lostwebsite.net blog

So Skype is evil because it’s proprietary?

It’s not hard to find rumors about spyware being deployed with the Skype VOIP software. What is hard to find amongst those rumors are concrete facts. Most of the rumors seems to be unsubstantiated, and some other are based on interpretation on the EULA of Skype. I won’t bother with the later case since legalese is not a language I speak.

This blog is one of the few blog around that take seem to take the matter seriously and brings forward something looking like a real proof that Skype may be stepping over the boundary of user privacy.

For the people who don’t read french, I will summarize the article. The author’s hypothesis is that when a new profile is registered through the Skype desktop client, the software accesses bookmarks stored in the user’s Mozilla Firefox profile. Since it’s not immediately obvious why Skype needs to be doing that, he concludes that the Skype software must be sending that information home for data warehousing, or some other shady practices.

For proof he shows his data that he obtained using the strace command on Linux. strace is a lovely, lovely utility I’ve learned to master in the last few years. It is an utility which shows the system calls that are used by a Linux application. strace is not hard to use but its output can be very voluminous and difficult to decipher. This is not the case here.

…Naaah

The data he obtained looked inoffensive to my eyes just 2 seconds after examining it (I won’t claim I’m the first that saw that: several commenter have pointed it to him).

The blogger singles out several calls to stat64(), which is a system call returns information about a file like its size and last modifications or last access date.

[pid 23964] stat64("/home/phil/.mozilla/firefox/bstiq480.default/bookmarkbackups/bookmarks-2008-12-17.json", {st_mode=S_IFREG|0600, st_size=41718, ...}) = 0
[pid 23964] stat64("/home/phil/.mozilla/firefox/bstiq480.default/bookmarkbackups/bookmarks-2008-12-20.json", {st_mode=S_IFREG|0600, st_size=42052, ...}) = 0

An higher level view of the data shows that Skype actually calls stat64() on all files on the the Mozilla profile of the user, and call open() on the directories he finds, then call getdents() to obtain the list of entries in that directory and so on…. Like any software recursively scanning the filesystem would do. The scan in the profile is stopped at the moment the software finds the user preference file.

This is easily explainable: Skype tries to install a FireFox plugin. It seems the Windows version has an option in the installer to disable that plugin but I have not found the same option in the Skype package.

So, Skype does search inside the user’s Firefox profile, but the only thing he does with the result it obtains is the installation of a plugin for the user’s convenience. It’s not even useful to search the place where it might be sending data since there is no data to send other that what it gathered through its registration wizard.

The final nail can be driven in the coffin on this theory by simple listing all the files opened by Skype during registration. None of the files contain personal information. You can see list of opened files I have extracted from the strace output at the end of this post.

Not evil on an evil operating system either…

Those results have been independently confirmed on Windows by DrFrakenstein, a twitterful, but blogless Code Ninja. He used Process Monitor and confirmed me roughly the same behavior but targeted at Internet Explorer.

So, probably not evil…

I can’t conclude this post by saying that Skype doesn’t include spyware. I simply spent one hour examining very limited data on the activity of the software during registration. Yet, I’m confident enough about my result to keep recommending its use to my family. Use Free alternatives such as Ekiga if you give high important to software freedom. It’s a opinion I respect. Just make sure you have something better that crappy strace analysis before dissing good but proprietary software.

See for yourself…

Here are the data I have obtained by running strace during Skype account creation server.

• The strace data
• The list of files Skype opens

Since I love some good shell-one-liner action, here is the command that extracts the list of opened files from the strace data.

grep open skype.trace | perl -ne '/\"(.*)\"/ && print $1."\n"' | sort | uniq

I find it amazing how your own brain can fool you sometimes. I did not dig this subject very much but I have been intrigues by studies about how people can suggest things to individuals and make them believe in it like it was their own and like it has always been true.

In some circumstances, you can create and believe in your own false memory. This post is about an interesting example of how that has happened to me yesterday night.

At the beginning of the year, I have bought an Asus N10E laptop. It’s a sweet little machine, like a cross between a netbook and a laptop. There is nothing exotic in the configuration of that laptop. The N10 serie of laptops have models that include fancier options. If you look on the net, you will find reviews of the fancier models (see a revew of the N10J). Most of them include a Bluetooth module.

Yesterday, I felt like linking my laptop to my N800 using Bluetooth. I thought it would be like, and that I need needed was to learn how to activate the link and that user-friendly programs would do the rest. I was mistaken. Linux did not detect the Bluetooth device at all. Since I build my own kernel, I decided to check my kernel configuration against other known good configuration for similar models but failed to find anything I would be missing. At that point, I decided to boot back in Windows, thinking I would find more information about Bluetooth there.

At this point, I began to lose patience. Windows had no information about the Bluetooth device in the laptop. I tried reinstalling a few drivers and programs. I even checked the laptop manual, something I seldom do, to see how to activate Bluetooth. It was failure. The normal documented way to activate Bluetooth failed. The Bluetooth device drive was even missing. The BIOS did not have the option to activate or deactivate it.

I began to worry why was my Bluetooth module not working. After all, I had vivid rememberance of the shiny Bluetooth icon displayed on the OSD when I pressed the WLAN hotkey on my laptop.

I first suspected that some experiment I had done in Linux went awry and disabled the Bluetooth module for good, something that could happen by extrapolating from some forums posts on similar problems…

My Occam Razor safety device finally kicked in and I began suspecting I was the source of the problem more than the computer was. After further research, I had to come to this conclusion…

There was probably no Bluetooth module in that laptop!

I write probably for correctness, because the only way to know for sure would mean opening the laptop and search its guts for the Bluetooth chip.

The memory I had of seeing the Bluetooth icon was probably manufactured by my own certitude of that laptop having the Bluetooth option combined with the screen shots of the icon in the laptop manual. The certitude was created by myself using incorrect information since the reviews you can read of this laptop usually talk about Bluetooth, but they usually don’t use of the particular model I own. Some N10E might also have a Bluetooth module pre-installed since it’s an optional feature of the model. Add the fact that the laptop has a Bluetooth led and you have all the ingredients you need to think this laptop would have the Bluetooth module. NCIX, the place from where I ordered the laptop, make no mention of Bluetooth support.

I don’t want to sound overly clever and say I’ve learned my lesson. It’s just too easy to mix up memories with other information. This is just a simple example of what can happen. I feel good about the fact that I was able to sit back and consider that my certitudes might have been fabricated by myself.