Slashdot Mirror
AOL's AIM Exploits Buffer Overflow On Purpose
Scott Hutton writes "CNN is carrying a story that states that AOL is exploiting a buffer overflow in their own client in order to detect and lock out Microsoft AIM clients. That's the first time I've seen someone use a buffer overflow to 'enhance' security."
AOL has a computer setup to detect non AIM users, and then it sends them a long IM (from user AOLINSTANTMESSENGER) twlling them why they arebeing disconnected, and then 10 seconds later you are logged off. Thats the latest trick anyway, before this, AOL just gave all MSN users an automatic "evil" level of 1782% which automattically logs them off.
Opinionated Law Student Strikes Again!
There is no buffer overflow in AIM that AOL exploits as client verification. If there was, the Free OSCAR clients would not work. This does not include gaim, which uses TOC; TOC is an "open" wrapper to OSCAR, not a native AIM client per se. The Free OSCAR clients include cLAIM, gtkFAIM, and naim. I know that at least naim works, and mfaim (in development) works. None of these have the buffer overflow, yet they continue to work. Therefore, it is very unlikely that AOL is screening people out through a buffer overflow.
;^)
For future reference, could we please make a distinction between OSCAR and TOC? They are two totally different protocols. TOC stores all your settings on an AOL server, and the client just interfaces with that "proxying server," for lack of a better term. OSCAR stores all your settings locally and interfaces with the Real AIM Servers. AOL loves it when we use TOC, because it keeps all the power in their hands. Which is why i spend my time working on an OSCAR client
For more info on naim, check out http://naim.n.ml.org, and http://www.auk.cx/faim/protocol/ has good (and very incomplete) info on the AIM protocol. And, as a side note, there are preliminary steps for gaim to use OSCAR as well, but that's still in progress.
This is the first time i've seen the Community listen to blatant M$ hype, and quite frankly, i'm disappointed.
/jbm
um.. no body here
There are 11 types of people in the world: those who understand unary, and those who don't.
"This isn't the typical buffer overflow exploit at all. It seems like AOL is using those extra 24 or so bits as a kind of checksum or key to their servers. ... This really doesn't fit the description of the typical buffer overflow exploit does it?"
The server is sending more data than the client can handle, so yes, this is a buffer overflow. AOL isn't exploiting this to hack into people's computers, but someone else could. If someone could modify the AOL's DNS information, they could redirect clients to their own server and execute whatever code they want (this can be done).
"Microsoft and the users of the Mircosoft software are tresspassing on AOL property (The AOL servers). AOL has told Microsoft to get lost. Therefore AOL has every right to ban the use of the Mircosoft software on *AOL*'s servers, just like the owners of the IRC servers can and have banned people from acessing their networks."
Microsoft is not connecting to AOL's servers, the MSN Messenger users are. They have already created an account with AOL, and have a right to use that account (the AOL terms of service do not say you can only use certain software to connect). The owners of IRC servers ban abusive people, not programs - they will not ban you because of the IRC client you use.
I've always found tart things bitter...
;-) (sarcasm, people! ;-)
Buuuut, perhaps this was being used as a drogatory (sp?) term for women. Ie: They put the lady together, then MS comes in and rebuilds the lady...
What if some kind of proxy is built (illegaly, but "without" MS's knowledge) to send that logo for the client? If that happened MS is indemnified of charges, and the "non-existant" proxy writer gets burned (but never found... for some strange reason).
I had to re-read the article several times to figure out what they were trying to report. Even now, I'm not sure I understand what the issue is.
As I interpret the article, the AOL *client* is sending 256 bytes (the expected amount) followed by 24 bytes. This is somehow supposed to overflow the buffer on the AOL *server*. The AOL server detects the extra bytes and knows that it is an AOL client.
Extra data not in the spec is NOT the same thing as a buffer overflow exploit. If the server wants to see those 24 bytes it is NOT a buffer overflow. It's simply an omission from the specification.
If this is how things work, the "buffer overflow bug" is on the server side, not the client side.
In this case, suggesting that the AOL client has a "buffer overflow bug" is misleading. Implying that the bug somehow compromises security for users of the AOL client is malicious deception. The client is *sending* extra data, not receiving it.
I don't want to suggest that anyone is trying to create hysteria by misusing the term "buffer overflow". We all know that the phrase "buffer overflow" is a sure way to get the attention of security folks.
As I read the article, though, it's just 24 extra bytes being sent to the server. If the server expects it and handles it, it's hardly a security issue. Are those 24 bytes actually writing into executable memory with a jump instruction? I find that hard to believe.
Or maybe I just missed something in the article....
Save the whales. Feed the hungry. Free the mallocs.
Not at all. The previous flap wasn't over whether AOL was secure or not, but rather over the fact that Micorsoft got caught astroturfing again.
And the hilarious thing, the poetic justice if you will, is that while Microsoft was clumsily trying to call the kettle black without anyone knowing who the pot was, the pot itself was found to be dirty with respect to messaging software security. (As if MS's security problems are actually news anymore.)
Sheesh, evil *and* a jerk. -- Jade
Finally! I've been reading all these posts just waiting for someone to point this out. What AOL has been doing has been kind of childish, but then again, it's the computer industry! It's been childing since infancy! But what MS has been doing is even worse. Basically they are stealing AOL's proprietary protocol. And this whole thing about buffer overflow being a security hole... MS should worry about it's own flaws before going off on someone elses... And besides, AIM has always been about 200 times more reliable and secure that ICQ for me... I've never lost a message for been spoofed on AIM like on ICQ... so what if I can't send e-mail w/ it? that's what all the other email clients I have are for!
Well, AOL would get that server shut down promptly. MS could keep putting up more servers "without their knowledge," but they'd have to keep releasing new versions of their client to connect to the new proxies (or their users would have to keep reconfiguring the clients to use different proxies). For the long term, it'd be unworkable.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
The AOL client simply sends a longer message that is recognized specially. A buffer overflow is not needed in order to do this, and that's probably not how it's done. I doubt that someone would purposely, not to mention needlessly, introduce a horrible defect into their software. So the whole bit about AOL compromising security is just Microsoft FUD against AOL. I don't think that the ``security'' company in question have any clue how big the actual receive buffer size is that is declared in the software but are just hypothesizing. AOL is using Microsoft tactics against Microsoft, and it's pissing Microsoft off. :)
Actually, for a while AOL was encouraging people to use its servers, in an attempt to gain market share. They published all the specs for the protocol and even released some source code. If you want people to stay off your server, publishing specs to your protocols and inviting people to use your server is not the way to go about doing it.
"Besider loser in case you've forgotten," while AOL is of course not using this overflow maliciously, the point is that it is one. The other point is that AOL seems to be trying to limit access to its servers to only the clients that it likes. They'll let the Linux client in, but not Yahoo and Microsoft. The point is that if you have a server which you make available to software other than your own, without requiring prior licenses, then you have to make it available to all clients. This is why Microsoft is not "tresspassing" on AOL's property - and believe me, if MS was doing anything illegal, lawsuits would be flying within seconds.
Ok, why do some people feel the need to type in all caps? Caps are more difficult to read, and they don't make you right or more important. They just make you look like a twit. Also, please re-read your posts for grammar(sp) and punctuation. They are both our friends and help others understand the ideas in your head.
-matt
Hm. How about, then, the 'blessed binary' method with public-key authentication? For all you non-[ex-]Netrek players, Netrek servers generally bar non-blessed clients with a crypto challenge, so that modified ('borg') clients get bounced.
I believe that it has been worked around with a proxy and some cleverness, but it complicates the matter and does *not* require that the client have a known buffer overflow problem.
Network clients do not have any business accepting more data than they can handle.
Only the dead have seen the end of war.
And AOL has the right to do anything they want with their servers... They own them! It's like the signs in restaurants: "We reserve the right to refuse service to anyone."
I agree...but I sure hope that you are against the prosecution of MS with this attitude -- otherwise you're a hypocrite.
The point is that if you have a server which you make available to software other than your own, without requiring prior licenses, then you have to make it available to all clients.
You're talking out of your ass. There is no such lawful requirement and nor should there be.
The way I read the article was that the *client* sends back more information than the server expects, to receive. So the "buffer overflow" is actually on the server, which I'm certain AOL has fixed (if it ever was a security issue to begin with). Also, IRC servers will ban based on clients too. Does anyone remember IPhone? The client would connect to an IRC server and from there connect to other clients. Now the people who made IPhone had their own servers, which were modified with a very poor method of locking out irc clients. It wasn't long before IPhone users started using standard IRC servers, and then not long before patches were available to IRC servers to block IPhone users.
The way I see this whole situation is that AOL owns the servers, they can dictate whatever rules they want for accessing the servers. If they want to say, "You MUST use our software if you are going to access our servers using the OSCAR protocol!" that's fine. I'd say the same thing if the situation were reversed.
-matt
The AOL IM service seems (to me) to be pretty well :-)
thought out, if you can live with the centrally-
administered servers thing. Just because most of
the freebie client libraries floating around out
there suck..
AOL released the specs to TOC, a text-based slimmed down version of their binary OSCAR protocol. Microsoft is using OSCAR, not TOC. This probally is illegal, if EULAs are enforcable, since I'm guessing the aim EULA comes with the standard no-reverse-engineering clause, and I strongly doubt Microsoft pulled the specs for the protocol out of it's proverbial ass.
-matt
William Gibson must be having a field day if he's reading anything about this. Corperate Computer Warefare at it's best. hehe Im sure it's only going to get worse before it gets better, but will we be seeing a new book from Gibson based on the scenario? Could be a good one.
IceBerg
"When all other possibilities have been eliminated, whatever is left, no matter how unlikely, must be the answer" -- Sherlock Holmes
It makes all the difference in the world. Regardless of whether you side with AOL or Microsoft or whoever on this one, you should be able to see the line here... AOL released specs to the open TOC protocol (albeit with a clause stating that it could change without warning at any time; kudos to them for not doing that to us!) in order to allow people to write unsupported clients. They did *not* release specs to the Oscar protocol.
I don't know exactly what their line of reasoning is to do this, but it seems to me that since they have an established method for unapproved clients to connect, their argument that the Oscar protocol was to remain closed is, if anything, stronger.
My $0.02...
When will /. start blocking all these idiots from aol who type in all caps and love microsoft?
There is an UnOfficial OSCAR implementation. It is used by a few clients. Again, naim is the most common OSCAR client that i know of, thought cLAIM (link not handy) has been around for awhile. naim uses libfaim, which is a tolerable implementation of the OSCAR protocol.
;^)
Also, gaim has been released as an oscar client. I need to read the freshmeat newsletters more often
oh the joys of being OT
/jbm
As much as as the libertarian in me is disgusted by the lengths that AOL has gone to keep AIM proprietary, my overwhelming reaction to this story is: Man, the guys who came up with this are gods! If this buffer overflow really works as described, and is intentional, this is the coolest hack I've seen in a long time.
MSK
You'll note that instead of, as another poster suggested, MSN would insert this bug into their software, they are now responding to the packet, without coding a overflow in their software.
They're responding to "the packet"? What packet are they getting? Or, do you mean that they're responding [differently] to the original packet send to the MS IM client from the server, so that the server will think their AOL IM? I didn't quite get that, because my initial thought was that you meant that MS was responding differently to the "buffer overflow" [packet], which I didn't understand because I was thinking: "MS isn't getting the packet! The server is!"
Stupid me..
Clarification would be helpful, though, because I'm curious as to what exactly MS is doing to make their IM client 'work.'
Insert mind here.
How are they stripping people of choice? It's their product, if they don't want MS hacking into their messaging system, let them build up their own defenses... stupid defenses but defenses nonetheless.
--
RumorsDaily
both posts have good sense, and i agree with the dude, but really it should be up to AOL since they made it up and its proprietory (am i wrong?)and ms im version is using the AOL servers for "its users"; lets make our own secure im and use it for linux and screw their standards, they would lose because their objective is to make money, and ours is to have a nice reliable im; they would have to accept our standards and we won't mind. alex
This doesn't contradict the previous discussion. An MS employee did start this rumor, but it turned out to be true.
Peer to peer creates a security problem in that it allows the sender to find the IP address of the receipient.
But look at friggin' ICQ: that's client-server, and you can just hit 'User Info' on somebody and it *gives* you their IP address. I can think of no reason for this other than to nuke, ping-flood, spoof, etc.
What an interesting mechanism to get the truth out, eh? I think politicians call these "deniable leaks".
The user has to have an AOL account and password (i.e. be an AOL user), and the MS software connects just like the AOL client software would to. AOL tried to identify their client by tripping the overflow, which the MS client wouldn't do, so those are the users who got cut off.
AOL wanted its service to become ubiquitous, so it published it's protocols and encouraged everyone to support their protocol and user base. When the Microsoft client appeared to be viable in the market, AOL suddenly got cold feet, pulled the standards and started actively targeting connections originating from MSN.
If you provide some kind of mostly free public service, then shut the fuck up if someone gets on it with other then your's client. Provide pay as you go service or get lost, this is the anwer to AOL. IRC bans abusive bots/people only
I *thought* that the original article didn't make much sense.
:)
Moderators, I know you can determine the quality of posts without my help. If I had the power, though, I'd be bumpin' this one up a few notches.
Save the whales. Feed the hungry. Free the mallocs.
...expecting accuracy and facts and stuff. Another poster put up an article with some analysis.
:)
Now I'm going to spend all night reading flames from people who were smart enough to skip the article.
Save the whales. Feed the hungry. Free the mallocs.
The specs I've seen for a few different IM's all seemed to be rather crappy and ill thought out. Does anyone know if any of the IM protocols or proposed protocols are actually flexible, secure, and peer-peer? IMO w/out those three simple things the protocol is doomed as time passes regardless of who has the most users now. IPX seems to have lost to TCP/IP even though it had the majority of the market up to a few years ago. Remember all the IPX enabled multiplayer games? I have not followed it closely but I liked the protocol being used by Jabber which is based on XML and seems to be fairly flexible. Flexibilty is the key in a protocol such as this I think, even if it is unsecure and client-server at conception if it is flexible enough it can easily adapt as time goes on w/out breaking backwards compatibility.
:P
Also I love the idea of having multiple IM's work under one client. AOL, ICQ, Yahoo, MSN, whatever all workable as plugin's to the client program so I only have to know one interface and can communicate to everyone under a single user list. Third, I'd love to be able to store my contact list, history, etc on a server of my choice rather than having to ftp the whole thing from machine to machine every time I need it. Just please spare me the quota idea. This is one reason I continue using ICQ the most, because Yahoo and some others limit the number of people in your contact list. How stupid is that, I am not allowed to know so many people. Well excuuuuuse meee! Arghh but please don't crypt local db files either such as ICQ does, this is causing me huge problems because I need to merge several lists under the same UIN but from different computers into a single list and it is fairly impossible. It's the OS's job to keep unauth'd people from reading my files, if Windows doesn't let Windows users upgrade to Linux as I'll do as soon as I can merge and export my ICQ db's.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
The specs I've seen for a few different IM's all seemed to be rather crappy and ill thought out. Does anyone know if any of the IM protocols or proposed protocols are actually flexible, secure, and peer-peer? IMO w/out those three simple things the protocol is doomed as time passes regardless of who has the most users now. IPX seems to have lost to TCP/IP even though it had the majority of the market up to a few years ago. Remember all the IPX enabled multiplayer games? I have not followed it closely but I liked the protocol being used by Jabber which is based on XML and seems to be fairly flexible. Flexibilty is the key in a protocol such as this I think, even if it is unsecure and client-server at conception if it is flexible enough it can easily adapt as time goes on w/out breaking backwards compatibility.
:P
Also I love the idea of having multiple IM's work under one client. AOL, ICQ, Yahoo, MSN, whatever all workable as plugin's to the client program so I only have to know one interface and can communicate to everyone under a single user list. Third, I'd love to be able to store my contact list, history, etc on a server of my choice rather than having to ftp the whole thing from machine to machine every time I need it. Just please spare me the quota idea. This is one reason I continue using ICQ the most, because Yahoo and some others limit the number of people in your contact list. How stupid is that, I am not allowed to know so many people. Well excuuuuuse meee! Arghh but please don't crypt local db files either such as ICQ does, this is causing me huge problems because I need to merge several lists under the same UIN but from different computers into a single list and it is fairly impossible. It's the OS's job to keep unauth'd people from reading my files, if Windows doesn't let Windows users upgrade to Linux as I'll do as soon as I can merge and export my ICQ db's.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
As often, what was neglected to be mentioned was that while, yes, the Microsoft implimentation of a compatable client uses OSCAR, the Prodigy and Yahoo! ones attempted to use TOC, and look where THEY are.
Methinks they did what had to be done to keep free to them what others have had free (gaim?).
Who cares if there are no ads in it now, I do aggree that the MS Messager is stealing from what AOL built up, they are using some of the ad revenue to pay for the service, while MS is screwing aol out of $$$
This was spread by the Microsoft employee who was posing as a consultant to discredit AOL. The trick of it is, after Microsoft denied having anything to do with the "consultant" emails, they said that the allegations were correct and that AOL was exploiting a buffer overflow to keep MS out of their AIM network. After some posturing about what a failure of security it was to exploit such a bug, they conceded it was possible that what they were looking at may not be a bug after all, but a feature of some sort. In other words, they're miffed and guessing at what's giving them trouble, and the pop media is picking up on it and taking Microsoft's word for it.
Naked.
I don't think you can sue someone for using your trademark if it is functional. For example, many BIOS's used to have an IBM Copyright string in a special place so that DOS would run properly. This isn't considered a copyright or trademark violation.
Copyrights and trademarks are generally for non-functional protection, while patents are for functional protection.
(I am not a lawyer -- thank god)
>>
I'm surprised AOL hasn't implemented a fairly easy method of stopping non-authorized clients. They could merely take a small (15x15 pixels or something) BMP of a trademarked logo (such as the AOL logo), and use it as a "key" to access the servers. Official AIM clients would transmit this logo to the servers for authentication, but Microsoft could not implement that in its client without being sued for trademark infringement.
ONE THING I CAN THINK OF IS IF SOMEONE ON BLIZZARD .COM SENT OUT A MASS EMAIL (MORE THAN 300 OR SO RECIPIENTS) AND AN AOL MEMBER REPORTED IT THEN THEY WILL BLOCK THAT DNS ACCESS UNTIL THEY (BLIZZARD MEET AOL`S NO-SPAM POLICY MAYBE THEY GOT HACKED BY A SPAMMER?
We don't know that it's a bug yet. We don't know how much MS paid this company to say it's a bug. Mindcraft anyone? As others have mentioned here, all we know is that AOL is sending a longer string then was technically published. Is this a problem? We don't know, it most likely isn't.
No. That would mean I would be receiving for free, what everyone else has to pay for. As soon as AIM, and GAIM, and TiK (if it still works) cost me a monthly fee, then a company who was allowing me access to that for free (while everyone else paid) would be in the wrong.AIM is not free. It does cost money to run the service you know. However, instead of charging you, they use advertising to offset the expenses. When the MSN client provides access to the service, AOL loses it's ability to pay for the service.
I didn't say Microsoft. This *isn't* about Microsoft (and I'm curious why everyone thinks it is.. who of you bashed Gaim?), its about a company trying to do for free, what others can do for free (unless the people who developed Gaim are partnered with AOL..?)Any company has the right to work with anyone they want. If AOL wants to give certain groups the ability to use their service and not give other companies the same ability, that is their choice and right. Local companies in this area do it all the time. For instance, a bakery might provide free products to the local soup kitchen, but not the local resteraunt. It is about Microsoft trying to steal something from AOL, that AOL doesn't choose to give.
More about MS and AOL
-BrentI'm a little confused. The article that suggests my posting get bumped, itself gets bump to 2, but mine (which I think is very helpful bit of signal in the noise) remains at 1. Not that I really want to get bumped; I'm just a little curious as to how /. works.
The owners of IRC servers ban abusive people, not programs - they will not ban you because of the IRC client you use.
That's not actually completely true; does anyone remember when Microsoft Comic Chat came out? It dumped all kinds of crap data in band (for the character emotions and so forth), such that it was extremely obnoxious to be in a channel with people using it. Having to put up with "(#WEIFEOU#@5*UR)" or some crap at the beginning of every send phrase got very annoying, very fast. You got 5 or so people in a channel using the client, and it basically killed the conversation for everyone else.
Even worse, in the first few versions, the CTCP implementation was severely broken -- it sent PRIVMSGs instead of NOTICEs for replies, which could have resulted in infinite loops between the two clients trying to respond to each other. (although it generally didn't, as that version of Comic Chat provided no way for a user to send CTCP messages ... thankfully)
However, a lot of people still thought MS CC was really cute. Once they were using the client, they didn't really give a damn if they were dumping crap in channels -- they couldn't see it themselves, so why should they care? It finally got so bad that channel operators began to ban CC users on sight. Things continued to spiral downwards, though, and some IRC networks were compelled to politely (or often not so politely) ask people to stop using the Comic Chat client, "or else".
Today, although the functionality has, I believe, now been folded into the current Microsoft chat product, you won't see it used on normal IRC networks, nor is it a default. We won, but barely. It took a concerted effort on the part of the channel and server adminsitrators to preserve the networks for the rest of us.
I'm not really sure how or if this relates to the AOL/MS IM war, but I just felt like this little bit of history might be relevent somehow.
---
DNA just wants to be free...
Why not? They would still need to have an AOL account to access these features, so AOL would still be getting their $$. If you could access these features with the free account then I would agree with you.
"MS shouldn't be able to get access AOLs client base for free. MS just doesn't want to have to build a user base for its product and fight AOL on fair terms. When you're the new person to a market you have to start from ground zero."
But the Linux community should (gaim, tck etc) - hypocrite.
"Why should AOL support the MS client with its IM infrustructure? All those extra users will be a strain on AOLs infrustructure and AOL won't get any benefit from it."
Sorry, these are NOT extra MS customers, they are people with valid AOL/IM accounts, wether they use the AIM or MSN client makes no difference on the infrastructure.
Get a life.
Have you ever tried to wonder around microsoft.com with a non-MS browser?
Even better than this is trying to access any MS page with the Internet Explorer bundled with NT 4.0 (IE version 2.0 build 1381)? It can't load the page at all, instead giving bogus error messages like:
Directory Listing Denied
This Virtual Directory does not allow contents to be listed.
Netscape, OTOH displays the pages quite reasonably.
--
"L'IT c'est moi!"
If UCITA becomes tha law of the land (And I hope that it does NOT) all AOL has to do is tinker with the protocol a little again to break MS' client and if MS compensates they've broken the reverse engineering provision of UCITA.
Though I despise both parties in this dispute I have to side with AOL. AOL's servers handle all of the IM traffic and it's not right for M$ to be able to use AOL's servers for free and make money by selling advertising on their client. This is like me getting a copy of Win9X and duplicating the CD and distributing my copies with a copy of a CD-Key generator.
AOL has every right to break M$' client. It's their protocol, they're their servers. M$ is once again acting like a bull in a china store. AOL is the only company with the muscle to fight them off. Imagine AOL office, platform independant office suite that you get as a part of your internet connection fee.
In today's world David can not fight Goliath. You need another philistine to do the deed.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
I guess in a while the Microsoft client will accidentaly have the same buffer overflow :) 1st post?
That's the first time I've seen someone use a buffer overflow to 'enhance' security.
That's the first time I've ever seen a company act so retarted and strip users of thier choice..Heh, further proof that AOL isn't someone I want to side with.
I read this somewhere last week. Can't remember where. Why so slow? :-)
Paul
I'm feeling lost; I must just be overlooking
something. Where is this overflow? I don't
quite follow how the AOL hosts use it to
identify the clients.
I was going to point this out myself... I really hope the original post is moderated up, since it could easily get drowned out by "evil AOL"-type posts...
Yes, it is a buffer-overflow exploit. The article had a factual error in it. The server sends more data than the client expects; a field 0x0100 bytes long is sent 0x0118 bytes of data. To read the original technical analysis, go to http://www.robertgraham.com/pubs/aol-e xploit.
An earlier story on Slashdot, MS Dirty Pool Against AOL, referenced a sv.com article which claimed that this buffer exploit was a rumor floated by an MS employee. It would appear that either the CNN or sv.com article or the is factually incorrect and that some people have some apologizing to do.
--
"L'IT c'est moi!"
I am consistently surprised that gaim still works with all these client-blocking things that AOL keeps putting on their servers.
From the article, and another related, it seems that this is not really a buffer overflow exploit, but instead just a bug in the client software that sends more information than is requested by the server.
An exploit would be a discovered bug in the server code that allowed an engineered packet masquerading as the client to obtain privleges or information from the server, or possibly crash or disable it. This, instead was handled by the server in a graceful manner, but now is actively being checked for in order to allow AOL to shut out MS.
As they talk of an 'intercepting user' or some such, that is something that any IM could be vulerable to, bug or not..
This goes along with a pet peeve of mine at work. I must hear 'buffer overflow' twice a day. In fact, in addition to the Y2K verification forms I have to sign for in-house software put in production, on some servers I have to sign 'no buffer overflow vulnerabilities' certs as well..
Many VP's and high level managers think that this is the only type of security hole that can exist. They also seem to think that it always exists. Ahh, well.. they also say the network was 'hacked' when a virus shows up from some user with a screen saver from home.
IT also won't work if you want to send a message to a guy who is offline now (will go through server)
I guess the email from the Microsoft employee did its job.
Ask CNN what two plus two is, and the answer would seem to be five.
Actually, ICQ is _not_ client-server... by default it tries to do peer to peer... if that doesn't work then it will fall back onto client-server.
Since it's usually peer-to-peer, it makes sense that the software would have to know what the IP address is... They have an option to "hide IP" from other people, but only the official client actually does, and even that is easily broken.
You don't really think all those files you transmit through ICQ actually go through the ICQ servers do you? Where would they get THAT much bandwith?
Heh, I'm surprised MSNBC didn't report it first. Or maybe MSNBC wanted CNN to report it first.
... I wonder how many former AOL employees now work for Microsoft? Betcha it's at least one more than zero...
To continue with the conspiricy theories
I haven't seen MS's instant messenger, but I think AOL is justified in putting some protections in. Here's why: AOL has been distributing this client and access to its servers for free, recouping its investment largely through advertising dollars. If MS can come along, use AOL's servers for instant messaging traffic, but redirect the advert GIFs to retrieve from MSN's site. AOL is basically doing all the gruntwork and support, while Microsoft leeches off AOL and makes the big profit. More classic Microsoft, just it's being wrapped in Open Source clothing and pulling along the bulk of the slashdot crowd. Tom
The protocol used is called "OSCAR", do a we serach on it, there are (albeit incomplete) specs available. I did a bit of research on the protocol a while ago for work, and using altavista I found a few pages that explain how the protocol works in great detail. And as others have already said, it's client/server. -dilinger
Not meaning to piss anyone off.. but this probably isn't the best thread (Blizzard being blocked) to be calling for censorship, reguardless if they "love Microsoft" or not. The caps, yes, the opinion, no.
"We reserve the right to refuse service to anyone."
I agree...but I sure hope that you are against the prosecution of MS with this attitude -- otherwise you're a hypocrite.
Have you ever tried to wonder around microsoft.com with a non-MS browser? It's not very pleasant. But while we may bitch about it, and not think it a very bright move, no one has tried to force them to allow Netscape users access.
Is there a limit on what format the image has to be in? Does it have to be well distributed or documented? Or is there an additional filed trademark on the sequence of bits in the image? If not, anyone could make up a format on the fly that reads some specific data and turns it into a trademarked logo. It seems if there are no limitations, this would be a field day for nuisance lawsuits.
Secondly, it seems if someone were to find out the string of bits with no knowledge that they were a bitmapped image, and prove it (IE: hack at the Gameboy code and figure out what string of bits makes it run games), Nintendo would have a hard time filing a suit that wouldn't get thrown out.
It also seems interesting in that it implies a trademark on a particular chunk of data. Heck, randomly searching the net, after a while, would probably turn up something--a binary, a JPEG, whatever--that contains a 15x15 bitmapped representation of AOL's logo. Does this mean that, if some AOL wonk was feeling nasty, they could file an infringement suit on some poor shmuck or demand he take down some image because of this? Or, God forbid, another annoyance tactic in the Scientologist's lawyer attacks?
I am in no way familiar with trademark laws, so I am genuinely curious about this...
To me we should create a instant messaging protocol that would be secure (If I didn't gave permission to someone then someone can't have acess to my status), distribuited (why have only one server?), open source, multi-plataform (this shold be usable for mac, windows and all other OSes users too).
I think that it's rather easy to create it using existent protocols, HTTP for files and messages and irc for chat.
Is there something like this being developed?
--
"take the red pill and you stay in wonderland and I'll show you how deep the rabitt hole goes"
[]'s Victor Bogado da Silva Lins
^[:wq
- FREE
product to everyone to use for- FREE
. now that ive mentioned that its- FREE
, i can ramble on about how it is childish to want free email as well.i can not see for any reason why people want aol to give out all of its services for free, and why ms is having a hissy fit about tiny little glitches, while ms has many of its own glitches.
in adendum, i say aim is a good
- FREE
source of chatting.finale
fini
peace out.
HaVoK "um ya im a loser" Tha MaVeRiK
_slightly_ offtopic (dammit dont moderate me down), but is aim protocol client server or peer to peer? also msn protocol ... i dont know what ietf is doing but doesnt peer to peer make infinitely more sense in the case of messsaging?
-- your knees hurt, don't they?
Intrusion discussed in press on tuesday, supposedly confirmed on monday.
/.
Posted to web site on Sunday, after posting to
AOL provides the free service not as a nicety, but as a way to produce cash. AOL gets profits from AIM in the form of advertising. MS's users use the servers w/o any compensation to AOL at all.
Remember, companies rarely to anything to be nice, but rather to make money.
And AOL has the right to do anything they want with their servers... They own them! It's like the signs in restaurants: "We reserve the right to refuse service to anyone."
FWIW, AOL opened the TOC protocol (which every free client uses) not OSCAR (which has a few more features and which MS is using).
--
"L'IT c'est moi!"
In his message, he asserted that America Online is using a programming error that has created a security flaw -- one not found in Microsoft's clone program -- to detect the Microsoft Messenger program.
Why bother with all this mess? MS will find away to make its client always work, and we'll sit back and watch as AOL plays chicken and turns off all of our clients except the windows version. I will also make a bet that MS's IM client will be bundled with the next version of windows. Just like they did with IE.
This story makes no sense.
AOL controls the server and its code.
AOL changed the code in its server to accomodate a larger client response.
What am I missing?
I'm surprised AOL hasn't implemented a fairly easy method of stopping non-authorized clients. They could merely take a small (15x15 pixels or something) BMP of a trademarked logo (such as the AOL logo), and use it as a "key" to access the servers. Official AIM clients would transmit this logo to the servers for authentication, but Microsoft could not implement that in its client without being sued for trademark infringement. AOL could then authorize gaim and the other non-Windows AIM clients to use the logo free of charge, so they wouldn't be inconvenienced, and AOL would retain its control of the Windows clients, keeping Microsoft out.
This method works, and has legally been tested, as this is the method Gameboy uses to keep non-licensed developers from writing Gameboy games. If a game doesn't have the gameboy trademarked logo at the beginning of its ROM, the Gameboy refuses to play it.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Sorry, someone had to say it.
might as well have been me.
Peer to peer creates a security problem in that it allows the sender to find the IP address of the receipient.
This is not good, so the messages are relayed through the server.