by cooldeal 4777 days ago
Reminds me of this HN post.

"New Skype malware spreading at 2,000 clicks per hour to mine Bitcoins" https://news.ycombinator.com/item?id=5502028

One of the choice top HN comments:

"Why does Skype even have any clickable links in it at all if Microsoft can't be bothered to keep the obvious malware out?"

Another comment:

"Re the conclusion: to protect yourself, don't run an OS that will silently install software just because you clicked on a blue link in a program published by the OS vendor. Steve Ballmer should be jailed as an accessory for allowing this."

Damned if they do, damned if they don't.

6 comments

The browser follows the link. The browser can absolutely be checking for malware links, and warning you before you follow them. And you should be able to configure your browser to not do that, if you don't want it to.

So, it's not "damned if they do, damned if they don't," from my point of view, they have to do it in the right place. Within Skype itself is absolutely not the right place.

The article doesn't mention which browser the reader and colleagues used to open the link. It could be IE checking the links and not Skype.

It's not even using an HTTP GET request that a browser would. It's an HTTP HEAD request.
"and warning you before you follow them"

L.O.L. Warnings are ignored so often they're practically useless.

When the viral infection is spreading at 4000 messages a minute, by the time the Skype team informs the IE, Chrome, Firefox, Opera anti-spam teams and waits for them to add it to their blacklist, they might as well not do anything.

What's wrong with scanning links in chat for malware on the Skype servers so that they can immediately stop such messages from spreading?

Skype team should be able to inform IE team at roughly the speed of light.

Chrome team does a pretty good job of finding malware themselves.

What's wrong with scanning links is the scanning part. A third party has NO BUSINESS in seeing any of the bytes in my conversation.

If I'm a political dissident in a repressive country, I don't want MS to have the OPTION of handing my conversation over to my government.

Your government wants them to have that option. Why should MS listen to you and not your government?

I think the problem is that we are getting the worst of all worlds right now: successful malware, messages can only be sent when both sides are online (why, if there is a middle-man??), and messages are being snooped on. Oh, and clients still display them out of order.

Unlike, say, FB messages, Skype has always felt so brittle and unreliable that I hoped it was peer-to-peer, and this news came as a bigger shock.

Okay, first, I'll just say it: I'll bet Microsoft has a team of developer-relations/pr people commenting on HN. HN is so important to the startup world, and Microsoft sees tech evangelism as war ...

https://news.ycombinator.com/threads?id=cooldeal

Maybe it's not you, but I bet it's happening.

1998 Slashdot called and wants its comment back.

It might be a call from 1998, but the Halloween documents are real. You are really naive or just stupid if you think these kinds of operations aren't being executed to this day.

http://en.wikipedia.org/wiki/Halloween_Documents

You mean I could get paid for what I do for free?! I didn't know that, damn!

If there is such a team on HN, they're doing quite a shitty job by the looks of it. Even a review of the Surface is routinely flagged off the front page for daring to be on the same page as a new Chromebook announcement.

They could distribute a list of malicious URLs to the clients and do the checking locally.

They could ensure that clicking a link doesn't compromise your system.

There is no inherent conflict between privacy and security here, not like you're making it out to be.

> They could distribute a list of malicious URLs to the clients and do the checking locally.

A list of essentially every known malicious link on the entire Internet? I speculate that would be quite a few gigabytes in size, and would only get larger if they wanted to store the links in some data structure that could be scanned in a practical amount of time. And said list wouldn't be complete, either; it would only cover known links that Microsoft had seen before, and would only record their malicious state at the time of the last scan, not now.

> They could ensure that clicking a link doesn't compromise your system.

These sorts of vulnerabilities often come from obscure and surprising places (e.g., their TrueType font parsing code), from blocks of code that have been around for a decade or two without the vulnerability being noticed. Identifying security vulnerabilities is notoriously hard, even when you're not contending with the complexity and scale of Windows and all its associated applications.

There's an argument to be had about the acceptability of the privacy/security tradeoff Microsoft could provide by eavesdropping on your conversations, but your implication that such a tradeoff is mostly or entirely avoidable is untrue.

Despite the objections you raise, Google manages to detect malicious URLs without sending everything to their own servers:

http://blog.alexyakunin.com/2010/03/nice-bloom-filter-applic...

Instead of worrying about how impossible this idea is, I'd suggest looking at how others are accomplishing it.
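The local-checking approach argued over in the two comments above (a client-side blocklist versus a multi-gigabyte list) is usually done with a Bloom filter: the client holds a compact probabilistic set of known-bad URLs that never misses a listed entry, and only the rare false-positive hits are confirmed with the server. This is an added illustration, not code from Skype, Microsoft or the linked blog post; the blocklist entries and the `server_lookup` confirmation step are constructed placeholders.

```python
import hashlib
import math


class BloomFilter:
    """Fixed-size Bloom filter: no false negatives, tunable false-positive rate."""

    def __init__(self, expected_items: int, fp_rate: float):
        # Standard sizing: m bits and k hash functions for the target FP rate.
        self.m = math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Derive k bit indices from one SHA-256 digest (double hashing).
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def size_bytes(self) -> int:
        return len(self.bits)


def canonical(url: str) -> str:
    # Minimal normalisation so case/trailing-slash variants map to one entry.
    return url.strip().lower().rstrip("/")


def check_link(local_filter: BloomFilter, url: str, confirm_with_server) -> str:
    key = canonical(url)
    if not local_filter.might_contain(key):
        return "clean"  # definite: a Bloom filter has no false negatives
    # Possible hit: only now is anything sent to the server, and only the hash key.
    return "malicious" if confirm_with_server(key) else "clean"


# Constructed blocklist with placeholder domains (not real indicators).
BLOCKLIST = {canonical(u) for u in [
    "http://malware-example.invalid/skype-bonus",
    "http://phish-example.invalid/login",
]}
# Sized for a million entries at 1% false positives: about 1.2 MB, not gigabytes.
LOCAL = BloomFilter(expected_items=1_000_000, fp_rate=0.01)
for u in BLOCKLIST:
    LOCAL.add(u)


def server_lookup(key: str) -> bool:
    return key in BLOCKLIST  # hypothetical authoritative check
```

The filter ships to clients as a periodic update, so the privacy argument in the thread is met: a clean link never leaves the machine, and the server learns only about rare candidate hits.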

>an OS that will silently install software just because you clicked on a blue link in a program published by the OS vendor

They're not damned if they don't do this. Not doing this would solve the problem. What's your point?

I don't think either removing clickable links or fixing an "OS that will silently install software just because you clicked on a blue link" should only be possible by allowing themselves to eavesdrop.