Keeping Non-Corporate Instant-Messaging Alive?
dc_cypher asks: "Soon after I read these two articles, I stumbled across a secure unified IM client powered by Bantu on a Sprint site. While many people are turning to electronic communications to enhance (and protect) their reachability in the midst of the recent terrorist activities, what can we do to keep these useful non-corporate alternatives from being legally and financially slaughtered, only to end up joining their file-sharing brethren in the internet graveyard?"
I was forced out of ICQ since their servers now drop packets not coming from v7 clients and LICQ is definitely not v7; hell, I don't even think it's being developed anymore.
AOL is blocking non-proprietary clients and the others out there are too small to worry about... I've switched to Jabber (using the Psi client).
Why Jabber? Interoperability. I can connect to a dozen other IMs as necessary. Right now I'm "cheating" ICQ by using the AIM transport which seems to work alright. But the biggest reason I like Jabber is that I also have the server source, and have my own Jabber server for my company.
Sure there are only 2 people on it right now but that's the point -- It's totally decentralized. I can get a hold of any other jabber client by searching THEIR server. You don't need to be on the same server to communicate. Very cool.
Jabber has a few interesting transports too like IRC and email. If it doesn't have what you want, write it, as the spec is open and will stay that way.
I was avoiding Jabber for a long time for several reasons: the clients were all GTK or Java or BUTT UGLY, they were big big big, and pretty much all the clients popped up new messages. That's a royal pain in the ass when you actually use your computer. Psi has the option to just raise the window but it took focus too. I helped hack Psi so that its "Raise window" didn't take focus, which is exactly what the old ICQ and LICQ did. Perfect. I can type away at 100WPM and if a message comes in I don't end up spilling half the paragraph into the IM window. I can shrink it small like ICQ/LICQ. The Psi developer promises to try and add in global-key support so I can map alt-backspace to pull up the next message. That's all I need in an IM.
That's my solution for closed-source proprietary bullshit IM protocols: route around them. Jabber is a great way to do so because it's decentralized and totally open.
You won't see many secure IM clients unless they were written outside the US. I wrote a secure peer2peer instant messaging client, i.e. you connect directly to your buddy instead of going through someone's server. The program Blowfish-encrypts all IMs, supports variable bit-length keys between 32 and 448 bits, and allows the conversants to change the key at any time by setting a new password. Good luck eavesdropping!
Now, all that said, have you ever tried to get a program like this approved by the US government? I've spent hours poring over the BXA website, as well as the GPO's archive of EAR regulations, trying to figure out exactly what license exception I should apply for. After all the reading and research I've done, I've gotten nowhere. I sent an inquiry to the BXA's crypto folks and haven't heard back. I looked in Usenet and found twenty different answers. I did see it mentioned that if I release the program as open source I don't even have to get it licensed, but I couldn't verify that at BXA's site.
From what I gather, if I want to distribute the program I'd probably have to set a fixed key, or at the very least cap the key length at 160 bits. Then I'd have to apply under one of several license exception categories, though I don't know which; and if you apply for the wrong one, oops, sorry, you wasted your time documenting how your program meets the EAR requirements. Supposing I managed to apply properly, I may have to wait 30 days before making the program available; meanwhile my spec (and perhaps source code) is in someone else's hands.
$DEITY forbid I want to charge a shareware fee for the program, then I have to figure out whether it's classified as ENC Retail, ENC Non-Retail, etc. Or if I have the arms-trafficking gall to try and distribute the program with 448 bit capability - assuming that was approved, mind you - I'd have to implement some method of checking the IP address of each potential downloader to make sure they're inside the US... And then what happens if someone's using a proxy?
All in all I don't have the time to deal with this shit. And so I gave up (I get the feeling this is exactly what the whole mess is meant to encourage). I've given the program to some friends whom I can personally vouch for as US residents. Other than those few people, it'll probably never see the light of day. Unfortunate, but I wouldn't say it's the Big IM Players' fault that secure IM clients aren't taking off. They'd be everywhere if it wasn't such a hassle.
(BTW if anyone has had success getting a Blowfish program licensed for export, please reply with your secret!)
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
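Shaun's description of the client (direct buddy-to-buddy link, Blowfish on every message, a key length the user picks between 32 and 448 bits, and rekeying by agreeing on a new password) can be reproduced in a few dozen lines. What follows is an added example written for this page, not Shaun's program: it frames one message as IV + Blowfish-CBC body + integrity tag, derives the cipher key from the shared password at the chosen length, and shows that a peer still on the old password can no longer read frames after a rekey. It assumes the `cryptography` package for the Blowfish primitive. Two things here are assumptions beyond what the post says: the password is stretched with PBKDF2 rather than used directly, and an HMAC-SHA256 tag is appended so a tampered or wrong-key frame is rejected before decryption (the post only mentions encryption).

```python
"""Added example: Blowfish-encrypted peer-to-peer IM frames with a
password-derived key of user-chosen length and rekeying by new password.
Not the poster's code; assumes the `cryptography` package. The salt below
is a constructed constant so the example runs offline."""
import hashlib
import hmac
import os

try:  # recent `cryptography` releases moved Blowfish to the "decrepit" module
    from cryptography.hazmat.decrepit.ciphers.algorithms import Blowfish
except ImportError:
    from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish
from cryptography.hazmat.primitives.ciphers import Cipher, modes

BLOCK = 8                   # Blowfish has a 64-bit block
TAG_LEN = 32                # HMAC-SHA256 tag (an addition, not in the post)
MIN_BITS, MAX_BITS = 32, 448


def derive_key(password: str, key_bits: int, salt: bytes) -> bytes:
    """Turn the shared password into a Blowfish key of exactly key_bits bits."""
    if not (MIN_BITS <= key_bits <= MAX_BITS) or key_bits % 8:
        raise ValueError("Blowfish key must be 32..448 bits in 8-bit steps")
    # PBKDF2 is an assumption here: any password-stretching KDF would do.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, key_bits // 8)


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


class Session:
    """One end of a direct buddy-to-buddy link. Both ends share the password."""

    def __init__(self, password: str, key_bits: int = 448, salt: bytes = b"constructed-salt"):
        self.key_bits = key_bits
        self.salt = salt
        self.rekey(password)

    def rekey(self, password: str) -> None:
        """'Change the key at any time by setting a new password.'"""
        self.key = derive_key(password, self.key_bits, self.salt)
        # Separate MAC key derived from the cipher key (assumption, see lead-in).
        self.mac_key = hashlib.sha256(b"im-mac|" + self.key).digest()

    def seal(self, text: str) -> bytes:
        iv = os.urandom(BLOCK)
        enc = Cipher(Blowfish(self.key), modes.CBC(iv)).encryptor()
        body = enc.update(pkcs7_pad(text.encode())) + enc.finalize()
        tag = hmac.new(self.mac_key, iv + body, "sha256").digest()
        return iv + body + tag

    def open(self, frame: bytes) -> str:
        if len(frame) < BLOCK + BLOCK + TAG_LEN:
            raise ValueError("frame too short")
        iv, body, tag = frame[:BLOCK], frame[BLOCK:-TAG_LEN], frame[-TAG_LEN:]
        expect = hmac.new(self.mac_key, iv + body, "sha256").digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("bad tag: wrong key or tampered frame")
        dec = Cipher(Blowfish(self.key), modes.CBC(iv)).decryptor()
        return pkcs7_unpad(dec.update(body) + dec.finalize()).decode()


def rekey_demo() -> dict:
    """Two peers chat, one rekeys, the other catches up. Returns what each step yielded."""
    a, b = Session("hunter2", 128), Session("hunter2", 128)
    out = {"before": b.open(a.seal("hi from a"))}
    a.rekey("correct horse")
    frame = a.seal("after rekey")
    try:
        b.open(frame)
        out["stale_peer"] = "decrypted"
    except ValueError:
        out["stale_peer"] = "rejected"
    b.rekey("correct horse")
    out["after"] = b.open(frame)
    return out


if __name__ == "__main__":
    print(rekey_demo())
```

Two practitioner notes on the design as described in the post: a 32-bit key, the bottom of Blowfish's allowed range, is exhaustively searchable on ordinary hardware, so the lower bound is a legacy of the cipher's definition rather than a sensible setting; and Blowfish's 64-bit block means a long-lived key should be rotated well before roughly 2^32 blocks have been sent under it, which the password-rekey feature conveniently provides.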