Re: OT - My last one to this thread - Skype + Tox - Re: [gentoo-dev] Re: maintainer-needed@ packages need you!

2014-09-10 Thread Andrew Savchenko
Hi,

On Wed, 10 Sep 2014 07:50:05 +0200 J. Roeleveld wrote:
> > I'm talking about the following research:
> > https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact
> > =8&ved=0CB4QFjAA&url=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-eur
> > ope-06%2Fbh-eu-06-biondi%2Fbh-eu-06-biondi-up.pdf&ei=9jAPVJH1AafnygOOiIHgDg
> > &usg=AFQjCNHeILDYY4k-nUUw8vPmUCJ86Eywbg&bvm=bv.74649129,d.bGQ
> >
> > Of course, skype protocol was likely changed since that time, but I
> > really doubt that functionality for remote execution of arbitrary
> > code was removed.
>
> That research was from 2006. Over 8 years ago.
> Do you avoid using Bind because of all the security bugs it had in 2006?
> What about OpenSSL, that one had a big one not too long ago.
> And I'm sure I can find plenty of exploits for the Linux kernel based on the
> versions in use in 2006.
>
> The Skype protocol has changed a lot over the years and older versions of the
> protocol have been deprecated and removed.

There is a large difference between a mistake, a bug and deliberately
added functionality. As the research shows, remote code execution was
deliberately added. What was a bug is a mistake that allowed
a third party to use this feature without proper keys.
 
> If it is still in there, I'm certain it would be known, considering the
> amount of people using Skype these days.

The absolute majority of these people are not IT specialists, and even
for those that are, Skype is extremely hard to decrypt, disassemble
and study, as one can see from the work above. Most probably
nobody cares to spend several months of full-time employment to
analyze modern Skype versions again.


Best regards,
Andrew Savchenko




OT - My last one to this thread - Skype + Tox - Re: [gentoo-dev] Re: maintainer-needed@ packages need you!

2014-09-09 Thread J. Roeleveld

On Tuesday, September 09, 2014 08:59:41 PM Andrew Savchenko wrote:
My last response to this, as it is getting too OT

> Hello,
>
> On Sun, 07 Sep 2014 17:51:46 +0200 J. Roeleveld wrote:
> > It probably works, provided all your contacts also use it.
> > As long as the vast majority of my contacts use Skype and Yahoo, I will
> > not be able to switch. If Kopete (and other generic IM clients) would add
> > support for tox, then it would be easier.
>
> There is a tox plugin for pidgin in tox-overlay.

That's nice for pidgin users. When others follow, uptake will be easier.

> > Which trojan injection are you talking about?
>
> I'm talking about the following research:
> https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact
> =8&ved=0CB4QFjAA&url=https%3A%2F%2Fwww.blackhat.com%2Fpresentations%2Fbh-eur
> ope-06%2Fbh-eu-06-biondi%2Fbh-eu-06-biondi-up.pdf&ei=9jAPVJH1AafnygOOiIHgDg
> &usg=AFQjCNHeILDYY4k-nUUw8vPmUCJ86Eywbg&bvm=bv.74649129,d.bGQ
>
> Of course, skype protocol was likely changed since that time, but I
> really doubt that functionality for remote execution of arbitrary
> code was removed.

That research was from 2006. Over 8 years ago.
Do you avoid using Bind because of all the security bugs it had in 2006?
What about OpenSSL, that one had a big one not too long ago.
And I'm sure I can find plenty of exploits for the Linux kernel based on the 
versions in use in 2006.

The Skype protocol has changed a lot over the years and older versions of the 
protocol have been deprecated and removed.

If it is still in there, I'm certain it would be known, considering the amount 
of people using Skype these days.

--
Joost