Security Bug Communications

Did Russian Hackers Crash Skype? 108

An anonymous reader sends us to the www.xakep.ru forum where a poster claims that the worldwide Skype crash was caused by Russian hackers (in Russian). The claim is that they found a local buffer overflow vulnerability caused by sending a long string to the Skype authorization server. You can try Google's beta Russian-to-English translation, but the interesting part is the exploit code, and that's more readable in the original. The Washington Post reports that Skype has denied this rumor.
This discussion has been archived. No new comments can be posted.

  • Re:Look (Score:3, Insightful)

    by nevali ( 942731 ) on Saturday August 18, 2007 @08:58PM (#20281579) Homepage
    If you use strncpy(), you make sure the string has a terminator if you're going to need one.

    It's really that simple. Every specification which explains strncpy() says as much.

    Using strncpy() as specified is infinitely safer than using a function which blindly copies characters forever irrespective of your buffer size.

    Posting five examples of "the author doesn't understand C arrays or strncpy()" isn't an argument for strncpy() being horrifically unsafe, it's an argument that for every single programming construct, there are five programmers out there who are guaranteed to fuck them up.

    The worst thing is, this is first-grade C programming. If you don't understand this stuff, you need to go back and learn how arrays and strings work.

    Next week: why memcpy() on overlapping buffer regions can eat your cat!
  • Re:Look (Score:4, Insightful)

    by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Saturday August 18, 2007 @09:03PM (#20281621) Homepage
    It's very rare for it to be okay to not write a trailing 0 terminator, or need unused buffer space padded with 0's. And that's exactly what the 'n' functions can do - the number of coders who don't know this and choose to blindly assume the functions protect them is astounding.

    Really, though. If you need the buffer space, you need the buffer space. Truncation is usually not an option. This is sloppy coding, but not due to lack of using 'n' functions. Resize as needed or reject the request if it gets too big.
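Added example, not part of the thread or of either poster's comment: a C illustration of the strncpy() behaviour the two comments above argue about (missing terminator, zero padding, silent truncation) next to the "reject the request" alternative. The function names and the 8-byte buffer are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

enum { BUF_SIZE = 8 };  /* assumed buffer size for the illustration */

/* strncpy() alone: returns 1 if the result is NUL-terminated, else 0. */
int naive_copy_is_terminated(const char *src)
{
    char buf[BUF_SIZE];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);   /* no terminator if strlen(src) >= 8 */
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* strncpy() zero-fills the unused tail; returns how many NULs it wrote. */
size_t zero_bytes_written(const char *src)
{
    char buf[BUF_SIZE];
    size_t i, n = 0;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        n += (buf[i] == '\0');
    return n;
}

/* strncpy() plus explicit terminator: always terminated, truncates silently. */
size_t truncating_copy(char *dst, size_t size, const char *src)
{
    if (size == 0) return 0;
    strncpy(dst, src, size - 1);
    dst[size - 1] = '\0';
    return strlen(dst);
}

/* Reject instead of truncating: 0 on success, -1 if src does not fit. */
int checked_copy(char *dst, size_t size, const char *src)
{
    size_t len = strlen(src);
    if (len >= size) return -1;
    memcpy(dst, src, len + 1);       /* copies the terminator too */
    return 0;
}

int main(void)
{
    char d[BUF_SIZE];
    printf("terminated: %d\n", naive_copy_is_terminated("exactly8"));
    printf("checked: %d\n", checked_copy(d, sizeof d, "much too long"));
}
```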
  • My guess is they just got overrun because they were not prepared for the worst case: ALL clients trying to connect AT THE SAME TIME to their master.

    This is a pretty good example of why centralised network topologies such as Skype, MSN, etc. are a really Bad Idea. It doesn't take much to take down the entire network.

    SIP, XMPP, SMTP, etc are all examples of distributed topologies - there is centralised service required(*) for these networks - if one service provider's network falls over it only affects a small number of users rather than taking out *all* the users using that protocol.

    (* Yes, they all require the root name servers, but these days the root name server architecture is pretty resilient through the use of technologies such as anycast. Certainly a lot more resilient than any one organisation could hope to achieve for their own proprietary protocols).

    They should have been prepared for the case, that whenever their network would be down for whatever reason all clients would try to connect concurrently!

    This is not really a question of preparation - it's a question of a sensible network design. The Skype network (and most other proprietary services) is a flawed design _because_ they want to have control of every aspect of the network. Open protocols are generally designed to allow interoperation of independent autonomous networks so an outage of this magnitude is pretty much impossible.
  • by ultranova ( 717540 ) on Sunday August 19, 2007 @10:16AM (#20285521)

    What she doesn't seem to get is that the CIA isn't some kid hanging from her drainpipe and fiddling with alligator clips. When they listen in on your phone, you don't know about it.

    Unless, of course, they want her to know about it, in order to encourage self-censorship.

    Same with Skype. If they were to install CALEA compliance software, it would certainly not result in two days of downtime. There would be no outside sign that it had ever happened.

    Again, you're assuming that secrecy is desired. It isn't. If you make people think they are being watched at all times (which is simply impossible - there's no way to process that much data in any useful manner), they will soon start avoiding all behavior which, while legal, might be potentially embarrassing or suspicious if brought to light. You don't need to remove all privacy, you just need to make people think that they have no privacy in order to reap the benefits.

    Never attribute to incompetence that which is adequately explained by malice.

  • by raju1kabir ( 251972 ) on Sunday August 19, 2007 @04:25PM (#20287711) Homepage

    The Skype blog had info being posted all during the outage, and will have a summary of what happened soon. They never indicated it was anything related to any outside intrusion.

    Then you know it's true; nobody's ever lied on a blog before.
