A researcher named Efim Bushmanov claims to have reverse engineered
the Skype protocol.
"My aim is to make Skype open source," he said in a blog
post, which included links to download executable files
compatible with Skype versions 1.4, 3.8, and 4.1, plus IDA Pro
disassembly database files, and source code.
Bushmanov said he decided to publicize his efforts in the wake of a
story published this week in the
Wall Street Journal,
detailing how Middle Eastern countries' security agencies possessed
tools that enabled them to eavesdrop on Skype communications. He's
also hoping to recruit more people to help him finish the Skype
reverse engineering, which he says isn't yet complete.
In response, Skype appears to be preparing for a fight. "This
unauthorized use of our application for malicious activities like
spamming/phishing infringes on Skype's intellectual property," said
the company in an emailed statement. "We are taking all necessary
steps to prevent/defeat nefarious attempts to subvert Skype's
experience. Skype takes its users' safety and security seriously
and we work tirelessly to ensure each individual has the best
possible experience."
But is Bushmanov operating in the clear? Typically, copyright law
makes an exception for reverse engineering software, provided it's
done correctly. One of the most famous examples of reverse
engineering done right happened in the 1980s, when Phoenix
Technologies wanted to build a BIOS that was compatible with IBM's
proprietary BIOS.
To protect itself against accusations that it had copied IBM's
BIOS, Phoenix created a team that used a Chinese wall approach.
Namely, the team observed the IBM BIOS, and described everything it
did without referencing any code. Next, a different team of
developers with no previous BIOS experience of any kind took the
first group's specifications, then wrote their own BIOS, ultimately
enabling companies to begin building IBM-compatible PCs.
Another famous reverse engineering case involved Andrew Tridgell,
who studied Microsoft's Server Message Block (SMB) protocol until
he understood it well enough to write Samba. This open source code
now enables Unix, Linux, and Mac OS X systems to communicate with
Microsoft Windows networks and clients, including Active Directory
domains.
Key to Tridgell's work, however, was that "he didn't decompile any
of Microsoft's code. He simply watched the traffic generated by SMB
implementations until he understood it well enough to produce an
alternative implementation," said Paul Ducklin, Sophos' head of
technology for Asia Pacific, in a blog post.
Has Bushmanov done his reverse engineering by the book, as Tridgell
did with Samba? "If Bushmanov hasn't taken this 'clean'
approach--and the presence of IDB files (IDA Pro disassembly
databases) amongst his published downloads suggests that he has
not--then this could end up in an interesting legal battle," said
Ducklin.
But recent court cases involving device or software modifications
haven't always ended in manufacturers' favor, legally or otherwise.
Notably, in January, Sony sued well-known hacker George Hotz (aka
Geohot), together with 100 other people (mostly unnamed), alleging
that they'd "jailbroken" the PlayStation 3, circumventing its
security measures in violation of the Digital Millennium Copyright
Act and allowing people to play unauthorized or pirated games. In
March, Sony settled with Hotz. Terms of the settlement were not
disclosed, although Hotz agreed to not publish any further, related
code.
Sony claimed victory, but it was short-lived, as the company soon
began suffering a crippling series of data breaches in apparent
retaliation for its lawsuit.
Skype, of course, was recently acquired by Microsoft for USD 8.5
billion, which means that the next move in this case is
Microsoft's. But an open source version of Skype may actually
benefit Microsoft, said Ducklin. For starters, it might quiet Skype
critics who want to know the security protocols it relies on.
Furthermore, it might prevent people from building Skype
competitors, instead treating Skype as a standard, and creating
their own clients.
"Microsoft could simply give up on the existing Linux and OS X code
bases without creating any bitterness amongst those communities,"
he said. "They'd be able to take up the software development
reins--just as gung-ho open sourcers are supposed to if they don't
like what's already on offer."