Did Russian Hackers Crash Skype? 108
An anonymous reader sends us to the www.xakep.ru forum where a poster claims that the worldwide Skype crash was caused by Russian hackers (in Russian). The claim is that they found a local buffer overflow vulnerability caused by sending a long string to the Skype authorization server. You can try Google's beta Russian-to-English translation, but the interesting part is the exploit code, and that's more readable in the original. The Washington Post reports that Skype has denied this rumor.
Re:Look (Score:3, Insightful)
It's really that simple. Every specification which explains strncpy() says as much.
Using strncpy() as specified is infinitely safer than using a function which blindly copies characters forever irrespective of your buffer size.
Posting five examples of "the author doesn't understand C arrays or strncpy()" isn't an argument for strncpy() being horrifically unsafe, it's an argument that for every single programming construct, there are five programmers out there who are guaranteed to fuck them up.
The worst thing is, this is first-grade C programming. If you don't understand this stuff, you need to go back and learn how arrays and strings work.
Next week: why memcpy() on overlapping buffer regions can eat your cat!
Re:Look (Score:4, Insightful)
Really, though. If you need the buffer space, you need the buffer space. Truncation is usually not an option. This is sloppy coding, but not due to lack of using 'n' functions. Resize as needed or reject the request if it gets too big.
Re:They hired DoS specialists against their own us (Score:4, Insightful)
This is a pretty good example of why centralised network topologies such as Skype, MSN, etc. are a really Bad Idea. It doesn't take much to take down the entire network.
SIP, XMPP, SMTP, etc are all examples of distributed topologies - there is centralised service required(*) for these networks - if one service provider's network falls over it only affects a small number of users rather than taking out *all* the users using that protocol.
(* Yes, they all require the root name servers, but these days the root name server architecture is pretty resillient through the use of technologies such as anycase. Certainly a lot more resillient than any one organisation could hope to achieve for their own propriatory protocols).
They should have been prepared for the case, that whenever their network would be down for whatever reason all clients would try to connect concurrently!
This is not really a question of preparation - it's a question of a sensible network design. The Skype network (and most other propriatory services) is a flawed design _because_ they want to have control of every aspect of the network. Open protocols are generally designed to allow interoperation of independent autonomous networks so an outage of this magnetude is pretty much impossible.
Re:Skype has to change for eavesdropping law (Score:3, Insightful)
Unless, of course, they want her to know about it, in order to encourage self-censorship.
Again, you're assuming that secrecy is desired. It isn't. If you make people think they are being watched at all times (which is simply impossible - there's no way to process that much data in any useful manner), they will soon start avoiding all behavior which, while legal, might be potentially embarassing or suspicious if brought to light. You don't need to remove all privacy, you just need to make people think that they have no privacy in order to reap the benefits.
Never attribute to incompetence that which is adequately explained by malice.
Re:Just watch the Skype blogs... (Score:3, Insightful)
Then you know it's true; nobody's ever lied on a blog before.