Slashdot Mirror


AOL IM 'Away' Message Security Hole Found

thedude13 writes "Infoworld is running a story about a major security hole in AOL® Instant Messenger(TM) and how it handles away messages. AIM is vulnerable to a buffer overflow via the auto-response away message mechanism. Yet another reason to switch to, IMHO, a better client such as gaim."


  1. Major erratum in article by Eponymous+Cowboy · · Score: 5, Informative
    Unfortunately, the article this story links to has a rather large mistake. It states:
    However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
    This is completely and totally wrong.

    Any web page can launch URLs of the form aim:goaway?message=Anything+goes+here by many different means without user intervention:
    • Redirect response codes
    • Meta redirect tags
    • Frames
    • iframes
    • Javascript popups
    Any one of those methods will change your away message automatically, without any confirmation on your part. And if the part in the message= section is more than 1024 characters, arbitrary code can be executed on your machine.

    The only sure way to protect yourself against this is to remove the HKEY_CLASSES_ROOT\aim registry key, which will disable the AIM protocol altogether, as explained here.
    --
    It's hard for thee to kick against the pricks.
    1. Re:Major erratum in article by alexatrit · · Score: 2, Interesting

      That error being noted, most users of AIM that I know will click on just about anything.

      --

      Nothing but the finest in meaningless drivel
    2. Re:Major erratum in article by Anonymous Coward · · Score: 1, Interesting

      Indeed. A simple proof of concept: If you use AIM, click here to see your away message set, from your web browser. (No "message=" bit set here in this example; that's just plain mean.)

      And, of course, if it can be done by clicking such a link from your browser, it can be done by any of the means listed in the parent post.

    3. Re:Major erratum in article by shird · · Score: 3, Insightful

      And, ahem, how do you get to that launch page in the first place? magic?

      It's not as if anyone can just post a meta-refresh onto the front page of google. A page/server would have to host that javascript/iframe/redirect/etc and you would have to convince someone to visit that in the first place.

      Sure, you can use social engineering to get people to visit mysite.com/hack.htm or whatever, but that's exactly what the article is saying - you need to manually visit a malicious page in the first place.

      --
      I.O.U One Sig.
    4. Re:Major erratum in article by Anonymous Coward · · Score: 1, Informative
      And, ahem, how do you get to that launch page in the first place? magic?
      No, not magic. The same way people get most spyware these days: Google.

      Do pretty much any search on Google these days, and a good 50% of the results on the first page will install spyware on your PC if you're using an unpatched version of Internet Explorer. There was an article about this just the other day on Slashdot. It's impossible to know which search result links from Google install spyware and which don't.

      So, now even someone with all the latest IE patches, or someone who is using Firefox and thinks they are safe, needs to worry if they have AIM installed on their system.
    5. Re:Major erratum in article by Ieshan · · Score: 3, Insightful

      Right, because no one who uses AOL Instant Messenger ever visits websites without trying.

      Seriously, a combo exploit that affected webservers and AIM would net not only thousands of servers but thousands upon thousands of PCs. Individual PCs with no services are difficult to infect by worm with even the most minimal security settings, this would tank thousands of PCs because people are so naive when it comes to the 'net. AIM has always been "safe", they don't want to listen to how it might be "dangerous".

      Of course, AOL can push out an update to the client tomorrow, and as long as the next version has more flashing lights, people will download it right away.

    6. Re:Major erratum in article by shird · · Score: 1

      and...?

      You said so yourself, after a search in google you "would have to click on the URL to trigger the vulnerability..." exactly as the article says.

      The point is, just chatting on AIM is not going to have some worm that exploits this thing rip through your system and the entire AOL network.

      --
      I.O.U One Sig.
    7. Re:Major erratum in article by glenkim · · Score: 2, Interesting
      you're right.. i made a page that crashes AIM. when i first ran the page though, an error message pops up that says a buffer overrun was detected. does that mean that the code wouldn't have executed anyway?


      http://www.say11.com/personal/byebyeaim.html

    8. Re:Major erratum in article by EnderWiggin99 · · Score: 1

      "Dear Esteemed Sir;

      I am wantonly writing on behalf of the Sneider family of the Democratic Republic of Congo. It seems a substantial sum of money has been locked away..."

    9. Re:Major erratum in article by shird · · Score: 1

      And the key point of the article was an attacker couldn't take advantage of it in an 'automated' way - it requires manual intervention.

      "which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said. "

      The original poster said:

      "This is completely and totally wrong."

      But it is not. It does make it harder, because just using AIM won't get you 'own3d', you have to visit a malicious URL, regardless of how easy it may be to get people to visit such a URL.

      --
      I.O.U One Sig.
    10. Re:Major erratum in article by Anonymous Coward · · Score: 1, Informative

      Bosh, just look at the recent combination server-side/client-side worms. This is a great way to get the client-side parts installed on computers. Fully automated, no clicking involved, once websites are owned:

      http://www.usatoday.com/tech/news/2004-06-27-web-attack_x.htm

    11. Re:Major erratum in article by Mr+Guy · · Score: 1

      Many DO. You have to RUN them though.

    12. Re:Major erratum in article by moonbender · · Score: 2, Insightful

      The dangerous bit isn't with the AIM side of this exploit. The dangerous bit is with the browser side.

      Not really. A browser seeing an internet protocol it doesn't know how to use basically has two choices: ignore it or let somebody else worry about it. Ignoring it is not a Good Thing, since there clearly are cases where external URLs are useful (mail:, news:, ed2k:, irc:, and so on).
      And considering there already is a database of protocols and installed programs that handle them in the Windows registry it makes a lot of sense to use it and let the program associated with the protocol deal with it.

      Opera apparently has gone a middle route for some time now, since it allows you to specify trusted external protocols and associated applications. Protocols not on that list are ignored (I assume). This works very well, but of course it's really quite redundant, the same things already in the registry. Unfortunately there are protocols in the registry that shouldn't be, such as the shell thingie discussed some weeks ago.

      No, the fault really totally lies with AIM in this case. For one thing, it should be blindingly obvious that having urls like aim:goaway?message=x are really insane, even if they worked as advertised without any bugs: it effectively allows any site you visit to set your AIM status. And potentially other things depending on what other commands the protocol knows (aim:run?)... And of course the buffer overflow is also an AIM bug.

      --
      Switch back to Slashdot's D1 system.
    13. Re:Major erratum in article by Causemos · · Score: 5, Informative

      Except it appears no one checked this fix out completely. So long as your account has privileges to that area of the registry (which many do), AIM re-creates the key the next time you restart it. I've also tried breaking the key and AIM corrects this also.

      Basically unless you run as a regular "User" or other restricted account in Windows, the AIM fix is only good for one session of AIM.

      Victor

    14. Re:Major erratum in article by moyix · · Score: 1

      Was the error message produced by AIM? Many AV programs attempt to detect common exploit strings like a long series of "A"s, which are commonly used to fill up a buffer in an exploit.

    15. Re:Major erratum in article by WD_40 · · Score: 1

      Or you could run Ad-Watch set to block/prompt when registry modification is detected.

      --

      "With sufficient thrust, pigs fly just fine." -- RFC 1925

    16. Re:Major erratum in article by BarryJacobsen · · Score: 1

      Basically unless you run as a regular "User" or other restricted account in Windows, the AIM fix is only good for one session of AIM.

      What if you right click on the key, go to permissions and choose deny for all? Wouldn't that stop it?

    17. Re:Major erratum in article by AnyoneEB · · Score: 1

      I remember that past AIM viruses often worked by infecting through a browser exploit and changing the infected user's profile or away message to be a link to the browser exploit (sometimes just the link, sometimes with something like "visit this cool link"). Although this is an AIM exploit and not a browser exploit, the same strategy could be used.

      --
      Centralization breaks the internet.
    18. Re:Major erratum in article by xsupergr0verx · · Score: 1

      One major one is called buddypicture.net from the site of the same name.

      --

      Click here for a free picture of an iPod!
    19. Re:Major erratum in article by dveditz · · Score: 1

      Yes, setting the permission on the key to "deny" for all kept AIM from recreating values.

      Rather than deleting the aim key, a better fix is to leave it so you can set permissions, and delete its contents instead.

    20. Re:Major erratum in article by matth · · Score: 1

      didn't work for me, just brings up a blank box

    21. Re:Major erratum in article by ViolentGreen · · Score: 1

      Yeah, AIM users are stupid.

      --
      Not everything is analogous to cars. Car analogies rarely work.
    22. Re:Major erratum in article by Tassach · · Score: 1
      AIM users are stupid
      You misspelled "ALL".
      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  2. A reason to sit at the computer? by asciono · · Score: 5, Funny

    Whatever you do, don't leave the computer. Oh, nice reason to sit more at the computer. :)

  3. gaim Bug by derphilipp · · Score: 2, Informative

    Wasn't an exploitable bug just found in gaim? Or to be accurate in the "festival" plugin... See: http://seclists.org/lists/bugtraq/2003/Oct/0205.html

    --
    Spelling mistakes: My is english spoken not tongue of mother.
    1. Re:gaim Bug by noselasd · · Score: 1

      An exploit in October 2003 doesn't qualify as "just found"

    2. Re:gaim Bug by gtaluvit · · Score: 4, Insightful

      October of 2003 wasn't "just found" not to mention you have to install a plugin that doesn't come with gaim by default. We're talking default configuration on windows compared to a nonstandard configuration on some OS. Apples and oranges.

      --
      - gtaluvit (prnc. GOT-tuh-LUV-it)
    3. Re:gaim Bug by dossen · · Score: 2, Funny

      I'm not disagreeing with you, but apples and oranges can be compared quite well ;-)

    4. Re:gaim Bug by ESqVIP · · Score: 1

      Though they've been compared, I feel sorry for the oranges.

    5. Re:gaim Bug by sp0rk173 · · Score: 1

      AIM is not the "default configure on windows". It is, however, a non-standard configuration on some OS (like Windows - is OS X affected, too?). Now, we ARE talking a bug in the base code of AIM versus a third-party plugin for GAIM. That's apples and oranges...or really, a banana. You know:

      Go Apple!
      Go Orange!
      GO BANANA!

  4. more buffer over flows by RLW · · Score: 5, Insightful

    When are we going to learn to incorporate bounds checking in to everything ? We have the CPU cycles.

    1. Re:more buffer over flows by maximilln · · Score: 2, Insightful

      When are we going to learn to incorporate bounds checking in to everything ?

      I always validated my input, even when learning to program BASIC out of the C=64 User's Guide and the advanced Programmer's Reference Guide in my early teens before taking any formal classes in it. I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.

      --
      +++ATHZ 99:5:80
    2. Re:more buffer over flows by bs_testability · · Score: 3, Insightful

      I'm not having any more luck getting developers to incorporate self test, bounds checking,
      and testability access points than I am trying to get my kids to eat vegetables.
      Even tying bonuses to it motivates few.

    3. Re:more buffer over flows by Bedouin+X · · Score: 3, Interesting

      I wonder if my newly acquired NX protection (just installed XP SP2) will protect me from this. I use Trillian Pro anyway but if anybody has a link, I'd like to see.

      --
      Dissolve... Resolve... Evolve...
    4. Re:more buffer over flows by the+unbeliever · · Score: 1

      Does your CPU support it?

      (read: Are you running an Athlon 64?)

    5. Re:more buffer over flows by Bedouin+X · · Score: 1

      Yeap 3000+

      --
      Dissolve... Resolve... Evolve...
    6. Re:more buffer over flows by pjt33 · · Score: 3, Insightful

      When everyone uses Java or OCAML rather than C(++).

    7. Re:more buffer over flows by Proaxiom · · Score: 4, Interesting
      I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.

      Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.

      For instance: Not too long ago few programmers had any idea they should check input values for SQL control characters before passing it to a database script. They assumed input wouldn't contain any, without realizing they were so assuming.

      It's true that many bugs arise from unchecked string lengths, and those are usually pretty easy to catch (and to fix), but resolving those problems will only take care of a subset -- though probably a large subset -- of the input-related security flaws out there.

    8. Re:more buffer over flows by TheSync · · Score: 1

      Simple answer, use C#/.NET with managed code. No more buffer overflows.

    9. Re:more buffer over flows by delus10n0 · · Score: 1

      When I learned about interacting with SQL (of the MS variety), one of the first things I learned was to escape single quotes to double quotes. I'm amazed that today programmers still make the mistake of not escaping/cleaning what they're sending to their SQL server.

      --
      Not All Who Wander Are Lost
    10. Re:more buffer over flows by maximilln · · Score: 1

      The hard part is identifying all the assumptions we have to validate against

      If I didn't personally initialize the variable then I must explicitly define, through validation, what type of information that variable is carrying. It's not that tough.

      They assumed input wouldn't contain any, without realizing they were so assuming

      I think the only thing that was assumed is that the input had been validated by the routine or program which generated it. We're faced with a quandary: validate everything and waste code redundantly re-validating input which _SHOULD_ have been validated or risk security flaws.

      This leads to another argument in favor of open source: If the code is open source then a programmer can check that the variable was properly validated. Proprietary code probably causes massive migraines for programmers who have deadlines to meet and can't spend the next month re-validating every struct array that comes out of the kernel. Imagine having a program that displays the current time in the upper right hand corner... should you have to validate the time returned by "date" or "hwclock"? In open source you can ensure that those registers can't be hijacked. In proprietary code you can either spend time running a brute force fault test (hehehe... yeah right) or assume that the data will always contain what you think it will.

      --
      +++ATHZ 99:5:80
    11. Re:more buffer over flows by Bedouin+X · · Score: 1

      Yes sir.

      But I bought the CPU to play Doom 3 and as such, the 3000+ does me fine. Especially compared to ANY Intel chip.

      --
      Dissolve... Resolve... Evolve...
    12. Re:more buffer over flows by ManxStef · · Score: 1

      Or Delphi (Object Pascal), C# (Delphi v2 - Microsoft poached Anders Hejlsberg from Borland), Python, Ruby, and several other languages that handle strings in a more sensible way (though the overheads are higher so, as always, it's a tradeoff).

    13. Re:more buffer over flows by the+unbeliever · · Score: 1

      I wish I had your budget. I just built an Athlon XP-M 2500+ system ;/

    14. Re:more buffer over flows by Evil+Adrian · · Score: 1

      Surprised no one responded that Microsoft's NX protection is evil and will rip you off.

      --
      evil adrian
    15. Re:more buffer over flows by sp0rk173 · · Score: 1

      Ada does it with minimal overhead.

  5. Obvious solution. by Masque · · Score: 5, Funny

    This vulnerability only affects those rare few that actually leave their computers and do things in the "real" world.

    Those rebels deserve whatever they get.

  6. so auto-away becomes by Keruo · · Score: 1

    away for good?

    --
    There are no atheists when recovering from tape backup.
  7. But.... by lachlan76 · · Score: 3, Interesting

    Do many people put links in away messages anyway? Wouldn't people think it was strange that there is a link to something they've never heard about in an away message? I've never used AOL, so can someone tell me if you can use a text link, or is it only a URL?

    1. Re:But.... by LostCluster · · Score: 1, Informative

      The problem isn't a link within an AIM away note, it's an abuse of a link format within a webpage that is supposed to set an away note.

      A URL of the form "aim:goaway?mesage goes here" should work on most machines running AIM to set an away note. Pass too long of a string to that function, and a buffer overflow results.

    2. Re:But.... by Ben+Hutchings · · Score: 1

      You have misunderstood. AIM on Windows registers a protocol handler so that it's possible to run various AIM commands by opening URLs beginning with "aim:". One of those commands is "goaway" which sets the status to Away and sets a message. The code that implements the command doesn't check the length of the message in the URL. Frankly I think it's a large security and privacy risk to register such a protocol handler in the first place.
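
Added example, not part of the thread and not AIM's actual code: a C sketch of the length check that the comment above says the goaway handler lacked, rejecting an over-long message instead of copying it into a fixed buffer. The 1024-byte limit and the `aim:goaway?message=` form come from the thread; the function names, status codes and percent-decoding rules are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1024 is the message length cited in the thread; all names are illustrative. */
#define AWAY_MSG_MAX 1024

enum { AWAY_OK = 0, AWAY_BAD_URL = -1, AWAY_BAD_ESCAPE = -2, AWAY_TOO_LONG = -3 };

static const char GOAWAY_PREFIX[] = "aim:goaway?message=";
#define PREFIX_LEN (sizeof GOAWAY_PREFIX - 1)

/* Value of one hex digit, or -1 (also returned for the terminating NUL). */
static int hex_val(char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/*
 * Decode the message of an "aim:goaway?message=..." URL into out.
 * The bound is checked against the DECODED length before every write,
 * so the attacker-controlled input can never run past out_size.
 * On any error out is left as an empty string: reject, do not truncate.
 */
int parse_goaway(const char *url, char *out, size_t out_size)
{
    size_t n = 0;
    const char *p;

    if (out == NULL || out_size == 0) return AWAY_BAD_URL;
    out[0] = '\0';
    if (url == NULL || strncmp(url, GOAWAY_PREFIX, PREFIX_LEN) != 0)
        return AWAY_BAD_URL;

    for (p = url + PREFIX_LEN; *p != '\0'; p++) {
        char c = *p;
        if (c == '+') {
            c = ' ';                       /* form-style space, as in the thread's URL */
        } else if (c == '%') {
            int hi = hex_val(p[1]);        /* p[2] is read only if p[1] was a digit */
            int lo = (hi < 0) ? -1 : hex_val(p[2]);
            if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) {
                out[0] = '\0';             /* malformed escape or embedded NUL */
                return AWAY_BAD_ESCAPE;
            }
            c = (char)(hi * 16 + lo);
            p += 2;
        }
        if (n + 1 >= out_size) {           /* keep one byte for the terminator */
            out[0] = '\0';
            return AWAY_TOO_LONG;
        }
        out[n++] = c;
    }
    out[n] = '\0';
    return AWAY_OK;
}

/* Demo helper: status for a constructed URL whose message is n copies of 'A'. */
int status_for_length(size_t n)
{
    char out[AWAY_MSG_MAX];
    char *url = malloc(PREFIX_LEN + n + 1);
    int rc;

    if (url == NULL) return AWAY_BAD_URL;
    memcpy(url, GOAWAY_PREFIX, PREFIX_LEN);
    memset(url + PREFIX_LEN, 'A', n);
    url[PREFIX_LEN + n] = '\0';
    rc = parse_goaway(url, out, sizeof out);
    free(url);
    return rc;
}

int main(void)
{
    char msg[AWAY_MSG_MAX];
    int rc = parse_goaway("aim:goaway?message=Anything+goes+here", msg, sizeof msg);

    printf("status %d, message \"%s\"\n", rc, msg);
    printf("1023 chars: %d, 1024 chars: %d\n",
           status_for_length(1023), status_for_length(1024));
    return 0;
}
```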

    3. Re:But.... by btsdev · · Score: 1

      Unless someone wanted to create an internet worm-like problem, they *could* do what you're saying, but, the exploit isn't "catchable" through clicking links in away messages. You click a link ANYWHERE on the web and it will execute arbitrary code on your pc. Your away message, if formed by a link using the exploit, would probably look like mumbled garbage.

    4. Re:But.... by Zebbers · · Score: 1

      why the fuck is that function even allowed or needed. I don't need my browser interfacing with AIM.....the only semi useful one would be the one to open a window to send a message but even then....

    5. Re:But.... by flonker · · Score: 1



      That exploit seems obvious. Wonder if it would work.

    6. Re:But.... by gnu-generation-one · · Score: 1

      "Do many people put links in away messages anyway?"

      They do now...

      Hmm, each AOL user who visits my website gets an advertisement for it inserted into their away message... decisions, decisions. And they're AOL users, so I don't even care if they decide not to return to my website.

  8. Needs user assistance by LostCluster · · Score: 3, Informative

    There is not going to be an auto-spreading worm based on this hole. From the article: "AIM users would have to click on the URL to trigger the vulnerability..."

    AIM-based worms that need user clicks to spread have already existed for a while. I've already seen one that tempts people to a page that offers a malware ActiveX download, and if the user accepts their AIM profile is changed to advertise the malware site without them realizing what they've done.

    So, in short, this one's bad, but there's a pretty easy workaround that'll keep you safe: Hover over the hyperlink before you click on it to see the URL. If it's a mile long, don't click on it.

    1. Re:Needs user assistance by Anonymous Coward · · Score: 1, Informative

      Actually, that's a mistake in the article. See this post for details. Or, if you use AIM, click here to see your away message set automatically, from your web browser. Scary, huh?

    2. Re:Needs user assistance by Ieshan · · Score: 2, Insightful

      The real solution is to teach people not to accept ActiveX Downloads and other such things without reading the screen.

      I'm not really sure what the problem is. Reading the computer screen is not a difficult or scary task. Understanding words like "install" and "security hazard" and "caution" are not that difficult.

      I know it would be terrible UI design, but IE should really scramble the buttons at the bottom of ActiveX Dialogue boxes to keep people from instinctively clicking without reading. There are one or two ActiveX Components on the ENTIRE (effing) INTERNET that need to be installed.

      Teaching people basic computer security along with their basic computer skills is a useful and worthwhile thing.

    3. Re:Needs user assistance by Anonymous Coward · · Score: 1, Informative
      the user somehow has to get fooled into visiting an unsafe site for the whole process to start.
      Actually, it's not hard, and it's basically automatic.

      There was an article just the other day on Slashdot about this exact topic.

      Basically the idea is that a good 30-50% of the results on the first page for Google searches on almost any topic nowadays will install spyware on your PC if you have an unpatched version of IE. Now with this exploit, ANYONE running AIM needs to worry, even if they are using an entirely different browser, like Firefox.
    4. Re:Needs user assistance by grayson_DEV · · Score: 1

      " ... there's a pretty easy workaround that'll keep you safe: Hover over the hyperlink before you click on it to see the URL. If it's a mile long, don't click on it."

      well, that eliminates half the web right there ...

    5. Re:Needs user assistance by AllUsernamesAreGone · · Score: 1

      If it's a mile long, don't click on it.

      Good rule, if it wasn't for a couple of problems - for a start this is AOL users, not exactly the group most renowned for net-savvyness and reluctance to click every link in sight. Even the length of the URL isn't an indicator with services like shorturl, and I could write a two line perl script that could turn an innocuous looking URL into a redirect to something much nastier (and the chances are it'd work so fast they wouldn't even notice).

      URL length isn't really a good measure of safety, nor is the link the browser displays (which can be obscured with javascript in most cases anyway)

    6. Re:Needs user assistance by gad_zuki! · · Score: 1

      Yeah, read the screen. Where will you find the information you need like:

      1. This is spyware which will download more spyware.

      2. This is poorly written and will cause you a lot of problems.

      3. There is no uninstaller, or this is a severe pain to uninstall. Good luck, sucker!

      In other words, spyware promotes itself like typical free software people expect. I think your argument would only make sense if there was a legal responsibility to say the above things in normal non-legalese non-techese speak. But please, don't let the facts get in the way of end-user bashing.

    7. Re:Needs user assistance by Ieshan · · Score: 1

      If I was handing out free snowcones on the street with a small asterisk next to "free" that said "also contains Methylenedioxymethamphetamine", do you think people would eat it just because Ecstasy is tough to understand in medical terms?

      Surely not.

      People are smart enough to know that all things come at a cost.

  9. GAIM? Fire too by ShatteredDream · · Score: 2, Informative

    For Mac users there is Fire which since going 1.0 is quite nice and polished.

    1. Re:GAIM? Fire too by martingunnarsson · · Score: 1, Funny

      I can't stand the Fire logo/icon. Yuck! If I'm gonna switch from ICQ to Fire I HAVE to find another icon!

      --
      Martin
    2. Re:GAIM? Fire too by derphilipp · · Score: 1

      Or Adium, a quite nice interface that can use your addressbook to display information (and a picture) about your chat partners
      They are all directly installable via the "darwinports" port system

      --
      Spelling mistakes: My is english spoken not tongue of mother.
    3. Re:GAIM? Fire too by slamb · · Score: 2, Interesting
      For Mac users there is Fire which since going 1.0 is quite nice and polished.

      Looks like the Mac version is not vulnerable to this specific bug, as it deals with the way Windows has pluggable protocols for URLs. (Which is not to say that I'm confident the official Mac client has no security problems. I'm not.)

      Also, as long as we're mentioning IM clients for the Mac: my favorite is Adium. I'm a little biased, but it has a great UI. (See the About page for screenshots.) libgaim backend, so support for many protocols.

    4. Re:GAIM? Fire too by minus_273 · · Score: 1

      huh? do mac users even use the official client? i thought everyone just used ichat. Is there anything the main client can do that ichat can't?

      --
      The war with islam is a war on the beast
      The war on terror is a war for peace
  10. worm/virus? by garcia · · Score: 1

    However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.

    The vulnerability reinforces the importance of using caution when clicking on links in IM messages, especially when they are from unknown correspondents, he said.


    This probably would cause some harm but not as much as a worm/virus that would automatically send the malicious URL to all users that are away on your list.

    I know that most of my less knowledgeable friends that use AOL would instantly click a URL from someone on their buddy list. I am not so sure they would do it from a random IM.

    1. Re:worm/virus? by TeddyBare · · Score: 5, Funny

      Wouldn't you have to be a "less knowledgeable" user to use AOL in the first place?

    2. Re:worm/virus? by datadriven · · Score: 1

      Yahoo breaks 3rd party clients on a regular basis. I have a netscape account, which is AIM, as a backup.

    3. Re:worm/virus? by wed128 · · Score: 1

      aol, yes. but AOL!=AIM

      aim is a rather good protocol, i use it regularly...with the gaim client. alternative clients rule.

  11. Don't forget about Trillian for Windoze users by suckass · · Score: 2, Informative

    http://www.trillian.cc

    Think Gaim but pretty!

    --
    blah, blah, blah
    1. Re:Don't forget about Trillian for Windoze users by netsavior · · Score: 1

      the free version of Trillian crashes if you try to use it to connect to Yahoo messenger, the pay version does not have such a problem.

    2. Re:Don't forget about Trillian for Windoze users by Lisandro · · Score: 1

      I have to agree. I really like GAIM, but it doesn't hold a candle to Trillian, IMHO. The best multi-protocol IM client, in any platform i've tried.

      Kopete is also nice, if you're into KDE.

    3. Re:Don't forget about Trillian for Windoze users by Captain+Segfault · · Score: 1

      Trillian is nice and all, but it does not have UTF-8 support in the free version.

      As a gaim user, this pisses me off, because it affects my communications with friends using trillian.

      Gaim has no problem with UTF-8, nor does the official client.

  12. Re:Internet Provider by Chess_the_cat · · Score: 2, Informative

    You don't have to be an AOL subscriber to use AIM.

    --
    Support the First Amendment. Read at -1
  13. Jabber & Google by MarcoPon · · Score: 3, Insightful
    I just hope that Google launch a Jabber based IM system; it will be a major boost to the adoption of Jabber's servers as an open standard.
    It could also be seamlessly integrated with GMail, using the same id both as the e-mail address and as JID.

    Bye!

    --

    SeqBox
    1. Re:Jabber & Google by Squiddl3 · · Score: 1

      so they won't use jabber. Of course it's open and they can implement it fairly easy. BUT why the heck should the Programmers of Psi, Gaim, Imcom, Kopete, TKGabber,... implement this? Why wouldn't i throw this spam-feature away from the code after they implemented it (after smoking some real bad shit)

      So they will stick together with a commercial Network. A big one. And after that this network will always change the protocol, so that all the not official Clients will not be able to connect. So it's even harder to convince anybody to change. Except everybody switches away from this "major"network.

    2. Re:Jabber & Google by imroy · · Score: 1

      I'm not so sure the Jabber system would work so well with Google. With Jabber (IIRC) all communications go through a central server. Apart from the privacy concerns, that'd be a helluva lot of bandwidth. Jabber servers are really meant to be implemented at the ISP/company/campus/whatever level. That would still work with having identical email addresses and JID's. Google would either have to come up with some geographically-based set of virtual servers (which they probably already do!) or modify the Jabber system to be more peer-to-peer like other IM protocols. i.e The central server is used for tracking user status, searching, etc while the actual communications go directly from user to user.

    3. Re:Jabber & Google by mattyrobinson69 · · Score: 1

      if google were to have a bot listen to the conversation and target their ads on gmail at me better, i wouldn't mind - its not as if google's ads are intrusive.

      as long as somebody (person) wasn't listening to my messages, i wouldn't mind. if you did, you could always use encryption anyway.

      If the tin foil hat crowd are bothered about this, why don't they mind using cable internet - on that, your packets get sent to everybugger in the neighborhood, like Ethernet with a hub, not a switch.

      either that or they could get a nice tin foil theme for their jabber client.

    4. Re:Jabber & Google by MarcoPon · · Score: 1
      Other clients will not be a problem. Google can simply implement a web based client, and put targeted Ads on that.
      Aside from the web client, one can then freely connect with any Jabber client he want/like, if & when he'll find that more convenient.

      Bye!

      --

      SeqBox
    5. Re:Jabber & Google by BillyBlaze · · Score: 1

      I really don't know, but isn't that also true of AIM, unless you directly connect? I know it's easy to have AIM conversations when both parties are behind NAT firewalls that don't allow inbound connections, but I'd have to forward a port to transfer files.

    6. Re:Jabber & Google by j3110 · · Score: 1

      I hope so.

      A possible motivation would be more advertising. They could append a text ad to the bottom of incoming messages. Also, that would give them one more playing field to compete with Yahoo on. It's an application that they can have on every client's computer to get information to them... They may put RSS feed notification in it just so they can get you to click a link and see another ad. There's a lot of nifty things they could do with XMPP, but who knows if they'll venture into it.

      That said, I really wished it would help, but to most people, it would just be another messenger that isn't compatible with theirs. I plan on fighting this IM thing as much as I can too. I plan on branding an XMPP client and running a server for the place where I work for getting info out to their clients. The business is such that they advise people on Stock/Option trades, so speedy delivery may give them an advantage over just E-Mail. Right now, they use Yahoo for a lot of stuff, and for no good reason. Since our clients need to run applications on their computers to get at other services, I'm going to roll them in there together.

      The best thing that could happen is a better XMPP server. Have you ever tried to run an XMPP server and keep all the gateways up? There is no real separation, even when you have different processes. Back when I was running one, the Y! gateway would find a way to take the whole thing down, and I was the kind of guy that had XFree86 4.0 straight off the CVS running just fine. I think it should be so easy to install and extend that there is no excuse to not run it as your company-wide messenger, and you should be ostracized from /. and SF.net for not being reachable via XMPP. Slashdot should notify me of any replies to this message via XMPP!

      Maybe we should start with /. Why not give away a @slashdot.org JID with a subscription... I might actually buy one then. Strike a blow for open standards!

      --
      Karma Clown
    7. Re:Jabber & Google by MarcoPon · · Score: 1
      Maybe we should start with /. Why not give away a @slashdot.org JID with a subscription... I might actually buy one then. Strike a blow for open standards!

      That's surely a great idea, indeed!

      Me too! :)


      Bye!

      --

      SeqBox
  14. Re:Solution by goetzAThome · · Score: 2
  15. Y R U Here? by grunt107 · · Score: 1

    IDefense discovered the vulnerability and informed AOL about it on July 12, the company said. The company released an advisory on it Monday only after computer security intelligence company Secunia Inc., of Copenhagen published an advisory warning of the hole, citing information provided by two security researchers who also had discovered the hole.

    If this review is something AOL commissioned, good for them. It would be nice, however, if they had an internal QA department that could find these design (actually coding) flaws.

    On the other hand, if these companies were not hired for security reviews, will this sort of 'discovery' (paranoia here:) cause a DMCA backlash?

  16. I use Gaim because it's the best in Linux by xutopia · · Score: 2, Insightful

    But I wouldn't tell Windows users to jump right away to Gaim. It is still in beta and has a slew of bugs. Telling Windows users who have no idea what Open Source Software is that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.

    1. Re:I use Gaim because it's the best in Linux by LiMikeTnux · · Score: 1, Insightful

      "Gaim is only in version 0.81" IE is only in version 6.0, firefox is in 0.9.3, which has less holes and is actually fixed within a few days? just goes to show release numbers don't mean much in terms of readiness

      --
      yap
    2. Re:I use Gaim because it's the best in Linux by Rethcir · · Score: 1

      I've been using Gaim under windows for a while, and it's pretty stable (as of version .79, .80 craps on me with a GTK error) and has a ton of great features. My only complaints are that you have to keep the window pretty wide horizontally in order to avoid having a scrollbar on the bottom, and that your saved away messages should be only one click away rather than nested inside the away button menu, and also I'd like if you could have the option to shrink the buddy icons in the buddy list if you choose to view them there. Other than those niggles i think that it's a fantastic program, it's been running on my computer nearly nonstop since April or so, and best of all no ads or spyware! I should try and download the source and do something about those little things.

    3. Re:I use Gaim because it's the best in Linux by the_rev_matt · · Score: 5, Informative

      I've been using GAIM on XP at work for 4 months now. It has had a total of one problem, when Yahoo changed protocols to screw third party IM clients. Downloaded the new version of GAIM less than 24 hours later and it worked fine.

      I have encountered zero bugs with GAIM, which I consider very unusual for anything running on Windows.

      --
      this is getting old and so are you

      blog

    4. Re:I use Gaim because it's the best in Linux by xutopia · · Score: 1
      well you have been very lucky. My experience with it is that it is shaping up to be something awesome but as of right now it isn't worth pissing off users with it. It would gain a bad name and I just don't want people associating Gaim with unpolished and bug-ridden.

      I have had my fair share of Gaim crashes when receiving an email notification (MSN) with international characters in its subject. I've had version 0.78 crash on me for no reason whatsoever. I've also had no progress bar when sending files up until 0.81 and before that it sometimes appeared and never went away. There are still lots of things that need to be dealt with before this program is usable for the majority of users. A small annoying bug could turn them away from using Gaim for good even if the next .01 increment would fix that bug and make the software perfectly alright for their usage. Better to be safe and make people see the show once it's ready for the road.

    5. Re:I use Gaim because it's the best in Linux by Pastis · · Score: 1

      version number has nothing to do with reliability.
      There are many software out there using a 0.x version number and who are better than software over the 1.0 mark in the same domain.

      Gaim works fine most of the time, and I've advised it successfully to many windows users, who have no idea how their computer works let alone what open source is.

      of course there are the occasional disconnections, but that only requires clicking reconnect.

    6. Re:I use Gaim because it's the best in Linux by Hoch · · Score: 1

      The problem with this philosophy is that you are subjecting your friends to the torture of the default clients by not informing them of alternatives. Run aim, msn, etc. for 5 minutes and you will remember all the reasons that it is worth suffering through bugs to use gaim. I am 5 for 6 at converting my friends to using gaim. I personally waited a long time for the windows port, using trillian. The main thing that people seem to like about gaim is that it has an uncluttered interface instead of the 10,000 useless, redundant and downright annoying buttons in aim, msn, (trillian), etc. Gaim does something that most software neglects to do, keep it simple.

      --
      2*31*37*263
    7. Re:I use Gaim because it's the best in Linux by xutopia · · Score: 1

      hey as much as I am a philanthrope and hate seeing my friends suffer I feel there is nothing bad with letting them suffer. When they do discover Gaim, and it is bug free and very usable, I'll even install it for them. But I don't want to ruin Gaim's reputation by prematurely migrating my friends to it when it is sub-par.

  17. GAIM? Trillian? by Black.Shuck · · Score: 3, Informative

    Miranda. Choice is good. :)

  18. or... for win32bies... by doppleganger871 · · Score: 3, Informative
    1. Re:or... for win32bies... by psycht · · Score: 1

      I use trillian myself, but since it handles things almost exactly like AIM, it's possible that it could share the same security holes.

    2. Re:or... for win32bies... by matrix0f8h · · Score: 1

      Gaim works great on windows too!

  19. My God! by Anonymous Coward · · Score: 4, Funny

    Fortunately, most of AOL users are known to be savvy enough to find some work-around until patches are available.

    1. Re:My God! by MongooseKY · · Score: 1

      Wow I hope that was tongue in cheek... most AOL users I know have the PC literacy of a baboon.

  20. Kopete vs Gaim by simetra · · Score: 1

    I've been using Kopete for a while and enjoy it. On a lark, I tried Gaim recently, only to find that it won't work with MSN Messenger "out-of-the-box" because it requires installing some SSL thing. So, I said screw Gaim, and still use Kopete. Not that I'm in love with MSN Messenger, but that's what most of my non-geek relatives use.

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
    1. Re:Kopete vs Gaim by simetra · · Score: 1

      Yep, I didn't have Mozilla. I do now, so maybe I'll try again. Sure, I could probably just download the damn ssl thing, but I'm tired of downloading crapheap upon crapheap upon crapheap to satisfy little "application" dependencies. This isn't win32... though I would imagine that a modern win32 installer would be kind enough to include required dll's and such.

      --

      "Would it kill you to put down the toilet seat?" -- Maya Angelou
    2. Re:Kopete vs Gaim by mattyrobinson69 · · Score: 1

      read the FAQs on gaim.sf.net. there's a section covering SSL. you have to edit a file and run a command or two, can't remember what they are, as i use amsn now (amsn.sf.net)

    3. Re:Kopete vs Gaim by MarkByers · · Score: 1

      I solve the problem of missing dependencies by using a package manager to automatically download and install dependencies. There are many distros that support this by default, maybe yours does too?

      --
      I'll probably be modded down for this...
  21. Coincidental... by GillBates0 · · Score: 4, Interesting
    I've been assigned a task of choosing the best IM service/client for our group at work and will be recommending Gaim (correct capitalization) at a meeting today.

    The decision was mostly because of its cross-platform, cross-service compatibility and "Buddy Pounce" features (and because it's my personal favorite too :)). This way folks can continue to use their personal MSN/AIM IDs without a problem. The Buddy Pounce feature allows a script/macro to be run in response to an event - this feature is particularly useful for us because we can kick off an SMS message for example in response to a message or another event.

    Though they don't release Solaris binaries, I did get it to build on Solaris/SPARC with a little effort. I know the Yahoo Messenger UNIX version is open source now, so I could probably try and build it for obscure platforms, but it is IMHO severely crippled compared to the Windows counterpart.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
    1. Re:Coincidental... by accessdeniednsp · · Score: 3, Informative

      And don't forget about the gaim-encryption plugin!

      http://gaim-encryption.sf.net

      Cross-platform, and uses the mozilla NSS libraries which gaim already uses too!

    2. Re:Coincidental... by Anonymous Coward · · Score: 1, Insightful

      Gaim also sucks in a lot of ways.

      Its support for non-aol protocols is between half-way decent and crap (though some, like IRC have recently improved a lot ... hence half-way decent).

      Gaim (at least recently, a month or two ago ... things do change quickly) still can't handle multiple presences in Jabber (although now that AIM has a similar thing I wouldn't be surprised if Gaim fixed that--it used to be that it would disconnect if a new presence connected).

      Buddy Pounce is cool. It was the reason I started using it many moons ago. Nothing really new has been added that's been innovative, which on one hand is sad, but on the other hand indicates it has matured. Gaim-e is nice but it's also nice to have automatic key generation (granted this has the problem of MITM attacks that Gaim-e and its gpg based solution doesn't have).

      Also, the Gaim code is horrible. This is most likely because of its integration with GTK but pretty much everything -- including protocol back ends -- are intrinsically tied to the front end which makes it in my mind poorly designed.

      But whatever works, right?

      (speaking of which--as for 'best IM service' I'd suggest Jabber, which you may have already decided on ... built-in support for SSL connections, most clients support end-to-end encryption with PGP also, and you can have multiple sign-ins using different 'resources' such as different machines. I'd suggest using Psi though as it (in my opinion) is the most feature complete Jabber client. It is also cross platform. Gaim of course also supports Jabber. )

    3. Re:Coincidental... by Perky_Goth · · Score: 1

      since nobody said it, beware of when providers upgrade protocols for "security" reasons. you might end up with a few days without it.

    4. Re:Coincidental... by javabsp · · Score: 1

      Gaim's protocol plugins have been clean of any GTK code for at least several months now. And Jabber's "built-in" SSL support is not always secure, since it does not ensure that the other party is also connected to a SSL enabled Jabber server.

  22. Gaim security by cras · · Score: 1, Informative
    Yet another reason to switch to, IMHO, a better client such as gaim.

    Gaim's security doesn't look very good either. Switch if you like, but don't expect it to be any more secure.

    1. Re:Gaim security by kmmatthews · · Score: 1

      Actually, the fact that Gaim is open about security issues is much more encouraging than the silence given by AOL....

      --
      feh. stuff.
    2. Re:Gaim security by Xoder · · Score: 2, Informative

      None of those are recent. There's one that's dated august 4, but it only refers to gaim 0.75 and earlier (and many versions of Trillian, I might add!). 0.81 is here, and dear goodness is it tasty! (AIM file sending now works [slowly, but AIM-ftp was always slow])

      --
      The previous sig has been removed due to /. protecting your best interests
  23. Thanks SP2! by Meostro · · Score: 1, Funny

    Thank goodness I downloaded SP2, since it will obviously keep my computer safe from this problem.

    It's the bestest thing ever!

  24. BAH!! by angrist · · Score: 1

    I don't use away messages you insensitive clod!

    Seriously, it's easier to ignore people you don't want to deal with if they know you don't use away msgs.

  25. oh god by TechnologyX · · Score: 5, Funny

    "However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said."

    Yeah, this wouldn't be such a problem if the average IQ of an AIM user was above 2

    MizzIz283334: "LIke, OMG Iz just gots a linky from somewhere!!!11!!oneoneone"
    IzLikeBoizzz435435: "OMG u clic it?"
    MizzIZ 283334: "OMG WTF BBQ My computer died!!!"

    --
    Slashdot sucks
    1. Re:oh god by Hungry+Student · · Score: 1

      Ah, so true, it's ridiculous to expect (most) AIM users to not click on a link, I know my sister can't help herself, she almost binned a perfectly good laptop because it was browsing the internet incredibly slowly. The reason? So loaded down with spyware it could barely run calc. I cleaned it up and it runs perfectly.

  26. gaim by minus_273 · · Score: 4, Interesting

    seriously is gaim really a better client? It alwasys seems to me like the unauthorized clients are a generation behind the real ones. Back when file sharing was big, gaim could not do it. Then buddy icons, gaim could not do it. Now gaim can do those, but the big thing is voice and video, gaim can't do those.

    --
    The war with islam is a war on the beast
    The war on terror is a war for peace
    1. Re:gaim by pjt33 · · Score: 1
      It alwasys (sic) seems to me like the unauthorized clients are a generation behind the real ones.
      Of course they are. You can't write the support until you've got a spec to write to, and you don't get that until the authorised client is published. OTOH this is /. - a lot of us share files using scp, for example. I know I don't care whether or not my IM client supports file transfers, or anything beyond text messages for that matter.
    2. Re:gaim by silverfuck · · Score: 2, Informative

      I'm sure you already know this, but gaim-vv is a friendly fork concentrating on the video and voice stuff, so at least they're making an attempt to catch up.

      As an aside, I can think of many features where the official clients are/have been behind. When logging was big, the official clients couldn't do that! Another good example is buddy pouncing. Not to mention all the plugins...

      --
      You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
    3. Re:gaim by madcow_ucsb · · Score: 1

      Well seeing how I never use audio or video, gaim's the better client for me simply because it can auto-save transcripts and doesn't have flash ads. Although I wish they'd implement a decent scroll-back history feature like ICQ. I can't count the number of times with Windows AIM where I've accidentally closed a window full of flight information or something and have to try to get it again somehow.

      Actually, I *really* wish that all my friends had just stuck with ICQ instead of jumping to AIM (which was faster at the time), but what can you do...

    4. Re:gaim by AnyoneEB · · Score: 1

      I've never used ICQ, but for quick history you can use the "History" plug-in which comes with Gaim. Every time you open a conversation window, it displays the log of your previous conversation with that person on top (it makes all the text black and puts a to separate it from your current conversation).

      --
      Centralization breaks the internet.
  27. Why allways plugging FLOSS? by FedeTXF · · Score: 1, Offtopic

    Why does every article mentioning a piece of software have to mention a FLOSS alternative in the blurb?

    1. Re:Why allways plugging FLOSS? by dave420 · · Score: 1

      Because it's slashdot! Damn anyone to hell who has a problem with recommending buggy alternatives to people running polished finalised software with very minor bugs! Damn them to hades! :-P

    2. Re:Why allways plugging FLOSS? by imroy · · Score: 2, Informative

      Because FLOSS software has always spread by word-of-mouth. Commercial vendors have a thing called a budget and part of it will be money for advertising and other promotional gimmicks. Most FLOSS doesn't have any of that but still needs to "get the word out". It's just different methods used by two different systems of software development. I'm a long-time Linux and FLOSS user/supporter so I usually know about the things they mention. But occasionally someone will mention a package or project I haven't heard of before. It's useful information.

    3. Re:Why allways plugging FLOSS? by dave420 · · Score: 1

      Apart from the fact AIM has been around for years, is incredibly stable, ISN'T BETA, and has a real, professional support team working to keep it that way. I know people here love to defend their open-source apps, but really. Objectivity doesn't hurt.

    4. Re:Why allways plugging FLOSS? by Lehk228 · · Score: 1

      yes minor flaws such as Arbitrary remote exploits, that's nothing to worry about there. Now gaim is terrible, a clever h4x0r could find out your USER NAME for a while before the leak was fixed.

      --
      Snowden and Manning are heroes.
    5. Re:Why allways plugging FLOSS? by tepples · · Score: 1

      Now gaim is terrible, a clever h4x0r could find out your USER NAME for a while before the leak was fixed.

      You don't need to be a clever cracker, as last time I checked, user names (but not passwords) were public. Profile links to my web site, which links to my e-mail address, which contains my (public) user name.

    6. Re:Why allways plugging FLOSS? by lboxman · · Score: 1

      Dude...I think you missed the joke...

      --
      Regexes are like cocaine. The first hit is pretty good, but afterwards you try to use them to solve all your problems.
  28. I use the ICQ client. by Audigy · · Score: 1

    Did you know that you can add AIM contacts to your contact list on ICQ, and vice versa?

    Much handier for keeping message archives, and much less exploitable... and less intrusive also.

    For those who don't want to use GAIM, Trillian, or Miranda.

    The AIM client is ugly and stupid; I can't believe people still use it anyway.... unless they've "gotta have their AOL" even though they've "graduated" to a real ISP.

    Feh.

    --
    [an error occured while processing this directive]
    1. Re:I use the ICQ client. by hawaiian717 · · Score: 1

      Older versions of ICQ can't talk to AIM, and vice versa. Personally, I expect sooner or later ICQ will cease to be a separate service from AIM; ever since AOL purchased ICQ the two have gotten more and more alike... ICQ uses AIM's OSCAR protocol now.

      --
      End of Line.
  29. Registry Fix by Davak · · Score: 2, Informative

    One of our users posted a walkthrough of this fix this morning. Supposedly there is a new beta version of aim that has been released without this exploit... but I've not seen it yet.

    Walkthrough of registry fix for AIM hack

    Looks like a good reason to upgrade to trillian to me.

    Davak

    1. Re:Registry Fix by Awptimus+Prime · · Score: 1, Flamebait

      Eh, Trillian is shareware trash for newbies who don't know any better.

      Paying someone for a client to access a free service seems about as silly as paying for IE or Netscape.

      Visit SourceForge and download GAIM or one of the many open source IM solutions.

    2. Re:Registry Fix by That's+Unpossible! · · Score: 1

      Eh, Trillian is shareware trash for newbies who don't know any better.

      How on Earth did this flamebait get rated highly?

      Paying someone for a client to access a free service seems about as silly as paying for IE or Netscape.

      Except that Trillian has nice features, a nice interface, really good technical support, and all the features I want. Yeah, I guess I'm a newbie though... only been working with computers for 20 years.

      --
      Ironically, the word ironically is often used incorrectly.
    3. Re:Registry Fix by tolan-b · · Score: 1

      Rubbish.

      I mostly use GAIM, but only because I work on Linux. Excellent as GAIM is, it's not a patch on Trillian. Trillian is one of the few utilities I've splashed out cash for the full version for. It's a great bit of software.

    4. Re:Registry Fix by arodland · · Score: 1

      Funny how trillian has none of the features I want, and the interface is so "nice" that it takes 5 minutes to do anything, if you can do it at all. And then they try to convince you that it would be a good idea to pay money for that crap when the free alternatives are better?

    5. Re:Registry Fix by That's+Unpossible! · · Score: 1

      Funny how trillian has none of the features I want

      Yikes, I can tell this is going to be an unbiased review... literally, NONE of the features you want? Give me a fucking break, man.

      the interface is so "nice" that it takes 5 minutes to do anything

      How can one even argue with such ambiguous garbage? How about an example of something taking a long time to perform in Trillian? I use it all the time and am anal about things like that, and have had no issues. It's also very easy to write plugins for Trillian, to extend it.

      If I wanted, I could install a skin to make it look like Gaim, but honestly, why would anyone want their application to look like it uses Gtk?

      --
      Ironically, the word ironically is often used incorrectly.
  30. Gaim works by DrYak · · Score: 5, Insightful
    that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.


    {tongue in cheek mode:ON}
    Apparently you have no idea what Open Source Software is either
    {/tongue in cheek mode:OFF}

    More seriously: Unlike proprietary software, an open source software whose version number is less than 1.x usually means more "warning: Not all cool function you would like to see are implemented yet" rather than "This software is an experimental piece of crap, that will keep crashing your OS, please wait until we get out of beta stage before testing it, unless you backup your data often".

    Personally I've been using Gaim since version 0.5x both under linux at home and under windows at work, and I can say: It's pretty stable. I've been telling my brother and my friends about it and they are happy too.
    The only reason it hasn't reached the 1.x milestone isn't because of the bugs, but because there are some features it's still missing (Mainly: some kind of file upload are missing, although things are a lot better since 0.80; Support for Webcams, etc ...)

    This is a common misconception, and a lot of newbie users can be heard complaining "Linux distro sucks, It's only full of bug ridden software : everything is version 0.xy"

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Gaim works by Kevin+Stevens · · Score: 1

      This is a common problem with OSS. The versioning system is *broken*. And, what is worse (and very common among the OSS community), OSS developers blame the users, not themselves for the misunderstandings.

      Previous to many of these OSS projects gaining prominence, "1.0" was commonly accepted as the milestone where basic functionality was fully working. The software may not be "done", but it was usable and things would Just Work. This was a de-facto standard used by almost all commercial vendors, which was handed down to students of programming, and even into software engineering textbooks. OSS dev guys just said hey screw that.. .13454 is the point where the software became usable, it's up to the users to figure that.

      1.0 made sense. now... it's virtually meaningless. I have no idea if a .9 version is as good as firefox or as crappy as a piece of software in Beta. 1.0 for OSS somewhat resembles the 3.0 of MS, aka the version when things are finally done well.

      Practices like this and others are what is entrenching OSS as "programs for programmers" and keeping them off my family's start menu. Which is fine by me, but the general goal of OSS seems to be for general acceptance among all users. If you disagree, explain, and also explain how I should be interpreting the "intuitive" versioning systems of many pieces of OSS software.

  31. Test for SP2 by Naito · · Score: 1

    wouldn't this be a good way to test the new DEP in SP2?

  32. Client for your IM needs by xiando · · Score: 2, Interesting

    My personal preference:

    screen + aterm + irssi + bitlbee

    Screen is a full screen window manager, keep something running on a server and detach/attach from anywhere

    aterm is a nice terminal for X11.

    irssi is a CLI irc client. Since Bitlbee acts as a normal IRC server, any IRC client can be used. Even CGI::IRC, there are several sites that allow you to use MSN/ICQ/JABBER/AIM/etc from a web page.

    Bitlbee is a IRC gateway server. Basically it's a irc server where you can add IM accounts. The gateway gives you a "irc channel" with ALL your contacts, whatever they are using.

    More: BitlBee Guide - Talk to msn, icq and jabber contacts using any IRC client.

    NOTE: The setup has TWO flaws:
    1) You can not exchange files (no filetransfer).
    2) Bitlbee does not support GPG encryption for secure communication (available in jabber clients like gjabber and psi).

    Rule of thumb: Original IM providers clients are never the best choice.

    1. Re:Client for your IM needs by phuturephunk · · Score: 1

      Make it a one click install and maybe you'll have a shot of someone (other than someone with extensive computer expertise) adopt it.

    2. Re:Client for your IM needs by dave420 · · Score: 1
      Or, just download Trillian, and do all of that without touching the command line.

      Rule of thumb: Everyone on /. will recommend a solution infinitely more complex than that they suggest replacing

    3. Re:Client for your IM needs by xiando · · Score: 1

      End users don't need to install or know much about Bitlbee, but to use it they must be able to:
      a) (install and) use a IRC client, OR
      b) use a web browser

      I've heard there is something called MIRC for Windows, apparently it's very simple. I've also heard Windows comes with something called Internet Explorer.

    4. Re:Client for your IM needs by phuturephunk · · Score: 1

      This is what I was getting at. Thank you for clarifying. There's a term for this sort of behavior, but I can't remember what it is.
      I usually refer to it as the Germanization of things, pulled from the fact that most German cars are too over-engineered for their own good.

    5. Re:Client for your IM needs by dave420 · · Score: 1
      I think Germanization is a bit harsh :)

      Americanization is probably a better term from a global perspective ;)

  33. I'd switch to gaim.. by Anonymous Coward · · Score: 2, Insightful

    but the UI is pretty lousy

  34. Bugfree OSS by brianerst · · Score: 5, Informative
    Thank god there have never been any buffer overflow bugs in Gaim!

    We can all sleep better now.

    1. Re:Bugfree OSS by signingis · · Score: 2, Interesting

      What was the response time for developers to release fixes for GAIM? We're going on 3 weeks now for AOL to release the fix for AIM. Not to mention that some of the vulnerabilities in GAIM were found in older versions of the program when upgrades were available.

      --

      I prefer a void in conversation to a vacuous one.
    2. Re:Bugfree OSS by brianerst · · Score: 3, Informative
      Well, according to e-matters, a series of 8 different buffer overflow bugs were disclosed to gaim developers on January 4, 2004. A new gaim client (0.75) was released on January 10, but this only fixed one of the overflows and introduced four new ones.

      On January 15, gaim development was emailed patches for all 11 existing bugs. A patch was added to CVS that evening, but there was no 0.76 release and no public disclosure by gaim dev (at least on their Sourceforge page - there may have been something sent to the mailing list). On January 23, e-matters let gaim dev know that they would release the bug report on January 26. On January 25, gaim dev replies that there is no timeframe for a 0.76 or bug-fix release. On January 26, e-matters publishes the bug report.

      On January 28, gaim dev responds with a note saying they are far from a 0.76 release and provides a link to the FreeBSD source patch. Not much use to your average teenage Windows IMer. There may have been an executable patch, but I can't find any evidence of one.

      On April 1, gaim release 0.76, the first release with the bug fixes, is released. This has taken so long because:

      Well, life has struck hard on the Gaim camp and we've been too busy with other things to provide with prompt Gaim releases.

      This is no slam on gaim - the devs have lives outside of gaim and I'm glad they're providing a great OSS client. But like anything, there are pros and cons to both OSS and commercially developed software. Assuming that OSS is always more responsive, more bugfree, and better in every other way is naive. There are tradeoffs involved in libre software - most are well worth it, but there can be downsides occasionally too.

  35. Browser does matter. by Chuck+Chunder · · Score: 2, Informative

    Opera for example doesn't just action any URL type. It will only pass on those that have been configured to be trusted.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  36. Re:Solution by Anonymous Coward · · Score: 1, Funny

    I've been "using" Jabber for like 2 years now. Unfortunately I am the ONLY one "using" it. Everyone I talk to uses yahoo, msn, or aim. I still keep myself logged in to Jabber via gaim, but I can't convince people to even try Jabber. What's your secret? Bribery? Blackmail?

  37. Umm is this not a user issue? by matth · · Score: 1

    However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.

    Correct me if I'm wrong but this sounds to me like the user has to click something and it isn't automated.... therefore, once again it is stupid users, not software!

    1. Re:Umm is this not a user issue? by TEMM · · Score: 1

      You can make it happen automatically by making the page redirect automatically to that url.

    2. Re:Umm is this not a user issue? by d3ad1ysp0rk · · Score: 1

      Correct me if I'm wrong

      Ok. The point is, the software is supposed to stop things like this from happening. That's the whole point of having error classes, form validation, and the whole 9 yards. They thought "well, the only way to get an away message is by entering it into the text box we provide, so there's no need to check the length", but like usual, they were wrong, since it can be sent via links/redirects.

    3. Re:Umm is this not a user issue? by matth · · Score: 1

      Yes, yes... I understand that... I kinda like the whole aim: thing. It allows me to join chat rooms from websites, also lets me have websites that set rotating away messages.

      I'm still not sure how this is an issue exactly. If you are clicking a link you should be checking where it goes before you click it (yes I do).

      Yes, they should do length checking, but I wouldn't say this is entirely an AIM issue, as much as a user education issue.

  38. Windows by silverhalide · · Score: 1

    I tried gaim for windows a while back, but the performance of the app is pretty rough. Very slow screen updates, and lots of bugs, especially on a machine that's not a multi-gigahertz one. Miranda is one I found recently, which is really cool. Small, compact, and fast, but still powerful. http://www.miranda-im.com/

    1. Re:Windows by kmmatthews · · Score: 1
      Try the latest version - very snappy, and with the proper theme, it looks like a regular windows app...

      gaim's sf project page

      --
      feh. stuff.
  39. Gaim? by illuminatedwax · · Score: 3, Interesting

    I use gaim regularly, but I still haven't weaned myself off the official AOL Linux AIM client because gaim still crashes every time I try to send or receive a file. Never have I seen a feature for an OSS program be so seemingly painful and difficult to implement.

    --Stephen

    --
    Did you ever notice that *nix doesn't even cover Linux?
  40. Gaim not a full-featured alternative by mccalli · · Score: 3, Insightful
    The smug "switch to Gaim" comment rather let the side down there, I think. Gaim is not a full-featured replacement. The particular deficiency I'm referring to is common to many alternative IM clients - yes, they all handle chat but very few go the whole hog and support video chats. Alternative MSN client supporting video? Not that I can find, though I'd be happy to be proved wrong here.

    A quick search reveals a fork of the Gaim project here, which, err, aims to add video functionality. Looks good from the shots, though I haven't tried it myself.

    The point of this is that people should think things through before just spouting off the top of their head. It doesn't help to have people say "yeah, use this free alternative!" and then have people turn round and say it doesn't work. I'd love to recommend a non-AOL AIM client to people, but until AV is handled I simply can't. Same for MSN -all very nice for text and file transfer, but not up to scratch for the advanced functions yet.

    Cheers,
    Ian

    1. Re:Gaim not a full-featured alternative by McBeer · · Score: 1

      "Alternative MSN client supporting video? "

      MSN messenger supports video chat. I believe MS netmeeting does as well. Heck, they even have video chat for the xbox

      --
      Hikery.net - The best hiking site ever. Made by yours truly.
    2. Re:Gaim not a full-featured alternative by mccalli · · Score: 1
      MSN messenger supports video chat.

      Well yes, but that's not an alternative client - it's the official one. Unofficial ones are needed to integrate multiple accounts, and also to operate on different platforms. And NetMeeting is drastically NAT unfriendly - not its fault, just the protocol it implements.

      At this moment, for example, I have iChat and Fire open. The reason I have iChat open is purely for the AV side of things - Fire can't handle that.

      On Windows, I have Messenger installed too, again to handle video conferencing. I know of no alternative which can do that, and I'd love one - video-conferencing with MSN user on my Mac would be a great boon to me, but MS's official Mac client can't handle that. As it is, I have to persuade people to install AOL 5.5 or put away my laptop and go use the desktop PC upstairs. Can't move the PC over to Linux either - same reason, no AV support for IM networks.

      I should point out that I use this feature a lot, so it really does matter to me.

      Cheers,
      Ian

  41. I would use it... by Eric_Cartman_South_P · · Score: 1
    Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.

    Here, I would think that the usual case, where an active open source program at 0.x is better than a commercial product at 6.x, holds true. Gaim v0.81 has over 250+ bug fixes, a few big, many small, and that product is VERY stable and logs into everything. I know 20+ people all on various ports of Gaim and no complaints. Prior to 0.6, it's been a bit hellish, but 0.7+ has been simply sweet. Remember you can install new versions of Gaim on top of old ones, and you won't lose your settings. Also, Gaim can run along the "real" IM programs, so if you don't like Gaim it's a 30 second uninstall. The benefits are worth the "risk" of trying it out.

    http://gaim.sourceforge.net/

  42. Re:Internet Provider by KevinKnSC · · Score: 1

    AOL is still the provider, though.

  43. Re:Proxy Servers... by Zerbey · · Score: 1

    This bug has been around since the 0.76 and I've reported it already. The workaround is SocksCap or runsocks (depending on your OS).

    I'm sure they'll get around to fixing it, that's a fairly low priority issue. I'd rather see full protocol support added first.

  44. Re:Do alternative clients handle voice? by mattyrobinson69 · · Score: 1

    gaim recently forked to get this functionality. search on sf.net for it

  45. Re:Proxy Servers... by mattyrobinson69 · · Score: 1

    amsn.sf.net

    as far as i understand, amsn supports the msn messenger protocol over HTTP

  46. Sure, its a great client by imtheguru · · Score: 1
    > seriously is gaim really a better client? It always seems to me like the unauthorized clients are a generation behind the real ones.

    Well, that is kind of expected. Not all the protocols are openly documented -- some have to be continuously reverse engineered to figure out the latest obfuscation. Frequent changes to Yahoo's auth procedure come to mind (see the changelog).

    And you say "a generation behind" as if it is a bad thing. Note the argument "bleeding edge vs bug free". A more mature software typically delivers a better user experience. That said, it should be noted that Gaim has been and still remains one of the most active projects on sf.net. Should tell you something about the pace of development.


    > Back when file sharing was big, gaim could not do it.

    So are you admitting to file transfers being a passing fad? ;) Gaim did support file transfers on different protocols at different times. Look at the changelog
    • version 0.11.0-pre5 (02/26/2001) -- Rewritten file transfer for TOC
    • version 0.75 (01/09/2004) -- Yahoo! file transfer (Tim Ringenbach)
    • version 0.76 (04/01/2004) -- Jabber file transfer
    • version 0.76 (04/01/2004) -- IRC file transfer (Tim Ringenbach)
    • version 0.79 (06/24/2004) -- Added MSN file transfer (Felipe Contreras)
    • version 0.80 (07/15/2004) -- Drag a file into the buddy list or a conversation to send it to that buddy
    I know that much of the file transfer functionality for Msn and Y! protocols has been added just last month. But, to be perfectly honest, i didn't miss this feature, coz i use email to send/receive files. IMAP beats having to write firewall rules.


    > Then buddy icons, gaim could not do it. No gaim can do those,

    A quick search of the changelog reveals this:
    • version 0.11.0-pre12 (05/29/2001) -- Can receive buddy icons in Oscar
    • version 0.45 (10/04/2001) -- Can choose buddy icon to send (for Oscar)
    • version 0.63 (05/16/2003) -- MSN protocol plugin was rewritten, has experimental buddy icon support, and MSN Mobile support.
    • version 0.79 (06/24/2004) -- Yahoo buddy icon support
    • version 0.79 (06/24/2004) -- Dragging an image file into the Modify Account dialog will set that as a buddy icon.
    Earlier buddy icons could only be set for AIM/ICQ (2001-2003). Now i can drag an image onto the "modify account" dialog of any account and I get an instant buddy icon.


    > but the big thing is voice and video, gaim cant do those.

    Sure it can. Check out gaim-vv. It is a fork of gaim with the aim of bringing Voice and Video to the gaim experience. It's not perfect, but it's not moving backwards either.

    I think you should test drive a recent gaim.

    Cheers, imtheguru
    --
    Yet Socrates himself is particularly missed.
    A lovely little thinker but a bugger when he's pissed.
  47. Re:This "hole" is just smoke for AOL paid infectio by HFXPro · · Score: 1

    You must have not used AIM lately. It doesn't install gator, but while installing aim if you're not paying attention it will install both weatherbug and WildTangent. Ever try removing Wild Tangent from your control panel after having removed what you thought was all components? That was a nightmare.

    --
    Reserved Word.
  48. a more secure approach by feepcreature · · Score: 4, Interesting
    I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.

    Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.

    The more secure approach is not stripping out possibly dangerous input - it is only permitting the minimum necessary. It's not always possible, but it should be applied where possible.

    So if it's a phone number, just numbers (and brackets and a plus for international numbers, and maybe minuses for the transatlantic cousins).

    Naturally there is a tradeoff between security and usability - especially if you make a mistake in the permitted characters :-(

    Even if you're not going that far, anything that looks like an escape character of any sort should generally be banned. Of course, some names have apostrophes, which could look like 'close quotes' if your app is especially dim.

    Just as well there is no strict liability for software bugs!

    --
    Paul "Say no to feeping creaturism"
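
The length check and the "only permit the minimum necessary" rule discussed in this thread, applied to the aim:goaway?message= URL form quoted at the top of the page. This is an added example, not AOL's or gaim's code: the function names, the status codes, the printable-ASCII allowlist and the use of the thread's 1024-character figure as the cap are all assumptions made here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define AWAY_MAX 1024            /* assumed cap, from the figure quoted in the thread */
#define GOAWAY_PREFIX "aim:goaway?message="

enum goaway_status { GOAWAY_OK, GOAWAY_BAD_SCHEME, GOAWAY_BAD_ESCAPE,
                     GOAWAY_BAD_CHAR, GOAWAY_TOO_LONG };

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* On any rejection the caller gets an empty string, never a partial message. */
static enum goaway_status reject(char *out, enum goaway_status why)
{
    out[0] = '\0';
    return why;
}

/* Decode the message= value into out[outsz]. Allowlist: printable ASCII only.
 * The scheme match is case-sensitive on purpose: unknown spellings are refused. */
enum goaway_status parse_goaway(const char *uri, char *out, size_t outsz)
{
    const size_t plen = sizeof GOAWAY_PREFIX - 1;
    const unsigned char *p;
    size_t n = 0;

    if (outsz == 0) return GOAWAY_TOO_LONG;
    if (strncmp(uri, GOAWAY_PREFIX, plen) != 0)
        return reject(out, GOAWAY_BAD_SCHEME);

    for (p = (const unsigned char *)uri + plen; *p != '\0'; p++) {
        int ch = *p;
        if (ch == '+') {
            ch = ' ';
        } else if (ch == '%') {
            int hi = hexval(p[1]);
            int lo = (hi < 0) ? -1 : hexval(p[2]);   /* never reads past the NUL */
            if (lo < 0) return reject(out, GOAWAY_BAD_ESCAPE);
            ch = hi * 16 + lo;
            p += 2;
        }
        if (ch < 0x20 || ch > 0x7e) return reject(out, GOAWAY_BAD_CHAR);
        if (n + 1 >= outsz) return reject(out, GOAWAY_TOO_LONG); /* keep room for NUL */
        out[n++] = (char)ch;
    }
    out[n] = '\0';
    return GOAWAY_OK;
}

static char demo_uri[4096];
static char demo_buf[AWAY_MAX + 1];

/* Constructed input: a URI whose message is `len` letters 'A'. */
enum goaway_status status_for_length(size_t len)
{
    const size_t plen = sizeof GOAWAY_PREFIX - 1;
    if (len > sizeof demo_uri - plen - 1) len = sizeof demo_uri - plen - 1;
    memcpy(demo_uri, GOAWAY_PREFIX, plen);
    memset(demo_uri + plen, 'A', len);
    demo_uri[plen + len] = '\0';
    return parse_goaway(demo_uri, demo_buf, sizeof demo_buf);
}

int main(void)
{
    /* Constructed sample URIs, not captured traffic. */
    const char *samples[] = { "aim:goaway?message=Back+at+5%21",
                              "aim:goaway?message=bad%zzescape",
                              "aim:goaway?message=nul%00byte" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int st = parse_goaway(samples[i], demo_buf, sizeof demo_buf);
        printf("%d \"%s\"\n", st, demo_buf);
    }
    printf("1024 chars -> %d, 1025 chars -> %d\n",
           status_for_length(AWAY_MAX), status_for_length(AWAY_MAX + 1));
    return 0;
}
```

The limit is enforced on the decoded length at the point of each write, so it holds no matter which path (text box, link, redirect) delivered the URL.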
  49. nasty, but good for you... by feepcreature · · Score: 1
    I'm not having any more luck getting developers to incorporate self test, bounds checking, and testability access points than I am trying to get my kids to eat vegetables.

    Nice analogy :-)

    Have you (or the PHBs) tried code review or unit tests? That might get them eating their spinach, so to speak...

    --
    Paul "Say no to feeping creaturism"
  50. Why didn't they use anything like Vstr? by tepples · · Score: 1

    Even C and C++ have mechanisms for safe string handling. C++'s std::vector and std::string types can be configured with buffer checking, and judicious use of a decent string handling library can solve the problem for C. Thus, I see the problem as programmer ignorance of the available libraries rather than any inherent defect in the languages themselves.

    1. Re:Why didn't they use anything like Vstr? by Vreejack · · Score: 1

      This seems to be the philosophy behind Java: it assumes that programmers are stupid, thus bounds-checking is automatic.

      What does this say about Java programmers? That the stupid ones do a better job in Java than C++.

      --
      "Will future ages believe that such stupid bigotry ever existed!" -- Ivanhoe
    2. Re:Why didn't they use anything like Vstr? by sorbits · · Score: 1
      Of course, C is an awesome language. C++ I'm not as keen on. If you're going to use a lot of C++-isms, you might as well be using Java.

      All the things I love about C++ is missing from Java

      Generic code/templates, operator overloading, implicit type conversion, RAII, introduce own types which feel 100% as "build into the language" etc.

      Probably you only view C++ as the ability to have member functions...

  51. licq by sewagemaster · · Score: 1

    Yet another reason to switch to, IMHO, a better client such as gaim.

    ...Or licq if you're an icq user. It's by far the best icq client on any platform out there - even better than the official AOL/Mirabilis ones.

  52. Shameless Plug! by georgevulov · · Score: 1

    TerraIM

    My little pet project ;-) It has a pretty complete OSCAR implementation, skinnable GUI, logging, talking while away, and runs straight from the binary (no install).

    --
    TerraIM - my pet AIM client project.
  53. Another reason to use GAIM? I think not... by StrandedOrg · · Score: 1

    http://www.securityfocus.net/bid/10865/info/

    1. Re:Another reason to use GAIM? I think not... by angrykeyboarder · · Score: 1

      I see no mention of Windows Gaim there.

      --
      Scott

      ©20014 angrykeyboarder & Elmer Fudd. All Wights Wesewved
  54. Why all the AOL bashing? by huchida · · Score: 4, Funny

    I use AOL broadband and love it. Sure, I could have bought Earthlink and connected to the Internet... But with AOL I can connect to both the Internet AND the World Wide Web!

    1. Re:Why all the AOL bashing? by angrykeyboarder · · Score: 1

      Now that was funny!
      Mods where are you? Doesn't that post rate a "funny"? LOL

      --
      Scott

      ©20014 angrykeyboarder & Elmer Fudd. All Wights Wesewved
  55. Open Source Pimpdaddio by Mulletproof · · Score: 2, Interesting

    "Yet another reason to switch to, IMHO, a better client such as gaim."

    I know we're all open-source whores here, but even the free version of Trillian is a much better omnipotent IM product as long as we're suggesting alternatives. The level of refinement between the two is lightyears apart. And yes, I'm using Firefox to jot this, thankyouverymuch.

    --
    You need a FREE iPod Nano
  56. XSS by phug · · Score: 1

    Three words: Cross Site Scripting

  57. Also... by idontneedanickname · · Score: 1

    There's more. This January, 12 remotely exploitable buffer overflow bugs were found in Gaim. Less than a week ago, the SuSE security team found another remotely exploitable buffer overflow. (Scroll down.) Those found in January should be fixed as far as I can tell.

  58. So easy to ... by princxixor · · Score: 1

    ...hack, no wonder it's #1!

  59. Trillian by Thieron · · Score: 1

    I started using Trillian a while ago now when I started finding myself using AIM to chat with one group of people and Yahoo another.

    I find it works well (except when yahoo updates something and breaks it for a few days) and they do a good job with updating it. I'd recommend it.

  60. Here's my question... by TalMaximus · · Score: 1

    Is switching to a supposedly better product really the best idea for this sort of situation? I mean, I'm no expert in this kind of study, but it appears to me that whatever is most popular falls victim to the most attacks. While there are flaws in Windows, security problems exist anywhere there are enough people looking for them. I often hear reports of vulnerabilities in programs like SendMail (or at least I used to), and a great novel was written about a non-Windows based security error. (The Cuckoo's Egg or something like that).

    Is it reasonable to assume that if Gaim, Yahoo Messenger, or any other instant messenger became the most popular (measuring popularity in usage) then wouldn't it risk the same scrutiny that befalls AIM?

    This question doesn't come from biased motivations either. I'm wondering if there has been a study how much scrutiny is placed on a software product in relation to its popularity in usage.

    Perhaps this would call for moderation in all things software? Diversification of your software portfolio? Crazy stuff.

  61. Re:Internet Provider by KevinKnSC · · Score: 1

    Failure to understand the point of a comment on your part does not constitute idiocy on mine.

  62. How many usability holes? by aclidiere · · Score: 1


    To me, the biggest flaw in AIM is its user interface. It's ugly, it's hard to learn, it's painful to use. I'm sure there's a hundred obvious usability mistakes.

    And, why does a company like AOL feel the need to violate my window real estate with ads? (Animated ads!! Movies!!)
    (Tip to block ads: Set a firewall rule to block any communication with the server ads.web.aol.com)

    What is sad is that Gaim doesn't seem to do much better than AIM. Though more efforts were made on the look, the GUI is still messy. (See the menus, the preference dialog, too many dialogs, etc.)

  63. GAIM? Better? by Evil+Adrian · · Score: 1

    Please, I know someone that uses GAIM and the fucking program can't even paste hyperlinks properly.

    Just because something is FREE doesn't mean it's GOOD.

    But please enlighten me, someone, anyone, why is GAIM so much better than the official AIM client?

    --
    evil adrian
  64. MOD PARENT UP! by sp0rk173 · · Score: 1

    Just do it. A rare, well-written and well-balanced post.

  65. Introducing AirPwn by Autonin · · Score: 1

    This already had its posting over the weekend, but... say you're chatting it up nicely at Starbucks or what-have-you on the wireless network. You're web-browsing while you're at it when - Wham! - someone injects a webpage into your browsing session with a redirect to an aim: URL with the buffer overflow. You've just been AirPwn'd

    Supposedly trusted but hacked sites could also be used to inject malicious content. Case In Point: The most recent Bagel virus making the rounds used a binary file called 2.jpg as its method of downloading itself to new victims. Even though it had the .jpg extension, it was an exe. Most of the hacked websites that it downloaded from were Polish or Russian, but one notable exception: http://financial.washingtonpost.com.

    I'd say it's always safer to remove the vulnerability than to live in denial about having vulnerable vectors open. Hackers, like Love, will always find a way.

    --
    -AutoNiN
  66. Re:Needs user assistance - NOT! by Autonin · · Score: 1

    This has been stated several times already, but because this posting is at '+4, Informative' I have to comment.

    With respect to the author, this should be "-4, Ignorant". The AIM: URL protocol handler is incorporated into the operating system (Yay for Browsers integrated into the OS!) and so *any* program that calls the AIM: URL will in turn be sent to AIM for handling and overflowing.

    To reiterate: You *don't* necessarily have to click anything at all. Hover over links ALL DAY LONG, but get one HTTP re-direct, one Javascript imbedded in a hacked website, and you're OWNED.

    --
    -AutoNiN
  67. Don't Forget NAIM! by chadpnet · · Score: 1

    http://site.n.ml.org/info/naim/ NAIM is everything I need in an aim client, and more. Encryption, console based, irc+lily+icq compatible, been around forever, etc, etc. And don't forget, combined with screen, it's extremely portable.

  68. Sorry to be so overblown.. just tired of the mess by woodsrunner · · Score: 1

    You're right, it does ask to install, but most people go with defaults.... there are some popups that seem to come in through AIM that require stuff like Dead AIM to stop them since they are activated by launching AIM.

    I generally don't use the products. Mostly just GAIM on Linux. Lately I've been stuck running XP and I haven't bothered to figure out how to remove Outlook or Messenger. Just pulled Messenger off the start button so it doesn't launch every time I use that menu.

    I am mostly just amazed at the amount of crud that goos up normal users' boxes. It's boggling to me and I know how to fix it and avoid it... for the average person it must be demoralizing.

    no wonder nobody's becoming computer scientists anymore... too many darn pop ups!

  69. Re:Aol shit sucks balls! by Motherfucking+Shit · · Score: 1
    Next time you look at the aol messenger, just check out all the stupid ads that that thing has! And those annoying sounds!
    I know you're trolling, but I'll bite anyway. I haven't seen an AIM ad in a long, long time. Of course, maybe that's because I'm running AIM version 4.8.2616 (Copyright 2001), which you can download at oldversion. It supports all of the AIM essentials, including messaging (obviously), chat, file transfer, stock ticker, IM Image, "AIM Phone" voice chat, and all the craptastic buddy icons your friends can find.

    I don't know what sort of bloated junk they're pumping out as the AIM client these days, but ignore it. You're smart enough not to fall for some sort of viral IM, so forget the "latest and greatest," even with a vulnfix. Get one of the legacy builds. 4.8 works fine, has no ads, and oh - it allows you to change or disable the sounds.

    Slickest, smallest, least intrusive messaging app I've ever found, and it has the most intuitive UI of any I've tried (including both Gaim and Trillian). That's why I use AIM and not ICQ, MSN, Yahoo, etc.
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  70. AFAIK it does. by Ayanami+Rei · · Score: 1

    That's what makes it so dangerous.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  71. Questions about upgrade paths by babbage · · Score: 1

    The original article has left me a little bit confused. It is implied that the bug is with the AIM client, and not the protocol, but is that actually the case? Do we know for sure that other clients -- such as Gaim or iChat -- are not affected by the problem here?

    And if the problem is just with AIM, and everyone that doesn't want to switch clients has to stay with AIM, are we really stuck with the standard AOL-IM suite that the company has been distributing lately? You know, the one that comes bundled with Weatherbug, which as far as I can tell will install itself with AIM whether or not you want it, and is damned near impossible to remove. Is that really what we're looking at here? Because that sucks big time.

    If this is really the case, then hell with it, I'm going to put Gaim on everyone's desktop at work if AIM exploits become a problem. I'll bet most people probably won't notice the difference, and some will even like that it can be used to talk to the company's internal Jabber server, or other chat protocols.

    But even without that, being able to avoid the mandatory spyware is fine by me...

    Hmmm.....