Skype multiple-login security problem, reads BIOS and motherboard serial number, privacy and information security issues

wanghx
Jan 2, 2009, 11:48:28 AM
to Salon Friends, lihlii-g
Today, while sending a file in Skype, I saw the notice: xxx sent file "xxx" to members of this chat. It suddenly occurred to me: if the same account is logged in concurrently somewhere else, would the notice be different? Could that be used to tell whether my Skype account has a concurrent login? I tried it, and there was no difference. Disappointing.

Because Skype is P2P-based, I expect this problem of the same account being logged in multiple times without the user being able to notice is hard to solve completely. The simple approach would be for Skype to change the software protocol so that a login also notifies the Skype server. I think this is already being done, so why not use it to provide a notice of concurrent logins on the account? This problem has existed for many years and is still not fixed; what is Skype the company thinking? Evidently they place users' privacy and information security in a very secondary position. In addition, the excerpt below also mentions that Skype collects your BIOS and motherboard serial number.

http://www.skype-gadgets.com/webtown/2007/02/possible_soluti.html
The Blog known as Skype-watch.com, Skype-gadgets.com.
Jan's tech blog all about : p2p, IT-security, web 2.0., Skype, VoIP, living in Malaysia, internet, web. Testing a lot of gadgets here also. If it has not been tested here, it probably does not work (very well).

16 February 2007
possible solution to multiple login with skype

Hudson Barton suggests a possible solution to multiple login
http://homepage.mac.com/hhbv/blog/Security/Security.html
[But this page is no longer available. The audio podcast here explains Hudson Barton's idea: http://www.blueboxpodcast.com/2007/03/blue_box_53_sky.html
It uses the Skype PayPal feature. PayPal only allows one login at a time, so you can see whether another address is logged in concurrently.
]

I still think that the solution for the problem must be found from within, but anyway. Acting on the symptoms via plugins, tricks and other thinking might help for a while.

http://www.skype-gadgets.com/webtown/2007/02/somebody_notice.html
08 February 2007
Somebody noticed that Skype Reads Your BIOS and Motherboard Serial Number. But is it really that big an issue?

Important enough to mention it here. Read this entry by myria.

If this is all true (we will know once it is better documented, I guess) this then means that too many “confidential data” are located in one spot: phone number, email address, Skype ID, BIOS info and motherboard number. Really. Talking about breach of privacy… if this data would be sent to the Skype server. Now we have a situation whereby a Skype add-on could be made that can read this information and tunnel it somewhere.

On the other hand I think this does not mean a lot. Listen to this :

“Every piece of software written for the last 10 years that needs to identify a session with better granularity than just the password (i.e. multiple logins) has done the same and nobody is getting a hard-on about them. It is also common to use nonrandom numbers present in your system to augment your passwords. Not a big deal. Somebody just wants to become famous.

Now the thing that I would get my feathers ruffled about would be the sporadic existence of the mysterious 1.com file! You could probably use some hare-brained algorithm using the time stamps etc., but would you not agree that it would be a lot easier to use a number that is fixed to your hardware and publicly available? Which component changes least often on your machine? Motherboard. Let's use the mobo serial number. Why not?

I'm not saying that this is how Skype uses it, but it could be. I am not a conspiracy theorist. I leave that to those who are more interested in it. I'm just looking at it as a programmer. It really is not a big deal.

Let's assume that there is a sinister purpose for this... Can you tell me what on earth would Skype do with 150 million motherboard serial numbers, either for fun or for profit?”

So let’s wrap up the counterhype on the Skype hype.

and here the original link/posting :

Users of Skype that run 64-bit versions of Windows like me probably have noticed that when starting Skype, the following dialog box appears:

The program or feature “\??\C:\Documents and Settings\Myria\Local Settings\Temp\12\1.com” cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.

Well, that’s weird. Skype’s trying to run a .com file, which won’t work on Win64 because there’s no NTVDM. Let’s try opening it in Hex Workshop. Access denied? OK, I’ll terminate Skype to read it. Still can’t?! This thing is really starting to annoy me. I’ll use WinDbg to terminate winlogon.exe to force a kernel panic. I reboot and NOW I can read the damn file.

An unreadable executable file coming from Skype sounds interesting, so I look at it. It’s 46 bytes long. For copyright reasons I can’t post the file or a complete disassembly. However, I can describe the program in terms of 16-bit DOS C:

#include <stdio.h>

/* 16-bit DOS (real-mode) C. "far" is a DOS compiler extension: a far pointer
   is segment:offset, so 0xF0000000 is F000:0000, the start of the BIOS ROM. */
int main(void)
{
    /* size_t is 16-bit here, so the 64 KiB segment takes two writes:
       first bytes F000:0000 .. F000:FFFE ... */
    fwrite((const void far*) 0xF0000000, 1, 0xFFFF, stdout);
    /* ... then the last byte, F000:FFFF, everything piped to stdout */
    fwrite((const void far*) 0xF000FFFF, 1, 1, stdout);
    return 0;
}

It’s dumping your system BIOS, which usually includes your motherboard’s serial number, and pipes it to the Skype application. I have no idea what they’re using it for, or whether they send anything to their servers, but I bet whatever they’re doing is no good given their track record.

In 32-bit Windows NT, including Vista, the kernel permits NTVDM to make a read-only mapping of the BIOS at address 000F0000. This allows DOS programs running under NTVDM to make use of the BIOS. That’s how this 46-byte program is capable of sending the BIOS to the Skype application, and also explains why they use this mechanism to begin with.

If they hadn’t been ignorant of Win64’s lack of NTVDM, nobody would’ve noticed this happening.



Comments


Every plugin developer probably already can read the BIOS or any other information on a system. Actually every developer can do that. If you install software you always take a calculated risk.

Skype has the advantage that when you run the plugin the first time, Skype will intercept it and warn you.

This whole BIOS reading is not important at all because probably many other developers do this too, like reading hard disk serial numbers for licensing etc.

It would be a problem if they would send it over the Internet.

Posted by: Hans Blaauw | 08 February 2007 at 08:37 PM

I think it's just so they accurately say how many installs there have been. A simple unique identifier, regarding the machine it was installed on. Maybe it helps for when they can say how many are online?

I know of a couple of network based apps and systems where they take your network card's MAC address to identify you and therefore control your account to an extent - for good reasons, mind.

Posted by: Kosso | 08 February 2007 at 08:21 PM

Related: logging in to several different Skype accounts on one machine:
http://www.google.com/search?q=+site:forum.skype.com+know+skype+multiple+login
http://www.google.com/search?q=know+skype+multiple+login

Multiple logins on one computer: I want to login multiple users on one computer at the same time
http://forum.skype.com/index.php?showtopic=239121

The pages below mention an interesting idea for using multiple Skype account logins to make a podcast:
Skype Journal: Multiple Logins
http://skypejournal.com/blog/2005/02/multiple_logins_1.html

iPod Radio and Skype (Unbound Spiral)
http://www.henshall.com/blog/archives/001099.html

iPod RadioonSkypeJan2005.pdf
http://www.henshall.com/docs/iPod%20RadioonSkypeJan2005.pdf
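The 46-byte program quoted above only hands Skype a raw copy of the F000 segment; what makes that copy identifying is the SMBIOS (DMI) table that legacy BIOSes usually place there, which is where the motherboard serial number lives. The following Python parser is an added example, not code from any of the posts above: it locates the "_SM_" entry point in such a dump, checks its checksum, walks the structure table and pulls out the Type 2 (Baseboard) serial, so a reader can judge exactly what an add-on holding the dump could learn. The 64 KiB image it runs on is constructed inline (table at F000:0100, entry point at F000:0200, serial "SN-CONSTRUCTED-0001" are all assumed sample values).

```python
import struct
BIOS_BASE = 0xF0000  # start of the F000 segment that the 46-byte 1.com program dumps

def find_entry_point(dump):  # offset of a checksum-valid '_SM_' anchor, or None
    for off in range(0, len(dump) - 0x1F, 16):  # anchor is 16-byte aligned
        if dump[off:off + 4] == b"_SM_" and dump[off + 5] >= 0x1F:
            if sum(dump[off:off + dump[off + 5]]) & 0xFF == 0:
                return off
    return None

def walk_structures(table):  # yields (type, formatted_area, strings) per structure
    pos = 0
    while pos + 4 <= len(table):
        stype, slen, _handle = struct.unpack_from("<BBH", table, pos)
        formatted, pos, strings = table[pos:pos + slen], pos + slen, []
        while True:  # string set: NUL-terminated strings, ended by an empty one
            end = table.index(b"\x00", pos)
            text, pos = table[pos:end], end + 1
            if not text:
                break
            strings.append(text.decode("ascii", "replace"))
        if not strings:  # zero strings are encoded as a double NUL
            pos += 1
        yield stype, formatted, strings

def baseboard_serial(dump):  # Type 2 (Baseboard) serial number, or None
    ep = find_entry_point(dump)
    if ep is None:
        return None
    table_len, table_addr = struct.unpack_from("<HI", dump, ep + 0x16)
    start = table_addr - BIOS_BASE
    if start < 0 or start + table_len > len(dump):
        return None  # structure table lies outside the dumped segment
    for stype, formatted, strings in walk_structures(dump[start:start + table_len]):
        if stype == 2 and len(formatted) > 7 and 1 <= formatted[7] <= len(strings):
            return strings[formatted[7] - 1]  # offset 07h is the serial string index
    return None

def build_sample_dump():  # constructed 64 KiB image: table at F000:0100, entry at F000:0200
    board = struct.pack("<BBH", 2, 8, 2) + bytes([1, 2, 3, 4])  # string indexes
    board += b"ExampleVendor\0BOARD-1\0Rev1\0SN-CONSTRUCTED-0001\0\0"  # constructed values
    table = board + struct.pack("<BBH", 127, 4, 0xFFFF) + b"\0\0"  # End-of-Table
    ep = bytearray(0x1F)
    ep[0:4], ep[5:8], ep[0x10:0x15] = b"_SM_", bytes([0x1F, 2, 8]), b"_DMI_"
    struct.pack_into("<HIH", ep, 0x16, len(table), BIOS_BASE + 0x100, 2)
    ep[0x15] = -sum(ep[0x10:]) & 0xFF  # intermediate checksum over the '_DMI_' part
    ep[4] = -sum(ep) & 0xFF  # entry point checksum
    dump = bytearray(0x10000)
    dump[0x100:0x100 + len(table)], dump[0x200:0x200 + 0x1F] = table, ep
    return bytes(dump)
```

Feeding it a real dump of the F000 segment would return the actual board serial on a machine whose BIOS keeps its DMI table there; on a dump with no valid entry point it returns None.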
