Domain: secdev.org
Stories and comments across the archive that link to secdev.org.
Comments · 12
-
Re:So, do we get source code now?
Part of the work have already been done here if you are intrested:
http://www.secdev.org/conf/skype_BHEU06.handout.pdf -
Re:But they are hackers
Open the SDK, Apple. Allow the legal unlocking,
Opening the SDK doesn't necessarily imply legal unlocking, given that "unlocking", when talking about a mobile phone, refers to allowing it to work on arbitrary networks, not to allowing third-party apps on it.
and make it easy for people to write apps
...and hard for Apple to change UIKit, for example, if they decide that the version of UIKit in the current release of Handheld OS X needs cleaning up in ways that break binary compatibility with that version.
and then sell them for them on iTunes.
At least one application I would have liked to have had on my iPhone yesterday, to try to figure out why its connection to the Wi-Fi network at the restaurant I was at wasn't working, isn't "sold" (and, yes, there have been earlier versions of it that ran on handhelds, and, yes, somebody did ls -l
/dev on a jailbroken 1.0.2 iPhone and the usual four initial instances of my favorite device were there). -
Re:Actually, won't help anyway
Obfuscation of binaries is, regrettably, an increasingly refined art. I would take a look at this, a presentation about how Skype does a lot of it's obfuscation, to see the state of the art today. Admittedly, this is Skype, with resources, know-how and a lot of people, but it's quite possible to make reverse engineering difficult. It's just usually not worth it.
-
Original CanSecWest presentation
The CanSecWest presentation that started all this is available here.
-
Not to defend Microsoft, but...
Let's look at this list. (Disclaimer: I have never used Windows Vista.)
Adobe Systems Inc.'s entire line of graphics and multimedia software I don't know about this one, but I wouldn't be surprised if it had something to do with stuff like the Netopsystems FEAD Optimizer. Symantec Corp.'s security products The software that's notorious for digging its claws into the depths of your operating system? Gee, I'm so surprised that it doesn't work the same as it does on XP. the Mozilla Foundation's open-source Firefox Web browser Firefox uses XUL for widgets, so it probably doesn't behave like a native app. Skype Ltd.'s free voice-over-IP software Skype contains a bunch of weird anti-reverse-engineering code. I'm not surprised if it doesn't work perfectly without changes. OpenOffice.org It doesn't support open standards like Microsoft OpenXML. *snark* -
link to info on skype protocol
Lots of info on how skype works, including that the people who run skype could evesdrop on conversations, the possibility of using skype to relay non skype traffic and an overflow security hole (hopfully now fixed) were revealed four months ago.
Silver needle in the Skype at Blackhat Europe -
Re:Skype IS a security risk
Skype is a security risk: see this talk (handout notes) for an analysis of how and why Skype is insecure and a potential vehicle for the most extensive botnet ever.
-
Re:Skype IS a security risk
Skype is a security risk: see this talk (handout notes) for an analysis of how and why Skype is insecure and a potential vehicle for the most extensive botnet ever.
-
Re:ports
That's not even close to being true. This presentation from Black Hat Europe 2006 gives a decent description of how to recognize and block it (and even a high level description of how to hack it if you were so inclined): http://www.secdev.org/conf/skype_BHEU06.handout.p
d f -
Re:Skype on alternative platforms
But you could use alternative open source software like ekiga. Also after reading how skype works http://www.secdev.org/conf/skype_BHEU06.pdf , you maybe frightened by all the obscurity behind it.
-
Re:The AOL of VOIP
That's a very uninformed statement. Skype is far from desperate. Did you see how much money eBay bought them for? Skype-to-Skype calls are free, and the more people that use Skype, the cheaper it gets. Call quality is very good, there are no restrictions on call length, it includes conference calls and video, instant chat, file sharing, etc.
The largest problems with Skype are security-related. Hackers can use Skype to relay TCP communications, effectively hacking networks from inside the firewall. And since the communication to the Skype client is encrypted and obfuscated (and it is very difficult to determine which traffic is actually Skype traffic), you can make it impossible to trace the traffic back to the hacker. Here's a link to a Black Hat Europe presentation on the subject:
http://www.secdev.org/conf/skype_BHEU06.handout.pd f (In case you can't tell from the ".pdf" at the end of the filename, that links directly to a PDF. ;-) -
Skype can be turned into a botnet ...
... is what some smart people demonstrated at BlackHat Europe: Silver Needle in the Skype