD HAVE PERSONAL INFORMATION STOLEN AGAIN!

Re:Hmmm.....what could you do with this?

[Cheesey]

http://www.blackhat.com/html/bh-europe-06/bh-eu-06 -speakers.html [blackhat.com]

That Blackhat link is very interesting, thanks. Deliberate spying behaviour aside, Skype doesn't seem a very trustworthy app!

Re:

[ZX3 Junglist]

There's not anything more random in the BIOS than there is somewhere unprotected.

Re:

[tsa]

Can I have some of what you're smoking?

Re:

[Anonymous Coward]

Probably that myth that having open source gets your better, safer, bug free software - because of COURSE skilled coders are spending huge amounts of time sifting through thousands and thousands of lines of other peoples code. I mean, I've been coding for 20+ years now and it's what I like to do with my spare time.

Yah right. Do you have any idea how few good coders there are? Now add that to the chance they happened to write nothing but open source (yah, cause you can make so much money doing that). Se

Re:Serves You Right

[animaal]

If you run closed-source software on your machine, then you deserve everything you get

support that isn't limited to that old open-source favourite advice, "RTFM"?

Re:

[vadim_t]

Which is this mythical "support" people talk about?

I've NEVER heard of anybody calling MS support for say, routine Windows issues. At best, people would call the ISP when the connection went down. This is because most of those normal users don't have a clue of what a computer is, how it works, and whose fault it is when something doesn't work. They understand that their ISP provides their internet connection, so they call them, but they have no clue who to call when their computer breaks.

So they assume tha

Nah, you are being silly

[SmallFurryCreature]

I will only eat in restaurants that have a double door to the kitchen and a rabid security guard preventing entry. Everyone knows that the best kitchens never allow you to see what goes on inside. That is un-hygienic.

Neither do I ever check under the hood of my car. My wife insisted on that, she assured me she made sure the brakes work just fine afer she adjusted them with the box-cutter. So that is alright and she waved me goodbye so nicely, together with the poolboy, as I drove away for a week trip across the mountains.

Checking the work of a software company? Pah, next thing you will be insisting that the bible is translated into your native tongue so you can read it for yourselve and not have to rely on your religious leader to tell you what is inside it. INFIDEL!

Re:

[AndrewStephens]

Good theory, in theory the SMBIOS tables (which is what I think they are trying to read) can contain serial numbers for the motherboard, etc. But in practice these fields are often blank or change after every BIOS update, making them useless for identification.

Re:

[Barny]

Correct! Buy a copy of sisoft sandra, and get it to display mobo info, all my ASUS boards are 123456789000, and Gigabyte boards don't even have a serial number at all.

Hrmm, this Asus board allows me to put an mp3 into it for the "power on" sound (no I am not joking), if I put a copyrighted file in there, and they snarf it without the artists permission (and they sure as hell didn't ask me, or suggest I shouldn't put it there for them to get) can we get the RIAA to sue them?

Re:

[Tony Hoyle]

Hrmm, this Asus board allows me to put an mp3 into it for the "power on" sound (no I am not joking), if I put a copyrighted file in there, and they snarf it without the artists permission (and they sure as hell didn't ask me, or suggest I shouldn't put it there for them to get) can we get the RIAA to sue them?

No, they'll sue you for distributing it.

Re:

[MooUK]

Surely using a MAC address, which is supposed to be entirely unique (yes, it can be changed, but it's close enough) and isn't hard to read, would be a more effective route?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[tweek]

If you look at the history of Kazaa, the original developers were long gone by the time Sharman started pimping the spyware. These are the same long-gone guys who developed Skype and are long gone now working on YANNP (yet another new project)