A comment on Skype’s outage-related official statement

So, at the end of the day, Skype explained the reason for the outage that broke its P2P network. To make a long story short, the point is that Skype relies upon a closed source approach (that slows the bug finding process) and on Microsoft technologies that, in that specific case, created the problem. This reinforces my early assumption, that the cause of the crash was Skype’s design rather than an unpredictable problem. It is simply unacceptable that an outage of that dimension has been provoked by the inability of an operating system to patch itself without always rebooting. And whoever made that choice should account for it.

Right, Skype is very clear in repeating that Microsoft has nothing to do with the Big Crash. Nevertheless, it raises some suspicion, to me, to read statements such as: “The Microsoft Update patches were merely a catalyst – a trigger – for a series of events that led to the disruption of Skype, not the root cause of it.” or “Microsoft has been very helpful and supportive throughout.” or, again, “In short – there was nothing different about this set of Microsoft patches.”, “The Microsoft team was fantastic to work with”. But this PR stuff doesn’t change the basic stuff: Skype is the next component of a “vulnerable society”, where problems, risks and damages are created mainly by the ICT companies – instead of the “dangerous criminals” that fall under the unspecified label of “hackers”.

Skype outage raises again network design issues

The recent Skype outage, apparently the fault of a denial-of-service attack on the Skype centralized login infrastructure, raises again the intrinsic flaw of designing a service or an application (even partially) based on a centralized network topology.

As the recent facts show, offering a service with a Single Point of Failure creates a “domino effect” whose legal implications (in terms of damages suffered by paying clients) might bear unforeseen consequences. The “flawed-by-design” kind of liability might, indeed, lead to a class action against Skype for having knowingly chosen to build their service on a technical structural weakness.

Of course, I imagine that, should that issue be taken to court, ICT expert witnesses will play the major role in addressing the underlying technical issues.

Italian Data Protection Law badly injured… whodunit?

Last June 5, 2007 the Italian Camera dei deputati (roughly, a sort of US “lower house” equivalent) passed a law to excuse Small and Medium Enterprises (SME) employing no more than 15 people from the enforcement of mandatory security measures to protect personal data. To enter into full force the law needs to be approved by the Senate, whose decision is expected in the very next weeks.

This law has been proposed because – as a matter of fact – from 1996 to the present day Italian Data Protection Law has become just a bureaucratic issue, made of forms to fill in, with no actual attention to substantive issues. And – what is worse – the Italian Data Protection Authority did almost nothing in the last twelve years to stop this trend.

The proposed SME exemption aroused the furious reaction of ICT security lobbies, who claimed that this law endangers the whole Italian communication network “safety”. This is a grossly misleading claim, since data protection law only deals with a limited subset of data and the provisions on security measures basically provide “paper based security”.

The true problem is that – on the contrary – Italian Data Protection Law has been drafted and enforced with a distinctive lack of “reality check”, whose result is that now the Parliament is stepping back on its foot.