Back before Microsoft got around to making a show of “patching” the backdoor that allowed Skype resolvers to work [did they find the new backdoor yet?], many resolvers were part of sites that offered DDoS services for pennies an hour or something.
I have no reason to believe Micrsoft actually has the good will required to fully patch it, since they’ve been aware of the exploit resolvers were using for at least three years.
Way back in 1998 (so this was back when L0pht was still a thing, Attrition still mattered & the CDC was everyone’s hero) I went to an InfoSec talk given by the FBI where they were outlining a program where they would only disclose defects to companies that participated in the program.
The attendance was mainly over 60, along with a nominal group of businessmen from Big Blue, Raytheon (etc, it was in Tucson). Then there was a group of… kids basically, the local 2600 chapter, of which I was an elder statesman @ 25 (lol).
Anyway, after some goading by the local 2600 group I went with - I got into a bit of a heated debate with the speaker during the Q&A for establishing a system that would allow people like us (gesture to my fellow geeks) to infiltrate every company that didn’t participate. Further, by doing nothing more than having a front company which did, the FBI would effectively be providing us with the instructions on which exploits to use and on whom.
Nostalgia got the better of me & I took the long way around to the point, being: we’ve reached a point to where the majority of those in charge want vulnerabilities in public software and are both arrogant & ignorant enough to believe that only the good guys will know what they are & be able to use them.
Oh, & to answer your question re: Skype - as I understand it, yes. Yes they have. It’s not as good as it was before, but it’s early days yet.
The DDoSers figleaf their offerings by calling them “stress testers”… most will cheerfully attack sites other than your own.
Shocking! I thought hackers were above such shenanigans! Or was that makers?
I was looking into this well last year and trying to get people to understand just how cheap and easy it was to block a websites free speech. And that the solution was NOT a 5 dollar solution.(Cloud flare) So you could effectively shut down a political website you did not like with pocket change.
And, since pocket change to implement, and can be almost impossible to trace, that is exactly what happened to a website that I wrote for, Firedoglake.
The sad part of this is that even if we caught who did it, the way that the courts work they only look at the “damage” of it as being the monetary damage. That would come from lost revenue. And since a political website isn’t a huge ad money maker that wouldn’t amount to much.
Somebody hates the free market!
Not gonna lie, having a real world botnet take a crack at my CDN/hosting would be a stress test I’d be interested in.
Hey Cory, just a heads up: the title is misspelled. I love your books and this site. Cheers.
This topic was automatically closed after 5 days. New replies are no longer allowed.