Slashdot Mirror

← Back to Stories (view on slashdot.org)

Did Russian Hackers Crash Skype?

Posted by kdawson on from the flicking-a-domino dept.

An anonymous reader sends us to the www.xakep.ru forum where a poster claims that the worldwide Skype crash was caused by Russian hackers (in Russian). The claim is that they found a local buffer overflow vulnerability caused by sending a long string to the Skype authorization server. You can try Google's beta Russian-to-English translation, but the interesting part is the exploit code, and that's more readable in the original. The Washington Post reports that Skype has denied this rumor.

2 of 108 comments (clear)

  1. Re:Look by PhrostyMcByte · · Score: 3, Insightful

    It's very rare for it to be okay to not write a trailing 0 terminator, or need unused buffer space padded with 0's. and that's exactly what the 'n' functions can do - the number of coders who don't know this and choose to blindly assume the functions protect them is astounding.

    Really, though. If you need the buffer space, you need the buffer space. Truncation is usually not an option. This is sloppy coding, but not due to lack of using 'n' functions. Resize as needed or reject the request if it gets too big.

  2. Re:They hired DoS specialists against their own us by FireFury03 · · Score: 3, Insightful

    My guess is they just got overrun because they were not prepared for the worst case: ALL clients trying to connect AT THE SAME TIME to their master.

    This is a pretty good example of why centralised network topologies such as Skype, MSN, etc. are a really Bad Idea. It doesn't take much to take down the entire network.

    SIP, XMPP, SMTP, etc are all examples of distributed topologies - there is centralised service required(*) for these networks - if one service provider's network falls over it only affects a small number of users rather than taking out *all* the users using that protocol.

    (* Yes, they all require the root name servers, but these days the root name server architecture is pretty resillient through the use of technologies such as anycase. Certainly a lot more resillient than any one organisation could hope to achieve for their own propriatory protocols).

    They should have been prepared for the case, that whenever their network would be down for whatever reason all clients would try to connect concurrently!

    This is not really a question of preparation - it's a question of a sensible network design. The Skype network (and most other propriatory services) is a flawed design _because_ they want to have control of every aspect of the network. Open protocols are generally designed to allow interoperation of independent autonomous networks so an outage of this magnetude is pretty much impossible.

    --
    http://blog.nexusuk.org