Skype users: beware (silver needle in the skype)

f0dder:
Cpilot, I think you're missing the bigger picture here.

Malicious people will try to break into any software they can, permission or not, for malicious deeds. This could be for installing botnets that can be used for DDoS and spamming, it could be to empty your account, or whatever. Even if it was just to pop up a note every 3 hours saying "you should take a rest", I doubt you'd like any unauthorized software installed on your machine. And obviously, these bad guys don't care about the law.

Without people doing disclosure, public or not, a bad guy could have a botnet with five hundred thousand zombies without anybody knowing. This would be *bad*, considering that skype is used in all kinds of places, and some with a lot of bandwidth. Lots of bandwidth and *very* wide distribution would make it *very* hard to stop an attack... I assume that even if your own machine wasn't affected, you wouldn't be too happy if the root DNS servers of the internet were taken down.

If you bother to look through the PDF, you will realize that it contains enough information to show that there are serious security holes, but there's nothing that can be copy-and-pasted to make an exploit. Thus, no kiddie attack waves.

I think this disclosure is good, but I think it would have been better to give Skype a month to fix the bugs and migrate users before releasing. As it is now, Skype will be battling the clock to get a fix out before somebody does something terrible. I'm glad I don't personally run Skype.

Even if there wasn't any exploit, I think the analysis is an interesting read - if you're a network administrator, knowing that Skype "steals" your bandwidth, generates random traffic, and tries to overcome firewalls is good knowledge.

PS: many EULAs contain statements that are conflicting with existing law, and you also have to realize that American law does not cover the entire globe, whether you like it or not.

mouser:
Very well said f0dder, I would associate myself with your comments.

jgpaiva:
Thank you very much for the heads up and enlightening, f0dder!
IMO, it's important for people to know this kind of stuff.
Though, I do recognize that Skype has reasons not to allow their code to be cracked.
But if their code is not good, they really should correct it.
The best thing to do would be just what f0dder mentioned, inform Skype about the vulnerability, and give them a deadline to fix it.

Cpilot:
--- Quote from: mouser ---
Very well said f0dder, I would associate myself with your comments.
--- End quote ---
If you feel that way then I would consider this, if I were a shareware author and were approached by a site and forum to donate a few copies of my product or offer a discount to the users of said site, who then after perusing such found posts by someone who criminally pointed people to a URL that contained hacked information. Possibly even of my own software, then I would definitely reconsider offering anything to said site.
Allowing these types of postings is basically tacit approval by donationcoder of hacking and cracking of software.

I would therefore think that donationcoder should place a disclaimer on the site warning people that hacking and cracking of their code is encouraged and approved by the administration and not to expect users to honor their EULA.

I should think this to be only fair.

As far as f0dder's "reasons". :harhar:
They're B.S.
There are already tools out there to test applications for bandwidth usage and memory leaks etc. without ripping someone's code apart in violation of the EULA.
Also under U.S. law the infraction is committed by using a U.S. server to link to the criminal activity.
Vandals are vandals irregardless of their "higher" intentions. A crime is a crime.
He, like a few others, believes that they can do as they please with other people's property.

Carol Haynes:
Personally I think intellectual rights should be respected for all developers and certainly hacking for illegal or purely selfish motives is wrong.

However there is a very big BUT ...

Without third parties looking at code and background activities of applications Virus, Trojan and other kinds of malware would go completely unchecked. Almost all security issues are discovered by people monitoring things that software companies would probably prefer that they didn't - and most of this monitoring goes on in direct contradiction of EULAs.

As a simple example ... how many security holes in Windows and Internet Explorer would have been found if people hadn't been hacking about? Microsoft specifically deprecate hacking their code in their EULAs and I'm sure they would prefer not to have people embarrassing them that they have found yet another 30 issues this week - but who benefits from this behaviour?

The logical extension is that if a virus writer applies copyright to his code (and writes it in the US) then provided he is not stealing or doing something positively illegal then no one should have any form of redress ???

While the bad guys are hacking around I think it is absolutely necessary that the good guys should also be hacking about.

This is really the strongest argument for open source across the board (not that it will happen).
