
Why Does Skype Read the BIOS?

kdawson posted more than 7 years ago | from the phone-home dept.

Security 327

pfp writes "Myria at pagetable.com, among others, noticed that Skype reads the machine's BIOS code on startup. This probably would've gone unnoticed if the operation didn't fail on 64-bit Windows. From the post: 'It's dumping your system BIOS, which usually includes your motherboard's serial number, and pipes it to the Skype application. I have no idea what they're using it for, or whether they send anything to their servers, but I bet whatever they're doing is no good given their track record... If they hadn't been ignorant of Win64's lack of NTVDM, nobody would've noticed this happening.'"


Processor info? (5, Interesting)

Ledsock (926049) | more than 7 years ago | (#17917774)

This is a random guess, but it could be part of Skype determining the make and model of your CPU. They had made a deal with Intel a while back to only allow large conferences on their processors, and the BIOS reading could be part of that or anticipation of other deals to come.

Re:Processor info? (5, Insightful)

repvik (96666) | more than 7 years ago | (#17917870)

Reading your BIOS to determine CPU ain't gonna be useful. I doubt any BIOSes store info on which CPU is on the board. Especially since there's easy ways to identify the CPU. I bet Windows has a syscall that gives you CPU information.

Re:Processor info? (3, Informative)

Anonymous Coward | more than 7 years ago | (#17918414)

If I remember correctly Windows has no syscall for that. But CPUID and RDTSC are user mode instructions (*) and do all one needs for cpu identification and more.

(*) = I don't know if CPUID is user mode under any OS or is dependent on some setting. RDTSC is user mode under Windows but not under Linux (there is some bit in some CRx register or whatever that determines whether RDTSC is privileged or not).

Oh but you can get CPU information easily (1)

blowdart (31458) | more than 7 years ago | (#17918880)

Actually you should be able to get the CPU information via WMI calls, the WIN32_Processor tree exists for that very reason. And that would work on 64-bit Windows too.

Re:Processor info? (4, Informative)

49152 (690909) | more than 7 years ago | (#17918970)

Not entirely correct.

GetSystemInfo() in Win32 and GetNativeSystemInfo() in WoW64 will give you some CPU information:
It will tell you if you're running on Intel, IA64 or AMD64, it will also identify 386, 486 and Pentium, Processor Level and Stepping and processor Revision. I think this will be sufficient in most cases to identify the CPU.

Re:Processor info? (5, Informative)

slashdot.org (321932) | more than 7 years ago | (#17918560)

"Reading your BIOS to determine CPU ain't gonna be useful. I doubt any BIOSes store info on which CPU is on the board."

As a former BIOS coder, I'll second that. Even if the BIOS did store some system specific info in Flash (on Embedded BIOSs sometimes this is done because CMOS is not reliable), there is NO way that Skype would know the format/place/meaning of this. It would be specific to a certain build of a specific BIOS for a specific board by a specific vendor.

In any case, the method described to dump the BIOS is not very likely to get anything close to the complete, original BIOS image to begin with. By dumping memory at F000:0000 through F000:FFFF, a 16 bit DOS program, under Windows, will get the memory resident part of the BIOS. Most BIOSs are far bigger than 64KB and the memory resident part is the decompressed runtime part, which is nothing like what the actual BIOS image looks like at boot time.

They are most likely using this in combination with other more or less 'unique' things to identify a specific machine. It wouldn't surprise me if after this some people would do a more in-depth analysis of their code and find out that it also reads the serial number of the harddrive and gets the MAC address of the Ethernet adapter.

Re:Processor info? (0)

Anonymous Coward | more than 7 years ago | (#17918716)

That's correct:

int GetSystemMetrics(SM_SLOWMACHINE); // TRUE if the computer has a low-end (slow) processor; FALSE otherwise.

Re:Processor info? (2, Informative)

Anonymous Coward | more than 7 years ago | (#17917916)

That's an interesting guess but probably wrong. The x86 instruction set has an instruction (which can be run directly from user-mode) that gives the make and model of the processor. Skype almost certainly uses that.

Reading the BIOS only gives information about the motherboard. With great difficulty, it might be possible to determine what processor families the motherboard supports, but I'm not sure how.
                --Justin

Re:Processor info? (2, Informative)

Anonymous Coward | more than 7 years ago | (#17917984)

No need for reading the BIOS. Just call the CPUID [wikipedia.org] instruction.

Re:Processor info? (3, Informative)

lachlan76 (770870) | more than 7 years ago | (#17918010)

The CPU is identified with the CPUID [wikipedia.org] instruction, not with any sort of BIOS access. Such a scheme would be wasteful and more complex.
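
The CPUID route these comments describe, as an added example that is not part of any comment in the thread: it reads the vendor string (leaf 0) and decodes family, model and stepping (leaf 1) from user mode, with no BIOS access. It assumes GCC or Clang on x86 for `<cpuid.h>`; the helper names and the register values used to check the decoder are constructed for illustration.

```c
/* Added example: identify the CPU from user mode with CPUID. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* GCC/Clang wrapper around the CPUID instruction */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

struct cpu_signature {
    unsigned family;            /* display family   */
    unsigned model;             /* display model    */
    unsigned stepping;          /* stepping ID      */
};

/* Leaf 0 returns the 12-byte vendor string in EBX, EDX, ECX (in that order),
 * least significant byte first. Bytes are extracted with shifts so the
 * helper does not depend on host endianness. */
static void vendor_from_regs(uint32_t ebx, uint32_t edx, uint32_t ecx,
                             char out[13])
{
    uint32_t regs[3];
    int r, b;

    regs[0] = ebx;
    regs[1] = edx;
    regs[2] = ecx;
    for (r = 0; r < 3; r++)
        for (b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xFF);
    out[12] = '\0';
}

/* Leaf 1 returns the processor signature in EAX:
 *   bits  3:0  stepping          bits 19:16 extended model
 *   bits  7:4  base model        bits 27:20 extended family
 *   bits 11:8  base family
 * The extended fields are only combined for base family 6 or 15 (model)
 * and base family 15 (family), following the Intel SDM rule. */
static struct cpu_signature decode_signature(uint32_t eax)
{
    unsigned base_model = (eax >> 4) & 0xF;
    unsigned base_fam   = (eax >> 8) & 0xF;
    unsigned ext_model  = (eax >> 16) & 0xF;
    unsigned ext_fam    = (eax >> 20) & 0xFF;
    struct cpu_signature s;

    s.stepping = eax & 0xF;
    s.family = base_fam;
    if (base_fam == 0xF)
        s.family += ext_fam;
    s.model = base_model;
    if (base_fam == 0x6 || base_fam == 0xF)
        s.model |= ext_model << 4;
    return s;
}

/* Queries the running CPU. Returns 1 and fills both outputs on x86,
 * returns 0 on any other architecture or if the leaf is unsupported. */
static int query_cpu(char vendor[13], struct cpu_signature *sig)
{
#if HAVE_CPUID
    unsigned eax, ebx, ecx, edx;

    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return 0;
    vendor_from_regs(ebx, edx, ecx, vendor);
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    *sig = decode_signature(eax);
    return 1;
#else
    (void)vendor;
    (void)sig;
    return 0;
#endif
}

int main(void)
{
    char vendor[13];
    struct cpu_signature sig;

    if (!query_cpu(vendor, &sig)) {
        puts("CPUID is not available on this architecture");
        return 0;
    }
    printf("vendor=%s family=%u model=%u stepping=%u\n",
           vendor, sig.family, sig.model, sig.stepping);
    return 0;
}
```
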

Goddammit ! It is FREE so what do you care ? (0, Funny)

Anonymous Coward | more than 7 years ago | (#17919114)



Goddammit ! It is FREE so what do you care ? Ebay has to make some money back somehow ! So it sells some of your personal details . So what ? It's FREE !

Re:Processor info? (0)

Anonymous Coward | more than 7 years ago | (#17918076)

Not a chance. CPU info you get from the instruction CPUID.

bad history? (3, Interesting)

chimpo13 (471212) | more than 7 years ago | (#17917786)

What is Skype's bad history?

Re:bad history? (5, Informative)

Anonymous Coward | more than 7 years ago | (#17917818)

I think he was talking about the company who owns it. They also made Kazaa, which was full of spyware and other harmful malware.

Re:bad history? (2, Funny)

turing_m (1030530) | more than 7 years ago | (#17917842)

Thanks for pointing that out. Looks like I may have to get rid of Skype, as useful as it may be sometimes.

Re:bad history? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17918224)

Yea, make sure to move out of your country too, because your government's broken.

Re:bad history? (5, Informative)

Ledsock (926049) | more than 7 years ago | (#17917864)

While it is true that the developers were responsible for Kazaa, currently Skype is owned by eBay. They bought them on Oct. 14, 2005 for around $2.6 billion.

Re:bad history? (5, Funny)

pboulang (16954) | more than 7 years ago | (#17917900)

That's even worse!

Re:bad history? (2, Funny)

Hobbex (41473) | more than 7 years ago | (#17917880)

"I think he was talking about the company who owns it. They also made Kazaa"
eBay made Kazaa? Somebody better tell the record companies...

Re:bad history? (5, Informative)

anethema (99553) | more than 7 years ago | (#17917890)

Actually, the original Kazaa (which WAS dev'd by the same people as Skype) was -not- full of spyware and adware. Kazaa was made an atrocity by Sharman, who still owns it.

Re:bad history? (5, Informative)

Cocoshimmy (933014) | more than 7 years ago | (#17918002)

They could be referring to the time where Skype would only allow 10-way conference calling on dual-core Intel processors [slashdot.org]. Those running AMD processors could only have 5-way conference calls. At the time they cited the "technical superiority" of Intel processors over AMD ones.

Of course this gave bad publicity to both Intel and Skype after AMD issued a subpoena [slashdot.org] against Skype and the fact that it was discovered that the software simply checked the processor ID and enabled the feature based on that. A patched version [slashdot.org] was also released which bypassed this artificial limitation.

Theres... (5, Funny)

Anonymous Coward | more than 7 years ago | (#17917792)

nothing to see here. move along.

we are not spying on you. we swear.

oh btw.. your wife is cheating on you.

Re:Theres... (0)

Anonymous Coward | more than 7 years ago | (#17917852)

Damn that woman! I'm gonna have to go put her in her place. But really I find this news heartening, since I haven't yet met my wife yet, but it is good to know she exists. Now..whereabout did you see her?

Hmmm.....what could you do with this? (-1, Troll)

PoconoPCDoctor (912001) | more than 7 years ago | (#17917828)

Searching Google on "skype reads BIOS" turns up some scary hits.

The first is to a Blackhat conference. [blackhat.com]

The second details how multiple BIOS profiles [bjorn3d.com] can be stored on some Asus motherboards -

"ASUS O.C. Profile
The motherboard features the ASUS O.C. Profile that allows users to conveniently store or load multiple BIOS settings. The BIOS settings can be stored in the CMOS or a separate file, giving users freedom to share and distribute their favorite overclocking settings."

Be afraid. Be very afraid.

Re:Hmmm.....what could you do with this? (5, Funny)

BitHive (578094) | more than 7 years ago | (#17917920)

Yeah, I'm shaking in my shoes thinking that eBay might steal my identity and sell my files to the government because their software might theoretically be able to read my bus speed and AGP window size.

Re:Hmmm.....what could you do with this? (0)

Anonymous Coward | more than 7 years ago | (#17918282)

"Be afraid. Be very afraid."
Of what? Skype will know I overclocked my CPU? Oh no! Now they can use that information to kill me!

To prevent abuse? Usage statistics? (5, Interesting)

Cocoshimmy (933014) | more than 7 years ago | (#17917832)

What better unique identifier than the system BIOS? IP addresses are becoming less reliable since many people use wireless internet and mobile phones for Skype.

Skype is probably just looking for abusive users who sign up for their low margin unlimited calling plan only to share it with their relatives and friends across the world. If they detect, say, 5 different machines calling 5 different people all within a span of 10 minutes, then something is likely wrong.

Of course they could just be collecting system info such as the system manufacturer, processor type, number of processors, sound card, etc. This could be combined with the survey results regarding phone quality they ask you to take after every few calls. In the end it could result in a better product and better service. Of course many other software products already do this (such as Firefox, MS Windows, MS Office) but they are more open about it and at least give you the option of participating.

Re:To prevent abuse? Usage statistics? (5, Funny)

QuantumG (50515) | more than 7 years ago | (#17917994)

Yeah, and those bastards, requiring some sort of unique number to identify people using a telephone! Who ever heard of such trickery!

Here's a question for you.... (5, Informative)

Khyber (864651) | more than 7 years ago | (#17917996)

I once read somewhere that the only identifying information that you could legally acquire, being installed on someone's computer, was MAC, IP, and Nickname. Anything else (Pentium 3 fiasco, anyone?) constituted a breach of privacy. Dunno if it's true, or not, but personally, I don't want you trying to identify what the hell makes up my system. Perhaps I'm building it SECRETLY for a fucking reason. You don't need to know what CPU or HDD I have installed - the only reason you would want to would be to directly target advertisements at their own users, concerning their own fucking hardware. If Skype did that, they'd lose not every bit of faith from me, but I'd go tell my company that I work for, which uses SKYPE on a regular basis. I can guarantee you that IT is so stupid they'd drop Skype and install Asterisk on a whim if I told them to, since I usually end up having to fix their intranet when it goes down.

Re:Here's a question for you.... (-1, Offtopic)

Arivia (783328) | more than 7 years ago | (#17918290)

I love that new first-person shooter! It thinks my three-year old bargain bin card is from the top of today's line! Never mind the five frames per second, my screenshots look great!

*computer spurts and sparks, sending out a plume of smoke*

Alternatively:

"Daddy, why is the computer making a horrible screeching sound?"
"Don't worry, Timmy, that's just it trying to write information beyond the bounds of the hard disk!"

Re:Here's a question for you.... (5, Insightful)

Ash-Fox (726320) | more than 7 years ago | (#17918354)

"I once read somewhere that the only identifying information that you could legally acquire, being installed on someone's computer, was MAC, IP, and Nickname. Anything else (Pentium 3 fiasco, anyone?) constituted a breach of privacy."
I doubt it. Besides, one can change their MAC address, IP address and 'Nickname' without replacing hardware.

"You don't need to know what CPU or HDD I have installed - the only reason you would want to would be to directly target advertisements at their own users, concerning their own fucking hardware."
Or maybe... Just maybe... They could make design decisions based on the majority of users.

What processor speed do the majority have? What OS? How much RAM? How much hard drive space?

It's important to know about who you're making software for.

"If Skype did that, they'd lose not every bit of faith from me"
Did you know Skype is owned by Paypal and eBay now?

"I can guarantee you that IT is so stupid they'd drop Skype and install Asterisk on a whim if I told them to, since I usually end up having to fix their intranet when it goes down."
Asterisk and what? What SIP providers? What solution exactly? -- Asterisk is not an easy solution to set up compared to Skype. The end user can set up Skype, but Asterisk? I doubt it.

Re:Here's a question for you.... (5, Funny)

ajs318 (655362) | more than 7 years ago | (#17918614)

Asterisk is very easy to set up. You just have to be good at setting Asterisk up. The way to get good at setting Asterisk up is to set Asterisk up. For your first assignment, use just two hardware SIP phones. Once you have got them talking to each other, then you can think about adding more phones and things like POTS gateways.

Within weeks you'll be writing advanced dial plans to do things like ring all the phones in a department or divert calls to your mobile if you haven't picked up in twelve rings, and you'll have DHCP and TFTP set up so each phone on the network can configure itself at switch-on. Then it'll all be working exactly how you want it to, with nothing for you to do except occasionally unplug and replug a misbehaving telephone.

About a year or eighteen months later, you will want to add a simple new feature. Unfortunately, by this time you will have forgotten altogether how you set everything up in the first place.

Re:Here's a question for you.... (0)

duc0n (1046240) | more than 7 years ago | (#17918768)

"Asterisk is very easy to set up. You just have to be good at setting Asterisk up." Circular logic, anyone? //dUc0N//

Re:Here's a question for you.... (5, Funny)

Anonymous Coward | more than 7 years ago | (#17918906)

Joke ---->
    O
   -+-
    |  <- You
   / \

Re:To prevent abuse? Usage statistics? (1)

suv4x4 (956391) | more than 7 years ago | (#17918280)

"What better unique identifier than the system BIOS?"

Any random persistent data with equal or greater size? In fact the odds of BIOS data matching another copy of BIOS data is much higher than two randomly generated numbers of the same size because of the much lower entropy.

Why read the BIOS for this, what if you change your BIOS setup or motherboard? Your theory doesn't stand under closer scrutiny.

Especially since Skype doesn't lock the accounts to a specific PC.

Re:To prevent abuse? Usage statistics? (3, Interesting)

Cocoshimmy (933014) | more than 7 years ago | (#17918472)

First let me point out that this is just a theory. Second, if you read my entire comment then you would see that I agree that there are potentially other explanations for why they collect this information.

The chances of BIOS data matching up exactly, while not as low as two random numbers of length equal to the BIOS data, are still very low. Imprinted in the BIOS is the image itself, the manufacturer, the model, and other system information. What random persistent data that you speak of can be consistently harvested on all machines after every reboot? The only other information available perhaps is the MAC address.

As for why they would read the BIOS for this. Your BIOS and/or motherboard are not things that you change every day, let alone every 5 minutes. If for example, your account logs 2 or 3 motherboards being used over one month or even one week, not a big deal. But, if your account logs 10-15 different motherboards within the HOUR, then something is likely wrong and they would investigate. Skype would likely check this against other information which it collects from the system.

As for your last point, yes, Skype does not lock accounts to a specific PC. In fact, you can be logged into Skype from multiple computers simultaneously. This would allow you to be logged in on your desktop, your laptop, and your Windows Mobile phone all at the same time and send/answer calls from whichever system is most convenient. However, as I mentioned earlier, if you gave your Skype account password to several friends and had 10-15 unique computers connected within the hour, then it could indicate abusive behaviour.

Chances are that this data could be used for other things, which I pointed out in my original post. However, your arguments against this particular theory do little to refute it.

Re:To prevent abuse? Usage statistics? (4, Informative)

evilviper (135110) | more than 7 years ago | (#17918318)

"Of course they could just be collecting system info such as the system manufacturer, processor type, number of processors, sound card, etc."
That's complete nonsense. Windows has a perfectly standard way of finding out about system devices. Reading the BIOS would tell you almost none of the things you listed to begin with.

Re:To prevent abuse? Usage statistics? (1)

Cocoshimmy (933014) | more than 7 years ago | (#17918526)

Yes, you are right, it does not tell you everything about the system. I did not mention that the BIOS is likely just ONE of the things that Skype reads from. Skype could also be accessing the PCI config space and the system registry to learn more about the system. After all just because they were only caught accessing the BIOS, it does not mean that is the only system information they collected.

Re:To prevent abuse? Usage statistics? (0)

Anonymous Coward | more than 7 years ago | (#17918730)

"Skype is probably just looking for abusive users who sign up for their low margin unlimited calling plan only to share it with their relatives and friends across the world. If they detect, say, 5 different machines calling 5 different people all within a span of 10 minutes, then something is likely wrong."
I would not mind this too much as long as the data is hashed before getting sent.

About figures (5, Insightful)

TopSpin (753) | more than 7 years ago | (#17917866)

Wouldn't it be nice if the Operating System helped you protect it from intrusive applications? No, you don't get to silently spam half baked crap into /etc/rc.d/init.d just because you actually need sufficient privilege to do some other thing on install. No, my registry is NOT a free-for-all; you get to put just what you need in there and not go on a fishing expedition or 'fix' stuff you're not compatible with. No, the BIOS isn't for you because you're just a VOIP app and have no business whatsoever mucking around with the nonvolatile CMOS I need to boot. No, I don't need a fourth JVM crammed into my PATH, thanks.

Vendors would be forced to detail the mucking around they do, probably leading to much less mucking around in general. Indifferent users could just do what they always do and bang on the 'accept/yes/ok' widgets. Those of us who know enough to care (or get paid to) would then have an actual chance.

Too much to ask I guess.

Re:About figures (0, Offtopic)

jimicus (737525) | more than 7 years ago | (#17918054)

Or you buy a Mac.

Pros: You don't wind up with a corrupted registry and DLL hell because every app ships with its own copies of the libraries it needs.

Cons: Every app is, to all intents and purposes, statically linked. (OK, it isn't, but in terms of disk space it may as well be). Takes up more disk space.

With disk space being measured in cents/gigabyte, who cares?

Re:About figures (3, Insightful)

albertost (1019782) | more than 7 years ago | (#17918132)

"Pros: You don't wind up with a corrupted registry and DLL hell because every app ships with its own copies of the libraries it needs."
If Microsoft did that, no one would consider that a "pro".

Re:About figures (3, Interesting)

Ash-Fox (726320) | more than 7 years ago | (#17918300)

Cons: I don't like the:
  • interface
  • scheduler (Multitasking on the latest OS X seems rather terrible with just a single core, even if you have a lot of RAM)
  • amount of RAM required just to run things smoothly (I've run the entire KDE 3.5 desktop [Linux], on 265MB of RAM without really noticing performance issues)
  • licensing
  • mac hardware (sorry, but I don't like hardware that emits high-pitched noises -- Not many people can hear it, but I can. Nor do I like a brand that I have repeatedly had 'logicboard failures' on)
  • Lack of hardware support (Non-Apple)
  • Poor quality customer service (yes, I have used Apple)
  • Proprietary (closed-source) file formats that make it difficult to migrate to anything else
  • The poor support of X11 (clipboards, drag and drop... I get better on Windows solutions for heaven's sake)

Need I go on?

Re:About figures (0)

Anonymous Coward | more than 7 years ago | (#17918516)

If this is offtopic, shouldn't the grandparent post be modded down instead?

Re:About figures (0)

Grey Ninja (739021) | more than 7 years ago | (#17918540)

Bravo. Sometimes I think I'm the only one on Slashdot who thinks that way about Apple. Quite honestly, I prefer Windows to Mac OS, for pretty much exactly the reasons you've just laid out. (I'm a full time Linux user).

Re:About figures (1)

Agram (721220) | more than 7 years ago | (#17918356)

Disk space is cheap, but most countries (apart from U.S.) still have fast Internet connection fees assessed by the amount of downloaded/uploaded content. So, while DLLs have had their share of hits and misses (my experience tells me this is more of a hype these days than truth), I still prefer to download a 3MB version of Gimp for Win32/Linux, rather than a 82.6MB version of Gimp for OSX which still requires X11 (40+MB) and possibly Fink with its libs (another 8MB plus libs which I estimate at 20MB).

Re:About figures (1)

Corporate Troll (537873) | more than 7 years ago | (#17918536)

"but most countries (apart from U.S.) still have fast Internet connection fees assessed by the amount of downloaded/uploaded content."

We do? Hey, I live in Europe and actually in a country where fast internet connections are expensive compared to the neighbouring countries. (Mainly because our market is so small) Now, I pay about 30€/month for unlimited Internet. While it's not exactly cheap, you get unlimited internet for much much less in countries like Belgium, France, and Germany....

I do realise that "the rest of the world" is more than just Europe, so, I might be wrong....

Re:About figures (3, Interesting)

giorgiofr (887762) | more than 7 years ago | (#17918650)

The problem is not with disk space, but with unnecessary duplication of functions, which leads to having different versions of the same libs on your system, some of which might have security holes. Besides, it's totally inelegant and contrary to all concepts of modularization. Might as well ship a VM for every app.

Re:About figures (2, Interesting)

Tom (822) | more than 7 years ago | (#17918416)

"Too much to ask I guess."
SELinux allows you to fine-tune permissions to extreme detail, including everything you used as example (or at least the Linux-equivalent, as far as registry, etc. is concerned).

Problem: The complexity isn't for the faint of heart. So no distribution for the general public will actually use it as fine-grained as it allows you to be.

Gentoo emerge (1)

backwardMechanic (959818) | more than 7 years ago | (#17918476)

Try Gentoo. Apart from fanboy overtweakers, it provides just the kind of installation control you're asking for, via emerge. Emerge builds the new app in a sandbox, then transfers it to your running system. You then run etc-update to update your config files. If the install wants to modify files in 'protected' directories (/etc, /etc/init.d, etc.), it will ask you before making the changes. Sometimes it's a pain in the ass (327 files to update...), but at least you get to see what's going on.

Re:Gentoo emerge (1)

High Hat (618572) | more than 7 years ago | (#17919050)

Actually, the "config file protection" feature is not really meant as a security measure.

Its purpose is to prevent upgraded packages from overwriting your hand-crafted configuration files on install, allowing you to decide which version to keep or even do an interactive merge of your old config file and the new one that came with the system.

I would not depend on it as a security tool for the fact that at least dispatch-conf, but if memory serves right also etc-update will both automatically merge configuration files that were not previously installed. I'm not sure if those tools will also automatically overwrite configuration files that have not been modified since install - but it would at least make sense and seems rather gentooish.

So while configuration protection is rather useful, it is actually quite short sighted to rely on it for security during package installation (called "merging" in Gentoo).

Interesting usage statistics (1)

280Z28 (896335) | more than 7 years ago | (#17917898)

They could use this for tracking the number of computers the program is installed on, which would work independently of current user, IP, or even reinstalls. Combined with other things this could be a unique and interesting statistic that's hard (impossible) to test by other methods.

Random generator? (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17918008)

Could it be that Skype uses BIOS data to generate random numbers for the encrypted communication layer?

Re:Random generator? (2, Insightful)

ZX3 Junglist (643835) | more than 7 years ago | (#17918446)

There's not anything more random in the BIOS than there is somewhere unprotected.

Ah! A primitive form of humor. (2, Funny)

B3ryllium (571199) | more than 7 years ago | (#17918018)

Wait, I know the answer to this one!!

Because it was stapled to the punk rocker's face!!!1

Go to the source (5, Insightful)

ZX3 Junglist (643835) | more than 7 years ago | (#17918030)

Has anyone asked them for their explanation? I feel now would be a good time for them to exercise their right to tell us why they do this.
Might I suggest mailto:info@skype.net [mailto]

I would do so myself, but I assume there's a paying Skype user here who would garner a bit more attention than I would.

Done (5, Interesting)

adpsimpson (956630) | more than 7 years ago | (#17918558)

Dear Sir/Madam,

As a Skype customer (adpsimpson) and software developer who has used skype-out from across the world to stay in touch with folk at home, I read with some interest on http://slashdot.org/ [slashdot.org] this morning that Skype appears to read the system bios on start up.

While I am aware that there are legitimate reasons that some software may do this, I cannot immediately think what a VOIP application would require the data for.

Using closed source software is always a second-best from my point of view, especially in terms of privacy and transparency of the software's function - this in fact is what led me to Skype, since it runs on Linux. As such I am slightly concerned about unexpected application behaviour.

What does Skype do with this information? Is it transmitted across the network in any form? Is it identifiable?

I look forward to your response,

Yours,
Andrew Simpson

Re:Done (1)

Pond823 (643768) | more than 7 years ago | (#17918836)

Mod parent up (I'm out of points)

Re:Go to the source (0)

Anonymous Coward | more than 7 years ago | (#17918756)

May I suggest that in this instance it might not be such a great idea to "garner a bit more attention" from ANYONE

Anybody else getting real tired of this stuff? (0, Interesting)

Anonymous Coward | more than 7 years ago | (#17918046)

It seems as if we exist solely to be data-mined. The whole "consumers, not citizens" viewpoint of business and politics is getting old. Is it time for the next revolution yet?

Why does it read the BIOS? (4, Funny)

dangitman (862676) | more than 7 years ago | (#17918070)

Because it's bored and can't find a good book.

Why does Skype read the BIOS? (3, Funny)

OpenSourced (323149) | more than 7 years ago | (#17918078)

...
To know what's written there. ...

What about Macs ? (4, Interesting)

warrior_s (881715) | more than 7 years ago | (#17918086)

Can someone tell me how can I check if it's doing the same on my Macbook?
Thanks

Re:What about Macs ? (3, Insightful)

Ash-Fox (726320) | more than 7 years ago | (#17918228)

Use a debugger.

The amount of information required to teach one how to use a debugger and understand it goes far beyond the amount of text Slashdot would even allow in a single post. However there are many websites on Google that can help you learn with this matter.

Good hunting.

Re:What about Macs ? (5, Informative)

descil (119554) | more than 7 years ago | (#17918342)

Skype won't run if you have SoftICE installed on Windows. Pretty funny - I guess they don't want you to look.

OllyDbg still works though.

Re:What about Macs ? (5, Informative)

mrogers (85392) | more than 7 years ago | (#17918668)

Skype contains encrypted code, self-modifying code, timing loops to detect whether it's running inside a debugger, and any number of other tricks to prevent reverse engineering. Which hasn't stopped people trying:

http://www.recon.cx/en/f/vskype-part1.pdf [recon.cx]
http://www.recon.cx/en/f/vskype-part2.pdf [recon.cx]

Re:What about Macs ? (-1)

Anonymous Coward | more than 7 years ago | (#17918260)

A Mac doesn't have a BIOS... it's a PC only thing

Re:What about Macs ? (1)

Ash-Fox (726320) | more than 7 years ago | (#17918436)

Many Dells have EFIs too, with BIOS compatibility mode. I don't really see the problem with getting Skype to attempt to read using EFIs compatibility modes.

Re:What about Macs ? (3, Interesting)

apt_user (812814) | more than 7 years ago | (#17918286)

That's a good point. Intel Macs don't have a BIOS, they use Intel EFI (The old PPC Macs used OpenFirmware). How does Skype react to running in XP under Parallels?

Re:What about Macs ? (1)

LuminaireX (949185) | more than 7 years ago | (#17918504)

It's my understanding that Mac systems do not use BIOS, but EFI

Re:What about Macs ? (5, Funny)

Slashcrap (869349) | more than 7 years ago | (#17918754)

"Can someone tell me how can I check if it's doing the same on my Macbook?"

There's really no need. Macs are secure by default even when running Windows.

In the unlikely event that a rogue piece of software does manage to send out some of your personal info, an electronic version of Steve Jobs will shoot down the wire after it and destroy the packets before they reach their destination. Probably using one of those frisbees out of Tron.

some gizmo users around? (0, Offtopic)

esiminch (899049) | more than 7 years ago | (#17918114)

I wonder what gizmoproject is reading on my sys?

Sorry what's the big deal? (2, Interesting)

Timberwolf0122 (872207) | more than 7 years ago | (#17918212)

Read my BIOS settings, I have no problem with this. There is no information on my BIOS that I would consider sensitive, maybe a touch of chagrin if it turns out I have my RAM config set wrong(?) but that's it.

Writing to my BIOS.... now that's a different matter and one I would take exception to.

Re:Sorry what's the big deal? (0, Offtopic)

descil (119554) | more than 7 years ago | (#17918380)

Skype is evil! Skype is SkyNet in a diminutive disguise!

And your BIOS is totally a unique identifier of You (well, your machine). Ever noticed that your disks, hardware, etc. are all listed there?

I don't know about you but I don't like the idea of giving all my preferences/traits/consumption habits to big corporate interests who might have the voice recognition software set on words like "money" and "bill gates" and "kill"... it just doesn't bode well for my future. The reality is that the amount of data you could glean from what a person talks about is worth a tiny amount, but when you have that data for a million people, it's a survey, and suddenly it's worth billions of dollars of investment revenue.

Investors, not lawyers, are the devil. Lawyers are your friend.

(Bill Gates, I'm coming for You...)

Re:Sorry what's the big deal? (1)

speculatrix (678524) | more than 7 years ago | (#17918400)

Writing to my BIOS.... now that's a different matter and one I would take exception to.

Indeed, this is why I always, if possible, use both the write-protect jumper on the motherboard (if it exists) as well as disabling write in the CMOS/BIOS settings.

Re:Sorry what's the big deal? (1)

GeekDork (194851) | more than 7 years ago | (#17918652)

Writing to my BIOS.... now that's a different matter and one I would take exception to.

Writing there should be considered a fundamental flaw of the operating system. If the OS manages to boot, there is no need at all to change any values in the configuration. If the OS doesn't manage to boot, there is no way at all to change any values in the configuration. QED ;-)

Granted, with the floppy drive being on the way out, I can see kind of a problem for BIOS updates.

Re:Sorry what's the big deal? (1)

scumbaguk (918201) | more than 7 years ago | (#17918778)

Bootable USB sticks.....

Copyright on the BIOS ??? (3, Interesting)

Alain Williams (2972) | more than 7 years ago | (#17918366)

It took a minute for the penny to drop, but is it not downloading the BIOS code rather than the system setup info held in CMOS?

If that is the case then transmission of that BIOS back to Skype HQ must be a breach of Phoenix/... copyright.

Look what they try to do if you or I copy someone's code ...

Why Does Skype Read the BIOS (1)

zuhaifi (1060950) | more than 7 years ago | (#17918378)

There's someone teach the skype 'reading'

Identification? (1)

Alkonaut (604183) | more than 7 years ago | (#17918456)

Couldn't it just be that they want to identify individual computers? If they can read a serial number from the motherboard then they don't have to count that computer again? The actual number of installations made (and used) is quite important for a company whose stock price depends on the number of customers but whose product is free to download...

Re:Identification? (2, Insightful)

AndrewStephens (815287) | more than 7 years ago | (#17918722)

Good theory; in theory the SMBIOS tables (which are what I think they are trying to read) can contain serial numbers for the motherboard, etc. But in practice these fields are often blank or change after every BIOS update, making them useless for identification.

Re:Identification? (1)

Barny (103770) | more than 7 years ago | (#17918920)

Correct! Buy a copy of SiSoft Sandra, and get it to display mobo info; all my ASUS boards are 123456789000, and Gigabyte boards don't even have a serial number at all.

Hrmm, this Asus board allows me to put an mp3 into it for the "power on" sound (no I am not joking), if I put a copyrighted file in there, and they snarf it without the artist's permission (and they sure as hell didn't ask me, or suggest I shouldn't put it there for them to get) can we get the RIAA to sue them?
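The point made in the two comments above, that SMBIOS serial fields are often blank or carry a vendor placeholder, shown as an added example (not code from the thread or from Skype). It parses a constructed SMBIOS structure table and reports whether the system and baseboard serials are usable as identifiers; the function names and the placeholder list are assumptions, apart from the "123456789000" value quoted in the thread.

```python
import struct

# Serial values treated as placeholders. "123456789000" is the value reported
# in the thread; the other entries are assumptions made for this example.
PLACEHOLDERS = {"", "123456789000", "none", "default string", "to be filled by o.e.m."}
NAMES = {1: "system", 2: "baseboard"}   # SMBIOS structure types carrying a serial
SERIAL_OFFSET = 7                       # string index of the serial in types 1 and 2

def build_structure(stype, handle, fields, strings):
    """Build one constructed SMBIOS structure (sample-data helper only)."""
    header = struct.pack("<BBH", stype, 4 + len(fields), handle)
    tail = b"".join(s.encode("ascii") + b"\x00" for s in strings) or b"\x00"
    return header + bytes(fields) + tail + b"\x00"

def parse_structures(table):
    """Yield (type, formatted_area, strings); each string set ends in a double NUL."""
    pos = 0
    while pos + 4 <= len(table):
        stype, length, _handle = struct.unpack_from("<BBH", table, pos)
        if length < 4 or pos + length > len(table):
            raise ValueError(f"bad structure length at offset {pos}")
        end = table.find(b"\x00\x00", pos + length)
        if end < 0:
            raise ValueError("unterminated string set")
        raw = table[pos + length:end]
        strings = [s.decode("ascii", "replace") for s in raw.split(b"\x00")] if raw else []
        yield stype, table[pos:pos + length], strings
        if stype == 127:        # end-of-table marker
            return
        pos = end + 2

def serial_report(table):
    """Map 'system'/'baseboard' to (serial, usable_as_identifier)."""
    report = {}
    for stype, formatted, strings in parse_structures(table):
        if stype not in NAMES or len(formatted) <= SERIAL_OFFSET:
            continue
        idx = formatted[SERIAL_OFFSET]          # 0 means "no string"
        serial = strings[idx - 1] if 0 < idx <= len(strings) else None
        usable = serial is not None and serial.strip().lower() not in PLACEHOLDERS
        report[NAMES[stype]] = (serial, usable)
    return report

# Constructed sample: system entry with a serial, baseboard with the placeholder.
SAMPLE_TABLE = (
    build_structure(1, 0x0001, [1, 2, 0, 3], ["Example Vendor", "Example PC", "SN-CONSTRUCTED-001"])
    + build_structure(2, 0x0002, [1, 2, 0, 3], ["Example Vendor", "Example Board", "123456789000"])
    + build_structure(127, 0x0003, [], [])
)
```

`serial_report(SAMPLE_TABLE)` marks the system serial as usable and the baseboard serial as a placeholder; a structure whose serial index is 0 comes back as `(None, False)`.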

Re:Identification? (1)

MooUK (905450) | more than 7 years ago | (#17918816)

Surely using a MAC address, which is supposed to be entirely unique (yes, it can be changed, but it's close enough) and isn't hard to read, would be a more effective route?

Serves You Right (1, Troll)

ajs318 (655362) | more than 7 years ago | (#17918530)

If you run closed-source software on your machine, then you deserve everything you get.

If the suppliers of software weren't ashamed of it, they would gladly show you what was inside, beaming with pride as you carefully inspected each immaculately-tooled part. If they won't let you look, it's always for one of two reasons. Either it's doing something they don't want you to know about (*cough* ActiveX *cough*), or it's so badly written that they wouldn't want to admit to it (*cough* StarOffice *cough*).

Stick to open standards like SIP and IAX. Only download Skype if you're planning to try to force it open.

Re:Serves You Right (1)

tsa (15680) | more than 7 years ago | (#17918608)

Can I have some of what you're smoking?

Re:Serves You Right (1)

ajs318 (655362) | more than 7 years ago | (#17918656)

Judging by your e-mail address, you probably can get a better smoke locally.

Now that we've both tried to be funny and failed, which bits exactly were you taking issue with?

Re:Serves You Right (3, Insightful)

animaal (183055) | more than 7 years ago | (#17918702)

If you run closed-source software on your machine, then you deserve everything you get
support that isn't limited to that old open-source favourite advice, "RTFM"?

Nah, you are being silly (4, Funny)

SmallFurryCreature (593017) | more than 7 years ago | (#17918732)

I will only eat in restaurants that have a double door to the kitchen and a rabid security guard preventing entry. Everyone knows that the best kitchens never allow you to see what goes on inside. That is un-hygienic.

Neither do I ever check under the hood of my car. My wife insisted on that, she assured me she made sure the brakes work just fine after she adjusted them with the box-cutter. So that is alright and she waved me goodbye so nicely, together with the poolboy, as I drove away for a week trip across the mountains.

Checking the work of a software company? Pah, next thing you will be insisting that the bible is translated into your native tongue so you can read it for yourself and not have to rely on your religious leader to tell you what is inside it. INFIDEL!

Re:Serves You Right (1)

ndg123 (801212) | more than 7 years ago | (#17918734)

I'd agree about the hiding of undesirable behaviours, for example spying to collect personal data or detecting piracy whilst invading privacy.
I don't think many suppliers making those decisions are particularly aware of code quality, since so few of them measure it properly, and so that is less likely to be a reason for keeping it closed or even obfuscated. Some of the (other) reasons I can think of are:
i) misguided view that the lines of code are intellectual property which have a uniqueness and value which in itself must be protected. Most programs just ain't that smart or unique. It's the overall design and features/functions which differentiate the product, not the detail of how those are implemented.
ii) hackers can't see the code, it's less vulnerable. True, this will keep out non-l33t haxxors, but not military or organised crime talents.
iii) they know this is bog-standard stuff, or possibly could contain routines or code snippets which have been copied from other sources and it's cheaper to hide it than re-write or pay royalties.
I'm sure there are others, but I need to get on with some work now!

They could have used Win32 calls (3, Interesting)

AndrewStephens (815287) | more than 7 years ago | (#17918678)

I don't know why Skype is reading the BIOS, others have speculated that they are trying to generate a unique key from the SMBIOS tables or perhaps lock certain features to certain processors. Sounds plausible I guess.
What I do know is the Skype programmers are überl4m3rz; the BIOS can be mapped into a process's address space using perfectly good Win32 calls. Resorting to calling a COM program to read the memory is an incredibly cheap hack, and obviously a badly tested one.

Re:They could have used Win32 calls (4, Interesting)

blackest_k (761565) | more than 7 years ago | (#17919028)

You make the assumption there that Win32 calls are available, I'm running Linux.

It makes sense to try and keep the code as cross platform as possible.
However the question we all have is why?

Possibilities include user statistics. I would guess internet cafes would have large numbers of accounts on a small number of PCs, but most accounts will be used at home or possibly on holiday. So maybe it is the marketing department that is interested.

A less sinister reason may be to combat fraud, recently I noticed that Skype have introduced monthly caps on the skype out credit you can buy. Perhaps there is an issue or potential issue of fraudulent use of credit cards to buy credit.

Would be some protection for them if some user claims that his credit card details were stolen, and used to buy Skype credit. With the BIOS code you could probably identify fraud on the part of that user when there is a dispute and the credit card company is refusing to pay. For Skype to be able to say well we believe that user did incur these charges since we have it on record that the PC used was used both before and after the disputed dates for making calls on this account.

And finally, let's face it, Skype isn't that secure; all it takes is for you to know my username and password and you can make free calls on my account.

Actually, when you think about it, attacking the username password system on Skype should be fairly trivial; at least it should be noticeable when someone starts bruteforcing username password combinations.

When you think about it, take your wireless laptop or PDA war driving.

connect to unsecured network
brute force a username password
make free calls world wide.

With the ability to blacklist the particular PC used for the attack it becomes a lot more difficult and expensive to compromise user accounts.

Skype is from Kazaa's founders (0, Redundant)

otisg (92803) | more than 7 years ago | (#17918692)

It's important to remember that Skype comes from the same people who brought us Kazaa. It's the DNA.

seeding a random function (2, Informative)

quench (187533) | more than 7 years ago | (#17918698)

Well, getting hardware information of this kind could practically be used as seed for random numbers.
Why always feed it with zero or get-ticks-since-reboot?
Bye

Finally... (1, Troll)

owlstead (636356) | more than 7 years ago | (#17918706)

This will generate some much needed criticism of Skype. It's not only that it is closed source, it's a closed protocol as well. I presume every Skype phone will have to pay a nice amount of royalties.

Basically Skype is not much more than VOIP. What it has going is a lot of hype, a cool name and an efficient way of doing the networking. But even then I have always been very sceptical of Skype. Unfortunately I haven't seen this reflected in real life. People simply buy Skype phones - even ones that only know how to do Skype - without realizing they are setting up a new monopoly again.

And, as you can see, monopolies can do really bad stuff. Maybe this will turn out to be nothing spectacular, but who says that the next time this will be the case? It's not that I hold eBay in such a high esteem either (although this is mostly gut-feeling).

Re:Finally... (0)

Anonymous Coward | more than 7 years ago | (#17918842)

I, me, mine. Who's self-serving now?

Need, the mother of invention. (0)

Anonymous Coward | more than 7 years ago | (#17918746)

Too bad there are no open source alternatives that are fully interoperable with Skype. This seems like a great opportunity for the FOSS community, but why aren't there any takers?

reading.....bios.... (1)

antik2001 (535940) | more than 7 years ago | (#17918932)

Hmm, what software is reading my BIOS.... Windows does....Linux DOES! OMG I see conspiracy! /me is pressing power button and runs away.... AAARRRRGH!!! HELPPP!!!

Tracing (5, Interesting)

ignorent (857223) | more than 7 years ago | (#17918978)

Perhaps the federal government requires them to make all phone calls traceable?

Linux, non Admin accounts on Windows? (0)

Anonymous Coward | more than 7 years ago | (#17919026)

On Linux most people run Skype as a normal user - it won't allow things like opening the BIOS etc. there. Also I doubt Windows allows the non-Admin user to open/read BIOS.

So whatever it is doing must be for functionality which is not significant or necessary for that matter.

Fraud (1, Flamebait)

samj (115984) | more than 7 years ago | (#17919124)

This is almost certainly relating to fraud - sometimes Skype offer free credit and using something akin to a poor man's Trusted Platform Module (TPM) makes them sleep better at night knowing the hordes aren't running them up a big phone bill.

This is not to excuse this behaviour, both in terms of them for asking for the information and of the operating system for giving it to them!