Russian reverse engineers Skype; uploads source to public

Saturday, June 11, 2011

Skype logo.

A Russian programming researcher Efim Bushmanov uploaded the Skype source on Blogspot, Torrent, and Github last Tuesday. Bushmanov said that his release engineering work is "not finished," and stated that the purpose of its release is "community involvement."

Bushmanov said that his motivation was a story in the Wall Street Journal which described possible eavesdropping on Skype by governmental agencies. The upload to public would allow people to participate with further work on the reverse engineering which is not yet finished.

Skype responded by a promise to support security of the Skype users and to investigate and prevent the attacks this can cause: "This unauthorized use of our application for malicious activities like spamming/phishing infringes on Skype's intellectual property. We are taking all necessary steps to prevent/defeat nefarious attempts to subvert Skype's experience. Skype takes its users' safety and security seriously and we work tirelessly to ensure each individual has the best possible experience."

Some public said that Microsoft is to blame for the lack of stability of Skype since its acquisition plans were announced in the beginning of May. However, Microsoft has no operational control over Skype servers yet. The acquisition is planned to be finished by the end of 2011. Microsoft's response included a note that despite that they have some Windows code shared with Russian government, they would fear to share Skype code, and make strong attempts to keep it unavailable to third parties.

Information Week magazine commented that the release can be legal if no part of the work involves copying the original code from Skype servers.

Paul Ducklin, head of technology for security company Sophos, noted the presence of IDA Pro (Interactive Disassembler) files in the downloads published by Bushmanov, indicating that his reverse engineering had not been conducted in a "clean room" fashion. The project included shared files which were enough for the tech company Hex-Rays to verify that the version of IDA Pro used was pirated.