Did Russian Hackers Crash Skype?

An anonymous reader sends us to the www.xakep.ru forum where a poster claims that the worldwide Skype crash was caused by Russian hackers (in Russian). The claim is that they found a local buffer overflow vulnerability caused by sending a long string to the Skype authorization server. You can try Google's beta Russian-to-English translation, but the interesting part is the exploit code, and that's more readable in the original. The Washington Post reports that Skype has denied this rumor.

Look

[TheRealMindChild]

strncpy

They hired DoS specialists against their own users

[rpp3po]

Skype's login servers usually don't carry much load compared to the mass of traffic routed directly between all nodes via P2P. My guess is they just got overrun because they were not prepared for the worst case: ALL clients trying to connect AT THE SAME TIME to their master. I bet Slashdot wouldn't be prepared for all of its users connecting at the same time, either. But it needs not to. It is never going to happen (why should it? - well how about December 1st, 1AM UTC everybody?). With Skype it's different. They should have been prepared for the case, that whenever their network would be down for whatever reason all clients would try to connect concurrently! Obviously they weren't prepared. If you watched the aftermath closely you could see that they started filtering by IP on day two. Only a certain number of clients were allowed to connect per IP range. They probably hired super expensive DoS emergency contractors to get this back up. A hack is still possible, but I rather guess that it brought the network down, but did not keep it from coming back up. That was Skype's own fault.

Skype has to change for eavesdropping law

[Burz]

It probably has more to do with Skype retooling for eavesdropping requirements under the new wiretap law. Skype handles a lot of international traffic, encrypted and often in a P2P fashion, so a major change is necessary in order to comply.

From what little I know about Skype, the network can cause both parties in a Skype-Skype call to route through a third party, a supernode (this is done to defeat firewall complications). So perhaps they would be able to start routing all USA-international traffic through in-house supernodes where the stream could be tapped. (Anyone want to correct me? Clarify?)

What really happened !!!

[Anonymous Coward]

It wouldn't surprise me to learn that Skype shut down their OWN servers at the request of
a "big Brother" agency, for the purpose of installing "Big Brother" software on both the
server(s) and eventually the clients (because now a trojan is installed) into everyone's
system with a "knock knock" protocol that would activate a "wiretap" to capture your
voice, images, and text. That's why we had to DL that "new copy" they wanted us to have.

Now I know you folks think I'm full if shit... I hope the heck I am but there is now
something the "skype hackers" can check out to see if it's really true. I suppose a really
good reverse engineering effort would find something like that.

Why would the Russkies want to mess up Skype, they use it more then anyone else.

Skype and Patriot act maybe not hackers?

[goga_russian]

Original author: Mathaba Skype Problems: Coincidence or Result of Architecture Fix for the U.S. State? Posted: 2007/08/17 From: Mathaba Is it considerable coincidence, or a sign of modifications which would inevitably be difficult to execute without significant disruption? Around 2 weeks ago the Bush administration pushed through Congress a law to bolster the government's ability to intercept electronic communications without a court order. The so-called Protect America Act, which passed both the House and Senate by wide margins just before Congress went on its August recess, allows the government to intercept the phone calls and e-mails of people in the United States who communicate with people overseas, and for the first time, allows the government to intercept communications between foreigners which are merely routed through the United States, as well as conversations of Americans traveling abroad. The new law expanding the government's spying powers gives the Bush Administration a six-month window to install possibly permanent back doors in the nation's communication networks. Prior to the law's passage, the nation's spy agencies, such as the National Security Agency and the Defense Intelligence Agency, didn't need any court approval to spy on foreigners so long as the wiretaps were outside the United States. Now, those agencies are free to order services like Skype, cell phone companies and arguably even search engines to comply with secret spy orders to create back doors in domestic communication networks for the nation's spooks. Other nations like Australia have similar legislation in place already or on the books. Skype presents a challenge to spooks, not so much because of its alleged encryption which could possibly be broken by backdoor access or weaknesses in a system that has not received much independent review and is updated almost daily, but because of its essential peer-to-peer (P2P) nature which makes monitoring of communications more difficult. To enable compliance with the new U.S. laws, which also include that the service providers such as Skype are not allowed to report these activities and are to be immune from prosecution claims for example for violation of the U.S. constitutional or legal rights to privacy, it would be necessary to ensure that the Skype super-nodes are upgraded with software modifications to ensure more centralised routing and easier access to monitoring. The fact that Skype has not had a serious outage in many years of operation until just two weeks after the passage of this new law could be mere coincidence, but otherwise could point to just such upgrades and modifications having been performed, and gone wrong. Messing with the Skype super nodes is no light matter, and the Skype P2P technology developed in Estonia was a closely guarded secret. U.S. company eBay, which owns also PayPal, faces allegations of compromise on security and privacy issues. It purchased Skype for some 5 billion dollars last year. Most of the original Skype programmers have since left the company and changing the P2P algorithms to allow compromise could be a tricky and risky business whilst around 8 million users are online, and may have simply gone wrong. The choice of words by Skype in revealing its problems - software and "algorithms" - also lends credence to this theory: algorithms are typically used in automated encryption systems. The original Skype protocol which had received an independent review and generally received the thumbs up for security implementation has long since been modified hundreds of times with automatic updates to most clients now being in force, thus there would be nothing to guarantee that those systems had not since been hopelessly compromised. Skype's C.E.O. had promised an interview with Kurt Sauer for Mathaba News last year, but the interview never materialised. Several attempts were made to establish communication, but were ignored. When it was brought to his direct attention that a company with significant Israeli involvement was compromising the security of