There seem to be some questions that a lot of people want answered urgently, as our post has caused a lot of stir and confusion:
1. No, we did not take our blog offline since the last post. We are not hackers and we have nothing to be afraid of. Our database simply got DDoSed on top of all the extra heavy traffic it could hardly handle. I wonder what hackers we may have pissed off…
2. My name is in fact Sean O’Neil. It is not a monicker, not a pseudonym and I am not known under any other names, maybe online nicknames like everyone else. If someone at Skype has confused me with somebody else, that can happen. Nevertheless, I am still just me. I do not know anyone at Skype. I’ve only had the pleasure of talking to its new CISO or at least to someone calling himself Adrian who knew how much RAM I had on my computer and where I was located - Skype discloses all that information along with a hash of your Windows serial number to its servers on every connection.
3. I am not Mother Teresa, but no matter how much dirt people may find on me, the simple fact is, all the ciphers I have reverse engineered and published [anonymously until now] for everyone’s benefit were correct. I will tell which ones at the conference. The world could replace them with real or at least better security. Most people just didn’t know who to thank for it and the corporations who had cheated their clients by [always knowingly] selling them fake security didn’t know who to try to sue for exposing their dirty secrets. Now they do. My reputation as a reverse engineer - all those algorithms - speaks for itself. No one can destroy that.
4. I am not a hacker despite some news articles calling me that. I am not a spammer either. I hate spam like everyone else. I don’t know any spammers either. Ew! I am a cryptologist and a reverse engineer, and as you can see, I am good at it.
5. The published Skype RC4 IV expansion algorithm is ALL one needs to decrypt the traffic between Skype clients and supernodes. There is no key. I repeat, there is no secret key to break. It doesn’t matter if this algorithm is secure or not either. That’s all there is. It’s an *obfuscation* layer. Its “security” consisted merely of making it impossible for others to design Skype-compatible applications, by making sure no one could encrypt or decrypt Skype packets without the algorithm we have published. That is why it was so heavily obfuscated inside Skype binaries, better protected than anything I’ve ever seen in my career - it was protecting Skype’s monopoly. Yes, it is a monopolistic tactic. But it will not work anymore. Do not worry if Skype changes the protocol. It did not take us 10 years to reverse engineer it out of Skype, only a few days. If they ever change it, we will publish the update immediately.
6. This publication was not meant to harm Skype security. It doesn’t. On the contrary. It will allow antivirus and firewall companies to add the ability to scan Skype traffic for vulnerability exploits. The compression algorithm required to complete the decoding of Skype packets will be published in December this year at 27C3. Our work and all these publications are perfectly legal. Everyone’s ability to provide compatibility with other products is their legal right, at least according to the competition law. Skype will also benefit financially from all the network administrators no longer being afraid to use it on their networks because their firewall and antivirus software can finally see inside the packets and they can finally put it under control - monitor it, throttle it or even block it if necessary.
7. Our publication does not affect the privacy of Skype calls, messages or file transfers. They are still encrypted with AES with 256-bit secret keys negotiated using the 1024-bit RSA algorithm authenticated with a 2048-bit RSA key of the Skype server. It is all quite secure. Do not panic.
8. We will publish a little more next month, maybe a little demo program that can decrypt Skype UDP packets and check their CRC-32 checksum.
Cheers!