Comments on: Skype's IP-leaking security bug creates denial-of-service cottage industry

By: Nathan Hornby

Nathan Hornby — Sun, 24 Mar 2013 04:47:00 +0000

It’s got bugger-all to do with ‘means’, I was talking about impact.

Is this really debatable?

By: SomeDude

SomeDude — Sun, 24 Mar 2013 03:43:00 +0000

So if I understand, “individuals and executives” is code for “people of little means and people of plentiful means”. Got it.

By: dragonfrog

dragonfrog — Sat, 23 Mar 2013 23:16:00 +0000

Yeah – if you DDOS the president of Verizon, they’ll get some serious resources behind DDOS resistance. If you DDOS someone’s mum, she’s quite likely to be dropped as a customer by her ISP, because it’s much easier for them than protecting her.

By: dragonfrog

dragonfrog — Sat, 23 Mar 2013 23:12:00 +0000

The bug is not that your IP is leaked when a call is established. The bug is that even if you don’t answer, or even if you have blocked a particular Skype account from being able to call you, the IP address is still revealed.

This is entirely unnecessary – Skype could be engineered so that your IP address is only revealed to the caller when you accept the call.

By: Gilbert Wham

Gilbert Wham — Sat, 23 Mar 2013 16:24:00 +0000

It’s just distinguishing two different subjects referred to earlier in the sentence, and the respective threats to both. Stalkers tend to stalk individuals, not corporations.

By: invictus

invictus — Sat, 23 Mar 2013 15:02:00 +0000

Not to mention the latter being able to apply far greater pressure on M$. I note Skype does promote its services specifically for business settings. There must be a corporation or two out there who'll sit up and take notice of this glaring security hole, right? Right?

By: Cowicide

Cowicide — Sat, 23 Mar 2013 13:37:00 +0000

Yep, not to mention an Achilles’ heel for security over the years as well.

By: Nathan Hornby

Nathan Hornby — Sat, 23 Mar 2013 13:26:00 +0000

Hopefully, it’s been an unreliable POS for years.

By: Cowicide

Cowicide — Sat, 23 Mar 2013 13:23:00 +0000

Guess we can say bye to Skype! ;D

By: Cowicide

Cowicide — Sat, 23 Mar 2013 13:20:00 +0000

Strange, it shows compatibility with Safari in Windows, but not Safari on Mac. Never seen that before. Guess for now have to use Chrome, Firefox Nightly on Mac?

By: Nathan Hornby

Nathan Hornby — Sat, 23 Mar 2013 13:20:00 +0000

It really is super cool.

Our primary involvement is design (we’re an agency) but I’ll pass it on!

By: Cowicide

Cowicide — Sat, 23 Mar 2013 13:17:00 +0000

Very cool! Good luck!

By: Nathan Hornby

Nathan Hornby — Sat, 23 Mar 2013 13:08:00 +0000

Just spotted a reference to WebRTC – that’s the ticket.

By: Nathan Hornby

Nathan Hornby — Sat, 23 Mar 2013 13:07:00 +0000

I believe so yes!

(I’m working on a product in a ‘non-technical’ capacity that’s launching next month)

By: Cowicide

Cowicide — Sat, 23 Mar 2013 13:04:00 +0000

This?

http://code.google.com/p/sipml5/

By: Nathan Hornby

Nathan Hornby — Sat, 23 Mar 2013 12:57:00 +0000

“Is their privacy somehow more important than other peoples’?”

I wouldn’t say it’s more ‘important’, but it’s potentially a lot more destructive.

DDOSing your mum is likely to have a different affect to DDOSing the president of Verizon.

Kind of a given isn’t it?

By: Nathan Hornby

Nathan Hornby — Sat, 23 Mar 2013 12:55:00 +0000

Some new in-browser SIP options coming soon thanks to new browser technology. Stay tuned.

By: SomeDude

SomeDude — Sat, 23 Mar 2013 12:33:00 +0000

this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

I can’t figure out what the intent was when mentioning “executives”… are they not individuals, and therefor already covered by the earlier phrasing? Is their privacy somehow more important than other peoples’?

By: Cowicide

Cowicide — Sat, 23 Mar 2013 09:44:00 +0000

It’s a shame for people that purchase a static IP address. Seems like if you use Skype, you should change to a dynamic IP address while you’re doing it. Or, better yet, don’t use Skype at all until they get around to fixing this security bug.

If they never fix it, find a different service; Let them go out of business, they deserve it for this kind of gross ineptitude.

By: alexk

alexk — Sat, 23 Mar 2013 03:55:00 +0000

If you had bothered to read the article, you would have seen that it doesn’t talk about getting the ip from a direct connection. That required that you have added someone and initiated a direct connection with him.
These sites use a modified client that creates a debug log from where you can extract the last known IP the client has connected from.

By: Aleknevicus

Aleknevicus — Sat, 23 Mar 2013 03:44:00 +0000

Using your phonebook analogy…

Even though you give your phone number to selected people, you still might want an unlisted number.

There are many reasons why you don’t want *everyone* to have access to the information you give to certain parties.

By: merreborn

merreborn — Sat, 23 Mar 2013 01:57:00 +0000

Isn’t this inherent in skype’s P2P nature? How exactly do you propose you hide your IP in a P2P network?

Bittorrent is essentially prone to the same problem: you expose your IP to your peers. The only difference is bittorrent doesn’t happen to tie a username to your activities.

But you could just as easily open a service like this to DDOS everyone downloading a specific piratebay torrent, for example.

Bitcoin and spotify might be similarly exploitable.

Initiating a direct file transfer via most IM clients similarly exposes IP addresses.

“Leaking your IP” seems like a bit of a trumped-up threat. The phonebook also “leaks your telephone number”, but that’s the cost you pay for direct connections…

By: EH

EH — Sat, 23 Mar 2013 01:14:00 +0000

The “someone’s home” is a weird construction, are these tools used amongst and against finance workers?