A couple of people have pointed me to the “Skype DoS exploit code” that has been published. I had seen that, but I’m not convinced it works as simple as that. Some of the information around it doesn’t make completely sense (such as using the term ‘server’, when they’re referring to super nodes I guess, and since supernodes are just regular user machines annexed by the Skype network, they supposedly run the same software, don’t they? So why doesn’t it take down the client the exploit is run on?

Also I’d bet that someone has tried feeding the Skype client long URIs before; that is one of the most popular ways of seeing if some software can break. You know, Buffer Overflow [wikipedia] is probably the most common class of security issues (maybe second only to PHP programming errors or SQL injection by now, though, with so many people with too little expertise writing webapps in PHP)

Others probably are wondering why I’m writing so much “against” Skype.

There are numerous reasons:

  • The whole P2P thing isn’t necessary, they could use real servers
  • Skype is a pain for every network admin (and thus a users nightmare, since the admin might decide to just block any traffic that could be Skype, and enforce the use of HTTP proxies etc. and thus limiting other applications as well)
  • Skype uses all kinds of shady coding techniques in their client to obfuscate what their application is actually doing
  • Skype is a security risk
  • Skype is a memory hog (it uses 10 times as much memory as my other IM client, who does ICQ, MSN, Yahoo, Google Talk and tons of others!)
  • It’s a resource hog (it wakes up 200 times as second for nothing, thus preventing my CPU from using power saving states efficiently)
  • It’s a closed protocol and network, while there are open industry standards such as SIP [wikipedia] and H.323 [wikipedia] that can do much more than Skype
  • It’s UI is crap (especially Linux version 1.4 is a serious degradation vs. version 1.3), contrary to any usability best practises
  • Their API is crap. I’d call that “raping” the DBus API what they’re doing (basically they’re offering a DBus interface that is just a transport wrapper for a text-based ‘telnet-like’ API. You know, DBus interfaces are meant to have meaningful functionality (like ‘make a phone call’) and not meant to be just “send data to the skype application”)
  • They don’t tell the truth. Like e.g. what has really been happening these days. Or what their software really does (see ‘obfuscation’ above and search for “Silver Needle In The Skype”)

And, honest, there is nothing in Skype that other apps wouldn’t offer, or had been offering before except being really aggressive at getting through firewalls without any user intervention.