Congrats on such great work.
You said that you are going to publish sample code to encrypt and decrypt Skype packets. When can we expect that? It will be really useful to know more about Skype.
1) I am not going to fuck off. I apologize for the inconvenience to your ego, but I am not going anywhere.
2) Numerous Skype spamming groups already have access to the entire Skype user base along with all their profiles and IP addresses, and
3) How does obtaining IP addresses of a few Skype users help spammers??? It's completely useless to them. They need millions of addresses every day. Our project is of interest only to the law enforcement agencies, private investigators and to the curious.
Hi Sean,
since you can't be contacted via mail I'm using the only channel we have so far :-)
Is there a chance that you release your skype code under an open source license? I'd prefer GPL or Affero GPL. Otherwise it's nearly impossible to base open source code on this, one of the next big things would probably be a wireshark dissector. And a free client would be very nice.
BTW: I can use your code to decrypt TCP Skype traffic with the help of publications mentioned on the wikipedia article on skype (e.g. a skype pcap log from the wireshark homepage) see blog.runtux.com/2010/08/25/167/ but not UDP. Any hints? And for TCP there are some open questions, too...
You may, but it won't be much. You are underestimating the complexity of the work required to perform even the simplest task in skype protocol. It's insanely complicated. You need a lot more than mere traffic encryption to be able to talk to skype servers, supernodes and peers. But yes, you can use the function we published as the "unknown key engine" mentioned in http://en.wikipedia.org/wiki/Skype_protocol#Obfuscation_Layer to encrypt/decrypt skype packets.
Men, you did an amazing job! Congrats!
I'm looking for info to write a basic Skype client, may I do that? I mean, with the files that you already released, may I write at least a piece of software that successfully encrypts a packet before sending it to the Skype servers?
I'm just looking for yes/no answer, nothing more :)
I'll comment just so that this misinformed reader doesn't confuse anyone else.
1. Dr. Berson was never given the Skype in use to analyse. He was given sources of Skype 1.3 that cannot even login to the Skype network because it uses a different protocol, not only different servers. 1.3 did not work for many years. The earliest version of Skype that can currently login to the network and communicate with other users and supernodes is 1.4 as long as it tells Skype servers that its version is at least 2.6.
Every security expert knows very well that even the slightest modification to the communication protocol can introduce security holes, not only exploitable vulnerabilities and/or intentional backdoors. Skype 1.4 and up have never been publicly analysed.
However, the current publication is not even related to Dr. Berson's analysis or any of the security holes/vulnerabilities/backdoors in Skype. Its publication will soon reveal to everyone just how insecure Skype really is despite all its cryptography. Even if it's not apparent yet. Besides encrypting people's conversations, they chose security by obscurity instead of the real security. They must have had their reasons...
2. A couple of reverse engineering teams barely getting past the top encryption/checksum layers and through the Skype's RC4 and proprietary compression layers and then quitting can hardly be called "ample" or "successful reverse engineering". If you want to claim that what we are publishing has been published before, please provide references. The fact is, this algorithm has never been published or even properly extracted out of Skype before, i.e. in a clean C form, without the heavy anti-reverse-engineering obfuscation of this traffic obfuscation function. Those who have ever tried to extract it out of Skype know what I'm talking about. This is new because until now, the public had no way to decrypt Skype traffic. In a week or two, we will publish sample code to show everyone how to decrypt intercepted Skype packets using the algorithm we have published here.
3. Of course, a few teams have indeed successfully reverse engineered Skype and are quietly using their secret capabilities. We cannot possibly "stay tuned" to their "channels" as they are keeping their work and all their results completely secret, just as we did.
4. We are not academics and this is not Hollywood. We are not publishing results of our work to get our five minutes of fame. If you have stumbled upon this article and the attached C code means nothing to you, this entire publication was not for you. Seek executive summaries somewhere else. If you are still reading this and still want to understand what on Earth we are talking about, it's the "unknown key engine" mentioned in the Wikipedia article describing whatever little has been published so far about the Skype protocol.
This is news? So perhaps you didn't read Dr. Berson's report on the cryptography in Skype, published some years back. And there have been ample successful RE of various Skype clients. Maybe you just aren't tuned to the right channel. But you have a *fantastic* self-promotion headline there, buddy. Pff.
Security through obscurity has always failed. This is what history teaches. Instead of using that stupid crap RC4 code, move to AES256. Security through obscurity is just yelling "hey look at us we're dumb and stupid enough not to learn from history of cryptography. woo woo!"
How can you decrypt LONG Skype RC4 streams with HEAVY keys, if you can NOT decrypt a VERY short sentence with a VERY short key? I'm sure this whole site is just a big HOAX, and snatch...
Voila':
This is a very short sample message.
+
and this is very short sample key
=
te2tj_8o0hJOwF8bJiEqnkP120cKG"mcZ4xOhJUWOTOinahp
[quote]
Hi, can I buy a commercial license for this code? My company needs a program that can broadcast to about 10000 Skype users in a few minutes, so we need your code to improve our program.
I await your reply (contact me by email)!
thanks !
[quote]
Hi, I'm a developer, not a spammer ^^. All users who received messages from us are my company's customers. And I'm serious about this.
Hi, can I buy a commercial license for this code? My company needs a program that can broadcast to about 10000 Skype users in a few minutes, so we need your code to improve our program.
I await your reply (contact me by email)!
thanks !
Not at all. What you've read here applies to every single version of Skype, from its first version to its latest release 4.2.0.169. It only does not apply to the Java versions of Skype that use different servers, a slightly different protocol and different encryption.