Why Does Skype Read the BIOS?
pfp writes "Myria at pagetable.com, among others, noticed that Skype reads the machine's BIOS code on startup. This probably would've gone unnoticed if the operation didn't fail on 64-bit Windows. From the post: 'It's dumping your system BIOS, which usually includes your motherboard's serial number, and pipes it to the Skype application. I have no idea what they're using it for, or whether they send anything to their servers, but I bet whatever they're doing is no good given their track record... If they hadn't been ignorant of Win64's lack of NTVDM, nobody would've noticed this happening.'"
About figures (Score:5, Insightful)
Vendors would be forced to detail the mucking around they do, probably leading to much less mucking around in general. Indifferent users could just do what they always do and bang on the 'accept/yes/ok' widgets. Those of us who know enough to care (or get paid to) would then have an actual chance.
Too much to ask I guess.
Re:Processor info? (Score:5, Insightful)
Go to the source (Score:5, Insightful)
Might I suggest mailto:info@skype.net
I would do so myself, but I assume there's a paying Skype user here who would garner a bit more attention than I would.
Re:About figures (Score:3, Insightful)
Re:Random generator? (Score:2, Insightful)
Re:Serves You Right (Score:4, Insightful)
Re:Identification? (Score:3, Insightful)
Re:Finally... (Score:5, Insightful)
So yeah it's a closed standard because, not for the first time, a company sitting down to design a protocol and infrastructure from scratch often comes up with something remarkably better than designed-by-committee products.
Now I'm not saying everyone should dump stuff and go to Skype, I still find their service haphazard and buggy at best particularly when using the Skype in/out functionality. However I think a bit of respect is due for a company that realised the killer application and went on to deliver in a consumer friendly manner that was genuinely useful and, more or less, single-handedly forged the entire consumer idea of net phones full stop.
Re:Goddammit ! It is FREE so what do you care ? (Score:5, Insightful)
Re:They could have used Win32 calls (Score:3, Insightful)
It makes sense to try and keep the code as cross platform as possible.
If Win32 isn't available you're probably running on a proper OS that wouldn't let you map the BIOS anyway, so they might as well have used the Win32 calls in the first place.
It's just an example of poor programming.
Re:Serves You Right (Score:2, Insightful)
Yah right. Do you have any idea how few good coders there are? Now add that to the chance they happened to write nothing but open source (yah, cause you can make so much money doing that). See the picture? Reality: Most open source code is written by semi-good coders - which means, oh boy, walking the code is gonna be an exercise in torture (it's only one step below that when it is good code, btw).
Coders do NOT like to walk through other people's code. (Yah yah whatever, someone will claim they do. I call horse pucky) And then again, why would you trust some other person. The ONLY way this 'open-source' code is safe is because YOU take the time to read through, analyze and understand what it's doing. That's a joke. SURE having it as open source AFTER something bad happens is nice - you've got the 'bad' code sitting right there. But this idea that BECAUSE it's open source, it's not doing anything bad....well that's right up there with since it's a Mac it must be safe. Wait, you probably think that too as it's the same sort of kool-aid.
Re:Goddammit ! It is FREE so what do you care ? (Score:5, Insightful)
Re:Don't like it one bit. (Score:5, Insightful)
Re:What about Macs ? (Score:2, Insightful)
Re:What about Macs ? (Score:2, Insightful)
So, Skype censors text messages in China, and has some kind of blacklist there too. That's news to me. Scary.
I also didn't realize companies go to such lengths to obfuscate their code. Putting all that work into obfuscation seems pointless as somebody is going to be able to undo it, as demonstrated by the link. As pointed out there, the fact that it's obfuscated is what makes it interesting to understand. Like the act of reading the BIOS, it hints that there's something sinister hidden (like censorship).
Re:Don't like it one bit. (Score:3, Insightful)
Bruce Potter pointed this out at DefCon 14 this past year. He noted that, with TPM, you can basically be assured of a protected path from bootup until your OS takes control through signing the bootloader. In theory, this makes it possible for computers to effectively be tamper-proof. Trojaning the bootloader would be immediately noticed (in the case of signing) or impossible (in the case of encrypting--though the machine's BIOS would have to support something like that).
I encourage you to try to find his talk online. It definitely opened my eyes. Before, much like you, I felt that TPM was only useful for restricting one's rights. Now that I realize that there is another potential use, my opinion is certainly different.
As Bruce says, TPM is not evil, it is a tool.
Re:Don't like it one bit. (Score:4, Insightful)
Your explanation otherwise... it's like citing the vitamins and minerals in a poisoned apple. Apples where you are forbidden to have anything but an apple with a cyanide pill inside. The TPM is explicitly designed to secure the computer against the owner, the TPM technical specification even explicitly refers to the owner as an "attacker" to be defended against. Yes, I have read the entire (several hundred pages) TPM technical specification.
You can very easily get *all* of the benefits for the owner, including the secure startup you reference, and eliminate the cyanide pill and eliminate *all* of the abuses, from virtually identical hardware that is *not* secured against the owner.
The problem with the TPM, the cyanide pill that makes it inherently evil, is the fact that the owner is forbidden to know his own master key. In technical terms we are talking about the PrivEK - Private Endorsement Key. (* footnote)
Take absolutely identical hardware with absolutely identical capabilities, and simply offer people the option to receive a printed copy of their PrivEK (their master key) along with their machine when they buy it. Simple as that. It is identical hardware with identical capabilities to secure your computer for you. The mere fact that you may *know* your own master key (if you wanted it) does not alter that functionality. However the fact that you can know your master key then means that your computer cannot be secured against you. With your master key you can control and alter your security settings at will. With your master key you can override any lockout and escape any lock-in. With your master key you can ensure you can unlock your own encrypted files if you need to.
The Trusted Computing Group and the Trusted Computing specifications absolutely *forbid* you to ever get your master key. They forbid you to have an apple without the cyanide pill inside. A poisoned apple is not a "neutral tool" because it has vitamins and minerals in it... not when you are being forbidden to have normal nutritious non-poisoned apples. Not when you could so easily get all of the benefits and eliminate all of the abuses.
(*)Footnote: Being able to know your PrivEK is the minimum to guarantee you can maintain full control over your computer, but for very technical reasons only knowing your PrivEK leads to a more complex and less secure solution. You really want both your PrivEK and your RSK - Root Storage Key. Aside from the option to get a printed copy of your PrivEK, the chip should gain a single added function - the ability to output the RSK encrypted to the PrivEK. That keeps the RSK properly secured and only usable in conjunction with the PrivEK.