

I was disappointed the rumoured Skype backdoor is claimed to be real, and that they have evidence. The method by which they confirmed is kind of odd – not only is Skype eavesdropping but it's doing HEAD requests on SSL sites that have URLs pasted in the Skype chat!

Now I've worked with a few of the German security outfits before, though not Heise, and they are usually top-notch, so if they say it's confirmed, you generally are advised to believe them. And the date on the article is a couple of days old, but I tried it anyway.

Set up a non-indexed /dev/urandom generated long filename, and saved it as PHP with a meta-refresh to a known malware site in case that's a trigger, and a passive HTML with no refresh and no args. Passed a username password via ?user=foo&password=bar to the PHP one and sent the links to Ian Grigg who I saw was online over Skype with strict instructions not to click. To my surprise I see these two entries in the Apache SSL log:

65.52.100.214 - - "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -
65.52.100.214 - - "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -

I was using Skype on Ubuntu, Ian on the other end was using Mac OS X. It took about 45mins until the hit came so they must be batched. (The gap between the two requests is because I did some work on the web server as the SSL cert was expired and I didn't want that to prevent it working, nor something more script like with CGI arguments as in the article).

btw their HEAD request was completely ineffective per the weak excuse Microsoft offered in the article at top: my PHP contained a meta-refresh which the HEAD won't see as it's in the HTML body.

Now are they just hoovering up the Skype IMs via the new Microsoft central server architecture, having back doored the Skype client to no longer have end2end encryption (and feeding them through echelon or whatever), or is this the client that is reading your IMs and sending selected things to the mothership? (Yes I confirmed via my own localhost HTTP GET as web dev environments are automatic in various ways).

So there is adium4skype which allows you to use OTR with your Skype contacts and using Skype as the transport. Or one might be more inclined to drop Skype in protest. I think the spooks have been watching "Person of Interest" too much to think such things are cricket. How far does this go? Do people need to worry about Microsoft IIS web servers with SSL, Exchange servers?
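The canary-URL test in this post can be written as a repeatable log check. The following is an added example, not code from the original post: the function names, sample paths, addresses and timestamps are constructed, and it assumes Apache's common/combined log format with timestamps present.

```python
import re
import secrets
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache common/combined prefix: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def new_canary_path(ext="html", nbytes=24):
    """Unguessable, never-linked path; any request for it means the URL leaked."""
    return f"/{secrets.token_urlsafe(nbytes)}.{ext}"

def find_canary_hits(log_lines, canaries):
    """canaries maps path -> datetime the link was sent. Returns one dict per hit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        url = urlsplit(m["target"])
        if url.path not in canaries:
            continue
        seen = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({
            "ip": m["ip"],
            "method": m["method"],
            "path": url.path,
            # parameter names only: shows the full URL was replayed, without storing values
            "params": sorted(parse_qs(url.query, keep_blank_values=True)),
            "delay_min": round((seen - canaries[url.path]).total_seconds() / 60),
        })
    return hits

# Constructed sample data (paths, addresses and times are invented for this example).
SENT = datetime.strptime("01/Jan/2024:10:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
CANARIES = {"/k3Qz8canaryA.html": SENT, "/k3Qz8canaryB.php": SENT}
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:09:58:11 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:45:02 +0000] "HEAD /k3Qz8canaryA.html HTTP/1.1" 200 -',
    '203.0.113.9 - - [01/Jan/2024:10:52:40 +0000] "HEAD /k3Qz8canaryB.php?user=foo&pass=x HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for hit in find_canary_hits(SAMPLE_LOG, CANARIES):
        print(hit)
```

A hit whose `params` list is non-empty shows that the query string, credentials included, travelled with the URL to whoever made the request.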
