New AIM Offering "end to end" Encryption
MankyD writes "The current AIM beta is now offering message encryption. They don't offer a lot of details but it's nice to see they are offering some extra privacy. Will the new AIM be illegal in Michigan?"
Why is this kick ass? Because of the following little gem in the beta description: "[m]essages sent between AIM members can be digitally encrypted and signed." This might be the first time a product for the masses will actually lead to people learning about digital signatures, and setting up their own. You can see where this is leading -- people will get interested, and start to look into encryption in general. This could be the start of mass acceptance of encrypted and signed email. I am tired of looking like a paranoid geek for signing my emails -- I do it for solidarity, and to raise the privacy/encryption consciousness of those getting my emails.
Will they finally be able to make AIM incompatible with unauthorized (Read: Open source) clients?
I shall go and tell the indestructible man that someone plans to murder him.
AIM is very insecure by nature. I downloaded Ethereal, a packet sniffer, and it has built-in filters for extracting AIM messages out of the packets AIM sends. So anyone with a packet sniffer program and half a brain can easily eavesdrop on your conversation. And under the PATRIOT act, the US government can do this any time they want... ugh
Since iChat is one of the few "authorized" AIM clients, maybe it will get access to this.
--
the strongest word is still the word "free"
Quite apart from the issue of security holes, does anyone trust AOL-TW to even *try* to make this secure? I'd be extremely surprised if they weren't keeping AIM keys in "escrow" where the NSA^W FBI^W Department of Homeland Security can access them.
Tarsnap: Online backups for the truly paranoid
iChat, which connects to AOL's instant messenger service, uses SSL to encrypt my end to the server. You can't sniff what I'm sending, and if the recipient is using SSL also, you can't sniff what she's receiving, unless you are on AOL's server, or somewhere in between AOL servers where the message might be routed in plain text.
Well, IM is starting to become the most common form of electronic communication, and it is generally taking the place of E-Mail for a lot of situations, although most of the time now it is for personal communication. But IM can have more business application, which needs encryption for Business to Business communication (to prevent corporate espionage) and also to do business over IM, such as customer support or placing an order over IM (say for some custom orders that normally have to be over the phone), so encryption is very important for IM. And it is worth it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I would like to see a GPG plugin for Licq. Some kind of ICQ user ID to GPG key id mapping file, so that I could say 12098242 = 0xe66d4af, and all communication from then on to that user would automatically be encrypted to that key. I know it has SSL encryption built in, but that doesn't work if you're both behind firewalls.
I started to try and work on it, but it was too tricky. Anyone interested in helping out?
Get your own free personal location tracker
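An added example (not Licq, GAIM-E or Fire code) of the mapping the poster above describes: parse a "user ID = key id" file and build the gpg invocation for that recipient. The sample entries are constructed; the file format and the `0x` prefix follow the comment.

```python
"""Map IM user IDs to OpenPGP key IDs and build the gpg encrypt command.

Added example, not Licq code. Mapping-file format follows the comment
above ("12098242 = 0xe66d4af"); the sample values below are constructed.
"""
import re
import shutil
import subprocess

# Constructed sample mapping file: ICQ UIN on the left, key id or fingerprint on the right.
SAMPLE_MAPPING = """
# uin = gpg key (short id, long id, or full fingerprint)
12098242 = 0xDEADBEEF12345678
55512345 = 0123456789ABCDEF0123456789ABCDEF01234567
31337 = 0xCAFEBABE
"""

# Accept 8 (short id), 16 (long id) or 40 (fingerprint) hex digits, optional 0x prefix.
HEX_ID = re.compile(r"^(?:0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")

def parse_mapping(text):
    """Return {uin: key}; key is upper-case hex without the 0x prefix.
    Blank, comment and malformed lines are skipped rather than guessed at."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        uin, key = (part.strip() for part in line.split("=", 1))
        m = HEX_ID.match(key)
        if not uin.isdigit() or not m:
            continue
        mapping[uin] = m.group(1).upper()
    return mapping

def is_short_id(key):
    """Short (32-bit) key ids can be brute-forced to collide; warn the user and
    prefer a full fingerprint before trusting such an entry."""
    return len(key) == 8

def gpg_encrypt_argv(key):
    """Command line the client would run to encrypt one outgoing message."""
    return ["gpg", "--batch", "--armor", "--encrypt", "--recipient", "0x" + key]

def encrypt_message(mapping, uin, plaintext):
    """Encrypt plaintext to the key mapped for uin; raises if gpg is unavailable."""
    key = mapping[str(uin)]
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg binary not found")
    return subprocess.run(gpg_encrypt_argv(key), input=plaintext.encode(),
                          capture_output=True, check=True).stdout.decode()
```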
For some reason a couple people have posted so far questioning the usefulness of this. I've used Trillian's SecureIM encryption a number of times and I'll try to give an example of a situation where encrypted IM was useful.
I needed a root password from my brother; we were both running Trillian, so we just turned on SecureIM and he gave it to me. This was far easier than any other encrypted messaging we could have done. We've traded passwords a couple other times the same way.
Thawte originally promised to move the database outside of the US if the US ceased to have adequate privacy protections in law. After the Patriot Act, they should have done so, but they didn't. Thawte today is just a front for Verisign, which, among other things, operates a national wiretapping service for law enforcement and others.
... One company, VeriSign Inc., offers a one- stop, turnkey solution to help telecom carriers comply with CALEA.
VeriSign's nationwide signaling network infrastructure, digital certificate technology and secure data centers enable it to provide a scalable service bureau solution that saves carriers significant capital expense and virtually eliminates administration costs involved in meeting the legal, technical and operational requirements of CALEA.
Using Verint Systems Inc.'s STAR-GATE, a solution that provides the means to access and deliver intercepted communications content and call data to law enforcement agencies, VeriSign offers a streamlined solution that meets the needs of wireline, wireless and cable telephony carriers. Puri explains that once contracted by the carrier, VeriSign becomes the primary point of contact for law enforcement. "Once we receive the order ... it's completely hands off for the carrier."
Among the orders NetDiscovery processes are historical call records, pen registers or trap and trace (real-time call data as it occurs), as well as wire taps from both law enforcement and national security agencies. The company's personnel are set up to handle classified orders, having attained the appropriate government security clearances, Puri says.
In addition to eliminating a carrier's need to maintain such personnel, NetDiscovery also eliminates the need to connect to the thousands of agencies with authority to request information.
The solution supports circuit switches and beginning this quarter it will support packet-based gear, such as soft switches. The company is working with Cisco Systems Inc. to support its soft switches, routers and gateways. ...
In addition to Cisco, VeriSign is working with four other "market-leading" vendors to ensure support for their packet-based offerings, it says. ...
"Almost every provider has some sort of packet-based hardware, so support for packet under CALEA is critical. It cuts across all types of carriers from wireline to wireless to cable MSOs," he says.
The company is looking also at solutions for ISPs and their gear (routers, gateways, etc.) although they are not included under CALEA, Puri adds.
Verisign just had a session on wiretapping for ISPs at Supercomm. Basically, Verisign runs the US's wiretapping infrastructure. They thus can't be trusted as a security provider.
1 Sharp zaurus
+
1 copy of kismet
==
1 transcription of the entire chat session
Any decent packet sniffer will reveal all that is said. I suspect that they are offering this not to make it safer or get more subscribers, but rather to cover up certain activity.
AOL's servers record chat sessions of members, I'm not certain as to whether or not they do it for non-members. The point is that anyone over there with the requisite access rights can spy on these things. End-to-end encryption will not be default, might require a subscription charge, and might mean end-to-end(AOL)-to-end.
Forgive my pessimism, but I don't trust AOL in any situation. They screw over their members, they screw over those of us with smaller servers, they screw over friends of members. I think they are realizing that they cannot maintain their current empire in the face of broadband; this may just be a feeble attempt to profit from their other markets. Subscription Netscape anyone?
You can't judge a book by the way it wears its hair.
As a Fire developer myself, I thought that I could contribute a little more to this. We have started to participate in a discussion on the best way to do encryption over IM protocols. This discussion can be found here: http://www.chat.solidhouse.com/smsn/. The GAIM-E author has even contributed to this discussion.
Also, we have drastically improved the way that the GPG encryption is handled. It now works on more protocols and will be more consistent. My favorite is that we now correctly recognize a gpg installed by fink.
Here is how I envision this in the end. Assuming that AOL didn't use PGP (or GPG), then we (OS Client Authors) should try to support their protocol, along with PGP (or GPG), which would be considered more secure.
Glad to run across another satisfied Fire user.
You see? It's like I've always said. You can get more with a kind word and a 2x4 than you can with just a kind word.