Posted by ryuzaki0 from the oops-they-did-it-again dept.
thedude13 writes "Infoworld is running a story about a major security hole in AOL® Instant Messenger™ and how it handles away messages. AIM is vulnerable to a buffer overflow via the auto-response away message mechanism. Yet another reason to switch to, IMHO, a better client such as gaim."
284 comments
Internet Provider, by Anonymous Coward (Score: 0)
"switch to, IMHO, a better client such as gaim"
How about switching to better providers first?
Re:Internet Provider, by Chess_the_cat (Score: 2, Informative)
You don't have to be an AOL subscriber to use AIM.
Failure to understand the point of a comment on your part does not constitute idiocy on mine.
Major erratum in article, by Eponymous Cowboy (Score: 5, Informative)
Unfortunately, the article this story links to has a rather large mistake. It states:
However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
This is completely and totally wrong.
Any web page can launch URLs of the form aim:goaway?message=Anything+goes+here by many different means without user intervention:
Redirect response codes
Meta redirect tags
Frames
iframes
Javascript popups
Any one of those methods will change your away message automatically, without any confirmation on your part. And if the part in the message= section is more than 1024 characters, arbitrary code can be executed on your machine.
The only sure way to protect yourself against this is to remove the HKEY_CLASSES_ROOT\aim registry key, which will disable the AIM protocol altogether, as explained here.
-- It's hard for thee to kick against the pricks.
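The missing length check that the post above describes, as an added illustration in C (this is not AIM's code and not from the linked article): a small handler for aim:goaway?message=... URLs that copies the message into a fixed 1024-byte buffer, first in the unbounded form that overruns the buffer, then in a form that measures the parameter and refuses over-long input before copying. The 1024-byte limit, the URL prefix, the parameter syntax and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not AIM's code. Assumed for the demo: the handler gets
   the raw "aim:goaway?message=..." URL and must place the message in a
   fixed buffer of MSG_MAX bytes, the 1024-character limit the post names. */
#define MSG_MAX 1024

/* Return a pointer to the value of the "message" parameter of an
   aim:goaway URL, or NULL if the URL is not a goaway command or carries
   no message parameter. Parameters are assumed to be separated by '&'. */
static const char *find_message_param(const char *url)
{
    static const char prefix[] = "aim:goaway?";
    if (strncmp(url, prefix, sizeof prefix - 1) != 0)
        return NULL;
    const char *p = url + (sizeof prefix - 1);
    while (*p != '\0') {
        if (strncmp(p, "message=", 8) == 0)
            return p + 8;
        const char *amp = strchr(p, '&');
        if (amp == NULL)
            break;
        p = amp + 1;
    }
    return NULL;
}

/* The pattern the thread is about: an unbounded copy into a fixed
   buffer. Shown for contrast only and never called with long input
   here; a message of MSG_MAX bytes or more overruns 'out'. */
int set_away_unchecked(const char *url, char out[MSG_MAX])
{
    const char *msg = find_message_param(url);
    if (msg == NULL)
        return -1;
    strcpy(out, msg);
    return 0;
}

/* Hardened form: measure the parameter, refuse anything that does not
   fit together with its terminator, and only then copy with an explicit
   bound. Returns 0 on success, -1 if there is no message parameter,
   -2 if the message is too long for the buffer. */
int set_away_checked(const char *url, char out[MSG_MAX])
{
    const char *msg = find_message_param(url);
    if (msg == NULL)
        return -1;
    size_t len = strcspn(msg, "&");   /* value ends at the next '&' or NUL */
    if (len >= MSG_MAX)
        return -2;                    /* would leave no room for '\0' */
    memcpy(out, msg, len);
    out[len] = '\0';
    return 0;
}

/* Demo helper: build a constructed goaway URL whose message is n bytes of
   'A' (the filler pattern mentioned later in the thread) and report the
   checked handler's verdict, without ever touching the unchecked one. */
int checked_result_for_length(size_t n)
{
    static const char prefix[] = "aim:goaway?message=";
    size_t plen = sizeof prefix - 1;
    char *url = malloc(plen + n + 1);
    if (url == NULL)
        return -99;
    memcpy(url, prefix, plen);
    memset(url + plen, 'A', n);
    url[plen + n] = '\0';
    char out[MSG_MAX];
    int rc = set_away_checked(url, out);
    free(url);
    return rc;
}

int main(void)
{
    char out[MSG_MAX];
    /* constructed sample URL */
    const char *benign = "aim:goaway?message=Back+in+five+minutes";
    int rc = set_away_checked(benign, out);
    printf("benign: rc=%d msg=\"%s\"\n", rc, out);
    printf("1023-byte message: rc=%d\n", checked_result_for_length(1023));
    printf("1024-byte message: rc=%d\n", checked_result_for_length(1024));
    printf("5000-byte message: rc=%d\n", checked_result_for_length(5000));
    return 0;
}
```

The check is done on the still-encoded value, which is safe because any '+' or percent-decoding performed afterwards can only shorten the string, so a message that fits encoded also fits decoded. Rejecting before the copy, rather than truncating, also avoids silently mangling a status message, and gives the handler one place to log or refuse input that the page's threat (a web page driving the protocol handler without user interaction) would send.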
Re:Major erratum in article, by alexatrit (Score: 2, Interesting)
That error being noted, most users of AIM that I know will click on just about anything.
Re:Major erratum in article, by Anonymous Coward (Score: 1, Interesting)
Indeed. A simple proof of concept: If you use AIM, click here to see your away message set, from your web browser. (No "message=" bit set here in this example; that's just plain mean.)
And, of course, if it can be done by clicking such a link from your browser, it can be done by any of the means listed in the parent post.
Re:Major erratum in article, by shird (Score: 3, Insightful)
And, ahem, how do you get to that launch page in the first place? Magic?
It's not as if anyone can just post a meta-refresh onto the front page of Google. A page/server would have to host that javascript/iframe/redirect/etc. and you would have to convince someone to visit that in the first place.
Sure, you can use social engineering to get people to visit mysite.com/hack.htm or whatever, but that's exactly what the article is saying - you need to manually visit a malicious page in the first place.
-- I.O.U One Sig.
Re:Major erratum in article, by Anonymous Coward (Score: 1, Informative)
And, ahem, how do you get to that launch page in the first place? magic?
No, not magic. The same way people get most spyware these days: Google.
Do pretty much any search on Google these days, and a good 50% of the results on the first page will install spyware on your PC if you're using an unpatched version of Internet Explorer. There was an article about this just the other day on Slashdot. It's impossible to know which search result links from Google install spyware and which don't.
So, now even someone with all the latest IE patches, or someone who is using Firefox and thinks they are safe, needs to worry if they have AIM installed on their system.
Re:Major erratum in article, by Ieshan (Score: 3, Insightful)
Right, because no one who uses AOL Instant Messenger ever visits websites without trying.
Seriously, a combo exploit that affected webservers and AIM would net not only thousands of servers but thousands upon thousands of PCs. Individual PCs with no services are difficult to infect by worm with even the most minimal security settings, this would tank thousands of PCs because people are so naive when it comes to the 'net. AIM has always been "safe", they don't want to listen to how it might be "dangerous".
Of course, AOL can push out an update to the client tomorrow, and as long as the next version has more flashing lights, people will download it right away.
You said so yourself, after a search in google you "would have to click on the URL to trigger the vulnerability..." exactly as the article says.
The point is, just chatting on AIM is not going to have some worm that exploits this thing rip through your system and the entire AOL network.
-- I.O.U One Sig.
Re:Major erratum in article, by glenkim (Score: 2, Interesting)
You're right. I made a page that crashes AIM. When I first ran the page, though, an error message popped up that said a buffer overrun was detected. Does that mean that the code wouldn't have executed anyway?
Re:Major erratum in article, by Anonymous Coward (Score: 0)
The dangerous bit isn't with the AIM side of this exploit. The dangerous bit is with the browser side.
This is a MAJOR security hole that affects all web browsers for anyone who has AIM on their system. Firefox, Opera, IE; doesn't matter. This is no different from the earlier Shell exploit that required a Firefox patch.
The key point here is that people aren't going to get any advance notice that their system is about to be owned. They don't have to specifically click some strange-looking link; just do any random Google search and look at some of the top-ten results.
Re:Major erratum in article, by Anonymous Coward (Score: 0)
Errmm... no. Welcome to the world of spyware, where on an infected computer you can have 50+ popups an hour without ever even opening IE. Don't you think that just one of those popups *could* have a "hack your aim" URL?
Duh.
Re:Major erratum in article, by EnderWiggin99 (Score: 1)
"Dear Esteemed Sir;
I am wantonly writing on behalf of the Sneider family of the Democratic Republic of Congo. It seems a substantial sum of money has been locked away..."
And the key point of the article was that an attacker couldn't take advantage of it in an 'automated' way - it requires manual intervention.
"which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said."
The original poster said:
"This is completely and totally wrong."
But it is not. It does make it harder, because just using AIM won't get you 'own3d'; you have to visit a malicious URL, regardless of how easy it may be to get people to visit such a URL.
-- I.O.U One Sig.
Re:Major erratum in article, by Anonymous Coward (Score: 0)
In those cases you are already 'own3d', so that is irrelevant. If they could get the spyware on your machine in the first place, you should consider your system completely compromised, as it could have done potentially anything.
Most spyware contains backdoors and automated updates etc., so they have complete control of your system in the first place.
Re:Major erratum in article, by Anonymous Coward (Score: 0)
The "This is completely and totally wrong" bit referred to the beginning of the quoted section, not the end. I quoted the whole sentence for context. -EC
Re:Major erratum in article, by Anonymous Coward (Score: 1, Informative)
Bosh, just look at the recent combination server-side/client-side worms. This is a great way to get the client-side parts installed on computers. Fully automated, no clicking involved, once websites are owned.
Re:Major erratum in article, by Anonymous Coward (Score: 0)
Does this violate the RFC for HTTP?
If so, would not something like FW1 NG AI protect you?
http://checkpoint.com/appint/appint_application_layer.html
Re:Major erratum in article, by moonbender (Score: 2, Insightful)
The dangerous bit isn't with the AIM side of this exploit. The dangerous bit is with the browser side.
Not really. A browser seeing an internet protocol it doesn't know how to use basically has two choices: ignore it or let somebody else worry about it. Ignoring it is not a Good Thing, since there clearly are cases where external URLs are useful (mail:, news:, ed2k:, irc:, and so on). And considering there already is a database of protocols and installed programs that handle them in the Windows registry, it makes a lot of sense to use it and let the program associated with the protocol deal with it.
Opera apparently has gone a middle route for some time now, since it allows you to specify trusted external protocols and associated applications. Protocols not on that list are ignored (I assume). This works very well, but of course it's really quite redundant, the same things already being in the registry. Unfortunately there are protocols in the registry that shouldn't be, such as the shell thingie discussed some weeks ago.
No, the fault really totally lies with AIM in this case. For one thing, it should be blindingly obvious that having URLs like aim:goaway?message=x is really insane, even if they worked as advertised without any bugs: it effectively allows any site you visit to set your AIM status. And potentially other things depending on what other commands the protocol knows (aim:run?)... And of course the buffer overflow is also an AIM bug.
Re:Major erratum in article, by Causemos (Score: 5, Informative)
Except it appears no one checked this fix out completely. So long as your account has privileges to that area of the registry (which many do), AIM re-creates the key the next time you restart it. I've also tried breaking the key and AIM corrects this also.
Basically unless you run as a regular "User" or other restricted account in Windows, the AIM fix is only good for one session of AIM.
Was the error message produced by AIM? Many AV programs attempt to detect common exploit strings like a long series of "A"s, which are commonly used to fill up a buffer in an exploit.
Re:Major erratum in article, by Anonymous Coward (Score: 0)
Sorry, this doesn't work.
Have you actually tried this?
Once you reboot, the registry key is right back. Or simply delete the registry key, stop aol aim, restart it, and the key is back.
Quit spreading false information!!!!!
At least it is on the version of AIM I am running.
Re:Major erratum in article, by AnyoneEB (Score: 1)
I remember that past AIM viruses often worked by infecting through a browser exploit and changing the infected user's profile or away message to be a link to the browser exploit (sometimes just the link, sometimes with something like "visit this cool link"). Although this is an AIM exploit and not a browser exploit, the same strategy could be used.
-- Centralization breaks the internet.
Re:Major erratum in article, by xsupergr0verx (Score: 1)
One major one is called buddypicture.net from the site of the same name.
October of 2003 wasn't "just found" not to mention you have to install a plugin that doesn't come with gaim by default. We're talking default configuration on windows compared to a nonstandard configuration on some OS. Apples and oranges.
AIM is not the "default configure on windows". It is, however, a non-standard configuration on some OS (like Windows - is OS X affected, too?). Now, we ARE talking a bug in the base code of AIM versus a third-party plugin for GAIM. That's apples and oranges... or really, a banana. You know:
Go Apple!
Go Orange!
GO BANANA!
more buffer over flows, by RLW (Score: 5, Insightful)
When are we going to learn to incorporate bounds checking into everything? We have the CPU cycles.
Re:more buffer over flows, by maximilln (Score: 2, Insightful)
When are we going to learn to incorporate bounds checking into everything?
I always validated my input, even when learning to program BASIC out of the C=64 User's Guide and the advanced Programmer's Reference Guide in my early teens before taking any formal classes in it. I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.
-- +++ATHZ
99:5:80
Re:more buffer over flows, by bs_testability (Score: 3, Insightful)
I'm not having any more luck getting developers to incorporate self test, bounds checking, and testability access points than I am trying to get my kids to eat vegetables.
Even tying bonuses to it motivates few.
Re:more buffer over flows, by Bedouin X (Score: 3, Interesting)
I wonder if my newly acquired NX protection (just installed XP SP2) will protect me from this. I use Trillian Pro anyway but if anybody has a link, I'd like to see.
-- Dissolve... Resolve... Evolve...
Re:more buffer over flows, by the unbeliever (Score: 1)
Does your CPU support it?
(read: Are you running an Athlon 64?)
Re:more buffer over flows, by Bedouin X (Score: 1)
Yeap 3000+
-- Dissolve... Resolve... Evolve...
Re:more buffer over flows, by pjt33 (Score: 3, Insightful)
When everyone uses Java or OCAML rather than C(++).
Re:more buffer over flows, by Anonymous Coward (Score: 0)
If only somebody could come up with a managed framework that could do that, and perhaps provide decent APIs with support for multiple languages - you could call it .NET or something ;)
Re:more buffer over flows, by Proaxiom (Score: 4, Interesting)
I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.
Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.
For instance: Not too long ago few programmers had any idea they should check input values for SQL control characters before passing it to a database script. They assumed input wouldn't contain any, without realizing they were so assuming.
It's true that many bugs arise from unchecked string lengths, and those are usually pretty easy to catch (and to fix), but resolving those problems will only take care of a subset -- though probably a large subset -- of the input-related security flaws out there.
Re:more buffer over flows, by Anonymous Coward (Score: 0)
For instance: Not too long ago few programmers had any idea they should check input values for SQL control characters before passing it to a database script. They assumed input wouldn't contain any, without realizing they were so assuming.
Sounds like the programmers were just ignorant, which usually results in a very dangerous situation, no matter what you're developing.
Simple answer, use C#/.NET with managed code. No more buffer overflows.
Re:more buffer over flows, by delus10n0 (Score: 1)
When I learned about interacting with SQL (of the MS variety), one of the first things I learned was to escape single quotes to double quotes. I'm amazed that today programmers still make the mistake of not escaping/cleaning what they're sending to their SQL server.
-- Not All Who Wander Are Lost
Re:more buffer over flows, by maximilln (Score: 1)
The hard part is identifying all the assumptions we have to validate against
If I didn't personally initialize the variable then I must explicitly define, through validation, what type of information that variable is carrying. It's not that tough.
They assumed input wouldn't contain any, without realizing they were so assuming
I think the only thing that was assumed is that the input had been validated by the routine or program which generated it. We're faced with a quandary: validate everything and waste code redundantly re-validating input which _SHOULD_ have been validated, or risk security flaws.
This leads to another argument in favor of open source: If the code is open source then a programmer can check that the variable was properly validated. Proprietary code probably causes massive migraines for programmers who have deadlines to meet and can't spend the next month re-validating every struct array that comes out of the kernel. Imagine having a program that displays the current time in the upper right hand corner... should you have to validate the time returned by "date" or "hwclock"? In open source you can ensure that those registers can't be hijacked. In proprietary code you can either spend time running a brute force fault test (hehehe... yeah right) or assume that the data will always contain what you think it will.
-- +++ATHZ
99:5:80
Re:more buffer over flows, by Anonymous Coward (Score: 0)
Looks like somebody is on a budget!
Re:more buffer over flows, by Bedouin X (Score: 1)
Yes sir.
But I bought the CPU to play Doom 3 and as such, the 3000+ does me fine. Especially compared to ANY Intel chip.
-- Dissolve... Resolve... Evolve...
Re:more buffer over flows, by ManxStef (Score: 1)
Or Delphi (Object Pascal), C# (Delphi v2 - Microsoft poached Anders Hejlsberg from Borland), Python, Ruby, and several other languages that handle strings in a more sensible way (though the overheads are higher so, as always, it's a tradeoff).
Re:more buffer over flows, by the unbeliever (Score: 1)
I wish I had your budget. I just built an Athlon XP-M 2500+ system;/
Re:more buffer over flows, by Anonymous Coward (Score: 0)
When are we going to learn to incorporate bounds checking into everything? We have the CPU cycles.
Speak for yourself! I'm still using a fairly old machine, and I routinely get stuff up in the 90-100% CPU usage range.
You don't NEED to check bounds on every array access. You NEED to be aware of your assumptions, and never code drunk. If you can't write code in C++ without buffer overflows, programming isn't for you. It's not hard at all, ask any competent C++ programmer. (no, don't ask C# programmers, Java programmers, Python, PHP, Ruby, etc.)
In fact, give me your job, then I can afford a better machine.
Re:more buffer over flows, by Evil Adrian (Score: 1)
Surprised no one responded that Microsoft's NX protection is evil and will rip you off.
--
evil adrian
Re:more buffer over flows, by sp0rk173 (Score: 1)
Ada does it with minimal overhead.
Re:more buffer over flows, by Anonymous Coward (Score: 0)
Start firing them.
Re:more buffer over flows, by NuclearDog (Score: 0)
I wish I had your budget, even. My fastest computer is an Athlon 1.8 GHz with 256 MB RAM. Before this one the fastest I had was a 433 MHz.
Sadder yet, my server is a PII 233 MHz with 96 MB RAM.
I'd kill to be able to afford an AMD64 or something.
Miranda IM... Open source, free, and has a much nicer native look & feel to it than GAIM does on Windows.
Re:Solution, by Anonymous Coward (Score: 1, Funny)
I've been "using" Jabber for like 2 years now. Unfortunately I am the ONLY one "using" it. Everyone I talk to uses Yahoo, MSN, or AIM. I still keep myself logged in to Jabber via gaim, but I can't convince people to even try Jabber. What's your secret? Bribery? Blackmail?
Do many people put links in away messages anyway? Wouldn't people think it was strange that there is a link to something they've never heard about in an away message? I've never used AOL, so can someone tell me if you can use a text link, or is it only a URL?
Re:But...., by LostCluster (Score: 1, Informative)
The problem isn't a link within an AIM away note, it's an abuse of a link format within a webpage that is supposed to set an away note.
A URL of the form "aim:goaway?message goes here" should work on most machines running AIM to set an away note. Pass too long of a string to that function, and a buffer overflow results.
You have misunderstood. AIM on Windows registers a protocol handler so that it's possible to run various AIM commands by opening URLs beginning with "aim:". One of those commands is "goaway" which sets the status to Away and sets a message. The code that implements the command doesn't check the length of the message in the URL. Frankly I think it's a large security and privacy risk to register such a protocol handler in the first place.
Unless someone wanted to create an internet worm-like problem, they *could* do what you're saying, but the exploit isn't "catchable" through clicking links in away messages. You click a link ANYWHERE on the web and it will execute arbitrary code on your PC. Your away message, if formed by a link using the exploit, would probably look like mumbled garbage.
Re:But...., by Anonymous Coward (Score: 0)
To answer your question, even tho it's been pointed out that it doesn't really address the issue: yes, many people put links to, say, funny cartoons, or weird sites, or even classic bash.org quotes in their away msgs. if it's topical and/or illuminating to my life, it goes. i don't use aim either, but trillian automatically turns URLs into clickable links, i'm sure other clients do too.
Why the fuck is that function even allowed or needed? I don't need my browser interfacing with AIM... the only semi-useful one would be the one to open a window to send a message, but even then...
"Do many people put links in away messages anyway?"
They do now...
Hmm, each AOL user who visits my website gets an advertisement for it inserted into their away message... decisions, decisions. And they're AOL users, so I don't even care if they decide not to return to my website.
Needs user assistance, by LostCluster (Score: 3, Informative)
There is not going to be an auto-spreading worm based on this hole. From the article: "AIM users would have to click on the URL to trigger the vulnerability..."
AIM-based worms that need user clicks to spread have already existed for a while. I've already seen one that tempts people to a page that offers a malware ActiveX download, and if the user accepts their AIM profile is changed to advertise the malware site without them realizing what they've done.
So, in short, this one's bad, but there's a pretty easy workaround that'll keep you safe: Hover over the hyperlink before you click on it to see the URL. If it's a mile long, don't click on it.
Re:Needs user assistance, by Anonymous Coward (Score: 1, Informative)
Actually, that's a mistake in the article. See this post for details. Or, if you use AIM, click here to see your away message set automatically, from your web browser. Scary, huh?
Re:Needs user assistance, by Ieshan (Score: 2, Insightful)
The real solution is to teach people not to accept ActiveX Downloads and other such things without reading the screen.
I'm not really sure what the problem is. Reading the computer screen is not a difficult or scary task. Understanding words like "install" and "security hazard" and "caution" are not that difficult.
I know it would be terrible UI design, but IE should really scramble the buttons at the bottom of ActiveX Dialogue boxes to keep people from instinctively clicking without reading. There are one or two ActiveX Components on the ENTIRE (effing) INTERNET that need to be installed.
Teaching people basic computer security along with their basic computer skills is a useful and worthwhile thing.
Re:Needs user assistance, by Anonymous Coward (Score: 1, Informative)
the user somehow has to get fooled into visiting an unsafe site for the whole process to start.
Actually, it's not hard, and it's basically automatic.
There was an article just the other day on Slashdot about this exact topic.
Basically the idea is that a good 30-50% of the results on the first page for Google searches on almost any topic nowadays will install spyware on your PC if you have an unpatched version of IE. Now with this exploit, ANYONE running AIM needs to worry, even if they are using an entirely different browser, like Firefox.
Re:Needs user assistance, by grayson_DEV (Score: 1)
"... there's a pretty easy workaround that'll keep you safe: Hover over the hyperlink before you click on it to see the URL. If it's a mile long, don't click on it."
Good rule, if it wasn't for a couple of problems - for a start, this is AOL users, not exactly the group most renowned for net-savviness and reluctance to click every link in sight. Even the length of the URL isn't an indicator with services like shorturl, and I could write a two-line Perl script that could turn an innocuous-looking URL into a redirect to something much nastier (and the chances are it'd work so fast they wouldn't even notice).
URL length isn't really a good measure of safety, nor is the link the browser displays (which can be obscured with javascript in most cases anyway).
Re:Needs user assistance, by gad_zuki! (Score: 1)
Yeah, read the screen. Where will you find the information you need like:
1. This is spyware which will download more spyware.
2. This is poorly written and will cause you a lot of problems.
3. There is no uninstaller, or the this is a severe pain to uninstall. Good luck, sucker!
In other words, spyware promotes itself like typical free software people expect. I think your argument would only make sense if there was a legal responsibility to say the above things in normal non-legalese non-techese speak. But please, don't let the facts get in the way of end-user bashing.
If I was handing out free snowcones on the street with a small asterisk next to "free" that said "also contains Methylenedioxymethamphetamine", do you think people would eat it just because Ecstasy is tough to understand in medical terms?
Surely not.
People are smart enough to know that all things come at a cost.
Re:Needs user assistance, by NuclearDog (Score: 0)
Yeah, people are generally in a different mindset in these situations.
Most people on a computer just think "It's a computer. I shouldn't have to know anything about it at all to use it. It should read my mind and automagically do everything for me." People getting free stuff from that 'nice gentleman on the corner' are generally going to be more suspicious, whether you put a notice up saying it contained Ecstasy or not.
ND
-- This statement is forty-five characters long.
GAIM? Fire too, by ShatteredDream (Score: 2, Informative)
For Mac users there is Fire, which since going 1.0 is quite nice and polished.
Or Adium, a quite nice interface that can use your address book to display information (and a picture) about your chat partners.
They are all directly installable via the "darwinports" port system.
-- Spelling mistakes: My is english spoken not tongue of mother.
Re:GAIM? Fire too, by slamb (Score: 2, Interesting)
For Mac users there is Fire which since going 1.0 is quite nice and polished.
Looks like the Mac version is not vulnerable to this specific bug, as it deals with the way Windows has pluggable protocols for URLs. (Which is not to say that I'm confident the official Mac client has no security problems. I'm not.)
Also, as long as we're mentioning IM clients for the Mac: my favorite is Adium. I'm a little biased, but it has a great UI. (See the About page for screenshots.) libgaim backend, so support for many protocols.
However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
The vulnerability reinforces the importance of using caution when clicking on links in IM messages, especially when they are from unknown correspondents, he said.
This probably would cause some harm but not as much as a worm/virus that would automatically send the malicious URL to all users that are away on your list.
I know that most of my less knowledgeable friends that use AOL would instantly click a URL from someone on their buddy list. I am not so sure they would do it from a random IM.
Re:Don't forget about Trillian for Windoze users, by netsavior (Score: 1)
The free version of Trillian crashes if you try to use it to connect to Yahoo Messenger; the pay version does not have such a problem.
Re:Don't forget about Trillian for Windoze users, by Lisandro (Score: 1)
I have to agree. I really like GAIM, but it doesn't hold a candle to Trillian, IMHO. The best multi-protocol IM client on any platform I've tried.
Kopete is also nice, if you're into KDE.
Re:Don't forget about Trillian for Windoze users, by Captain Segfault (Score: 1)
Trillian is nice and all, but it does not have UTF-8 support in the free version.
As a gaim user, this pisses me off, because it affects my communications with friends using trillian.
Gaim has no problem with UTF-8, nor does the official client.
Re:Don't forget about Trillian for Windoze users, by Anonymous Coward (Score: 0)
There's a patch for that. Several, actually, one for each time Yahoo breaks their protocol. Go find it at ceruleanstudios.com.
Re:Don't forget about Trillian for Windoze users, by Anonymous Coward (Score: 0)
Trillian is nice, but the file transfer feature isn't quite functional.. Hopefully they resolve this issue in future releases.
Jabber & Google, by MarcoPon (Score: 3, Insightful)
I just hope that Google launches a Jabber-based IM system; it will be a major boost to the adoption of Jabber servers as an open standard.
It could also seamlessly integrate with GMail, using the same id both as the e-mail address and as JID.
Oh, I can just see the tin foil hats coming out for that idea... if Google were to do an IM program they'd most definitely want to display AdWords ads based on the conversation.:)
So they won't use Jabber. Of course it's open and they can implement it fairly easily. BUT why the heck should the programmers of Psi, Gaim, Imcom, Kopete, TKGabber,... implement this? Why wouldn't I throw this spam feature away from the code after they implemented it (after smoking some real bad shit)?
So they will stick together with a commercial network. A big one. And after that this network will always change the protocol, so that all the non-official clients will not be able to connect. So it's even harder to convince anybody to change. Unless everybody switches away from this "major" network.
I'm not so sure the Jabber system would work so well with Google. With Jabber (IIRC) all communications go through a central server. Apart from the privacy concerns, that'd be a helluva lot of bandwidth. Jabber servers are really meant to be implemented at the ISP/company/campus/whatever level. That would still work with having identical email addresses and JID's. Google would either have to come up with some geographically-based set of virtual servers (which they probably already do!) or modify the Jabber system to be more peer-to-peer like other IM protocols. i.e The central server is used for tracking user status, searching, etc while the actual communications go directly from user to user.
If Google were to have a bot listen to the conversation and target their ads on GMail at me better, I wouldn't mind - it's not as if Google's ads are intrusive.
As long as somebody (a person) wasn't listening to my messages, I wouldn't mind. If you did, you could always use encryption anyway.
If the tin foil hat crowd are bothered about this, why don't they mind using cable internet - on that, your packets get sent to everybugger in the neighborhood, like Ethernet with a hub, not a switch.
Either that or they could get a nice tin foil theme for their Jabber client.
Other clients will not be a problem. Google can simply implement a web based client, and put targeted Ads on that.
Aside from the web client, one can then freely connect with any Jabber client he want/like, if & when he'll find that more convenient.
I really don't know, but isn't that also true of AIM, unless you directly connect? I know it's easy to have AIM conversations when both parties are behind NAT firewalls that don't allow inbound connections, but I'd have to forward a port to transfer files.
A possible motivation would be more advertising. They could append a text ad to the bottom of incoming messages. Also, that would give them one more playing field to compete with Yahoo on. It's an application that they can have on every client's computer to get information to them... They may put RSS feed notification in it just so they can get you to click a link and see another ad. There's a lot of nifty things they could do with XMPP, but who knows if they'll venture into it.
That said, I really wished it would help, but to most people, it would just be another messenger that isn't compatible with theirs. I plan on fighting this IM thing as much as I can too. I plan on branding an XMPP client and running a server for the place where I work for getting info out to their clients. The business is such that they advise people on stock/option trades, so speedy delivery may give them an advantage over just e-mail. Right now, they use Yahoo for a lot of stuff, and for no good reason. Since our clients need to run applications on their computers to get at other services, I'm going to roll them in there together.
The best thing that could happen is a better XMPP server. Have you ever tried to run an XMPP server and keep all the gateways up? There is no real separation, even when you have different processes. Back when I was running one, the Y! gateway would find a way to take the whole thing down, and I was the kind of guy that had XFree86 4.0 straight off the CVS running just fine. I think it should be so easy to install and extend that there is no excuse to not run it as your company-wide messenger, and you should be ostracized from /. and SF.net for not being reachable via XMPP. Slashdot should notify me of any replies to this message via XMPP!
Maybe we should start with /. Why not give away a @slashdot.org JID with a subscription... I might actually buy one then. Strike a blow for open standards!
IDefense discovered the vulnerability and informed AOL about it on July 12, the company said. The company released an advisory on it Monday only after computer security intelligence company Secunia Inc., of Copenhagen published an advisory warning of the hole, citing information provided by two security researchers who also had discovered the hole.
If this review is something AOL commissioned, good for them. It would be nice, however, if they had an internal QA department that could find these design (actually coding) flaws.
On the other hand, if these companies were not hired for security reviews, will this sort of 'discovery' (paranoia here :) cause a DMCA backlash?
I use Gaim because it's the best in Linux
by
xutopia
·
· Score: 2, Insightful
But I wouldn't tell Windows users to jump right away to Gaim. It is still in beta and has a slew of bugs. Telling Windows users who have no idea what Open Source Software is that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.
Re:I use Gaim because it's the best in Linux
by
Anonymous Coward
·
· Score: 0
Version 0.8.1 does not mean it is beta. It's just a version number to identify from other releases. I doubt there will be any change in the development as it turns 1.0.0
Re:I use Gaim because it's the best in Linux
by
LiMikeTnux
·
· Score: 1, Insightful
"Gaim is only in version 0.81"
IE is only in version 6.0; Firefox is at 0.9.3, which has fewer holes and is actually fixed within a few days.
Just goes to show release numbers don't mean much in terms of readiness.
-- yap
Re:I use Gaim because it's the best in Linux
by
Rethcir
·
· Score: 1
I've been using Gaim under Windows for a while, and it's pretty stable (as of version .79; .80 craps on me with a GTK error) and has a ton of great features. My only complaints are that you have to keep the window pretty wide horizontally in order to avoid having a scrollbar on the bottom, and that your saved away messages should be only one click away rather than nested inside the away button menu, and also I'd like the option to shrink the buddy icons in the buddy list if you choose to view them there. Other than those niggles I think that it's a fantastic program; it's been running on my computer nearly nonstop since April or so, and best of all no ads or spyware! I should try and download the source and do something about those little things.
Re:I use Gaim because it's the best in Linux
by
the_rev_matt
·
· Score: 5, Informative
I've been using GAIM on XP at work for 4 months now. It has had a total of one problem, when Yahoo changed protocols to screw third party IM clients. Downloaded the new version of GAIM less than 24 hours later and it worked fine.
I have encountered zero bugs with GAIM, which I consider very unusual for anything running on Windows.
Re:I use Gaim because it's the best in Linux
by
xutopia
·
· Score: 1
Well, you have been very lucky. My experience with it is that it is shaping up to be something awesome, but as of right now it isn't worth pissing off users with it. It would gain a bad name and I just don't want people associating Gaim with unpolished and bug-ridden.
I have had my fair share of Gaim crashes when receiving an email notification (MSN) with international characters in its subject. I've had version 0.78 crash on me for no reason whatsoever. I've also had no progress bar when sending files up until 0.81, and before that it sometimes appeared and never went away. There are still lots of things that need to be dealt with before this program is usable for the majority of users. A small annoying bug could turn them away from using Gaim for good, even if the next .01 increment would fix that bug and make the software perfectly alright for their usage. Better to be safe and make people see the show once it's ready for the road.
Re:I use Gaim because it's the best in Linux
by
Pastis
·
· Score: 1
Version number has nothing to do with reliability. There is a lot of software out there using a 0.x version number that is better than software over the 1.0 mark in the same domain.
Gaim works fine most of the time, and I've advised it successfully to many Windows users, who have no idea how their computer works, let alone what open source is.
Of course there are the occasional disconnections, but those only require clicking reconnect.
Re:I use Gaim because it's the best in Linux
by
Hoch
·
· Score: 1
The problem with this philosophy is that you are subjecting your friends to the torture of the default clients by not informing them of alternatives. Run aim, msn, etc. for 5 minutes and you will remember all the reasons that it is worth suffering through bugs to use gaim. I am 5 for 6 at converting my friends to using gaim. I personally waited a long time for the windows port, using trillian. The main thing that people seem to like about gaim is that it has an uncluttered interface instead of the 10,000 useless, redundant and downright annoying buttons in aim, msn, (trillian), etc. Gaim does something that most software neglects to do, keep it simple.
-- 2*31*37*263
Re:I use Gaim because it's the best in Linux
by
xutopia
·
· Score: 1
Hey, as much as I am a philanthropist and hate seeing my friends suffer, I feel there is nothing bad with letting them suffer. When they do discover Gaim, and it is bug free and very usable, I'll even install it for them. But I don't want to ruin Gaim's reputation by prematurely migrating my friends to it when it is sub-par.
GAIM? Trillian?
by
Black.Shuck
·
· Score: 3, Informative
Re:GAIM? Trillian?
by
Anonymous Coward
·
· Score: 0
I have to second this post. Miranda is a very nice, small, clean Win32 IM app. I've got AIM, ICQ, MSN, Yahoo running in it fine. Imported all my old contacts/history fine from ICQ or Trickian.
Less memory usage and crashing by far than Trillian. And it's free!
or... for win32bies...
by
doppleganger871
·
· Score: 3, Informative
I've been using Kopete for a while and enjoy it. On a lark, I tried Gaim recently, only to find that it won't work with MSN Messenger "out-of-the-box" because it requires installing some SSL thing. So, I said screw Gaim, and still use Kopete. Not that I'm in love with MSN Messenger, but that's what most of my non-geek relatives use.
--
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Re:Kopete vs Gaim
by
Anonymous Coward
·
· Score: 0
It does work out of the box, provided you have either GNUTLS (used by lots of little miscellaneous programs) or Mozilla (or just its libnss) installed.
Kopete needs an SSL library installed too, surprise! It just uses a different one (Konqueror's, I'd guess).
The win32 package comes with this, so you've probably got either a braindead binary package, a super stripped-down system, or you're whining over a build-dependency.
Yep, I didn't have Mozilla. I do now, so maybe I'll try again. Sure, I could probably just download the damn ssl thing, but I'm tired of downloading crapheap upon crapheap upon crapheap to satisfy little "application" dependencies. This isn't win32... though I would imagine that a modern win32 installer would be kind enough to include required dll's and such.
--
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Read the FAQs on gaim.sf.net. There's a section covering SSL. You have to edit a file and run a command or two; can't remember what they are, as I use aMSN now (amsn.sf.net).
I solve the problem of missing dependencies by using a package manager to automatically download and install dependencies. There are many distros that support this by default, maybe yours does too?
-- I'll probably be modded down for this...
Coincidental...
by
GillBates0
·
· Score: 4, Interesting
I've been assigned a task of choosing the best IM service/client for our group at work and will be recommending Gaim (correct capitalization) at a meeting today.
The decision was mostly because of its cross-platform, cross-service compatibility and "Buddy Pounce" features (and because it's my personal favorite too :)). This way folks can continue to use their personal MSN/AIM IDs without a problem. The Buddy Pounce feature allows a script/macro to be run in response to an event; this feature is particularly useful for us because we can kick off an SMS message, for example, in response to a message or another event.
Though they don't release Solaris binaries, I did get it to build on Solaris/SPARC with a little effort. I know the Yahoo Messenger UNIX version is open source now, so I could probably try and build it for obscure platforms, but it is IMHO severely crippled compared to the Windows counterpart.
-- An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Re:Coincidental...
by
Anonymous Coward
·
· Score: 0
They do release Solaris binaries, but not as often.
Re:Coincidental...
by
Anonymous Coward
·
· Score: 0
At our workplace, the best IM service/client is... nothing. We have forbidden the use of any IM in the workplace and I think that is the best decision for our business. Show me one person using IM at work for business purposes and I'll show you 10 more goofing off talking to their buddies. Every workplace is different, but I would never implement an IM solution without some ability to monitor/record the communications. No, we're not big brother, but you need to have a way to cover the business' butt from the rogue employee and your butt for making the recommendation.
Re:Coincidental...
by
accessdeniednsp
·
· Score: 3, Informative
And don't forget about the gaim-encryption plugin!
http://gaim-encryption.sf.net
Cross-platform, and uses the mozilla NSS libraries which gaim already uses too!
Re:Coincidental...
by
Anonymous Coward
·
· Score: 1, Insightful
Gaim also sucks in a lot of ways.
Its support for non-aol protocols is between half-way decent and crap (though some, like IRC have recently improved a lot... hence half-way decent).
Gaim (at least recently, a month or two ago... things do change quickly) still can't handle multiple presences in Jabber (although now that AIM has a similar thing I wouldn't be surprised if Gaim fixed that; it used to be that it would disconnect if a new presence connected).
Buddy Pounce is cool. It was the reason I started using it many moons ago. Nothing really new has been added that's been innovative, which on one hand is sad, but on the other hand indicates it has matured. Gaim-e is nice but it's also nice to have automatic key generation (granted this has the problem of MITM attacks that Gaim-e and its gpg based solution doesn't have).
Also, the Gaim code is horrible. This is most likely because of its integration with GTK, but pretty much everything, including protocol back ends, is intrinsically tied to the front end, which makes it in my mind poorly designed.
But whatever works, right?
(speaking of which--as for 'best IM service' I'd suggest Jabber, which you may have already decided on... built-in support for SSL connections, most clients support end-to-end encryption with PGP also, and you can have multiple sign-ins using different 'resources' such as different machines. I'd suggest using Psi though as it (in my opinion) is the most feature complete Jabber client. It is also cross platform. Gaim of course also supports Jabber. )
Since nobody said it: beware of when providers upgrade protocols for "security" reasons. You might end up with a few days without it.
Re:Coincidental...
by
Anonymous Coward
·
· Score: 0
The decision was mostly because of it's cross-platform, cross-service compatibility and "Buddy Pounce" features (and because it's my personal favorite too:)) (emphasis mine)
Sounds like you made a proper, un-biased decision.;-)
Seriously though, you might want to think about it a bit more pragmatically.
Gaim has some issues:
- Typical Open Source user interface: quirky, unintuitive and buggy (this is not flamebait; I'm actually evaluating Gaim for my own use right now and I will report my findings back to any developer that is interested).
- Risk of support of the protocol disappearing if you use MSN or Yahoo's protocol. Yes, eventually they will reverse engineer it, but some companies are not happy when a communication system goes down for several days.
- The Buddy Pounce feature sounds like a feature that is vulnerability prone. I don't have any proof, but if I wanted to compromise Gaim, that's where I'd start looking.
- Unproven security. You can't compare Gaim with MSN or Yahoo Messenger. It simply hasn't had the pounding yet. Perhaps it will stay relatively obscure (I'd guess it probably falls within the less than 1% market share), in which case it may never get the attention of black hats.
Gaim's protocol plugins have been clean of any GTK code for at least several months now. And Jabber's "built-in" SSL support is not always secure, since it does not ensure that the other party is also connected to a SSL enabled Jabber server.
Actually, the fact that Gaim is open about security issues is much more encouraging than the silence given by AOL....
-- feh. stuff.
Re:Gaim security
by
Xoder
·
· Score: 2, Informative
None of those are recent. There's one that's dated august 4, but it only refers to gaim 0.75 and earlier (and many versions of Trillian, I might add!). 0.81 is here, and dear goodness is it tasty! (AIM file sending now works [slowly, but AIM-ftp was always slow])
-- The previous sig has been removed due to /. protecting your best interests
Seriously, it's easier to ignore people you don't want to deal with if they know you don't use away msgs.
Do alternative clients handle voice?
by
Anonymous Coward
·
· Score: 0
Slightly off-topic, but do any of the alternative clients for AOL, ICQ, Yahoo or MSN messenger handle voice? My parents never learned to type (learning to type Far-eastern languages IS a major undertaking), so they rely on the voice capabilities of the IM's.
Re:Do alternative clients handle voice?
by
mattyrobinson69
·
· Score: 1
Gaim recently forked to get this functionality. Search on sf.net for it.
"However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said."
Yeah, this wouldn't be such a problem if the average IQ of an AIM user was above 2
MizzIz283334: "LIke, OMG Iz just gots a linky from somewhere!!!11!!oneoneone"
IzLikeBoizzz435435: "OMG u clic it?"
MizzIZ 283334: "OMG WTF BBQ My computer died!!!"
Ah, so true. It's ridiculous to expect (most) AIM users not to click on a link. I know my sister can't help herself; she almost binned a perfectly good laptop because it was browsing the internet incredibly slowly. The reason? So loaded down with spyware it could barely run calc. I cleaned it up and it runs perfectly.
Re:oh god
by
Anonymous Coward
·
· Score: 0
Now where is that "My Sister uses Linux" in caps signature with obscure reference to "whor" when you need it.
Seriously, is Gaim really a better client? It always seems to me like the unauthorized clients are a generation behind the real ones. Back when file sharing was big, Gaim could not do it. Then buddy icons; Gaim could not do it. Now Gaim can do those, but the big thing is voice and video, and Gaim can't do those.
-- The war with islam is a war on the beast
The war on terror is a war for peace
It alwasys (sic) seems to me like the unauthorized clients are a generation behind the real ones.
Of course they are. You can't write the support until you've got a spec to write to, and you don't get that until the authorised client is published. OTOH this is /.; a lot of us share files using scp, for example. I know I don't care whether or not my IM client supports file transfers, or anything beyond text messages for that matter.
I'm sure you already know this, but gaim-vv is a friendly fork concentrating on the video and voice stuff, so at least they're making an attempt to catch up.
As an aside, I can think of many features where the official clients are/have been behind. When logging was big, the official clients couldn't do that! Another good example is buddy pouncing. Not to mention all the plugins...
-- You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
Well, seeing how I never use audio or video, Gaim's the better client for me simply because it can auto-save transcripts and doesn't have Flash ads. Although I wish they'd implement a decent scroll-back history feature like ICQ. I can't count the number of times with Windows AIM where I've accidentally closed a window full of flight information or something and have to try to get it again somehow.
Actually, I *really* wish that all my friends had just stuck with ICQ instead of jumping to AIM (which was faster at the time), but what can you do...
Re:gaim
by
Anonymous Coward
·
· Score: 0
And none of them can keep up with the quality of audio/video in iChat.
I've never used ICQ, but for quick history you can use the "History" plug-in which comes with Gaim. Every time you open a conversation window, it displays the log of your previous conversation with that person on top (it makes all the text black and puts a to separate it from your current conversation).
-- Centralization breaks the internet.
Something other than Struts?
by
llamalicious
·
· Score: 0, Offtopic
Hey FK, long time no msg.
Anyhow, I'm getting ready to start work on an enterprise size portal system (non Slashdot related) and if you're considering Struts old, can you give me any insight into state-of-the-art with MVC in Java...?
I've just started getting into Struts as it looks like a great way to maintain scalability and have code/HTML separation, without too much of an insane learning curve.
Why does every article mentioning a piece of software have to mention a FLOSS alternative in the blurb?
Re:Why allways plugging FLOSS?
by
dave420
·
· Score: 1
Because it's slashdot! Damn anyone to hell who has a problem with recommending buggy alternatives to people running polished finalised software with very minor bugs! Damn them to hades!:-P
Because FLOSS software has always spread by word-of-mouth. Commercial vendors have a thing called a budget and part of it will be money for advertising and other promotional gimmicks. Most FLOSS doesn't have any of that but still needs to "get the word out". It's just different methods used by two different systems of software development. I'm a long-time Linux and FLOSS user/supporter so I usually know about the things they mention. But occasionally someone will mention a package or project I haven't heard of before. It's useful information.
Okay, that joke would have worked if, for instance, AIM was anywhere near a polished piece of anything. But seriously, AIM isn't even in the same league as Gaim.
Re:Why allways plugging FLOSS?
by
dave420
·
· Score: 1
Apart from the fact AIM has been around for years, is incredibly stable, ISN'T BETA, and has a real, professional support team working to keep it that way. I know people here love to defend their open-source apps, but really. Objectivity doesn't hurt.
Re:Why allways plugging FLOSS?
by
Lehk228
·
· Score: 1
yes minor flaws such as Arbitrary remote exploits, that's nothing to worry about there. Now gaim is terrible, a clever h4x0r could find out your USER NAME for a while before the leak was fixed.
-- Snowden and Manning are heroes.
Re:Why allways plugging FLOSS?
by
tepples
·
· Score: 1
Now gaim is terrible, a clever h4x0r could find out your USER NAME for a while before the leak was fixed.
You don't need to be a clever cracker, as last time I checked, user names (but not passwords) were public. Profile links to my web site, which links to my e-mail address, which contains my (public) user name.
Re:Why allways plugging FLOSS?
by
lboxman
·
· Score: 1
Dude...I think you missed the joke...
-- Regexes are like cocaine. The first hit is pretty good, but afterwards you try to use them to solve all your problems.
They should have a cheerful voice say "Welcome to Hell" when you join an AIM chat room. Bugs galore. YM has buggy chatrooms ("conferences") too, but AIM is much, much worse.
Did you know that you can add AIM contacts to your contact list on ICQ, and vice versa?
Much handier for keeping message archives, and much less exploitable... and less intrusive also.
For those who don't want to use GAIM, Trillian, or Miranda.
The AIM client is ugly and stupid; I can't believe people still use it anyway.... unless they've "gotta have their AOL" even though they've "graduated" to a real ISP.
Feh.
-- [an error occured while processing this directive]
Re:I use the ICQ client.
by
hawaiian717
·
· Score: 1
Older versions of ICQ can't talk to AIM, and vice versa. Personally, I expect sooner or later ICQ will cease to be a separate service from AIM; ever since AOL purchased ICQ the two have gotten more and more alike... ICQ uses AIM's OSCAR protocol now.
-- End of Line.
Proxy Servers...
by
barcodez
·
· Score: 0, Offtopic
I can't get Gaim to work through our company proxy servers, whereas the Yahoo and MSN native clients do so fine. I have tried all the proxy settings available. Our proxy server is an MS ISA server... *shudder*.
One of our users posted a walkthrough of this fix this morning. Supposedly there is a new beta version of aim that has been released without this exploit... but I've not seen it yet.
Eh, Trillian is shareware trash for newbies who don't know any better.
How on Earth did this flamebait get rated highly?
Paying someone for a client to access a free service seems about as silly as paying for IE or Netscape.
Except that Trillian has nice features, a nice interface, really good technical support, and all the features I want. Yeah, I guess I'm a newbie though... only been working with computers for 20 years.
-- Ironically, the word ironically is often used incorrectly.
I mostly use GAIM, but only because I work on Linux. Excellent as GAIM is, it's not a patch on Trillian. Trillian is one of the few utilities I've splashed out cash for the full version for. It's a great bit of software.
Funny how trillian has none of the features I want, and the interface is so "nice" that it takes 5 minutes to do anything, if you can do it at all. And then they try to convince you that it would be a good idea to pay money for that crap when the free alternatives are better?
Funny how trillian has none of the features I want
Yikes, I can tell this is going to be an unbiased review... literally, NONE of the features you want? Give me a fucking break, man.
the interface is so "nice" that it takes 5 minutes to do anything
How can one even argue with such ambiguous garbage? How about an example of something taking a long time to perform in Trillian? I use it all the time and am anal about things like that, and have had no issues. It's also very easy to write plugins for Trillian, to extend it.
If I wanted, I could install a skin to make it look like Gaim, but honestly, why would anyone want their application to look like it uses Gtk?
-- Ironically, the word ironically is often used incorrectly.
Gaim is teh suck
by
Anonymous Coward
·
· Score: 0
AIM users are by huge majority, windows users. GAIM for windows is broken. It crashes too much. The program just isn't stable. I used it for a few weeks and just didn't like it at all.
ICQ is the only real chat program out there. It's got all the features of AIM plus more plugin features and the ability to send offline messages that users can pick up later when they log on (without you having to be online).
ICQ will also allow you to add AIM names to your list now, but you can't do things like file transfer with AIM users.
They're owned by the same company, so I don't understand why they're not better incorporated into one another.
that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.
{thongue in cheek mode:ON} Apparently you have no idea what Open Source Software is either {/thongue in cheek mode:OFF}
More seriously: unlike proprietary software, open-source software whose version number is less than 1.x usually means "warning: not all the cool functions you would like to see are implemented yet" rather than "this software is an experimental piece of crap that will keep crashing your OS; please wait until we get out of the beta stage before testing it, unless you back up your data often".
Personally I've been using Gaim since version 0.5x, both under Linux at home and under Windows at work, and I can say: it's pretty stable. I've been telling my brother and my friends about it and they are happy too. The only reason it hasn't reached the 1.x milestone isn't because of the bugs, but because there are some features it's still missing (mainly: some kinds of file upload are missing, although things are a lot better since 0.80; support for webcams, etc.).
This is a common misconception, and a lot of newbie users can be heard complaining "Linux distro sucks, it's only full of bug-ridden software: everything is version 0.xy".
-- "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
This is a common problem with OSS. The versioning system is *broken*. And, what is worse (and very common among the OSS community), OSS developers blame the users, not themselves for the misunderstandings.
Previous to many of these OSS projects gaining prominence, "1.0" was commonly accepted as the milestone where basic functionality was fully working. The software may not be "done", but it was usable and things would Just Work. This was a de-facto standard used by almost all commercial vendors, which was handed down to students of programming, and even into software engineering textbooks. OSS dev guys just said hey screw that...13454 is the point where the software became usable, its up to the users to figure that.
1.0 made sense. Now... it's virtually meaningless. I have no idea if a .9 version is as good as Firefox or as crappy as a piece of software in beta. 1.0 for OSS somewhat resembles the 3.0 of MS, aka the version when things are finally done well.
Practices like this and others are what is entrenching OSS as "programs for programmers" and keeping them off my family's start menu. Which is fine by me, but the general goal of OSS seems to be general acceptance among all users. If you disagree, explain, and also explain how I should be interpreting the "intuitive" versioning systems of many pieces of OSS software.
Re:Gaim works
by
Anonymous Coward
·
· Score: 0
"Wait till it hits 1.0 before telling people to use it."
Gaim will most likely never "hit 1.0". To me, 1.0 means "this will work. Forever. It's completely stable."
Because Gaim depends heavily on servers speaking closed protocols whose whims we have no control over, there's no way I can guarantee that Gaim will work, even tomorrow.
Indeed, if Gaim were released as a 1.0 version any of the several times it's been considered, neither MSN or Yahoo! would work in it right now.
So, to stress that no version of Gaim is guaranteed to work, Gaim's version number is always 0.x where x is the number of releases made since the first one way back in 1998.
Gaim is almost six years old. It's certainly highly usable, stable, and featureful. The only change to version numbers being seriously considered is dropping the 0. and making the next version Gaim 82, for example.
Re:Gaim works
by
Anonymous Coward
·
· Score: 0
1.0 made sense. Now... it's virtually meaningless. I have no idea if a .9 version is as good as Firefox or as crappy as a piece of software in beta. 1.0 for OSS somewhat resembles the 3.0 of MS, aka the version when things are finally done well.
This is not an OSS problem; it's a problem with software in general. Your attack is misdirected.
Re:Gaim works
by
Anonymous Coward
·
· Score: 0
I've tried Gaim a number of times in Windows, and each time I get disgusted and stop using it. I usually IM on my laptop, which experiences network disconnects. Gaim presents modal dialogs notifying me of each and every one of these network events. And it seems to crash on me not infrequently either. I don't want to get involved in the development process and submit bugs/fixes; I just want it to work. AOL AIM just works, so I use it.
Re:Gaim works
by
Anonymous Coward
·
· Score: 0
I've tried Gaim in the past and it sucked. I'm using Trillian now and it sucks too, just not as much. Maybe I should try Gaim again, but I do have other things to do than try new versions of IM clients every week.
This is a common misconception, and a lot of newbie users can be heard complaining "Linux distro sucks, It' only full of bug ridden software : everything is version 0.xy"
Heh, and part of the reason they don't go to 1.0 is so they have an excuse when people complain about bugs/missing features. "Well yeah, it's not done yet!"
The first decently-sized OS project I did, I started with 1.0 alpha 1. When I felt it had a good feature set, I switched to 1.0 beta 1. When that got to a good stability, 1.0. That's how it's meant to be IMO. If you version stuff with 0.x, you'd better have design goals, a (fairly) fixed metric that defines what 1.0 will be. Otherwise you'll just keep pushing it off.
Re:Gaim works
by
Anonymous Coward
·
· Score: 0
{thongue in cheek mode:ON}
thong in cheek? At least we know why you were away.
Re:Gaim works
by
Anonymous Coward
·
· Score: 0
Did you try it lately? In the newest versions you can configure the autologin plugin to avoid these messages. Of course the messages should have been switched off by default, but at least you can get the right behavior if you want it.
Gaim usability has improved a lot. The program is still behind the average GNOME standard, but the program is definitely not disgusting.
My only grudge is that when I start Gaim it takes a while before the buddy window appears. This means that I have to wait to be able to place the buddy window where I want it. Preferably, the buddy window should appear just after the login window has appeared. This way I wouldn't have to wait.
Bitlbee is an IRC gateway server. Basically it's an IRC server where you can add IM accounts. The gateway gives you an "IRC channel" with ALL your contacts, whatever they are using.
NOTE: The setup has TWO flaws:
1) You can not exchange files (no filetransfer).
2) Bitlbee does not support GPG encryption for secure communication (available in Jabber clients like gjabber and Psi).
Rule of thumb: Original IM providers clients are never the best choice.
Re:Client for your IM needs
by
phuturephunk
·
· Score: 1
Make it a one-click install and maybe you'll have a shot at someone (other than someone with extensive computer expertise) adopting it.
Re:Client for your IM needs
by
dave420
·
· Score: 1
Or, just download Trillian, and do all of that without touching the command line.
Rule of thumb: Everyone on /. will recommend a solution infinitely more complex than the one they suggest replacing.
Re:Client for your IM needs
by
xiando
·
· Score: 1
End users don't need to install or know much about Bitlbee, but to use it they must be able to:
a) (install and) use an IRC client, OR
b) use a web browser
I've heard there is something called MIRC for Windows, apparently it's very simple. I've also heard Windows comes with something called Internet Explorer.
Re:Client for your IM needs
by
phuturephunk
·
· Score: 1
This is what I was getting at. Thank you for clarifying. There's a term for this sort of behavior, but I can't remember what it is.
I usually refer to it as the Germanization of things, pulled from the fact that most German cars are too over-engineered for their own good.
Re:Client for your IM needs
by
dave420
·
· Score: 1
I think Germanization is a bit harsh:)
Americanization is probably a better term from a global perspective;)
Re:Client for your IM needs
by
Anonymous Coward
·
· Score: 0
I can't call Screen a window manager since I've been using TWIN (text mode window manager) from twin.sourceforge.net.
It has the same basic functions (detach, etc.) but it lets you have many terminals open in an X-like text mode: move them around, roll up, upper/lower, etc. I've been using it for years, I love it.
I'd switch to gaim..
by
Anonymous Coward
·
· Score: 2, Insightful
but the UI is pretty lousy
Bugfree OSS
by
brianerst
·
· Score: 5, Informative
Re:Bugfree OSS
by
signingis
·
· Score: 2, Interesting
What was the response time for developers to release fixes for GAIM? We're going on 3 weeks now for AOL to release the fix for AIM. Not to mention that some of the vulnerabilities in GAIM were found in older versions of the program when upgrades were available.
--
I prefer a void in conversation to a vacuous one.
Re:Bugfree OSS
by
brianerst
·
· Score: 3, Informative
Well, according to e-matters, a series of 8 different buffer overflow bugs were disclosed to gaim developers on January 4, 2004. A new gaim client (0.75) was released on January 10, but this only fixed one of the overflows and introduced four new ones.
On January 15, gaim development was emailed patches for all 11 existing bugs. A patch was added to CVS that evening, but there was no 0.76 release and no public disclosure by gaim dev (at least on their Sourceforge page - there may have been something sent to the mailing list). On January 23, e-matters let gaim dev know that they would release the bug report on January 26. On January 25, gaim dev replies that there is no timeframe for a 0.76 or bug-fix release. On January 26, e-matters publishes the bug report.
On January 28, gaim dev responds with a note saying they are far from a 0.76 release and provides a link to the FreeBSD source patch. Not much use to your average teenage Windows IMer. There may have been an executable patch, but I can't find any evidence of one.
On April 1, gaim 0.76, the first release with the bug fixes, was released. This has taken so long because:
This is no slam on gaim - the devs have lives outside of gaim and I'm glad they're providing a great OSS client. But like anything, there are pros and cons to both OSS and commercially developed software. Assuming that OSS is always more responsive, more bugfree, and better in every other way is naive. There are tradeoffs involved in libre software - most are well worth it, but there can be downsides occasionally too.
Browser does matter.
by
Chuck+Chunder
·
· Score: 2, Informative
Opera for example doesn't just action any URL type.
It will only pass on those that have been configured to be trusted.
-- Boffoonery - downloadable Comedy Benefit for Bletchley Park
Umm is this not a user issue?
by
matth
·
· Score: 1
However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
Correct me if I'm wrong but this sounds to me like the user has to click something and it isn't automated.... therefore, once again it is stupid users, not software!
Re:Umm is this not a user issue?
by
TEMM
·
· Score: 1
You can make it happen automatically by making the page redirect automatically to that URL.
Re:Umm is this not a user issue?
by
d3ad1ysp0rk
·
· Score: 1
Correct me if I'm wrong
Ok.
The point is, the software is supposed to stop things like this from happening. That's the whole point of having error classes, form validation, and the whole 9 yards.
They thought "well, the only way to get an away message is by entering it into the text box we provide, so there's no need to check the length", but like usual, they were wrong, since it can be sent via links/redirects.
Re:Umm is this not a user issue?
by
matth
·
· Score: 1
Yes, yes... I understand that... I kinda like the whole aim: thing. It allows me to join chat rooms from websites, also lets me have websites that set rotating away messages.
I'm still not sure how this is an issue exactly. If you are clicking a link you should be checking where it goes before you click it(yes I do).
Yes, they should do length checking, but I wouldn't say this is entirely an AIM issue, as much as a user education issue.
I tried gaim for windows a while back, but the performance of the app is pretty rough. Very slow screen updates, and lots of bugs, especially on a machine that's not a multi-gigahertz one.
Miranda is one I found recently, which is really cool. Small, compact, and fast, but still powerful. http://www.miranda-im.com/
I use gaim regularly, but I still haven't weaned myself off the official AOL Linux AIM client because gaim still crashes every time I try to send or receive a file. Never have I seen a feature for an OSS program be so seemingly painful and difficult to implement.
--Stephen
-- Did you ever notice that *nix doesn't even cover Linux?
Gaim not a full-featured alternative
by
mccalli
·
· Score: 3, Insightful
The smug "switch to Gaim" comment rather let the side down there, I think. Gaim is not a full-featured replacement. The particular deficiency I'm referring to is common to many alternative IM clients - yes, they all handle chat but very few go the whole hog and support video chats. Alternative MSN client supporting video? Not that I can find, though I'd be happy to be proved wrong here.
A quick search reveals a fork of the Gaim project here, which, err, aims to add video functionality. Looks good from the shots, though I haven't tried it myself.
The point of this is that people should think things through before just spouting off the top of their head. It doesn't help to have people say "yeah, use this free alternative!" and then have people turn round and say it doesn't work. I'd love to recommend a non-AOL AIM client to people, but until AV is handled I simply can't. Same for MSN -all very nice for text and file transfer, but not up to scratch for the advanced functions yet.
Cheers,
Ian
Re:Gaim not a full-featured alternative
by
McBeer
·
· Score: 1
-- Hikery.net - The best hiking site ever. Made by yours truly.
Re:Gaim not a full-featured alternative
by
mccalli
·
· Score: 1
MSN messenger supports video chat.
Well yes, but that's not an alternative client - it's the official one. Unofficial ones are needed to integrate multiple accounts, and also to operate on different platforms. And NetMeeting is drastically NAT unfriendly - not its fault, just the protocol it implements.
At this moment, for example, I have iChat and Fire open. The reason I have iChat open is purely for the AV side of things - Fire can't handle that.
On Windows, I have Messenger installed too, again to handle video conferencing. I know of no alternative which can do that, and I'd love one - video-conferencing with MSN user on my Mac would be a great boon to me, but MS's official Mac client can't handle that. As it is, I have to persuade people to install AOL 5.5 or put away my laptop and go use the desktop PC upstairs. Can't move the PC over to Linux either - same reason, no AV support for IM networks.
I should point out that I use this feature a lot, so it really does matter to me.
I primarily use GAIM for AIM/MSN at the same time with logging. However I need to keep AIM installed to send/receive files; you would think the file capabilities would be working in win32. It is a PITA.
Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.
Here, I would think that the usual case, where an active open source program at 0.x is better than a commercial product at 6.x, holds true. Gaim v0.81 has over 250+ bug fixes, a few big, many small, and that product is VERY stable and logs into everything. I know 20+ people all on various ports of Gaim and no complaints. Prior to 0.6, it's been a bit hellish, but 0.7+ has been simply sweet. Remember you can install new versions of Gaim on top of old ones, and you won't lose your settings. Also, Gaim can run alongside the "real" IM programs, so if you don't like Gaim it's a 30 second uninstall. The benefits are worth the "risk" of trying it out.
This "hole" is just smoke for AOL paid infections
by
woodsrunner
·
· Score: 0, Troll
This exploit seems minor compared to the spyware installed by default with AIM. How can AOL say they protect you against viruses and then install Gator et al by default on your box?!
I am pretty sure the animated pop up warning about spy ware on your computer, the one with the animation of bugs fornicating, is installed via AIM as well. How can AOL call themselves a family company?
Saying there is a security hole in AIM is like saying there is a type of virus that attacks people with AIDS. No duh. AIM is a major vector of problems and probably should be classified as a virus.
Thank you for your time. I'll stop ranting now before I even get into that annoying infection called Messenger.
Re:This "hole" is just smoke for AOL paid infectio
by
Anonymous Coward
·
· Score: 0
Have you ever even used messenger? In no way does it install spyware; ad-aware and spybot'll both confirm that on my machine. Stop spreading FUD.
Sure, its a great client
by
imtheguru
·
· Score: 1
> seriously is gaim really a better client? It always seems to me like the unauthorized clients are a generation behind the real ones.
Well, that is kind of expected. Not all the protocols are openly documented -- some have to be continuously reverse engineered to figure out the latest obfuscation. Frequent changes to Yahoo's auth procedure come to mind (see the changelog).
And you say "a generation behind" as if it is a bad thing. Note the argument "bleeding edge vs bug free". More mature software typically delivers a better user experience. That said, it should be noted that Gaim has been and still remains one of the most active projects on sf.net. Should tell you something about the pace of development.
> Back when file sharing was big, gaim could not do it.
So are you admitting to file transfers being a passing fad?;) Gaim did support file transfers on different protocols at different times. Look at the changelog:
version 0.11.0-pre5 (02/26/2001) -- Rewritten file transfer for TOC
version 0.75 (01/09/2004) -- Yahoo! file transfer (Tim Ringenbach)
version 0.76 (04/01/2004) -- Jabber file transfer
version 0.76 (04/01/2004) -- IRC file transfer (Tim Ringenbach)
version 0.79 (06/24/2004) -- Added MSN file transfer (Felipe Contreras)
version 0.80 (07/15/2004) -- Drag a file into the buddy list or a conversation to send it to that buddy
I know that much of the file transfer functionality for MSN and Y! protocols has been added just last month. But, to be perfectly honest, I didn't miss this feature, coz I use email to send/receive files. IMAP beats having to write firewall rules.
> Then buddy icons, gaim could not do it. No gaim can do those,
version 0.11.0-pre12 (05/29/2001) -- Can receive buddy icons in Oscar
version 0.45 (10/04/2001) -- Can choose buddy icon to send (for Oscar)
version 0.63 (05/16/2003) -- MSN protocol plugin was rewritten, has experimental buddy icon support, and MSN Mobile support.
version 0.79 (06/24/2004) -- Yahoo buddy icon support
version 0.79 (06/24/2004) -- Dragging an image file into the Modify Account dialog will set that as a buddy icon.
Earlier buddy icons could only be set for AIM/ICQ (2001-2003). Now i can drag an image onto the "modify account" dialog of any account and I get an instant buddy icon.
> but the big thing is voice and video, gaim cant do those.
Sure it can. Check out gaim-vv. It is a fork of gaim with the aim of bringing Voice and Video to the gaim experience. It's not perfect, but it's not moving backwards either.
I think you should test drive a recent gaim.
Cheers,
imtheguru
-- Yet Socrates himself is particularly missed.
A lovely little thinker but a bugger when he's pissed.
hmph
by
Anonymous Coward
·
· Score: 0
Gaim is shit. Use Trillian Pro. That is all.
Re:This "hole" is just smoke for AOL paid infectio
by
Anonymous Coward
·
· Score: 0
AOL has nothing to do with Gator. If you remotely had a clue of what you were talking about, someone might bother to listen to you. Clearly that is not the case.
there'd be security holes in a third rate app from a third rate company!
Re:This "hole" is just smoke for AOL paid infectio
by
HFXPro
·
· Score: 1
You must have not used AIM lately. It doesn't install Gator, but while installing AIM, if you're not paying attention, it will install both WeatherBug and WildTangent. Ever try removing WildTangent from your control panel after having removed what you thought was all components? That was a nightmare.
-- Reserved Word.
a more secure approach
by
feepcreature
·
· Score: 4, Interesting
I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.
Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.
The more secure approach is not stripping out possibly dangerous input - it is only permitting the minimum necessary. It's not always possible, but it should be applied where possible.
So if it's a phone number, just numbers (and brackets and a plus for international numbers, and maybe minuses for the transatlantic cousins).
Naturally there is a tradeoff between security and usability - especially if you make a mistake in the permitted characters:-(
Even if you're not going that far, anything that looks like an escape character of any sort should generally be banned. Of course, some names have apostrophes, which could look like 'close quotes' if your app is especially dim.
Just as well there is no strict liability for software bugs!
-- Paul
"Say no to feeping creaturism"
nasty, but good for you...
by
feepcreature
·
· Score: 1
I'm not having any more luck getting developers to incorporate self test, bounds checking,
and testability access points than I am trying to get my kids to eat vegetables.
Nice analogy:-)
Have you (or the PHBs) tried code review or unit tests? That might get them eating their spinach, so to speak...
-- Paul
"Say no to feeping creaturism"
Why didn't they use anything like Vstr?
by
tepples
·
· Score: 1
Even C and C++ have mechanisms for safe string handling. C++'s std::vector and std::string types can be configured with buffer checking, and judicious use of a decent string handling library can solve the problem for C. Thus, I see the problem as programmer ignorance of the available libraries rather than any inherent defect in the languages themselves.
Re:Why didn't they use anything like Vstr?
by
Anonymous Coward
·
· Score: 0
Well, it seems this flaw in particular is really caused by dummies who are doing things like:
char buf[1024];
strcpy(buf, user_input); /* no length check: user_input of 1024 bytes or more overruns buf */
Anyone dumb enough to do this has no place using C.
You're right, the problem is programmer ignorance. But I don't think using special string libraries will solve the problem of incompetent programmers who really don't know how code works. It will only mask it.
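An added example (mine, not code from the page, from AOL or from gaim) that serves both feepcreature's point above about permitting only the minimum necessary input and this reply's unchecked strcpy: it extracts the message= parameter of an aim:goaway URI into a fixed 1024-byte buffer, refusing rather than truncating anything that does not fit, rejecting any decoded byte outside a printable-ASCII allowlist, and keeps the unchecked copy beside it for contrast. The 1024-byte buffer size is the figure from the thread; the URI layout, the form-style decoding (%XX and + for space), the function names and the allowlist are assumptions.

```c
/* Added example, not from the page or from AIM/gaim sources. Assumptions:
 * AWAY_MAX matches the 1024-byte figure given in the thread, the URI is
 * aim:goaway?message=<form-encoded text>, and an away message may contain
 * only printable ASCII. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AWAY_MAX 1024

/* The pattern the thread blames: fixed buffer, unbounded copy.
 * An argument of AWAY_MAX bytes or more overruns buf (stack smash).
 * Kept for contrast; never called with oversized input below. */
static size_t vulnerable_set_away(const char *msg)
{
    char buf[AWAY_MAX];
    strcpy(buf, msg);               /* no length check */
    return strlen(buf);
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hardened path. Returns 0 and fills out[] on success; returns -1 if the
 * URI is not an aim:goaway URI, has no message= parameter, contains a bad
 * %-escape, decodes to more than out_len-1 bytes, or contains any byte
 * outside the printable-ASCII allowlist (NUL, control bytes, high bytes). */
int parse_goaway_message(const char *uri, char *out, size_t out_len)
{
    static const char prefix[] = "aim:goaway?";
    const char *q, *p = NULL;
    size_t n = 0;

    if (out_len == 0 || strncmp(uri, prefix, sizeof prefix - 1) != 0)
        return -1;

    /* walk the query string parameter by parameter; match only a whole key */
    for (q = uri + sizeof prefix - 1; *q; ) {
        const char *amp;
        if (strncmp(q, "message=", 8) == 0) { p = q + 8; break; }
        amp = strchr(q, '&');
        if (!amp) return -1;
        q = amp + 1;
    }
    if (!p) return -1;

    while (*p && *p != '&') {
        int c;
        if (*p == '%') {
            int h = hexval((unsigned char)p[1]);
            int l;
            if (h < 0) return -1;
            l = hexval((unsigned char)p[2]);
            if (l < 0) return -1;
            c = h * 16 + l;
            p += 3;
        } else if (*p == '+') {
            c = ' ';
            p++;
        } else {
            c = (unsigned char)*p++;
        }
        if (c < 0x20 || c > 0x7e) return -1;   /* allowlist: printable ASCII only */
        if (n + 1 >= out_len) return -1;       /* bounded: reject, do not truncate */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return 0;
}

/* Builds a constructed test URI whose message= parameter is `len` bytes of 'A'. */
void build_uri(char *dst, size_t dst_len, size_t len)
{
    size_t base, i;
    snprintf(dst, dst_len, "aim:goaway?message=");
    base = strlen(dst);
    for (i = 0; i < len && base + i + 1 < dst_len; i++)
        dst[base + i] = 'A';
    dst[base + i] = '\0';
}

int main(void)
{
    char out[AWAY_MAX];
    char uri[4096];

    build_uri(uri, sizeof uri, 2000);
    if (parse_goaway_message(uri, out, sizeof out) != 0)
        printf("rejected a 2000-byte away message (the unchecked copy would have overflowed)\n");
    if (parse_goaway_message("aim:goaway?message=Out+to+lunch%2C+back+at+2", out, sizeof out) == 0)
        printf("away message: %s\n", out);
    printf("short input through the unchecked copy: %zu bytes\n", vulnerable_set_away("back soon"));
    return 0;
}
```

The allowlist as written also rejects non-ASCII text, which a real client that supports it would have to widen deliberately; the point is that the bound and the allowlist are enforced at the point where untrusted input enters, not at the text box, so a redirect-delivered URI gets the same treatment as typed text.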
Re:Why didn't they use anything like Vstr?
by
Vreejack
·
· Score: 1
This seems to be the philosophy behind Java: it assumes that programmers are stupid, thus bounds-checking is automatic.
What does this say about Java programmers? That the stupid ones do a better job in Java than in C++.
-- "Will future ages believe that such stupid bigotry ever existed!" -- Ivanhoe
Re:Why didn't they use anything like Vstr?
by
Anonymous Coward
·
· Score: 0
Well, I dunno... I like Java. It's pretty clean, and it's C-like enough to the point where I can get work done. Sure, it's a little obnoxious at times, and as a C guy sometimes I find myself wishing I could do C-isms and pointer tricks. But, if you're doing a project that exclusively uses classes, it can be nicer to work with than C++, which is hackish by comparison.
Of course, C is an awesome language. C++ I'm not as keen on. If you're going to use a lot of C++-isms, you might as well be using Java.
Re:Why didn't they use anything like Vstr?
by
sorbits
·
· Score: 1
Of course, C is an awesome language. C++ I'm not as keen on. If you're going to use a lot of C++-isms, you might as well be using Java.
All the things I love about C++ are missing from Java:
Generic code/templates, operator overloading, implicit type conversion, RAII, introduce own types which feel 100% as "build into the language" etc.
Probably you only view C++ as the ability to have member functions...
Re:Why didn't they use anything like Vstr?
by
Anonymous Coward
·
· Score: 0
You can do fine without those features though:
Generic code/templates: All Java types are wrapped by Object.
Operator overloading: that's really more of a convenience...
You can get your work done without templates and operators.
Re:This "hole" is just smoke for AOL paid infectio
by
Anonymous Coward
·
· Score: 0
I'm using AIM 5.5 - I'm just very careful about what it installs, and make certain that WeatherBug and WildTangent don't creep onto my machine. The price of using WinXP is eternal vigilance... or something.
Yet another reason to switch to, IMHO, a better client such as gaim....Or licq if you're an icq user. It's by far the best icq client on any platform out there - even better than the official AOL/Mirabilis ones.
Agile Messenger works on your mobile. You don't have to be stuck in your seat, but you can roam freely and also see people.
Works quite well in N-Gage. The cheapest business class phone available. (yes, I can hear somebody whining when n-gage is mentioned. Stop crying and buy a bigger memory card for it, so you don't have to change it.)
Re:Gaim?
by
Anonymous Coward
·
· Score: 0
Actually this experience is exactly what I "enjoy" when using almost any OSS program.
I really don't see how someone can recommend any OSS program as a 100% secure now and forever replacement for AIM. It's simply not possible.
My little pet project;-)
It has a pretty complete OSCAR implementation, skinnable GUI, logging, talking while away, and runs straight from the binary (no install).
I always knew that aol messenger sucked balls. This is just another thing to prove that. I really don't understand why so many people use that? Perhaps the reason why is because there are many dumb people in the world that use aol as their ISP. So, since most of the hot chicks are dumb, and therefore they use aol, all the people started using aol messenger so they can talk to them? That's my theory about that. I mean, nobody in their right mind would use aol otherwise. Next time you look at the aol messenger, just check out all the stupid ads that that thing has! And those annoying sounds! People should really look around at different messengers. Miranda kicks ass for example (even if you gotta use aol protocol), Yahoo messenger is great: small, fast, clean, no ads, and it has tons of features. Even msn messenger didn't have ads last time I used it! You think aol messenger doesn't suck? Yes it does, just look at ICQ! ICQ was the best messenger for a long time until aol bought them out and ruined them. Now it sucks. Aol sucks balls.
Next time you look at the aol messenger, just check out all the stupid ads that that thing has! And those annoying sounds!
I know you're trolling, but I'll bite anyway. I haven't seen an AIM ad in a long, long time. Of course, maybe that's because I'm running AIM version 4.8.2616 (Copyright 2001), which you can download at oldversion. It supports all of the AIM essentials, including messaging (obviously), chat, file transfer, stock ticker, IM Image, "AIM Phone" voice chat, and all the craptastic buddy icons your friends can find.
I don't know what sort of bloated junk they're pumping out as the AIM client these days, but ignore it. You're smart enough not to fall for some sort of viral IM, so forget the "latest and greatest," even with a vulnfix. Get one of the legacy builds. 4.8 works fine, has no ads, and oh - it allows you to change or disable the sounds.
Slickest, smallest, least intrusive messaging app I've ever found, and it has the most intuitive UI of any I've tried (including both Gaim and Trillian). That's why I use AIM and not ICQ, MSN, Yahoo, etc.
-- "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
Another reason to use GAIM? I think not...
by
StrandedOrg
·
· Score: 1
Why all the AOL bashing?
by
huchida
·
· Score: 4, Funny
I use AOL broadband and love it. Sure, I could have bought Earthlink and connected to the Internet... But with AOL I can connect to both the Internet AND the World Wide Web!
I have the same problem with crashes when I send or receive a file... and they only fixed AOL Direct IM very recently (1 or 2 revisions ago), but "fixed" means it sort of works, i.e. if someone sends me a direct IM request and they are behind a NAT, it doesn't work, but I can send them a request and it works (according to changelog it's supposed to do that behind the scenes nowadays, but it doesn't). AIM handles it fine. So what I do is run AIM under wine with secur32.dll downloaded from the web. It doesn't redraw perfectly, but it works reliably. When I ran AIM installer inside wine it failed, but it extracted the program, so I just copied the temporary tree before dismissing the installer.
Open Source Pimpdaddio
by
Mulletproof
·
· Score: 2, Interesting
"Yet another reason to switch to, IMHO, a better client such as gaim."
I know we're all open-source whores here, but even the free version of Trillian is a much better omnipotent IM product as long as we're suggesting alternatives. The level of refinement between the two is lightyears apart. And yes, I'm using Firefox to jot this, thankyouverymuch.
There's more. This January, 12 remotely exploitable buffer overflow bugs were found in Gaim. Less than a week ago, the SuSE security team found another remotely exploitable buffer overflow. (Scroll down.) Those found in January should be fixed as far as I can tell.
gaim crashes all the time
by
Anonymous Coward
·
· Score: 0
I used gaim while on Linux, up until a month ago when I switched back to Windows to do Unreal development. Gaim crashed a lot, especially with file transfers, which is something I use quite frequently for sheer convenience in beta testing mods/maps. A Windows user friend of mine recently started using it because someone was raving about it, just like on Slashdot, and until last week it consistently crashed every other time I tried to send him a file. Not my idea of fun or his; the only reason he uses it is because it's easy to set the away message and stay away even when responding to people.
Is switching to a supposedly better product really the best idea for this sort of situation? I mean, I'm no expert in this kind of study, but it appears to me that whatever is most popular falls victim to the most attacks. While there are flaws in Windows, security problems exist anywhere there are enough people looking for them. I often hear reports of vulnerabilities in programs like Sendmail (or at least I used to), and a great novel was written about a non-Windows based security error. (The Cuckoo's Egg or something like that).
Is it reasonable to assume that if Gaim, Yahoo Messenger, or any other instant messenger became the most popular (measuring popularity in usage) then wouldn't it risk the same scrutiny that befalls AIM?
This question doesn't come from biased motivations either. I'm wondering if there has been a study how much scrutiny is placed on a software product in relation to its popularity in usage.
Perhaps this would call for moderation in all things software? Diversification of your software portfolio? Crazy stuff.
Yes! Best Win32 client ever!!
by
Anonymous Coward
·
· Score: 0
Not only is Miranda open source under the GPL, but it has an awesome plugin interface, loads of third party utilities, and doesn't hog your RAM.
I just wish it was better-known...
How many usability holes?
by
aclidiere
·
· Score: 1
To me, the biggest flaw in AIM is its user interface. It's ugly, it's hard to learn, it's painful to use. I'm sure there's a hundred obvious usability mistakes.
And, why does a company like AOL feel the need to violate my window real estate with ads? (Animated ads!! Movies!!) (Tip to block ads: Set a firewall rule to block any communication with the server ads.web.aol.com)
What is sad is that Gaim doesn't seem to do much better than AIM. Though more efforts were made on the look, the GUI is still messy. (See the menus, the preference dialog, too many dialogs, etc.)
This already had it's posting over the weekend, but... say you're chatting it up nicely at Starbucks or what-have-you on the wireless network. You're web-browsing while you're at it when - Wham! - someone injects a webpage into your browsing session with a redirect to an aim: URL with the buffer overflow. You've just been AirPwn'd
Supposedly trusted but hacked sites could also be used to inject malicious content. Case in point: the most recent Bagle virus making the rounds used a binary file called 2.jpg as its method of downloading itself to new victims. Even though it had the .jpg extension, it was an exe. Most of the hacked websites that it downloaded from were Polish or Russian, but one notable exception: http://financial.washingtonpost.com.
I'd say it's always safer to remove the vulnerability than to live in denial about having vulnerable vectors open. Hackers, like Love, will always find a way.
-- -AutoNiN
Re:Needs user assistance - NOT!
by
Autonin
·
· Score: 1
This has been stated several times already, but because this posting is at '+4, Informative' I have to comment.
With respect to the author, this should be "-4, Ignorant". The AIM: URL protocol handler is incorporated into the operating system (Yay for Browsers integrated into the OS!) and so *any* program that calls the AIM: URL will in turn be sent to AIM for handling and overflowing.
To reiterate: You *don't* necessarily have to click anything at all. Hover over links ALL DAY LONG, but get one HTTP redirect, one Javascript embedded in a hacked website, and you're OWNED.
http://site.n.ml.org/info/naim/
NAIM is everything I need in an aim client, and more. Encryption, console based, irc+lily+icq compatible, been around forever, etc, etc.
And dont forget, combined with screen, its extremely portable.
Sorry to be so overblown.. just tired of the mess
by
woodsrunner
·
· Score: 1
You're right, it does ask to install, but most people go with defaults.... there are some popups that seem to come in through AIM that require stuff like DeadAIM to stop them since they are activated by launching AIM.
I generally don't use the products. Mostly just GAIM on Linux. Lately I've been stuck running XP and I haven't bothered to figure out how to remove Outlook or Messenger. Just pulled Messenger off the start button so it doesn't launch every time I use that menu.
I am mostly just amazed at the amount of crud that goos up normal users' boxes. It's boggling to me and I know how to fix it and avoid it... for the average person it must be demoralizing.
no wonder nobody's becoming computer scientists anymore... too many darn pop ups!
-- THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE
ALSO FUCK BETA, ~NYORON
Questions about upgrade paths
by
babbage
·
· Score: 1
The original article has left me a little bit confused. It is implied that the bug is with the AIM client, and not the protocol, but is that actually the case? Do we know for sure that other clients -- such as Gaim or iChat -- are not affected by the problem here?
And if the problem is just with AIM, and everyone that doesn't want to switch clients has to stay with AIM, are we really stuck with the standard AOL-IM suite that the company has been distributing lately? You know, the one that comes bundled with Weatherbug, which as far as I can tell will install itself with AIM whether or not you want it, and is damned near impossible to remove. Is that really what we're looking at here? Because that sucks big time.
If this is really the case, then hell with it, I'm going to put Gaim on everyone's desktop at work if AIM exploits become a problem. I'll bet most people probably won't notice the difference, and some will even like that it can be used to talk to the company's internal Jabber server, or other chat protocols.
But even without that, being able to avoid the mandatory spyware is fine by me...
Here's a Proof of Concept exploit for the aim hole. It produces an Internet Shortcut (.url) or just the URI (i.e.:aim:goaway?=message...) to a file.
http://www.icestormcity.com/sugar/aimuri.c
Why an Internet Shortcut (an IE favorite)? This exploit won't work as a link in IE, it needs to be longer than IE will allow. Firefox will send it through, but it corrupts my memory addresses and stuff. I dunno what's going on (maybe it's sending in Unicode?). It theoretically could (you can click the link and crash aim) execute arbitrary code, but it'd be harder. Never tried it on other browsers, or email clients. That's why you can just save the URI, which can be popped into a link.
Really, all this uproar is kind of unwarranted, since it doesn't work in IE. Of course, maybe there is some other way to get IE to do it.
Whatever you do, don't leave the computer. Oh, nice reason to sit more at the computer. :)
Wasn't an exploitable bug just found in gaim? Or to be accurate in the "festival" plugin... See: http://seclists.org/lists/bugtraq/2003/Oct/0205.html
Spelling mistakes: My is english spoken not tongue of mother.
When are we going to learn to incorporate bounds checking into everything? We have the CPU cycles.
This vulnerability only affects those rare few that actually leave their computers and do things in the "real" world.
Those rebels deserve whatever they get.
away for good?
There are no atheists when recovering from tape backup.
Jabber
Do many people put links in away messages anyway? Wouldn't people think it was strange that there is a link to something they've never heard about in an away message? I've never used AOL, so can someone tell me if you can use a text link, or is it only a URL?
There is not going to be an auto-spreading worm based on this hole. From the article: "AIM users would have to click on the URL to trigger the vulnerability..."
AIM-based worms that need user clicks to spread have already existed for a while. I've already seen one that tempts people to a page that offers a malware ActiveX download, and if the user accepts their AIM profile is changed to advertise the malware site without them realizing what they've done.
So, in short, this one's bad, but there's a pretty easy workaround that'll keep you safe: Hover over the hyperlink before you click on it to see the URL. If it's a mile long, don't click on it.
For Mac users there is Fire which since going 1.0 is quite nice and polished.
Click here or a puppy gets stomped!
However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
The vulnerability reinforces the importance of using caution when clicking on links in IM messages, especially when they are from unknown correspondents, he said.
This probably would cause some harm but not as much as a worm/virus that would automatically send the malicious URL to all users that are away on your list.
I know that most of my less knowledgeable friends that use AOL would instantly click a URL from someone on their buddy list. I am not so sure they would do it from a random IM.
http://www.trillian.cc
Think Gaim but pretty!
blah, blah, blah
It could also seamlessly integrate with GMail, using the same id both as the e-mail address and as JID.
Bye!
SeqBox
IDefense discovered the vulnerability and informed AOL about it on July 12, the company said. The company released an advisory on it Monday only after computer security intelligence company Secunia Inc., of Copenhagen published an advisory warning of the hole, citing information provided by two security researchers who also had discovered the hole.
If this review is something AOL commissioned, good for them. It would be nice, however, if they had an internal QA department that could find these design (actually coding) flaws.
On the other hand, if these companies were not hired for security reviews, will this sort of 'discovery' (paranoia here:) cause a DMCA backlash?
But I wouldn't tell Windows users to jump right away to Gaim. It is still in beta and has a slew of bugs. Telling Windows users who have no idea what Open Source Software is that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.
Miranda. Choice is good. :)
They can use Trillian, too.
-- Liberalism is a mental disorder.
Fortunately, most AOL users are known to be savvy enough to find some work-around until patches are available.
I've been using Kopete for a while and enjoy it. On a lark, I tried Gaim recently, only to find that it won't work with MSN Messenger "out-of-the-box" because it requires installing some SSL thing. So, I said screw Gaim, and still use Kopete. Not that I'm in love with MSN Messenger, but that's what most of my non-geek relatives use.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
The decision was mostly because of its cross-platform, cross-service compatibility and "Buddy Pounce" features (and because it's my personal favorite too :)). This way folks can continue to use their personal MSN/AIM IDs without a problem. The Buddy Pounce feature allows a script/macro to be run in response to an event - this feature is particularly useful for us because we can kick off an SMS message, for example, in response to a message or another event.
Though they don't release Solaris binaries, I did get it to build on Solaris/SPARC with a little effort. I know the Yahoo Messenger UNIX version is open source now, so I could probably try and build it for obscure platforms, but it is IMHO severely crippled compared to the Windows counterpart.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Gaim's security doesn't look very good either. Switch if you like, but don't expect it to be any more secure.
Thank goodness I downloaded SP2, since it will obviously keep my computer safe from this problem.
It's the bestest thing ever!
I don't use away messages you insensitive clod!
Seriously, it's easier to ignore people you don't want to deal with if they know you don't use away msgs.
Slightly off-topic, but do any of the alternative clients for AOL, ICQ, Yahoo or MSN messenger handle voice? My parents never learned to type (learning to type Far-eastern languages IS a major undertaking), so they rely on the voice capabilities of the IM's.
"However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said."
Yeah, this wouldn't be such a problem if the average IQ of an AIM user was above 2
MizzIz283334: "LIke, OMG Iz just gots a linky from somewhere!!!11!!oneoneone"
IzLikeBoizzz435435: "OMG u clic it?"
MizzIZ 283334: "OMG WTF BBQ My computer died!!!"
Slashdot sucks
Seriously, is gaim really a better client? It always seems to me like the unauthorized clients are a generation behind the real ones. Back when file sharing was big, gaim could not do it. Then buddy icons, gaim could not do it. Now gaim can do those, but the big thing is voice and video, gaim can't do those.
The war with islam is a war on the beast
The war on terror is a war for peace
Hey FK, long time no msg.
Anyhow, I'm getting ready to start work on an enterprise size portal system (non Slashdot related) and if you're considering Struts old, can you give me any insight into state-of-the-art with MVC in Java...?
I've just started getting into Struts as it looks like a great way to maintain scalability and have code/html separation, without too much of an insane learning curve.
Why does every article mentioning a piece of software have to mention a FLOSS alternative in the blurb?
Did you know that you can add AIM contacts to your contact list on ICQ, and vice versa?
Much handier for keeping message archives, and much less exploitable... and less intrusive also.
For those who don't want to use GAIM, Trillian, or Miranda.
The AIM client is ugly and stupid; I can't believe people still use it anyway.... unless they've "gotta have their AOL" even though they've "graduated" to a real ISP.
Feh.
I can't get Gaim to work through our company proxy servers, whereas the Yahoo and MSN native clients do so fine. I have tried all the proxy settings available. Our proxy server is an MS ISA server... *shudder*.
I don't use aim, nobody I know uses aim.
----
One of our users posted a walkthrough of this fix this morning. Supposedly there is a new beta version of aim that has been released without this exploit... but I've not seen it yet.
Walkthrough of registry fix for AIM hack
Look like a good reason to upgrade to trillian to me.
Davak
AIM users are by huge majority, windows users. GAIM for windows is broken. It crashes too much. The program just isn't stable. I used it for a few weeks and just didn't like it at all.
ICQ is the only real chat program out there. It's got all the features of AIM plus more plugin features and the ability to send offline messages that users can pick up later when they log on (without you having to be online).
ICQ will also allow you to add AIM names to your list now, but you can't do things like file transfer with AIM users.
They're owned by the same company, so I don't understand why they're not better incorporated into one another.
{tongue in cheek mode:ON}
Apparently you have no idea what Open Source Software is either
{/tongue in cheek mode:OFF}
More seriously: Unlike proprietary software, an open-source program whose version number is less than 1.x usually means more "warning: Not all the cool functions you would like to see are implemented yet" rather than "This software is an experimental piece of crap that will keep crashing your OS, please wait until we get out of beta stage before testing it, unless you back up your data often".
Personally I've been using Gaim since version 0.5x both under linux at home and under windows at work, and I can say: It's pretty stable. I've been telling my brother and my friends about it and they are happy too.
The only reason it hasn't reached the 1.x milestone isn't because of the bugs, but because there are some features it's still missing (Mainly: some kinds of file upload are missing, although things are a lot better since 0.80; support for webcams, etc.).
This is a common misconception, and a lot of newbie users can be heard complaining "Linux distro sucks, it's only full of bug ridden software: everything is version 0.xy"
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
wouldn't this be a good way to test the new DEP in SP2?
My personal preference:
screen + aterm + irssi + bitlbee
Screen is a full screen window manager: keep something running on a server and detach/attach from anywhere.
aterm is a nice terminal for X11.
irssi is a CLI irc client. Since Bitlbee acts as a normal IRC server, any IRC client can be used. Even CGI::IRC, there are several sites that allow you to use MSN/ICQ/JABBER/AIM/etc from a web page.
Bitlbee is an IRC gateway server. Basically it's an irc server where you can add IM accounts. The gateway gives you an "irc channel" with ALL your contacts, whatever they are using.
More: BitlBee Guide - Talk to msn, icq and jabber contacts using any IRC client.
NOTE: The setup has TWO flaws:
1) You can not exchange files (no filetransfer).
2) Bitlbee does not support GPG encryption for secure communication (available in jabber clients like gjabber and psi).
Rule of thumb: Original IM providers clients are never the best choice.
9/11: Never forget it was a false-flag operation
but the UI is pretty lousy
We can all sleep better now.
Opera for example doesn't just action any URL type. It will only pass on those that have been configured to be trusted.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
Correct me if I'm wrong but this sounds to me like the user has to click something and it isn't automated.... therefore, once again it is stupid users, not software!
I tried gaim for windows a while back, but the performance of the app is pretty rough. Very slow screen updates, and lots of bugs, especially on a machine that's not a multi-gigahertz one. Miranda is one I found recently, which is really cool. Small, compact, and fast, but still powerful. http://www.miranda-im.com/
I use gaim regularly, but I still haven't weaned myself off the official AOL Linux AIM client because gaim still crashes every time I try to send or receive a file. Never have I seen a feature for an OSS program be so seemingly painful and difficult to implement.
--Stephen
Did you ever notice that *nix doesn't even cover Linux?
A quick search reveals a fork of the Gaim project here, which, err, aims to add video functionality. Looks good from the shots, though I haven't tried it myself.
The point of this is that people should think things through before just spouting off the top of their head. It doesn't help to have people say "yeah, use this free alternative!" and then have people turn round and say it doesn't work. I'd love to recommend a non-AOL AIM client to people, but until AV is handled I simply can't. Same for MSN -all very nice for text and file transfer, but not up to scratch for the advanced functions yet.
Cheers,
Ian
Why not Jabber at:
http://www.jabber.org/
+1 if i had a mod point...
I primarly use GAIM for AIM/MSN at the same time with logging. However I need to keep AIM installed to send/receive files; you would think the file capabilities would be working in win32. It is a PITA.
Here, I would think that the usual case, where an active open source program at 0.x is better than a commercial product at 6.x, holds true. Gaim v0.81 has over 250+ bug fixes, a few big, many small, and that product is VERY stable and logs into everything. I know 20+ people all on various ports of Gaim and no complaints. Prior to 0.6, it's been a bit hellish, but 0.7+ has been simply sweet. Remember you can install new versions of Gaim on top of old ones, and you won't lose your settings. Also, Gaim can run alongside the "real" IM programs, so if you don't like Gaim it's a 30 second uninstall. The benefits are worth the "risk" of trying it out.
http://gaim.sourceforge.net/
This exploit seems minor compared to the spyware installed by default with AIM. How can AOL say they protect you against viruses and then install Gator et al by default on your box?!
I am pretty sure the animated pop up warning about spy ware on your computer, the one with the animation of bugs fornicating, is installed via AIM as well. How can AOL call themselves a family company?
Saying there is a security hole in AIM is like saying there is a type of virus that attacks people with AIDS. No duh. AIM is a major vector of problems and probably should be classified as a virus.
Thank you for your time. I'll stop ranting now before I even get into that annoying infection called Messenger.
Have you ever even used messenger? In no way does it install spyware; ad-aware and spybot'll both confirm that on my machine. Stop spreading FUD.
Trillian
Well, that is kind of expected. Not all the protocols are openly documented -- some have to be continuously reverse engineered to figure out the latest obfuscation. Frequent changes to Yahoo's auth procedure come to mind (see the changelog).
And you say "a generation behind" as if it is a bad thing. Note the argument "bleeding edge vs bug free". A more mature software typically delivers a better user experience. That said, it should be noted that Gaim has been and still remains one of the most active projects on sf.net. Should tell you something about the pace of development.
> Back when file sharing was big, gaim could not do it.
So are you admitting to file transfers being a passing fad?
- version 0.11.0-pre5 (02/26/2001) -- Rewritten file transfer for TOC
- version 0.75 (01/09/2004) -- Yahoo! file transfer (Tim Ringenbach)
- version 0.76 (04/01/2004) -- Jabber file transfer
- version 0.76 (04/01/2004) -- IRC file transfer (Tim Ringenbach)
- version 0.79 (06/24/2004) -- Added MSN file transfer (Felipe Contreras)
- version 0.80 (07/15/2004) -- Drag a file into the buddy list or a conversation to send it to that buddy
I know that much of the file transfer functionality for Msn and Y! protocols has been added just last month. But, to be perfectly honest, i didn't miss this feature, coz i use email to send/receive files. IMAP beats having to write firewall rules.
> Then buddy icons, gaim could not do it. Now gaim can do those,
A quick search of the changelog reveals this:
- version 0.11.0-pre12 (05/29/2001) -- Can receive buddy icons in Oscar
- version 0.45 (10/04/2001) -- Can choose buddy icon to send (for Oscar)
- version 0.63 (05/16/2003) -- MSN protocol plugin was rewritten, has experimental buddy icon support, and MSN Mobile support.
- version 0.79 (06/24/2004) -- Yahoo buddy icon support
- version 0.79 (06/24/2004) -- Dragging an image file into the Modify Account dialog will set that as a buddy icon.
Earlier buddy icons could only be set for AIM/ICQ (2001-2003). Now i can drag an image onto the "modify account" dialog of any account and I get an instant buddy icon.
> but the big thing is voice and video, gaim cant do those.
Sure it can. Check out gaim-vv. It is a fork of gaim with the aim of bringing Voice and Video to the gaim experience. It's not perfect, but it's not moving backwards either.
I think you should test drive a recent gaim.
Cheers, imtheguru
Yet Socrates himself is particularly missed.
A lovely little thinker but a bugger when he's pissed.
Gaim is shit. Use Trillian Pro. That is all.
AOL has nothing to do with Gator. If you remotely had a clue of what you were talking about, someone might bother to listen to you. Clearly that is not the case.
there'd be security holes in a third rate app from a third rate company!
You must have not used AIM lately. It doesn't install gator, but while installing aim if you're not paying attention it will install both weatherbug and WildTangent. Ever try removing Wild Tangent from your control panel after having removed what you thought was all components? That was a nightmare.
Reserved Word.
So if it's a phone number, just numbers (and brackets and a plus for international numbers, and maybe minuses for the transatlantic cousins).
Naturally there is a tradeoff between security and usability - especially if you make a mistake in the permitted characters :-(
Even if you're not going that far, anything that looks like an escape character of any sort should generally be banned. Of course, some names have apostrophes, which could look like 'close quotes' if your app is especially dim.
Just as well there is no strict liability for software bugs!
Paul "Say no to feeping creaturism"
Nice analogy :-)
Have you (or the PHBs) tried code review or unit tests? That might get them eating their spinach, so to speak...
Paul "Say no to feeping creaturism"
Even C and C++ have mechanisms for safe string handling. C++'s std::vector and std::string types can be configured with buffer checking, and judicious use of a decent string handling library can solve the problem for C. Thus, I see the problem as programmer ignorance of the available libraries rather than any inherent defect in the languages themselves.
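As an added example (not code from the thread, from AOL, or from any library named above), this is what bounded handling of the aim:goaway?message= parameter described in the thread looks like in plain C: the decoder rejects anything over the 1024-byte message limit mentioned in the thread instead of writing past a fixed buffer. The function names and the sample URIs are made up for this example.

```c
/* Added example: bounds-checked decoding of an aim:goaway?message=... URI.
 * Function names are hypothetical; AIM_MSG_MAX is the 1024-byte limit the
 * thread mentions.  Nothing here is AOL's code. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define AIM_MSG_MAX 1024

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode the message= parameter of an aim:goaway URI into out (capacity
 * outsz).  '+' becomes a space and %XX escapes are decoded.  Returns the
 * decoded length, or -1 if the URI is malformed, has no message= parameter,
 * or the decoded message would exceed AIM_MSG_MAX or the output buffer.
 * Every write to out is preceded by a length check: that is the whole point. */
int parse_goaway(const char *uri, char *out, size_t outsz)
{
    const char *prefix = "aim:goaway?";
    size_t plen = strlen(prefix);
    if (strncmp(uri, prefix, plen) != 0) return -1;

    /* Walk the '&'-separated query parameters looking for message=. */
    const char *p = uri + plen;
    const char *msg = NULL;
    while (*p) {
        if (strncmp(p, "message=", 8) == 0) { msg = p + 8; break; }
        const char *amp = strchr(p, '&');
        if (!amp) break;
        p = amp + 1;
    }
    if (!msg) return -1;

    size_t n = 0;
    while (*msg && *msg != '&') {
        char c = *msg;
        if (c == '+') {
            c = ' ';
            msg++;
        } else if (c == '%') {
            int hi = hexval(msg[1]);
            int lo = msg[1] ? hexval(msg[2]) : -1;
            if (hi < 0 || lo < 0) return -1;     /* malformed escape */
            c = (char)(hi * 16 + lo);
            msg += 3;
        } else {
            msg++;
        }
        /* Refuse to grow past the protocol limit or the caller's buffer. */
        if (n >= AIM_MSG_MAX || n + 1 >= outsz) return -1;
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Helper for checks: 1 if uri decodes exactly to expect, else 0. */
int decodes_to(const char *uri, const char *expect)
{
    char out[AIM_MSG_MAX + 1];
    int n = parse_goaway(uri, out, sizeof out);
    return n >= 0 && strcmp(out, expect) == 0;
}

/* Constructed check: a 1500-character message (over the limit) must be
 * rejected with -1 rather than copied. */
int oversized_rejected(void)
{
    char uri[1600];
    char out[2048];
    const char *head = "aim:goaway?message=";
    size_t hlen = strlen(head);
    memcpy(uri, head, hlen);
    memset(uri + hlen, 'A', 1500);
    uri[hlen + 1500] = '\0';
    return parse_goaway(uri, out, sizeof out);
}

int main(void)
{
    char out[AIM_MSG_MAX + 1];
    int n = parse_goaway("aim:goaway?message=Anything+goes+here", out, sizeof out);
    printf("decoded (%d bytes): %s\n", n, n >= 0 ? out : "(rejected)");
    printf("oversized message result: %d\n", oversized_rejected());
    return 0;
}
```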
I'm using aim 5.5 - I'm just very careful about what it installs, and make certain that weatherbug and wildtangent don't creep onto my machine. The price of using WinXP is eternal vigilance...or something
Yet another reason to switch to, IMHO, a better client such as gaim. ...Or licq if you're an icq user. It's by far the best icq client on any platform out there - even better than the official AOL/Mirabilis ones.
my blog
Agile Messenger works on your mobile. You don't have to be stuck in your seat, but you can roam freely and also see people.
Works quite well in N-Gage. The cheapest business class phone available.
(yes, I can hear somebody whining when n-gage is mentioned. Stop crying and buy a bigger memory card for it, so you don't have to change it.)
Actually this experience is exactly what I "enjoy" when using almost any OSS program.
I really don't see how someone can recommend any OSS program as a 100% secure now and forever replacement for AIM. It's simply not possible.
TerraIM
;-)
It has a pretty complete OSCAR implementation, skinnable GUI, logging, talking while away, and runs straight from the binary (no install).
My little pet project
TerraIM - my pet AIM client project.
I always knew that aol messenger sucked balls. This is just another thing to prove that. I really don't understand why so many people use that? Perhaps the reason why is because there are many dumb people in the world that use aol as their ISP. So, since most of the hot chicks are dumb, and therefore they use aol, all the people started using aol messenger so they can talk to them? That's my theory about that. I mean, nobody in their right mind would use aol otherwise. Next time you look at the aol messenger, just check out all the stupid ads that that thing has! And those annoying sounds!
People should really look around at different messengers. Miranda kicks ass for example (even if you gotta use aol protocol), Yahoo messenger is great: small, fast, clean, no ads, and it has tons of features. Even msn messenger didn't have ads last time I used it!
You think aol messenger doesn't suck? Yes it does, just look at ICQ! ICQ was the best messenger for a long time until aol bought them out and ruined them. Now it sucks. Aol sucks balls.
http://www.securityfocus.net/bid/10865/info/
Stranded.org
I use AOL broadband and love it. Sure, I could have bought Earthlink and connected to the Internet... But with with AOL I can connect to both the Internet AND the World Wide Web!
I have the same problem with crashes when I send or receive a file... and they only fixed AOL Direct IM very recently (1 or 2 revisions ago), but "fixed" means it sort of works, i.e. if someone sends me a direct IM request and they are behind a NAT, it doesn't work, but I can send them a request and it works (according to changelog it's supposed to do that behind the scenes nowadays, but it doesn't). AIM handles it fine. So what I do is run AIM under wine with secur32.dll downloaded from the web. It doesn't redraw perfectly, but it works reliably. When I ran AIM installer inside wine it failed, but it extracted the program, so I just copied the temporary tree before dismissing the installer.
"Yet another reason to switch to, IMHO, a better client such as gaim."
I know we're all open-source whores here, but even the free version of Trillian is a much better omnipotent IM product as long as we're suggesting alternatives. The level of refinement between the two is lightyears apart. And yes, I'm using Firefox to jot this, thankyouverymuch.
Three words: Cross Site Scripting
There's more. This January, 12 remotely exploitable buffer overflow bugs were found in Gaim. Less than a week ago, the SuSE security team found another remotely exploitable buffer overflow. (Scroll down.) Those found in January should be fixed as far as I can tell.
I used gaim while on linux, up until a month ago when I switched back to windows to do Unreal development. Gaim crashed a lot, especially with file transfers, which is something I use quite frequently for sheer convenience in beta testing mods/maps. A windows user friend of mine recently started using it because someone was raving about it, just like on slashdot, and until last week it consistently crashed every other time I tried to send him a file. Not my idea of fun or his; the only reason he uses it is because it's easy to set the away message and stay away even when responding to people..
...hack, no wonder it's #1!
Maybe because it's a protocol and not an AIM client (or any other kind of client, for that matter).
I'm pretty sure it asks you if you want to install Weatherbug, at least with the newer versions.
I started using Trillian a while ago now when I started finding myself using AIM to chat with one group of people and Yahoo another.
I find it works well (except when yahoo updates something and breaks it for a few days) and they do a good job with updating it. I'd recommend it.
Is switching to a supposedly better product really the best idea for this sort of situation? I mean, I'm no expert in this kind of study, but it appears to me that whatever is most popular falls victim to the most attacks. While there are flaws in Windows, security problems exist anywhere there are enough people looking for them. I often hear reports of vulnerabilities in programs like SendMail (or at least I used to), and a great novel was written about a non-Windows based security error. (The Cuckoo's Egg or something like that).
Is it reasonable to assume that if Gaim, Yahoo Messenger, or any other instant messenger became the most popular (measuring popularity in usage) then wouldn't it risk the same scrutiny that befalls AIM?
This question doesn't come from biased motivations either. I'm wondering if there has been a study how much scrutiny is placed on a software product in relation to its popularity in usage.
Perhaps this would call for moderation in all things software? Diversification of your software portfolio? Crazy stuff.
I just wish it was better-known...
To me, the biggest flaw in AIM is its user interface. It's ugly, it's hard to learn, it's painful to use. I'm sure there's a hundred obvious usability mistakes.
And, why does a company like AOL feel the need to violate my window real estate with ads? (Animated ads!! Movies!!)
(Tip to block ads: Set a firewall rule to block any communication with the server ads.web.aol.com)
What is sad is that Gaim doesn't seem to do much better than AIM. Though more efforts were made on the look, the GUI is still messy. (See the menus, the preference dialog, too many dialogs, etc.)
Please, I know someone that uses GAIM and the fucking program can't even paste hyperlinks properly.
Just because something is FREE doesn't mean it's GOOD.
But please enlighten me, someone, anyone, why is GAIM so much better than the official AIM client?
evil adrian
Just do it. A rare, well-written and well-balanced post.
This already had its posting over the weekend, but... say you're chatting it up nicely at Starbucks or what-have-you on the wireless network. You're web-browsing while you're at it when - Wham! - someone injects a webpage into your browsing session with a redirect to an aim: URL with the buffer overflow. You've just been AirPwn'd
Supposedly trusted but hacked sites could also be used to inject malicious content. Case In Point: The most recent Bagel virus making the rounds used a binary file called 2.jpg as its method of downloading itself to new victims. Even though it had the .jpg extension, it was an exe. Most of the hacked websites that it downloaded from were Polish or Russian, but one notable exception: http://financial.washingtonpost.com.
I'd say it's always safer to remove the vulnerability than to live in denial about having vulnerable vectors open. Hackers, like Love, will always find a way.
-AutoNiN
This has been stated several times already, but because this posting is at '+4, Informative' I have to comment.
With respect to the author, this should be "-4, Ignorant". The AIM: URL protocol handler is incorporated into the operating system (Yay for Browsers integrated into the OS!) and so *any* program that calls the AIM: URL will in turn be sent to AIM for handling and overflowing.
To reiterate: You *don't* necessarily have to click anything at all. Hover over links ALL DAY LONG, but get one HTTP re-direct, one Javascript embedded in a hacked website, and you're OWNED.
-AutoNiN
http://site.n.ml.org/info/naim/ NAIM is everything I need in an aim client, and more. Encryption, console based, irc+lily+icq compatible, been around forever, etc, etc. And don't forget, combined with screen, it's extremely portable.
You're right, it does ask to install, but most people go with defaults.... there is some popups that seem to come in through AIM that require stuff like Dead AIM to stop them since they are activated by launching AIM.
I generally don't use the products. Mostly just GAIM on Linux. Lately I've been stuck running XP and I haven't bothered to figure out how to remove Outlook or Messenger. Just pulled Messenger off the start button so it doesn't launch every time I use that menu.
I am mostly just amazed at the amount of crud that goos up normal users' boxes. It's boggling to me and I know how to fix it and avoid it... for the average person it must be demoralizing.
no wonder nobody's becoming computer scientists anymore... too many darn pop ups!
That's what makes it so dangerous.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
The original article has left me a little bit confused. It is implied that the bug is with the AIM client, and not the protocol, but is that actually the case? Do we know for sure that other clients -- such as Gaim or iChat -- are not affected by the problem here?
And if the problem is just with AIM, and everyone that doesn't want to switch clients has to stay with AIM, are we really stuck with the standard AOL-IM suite that the company has been distributing lately? You know, the one that comes bundled with Weatherbug, which as far as I can tell will install itself with AIM whether or not you want it, and is damned near impossible to remove. Is that really what we're looking at here? Because that sucks big time.
If this is really the case, then hell with it, I'm going to put Gaim on everyone's desktop at work if AIM exploits become a problem. I'll bet most people probably won't notice the difference, and some will even like that it can be used to talk to the company's internal Jabber server, or other chat protocols.
But even without that, being able to avoid the mandatory spyware is fine by me...
Hmmm.....
DO NOT LEAVE IT IS NOT REAL
Here's a Proof of Concept exploit for the aim hole. It produces an Internet Shortcut (.url) or just the URI (i.e.:aim:goaway?=message...) to a file.
http://www.icestormcity.com/sugar/aimuri.c
Why an Internet Shortcut (an IE favorite)? This exploit won't work as a link in IE, it needs to be longer than IE will allow. Firefox will send it through, but it corrupts my memory addresses and stuff. I dunno what's going on (maybe it's sending in Unicode?). It theoretically could (you can click the link and crash aim) execute arbitrary code, but it'd be harder. Never tried it on other browsers, or email clients. That's why you can just save the URI, which can be popped into a link.
Really, all this uproar is kind of unwarranted, since it doesn't work in IE. Of course, maybe there is some other way to get IE to do it.
-sugar