Microsoft Surrenders IM War, Claims Security Risk
calibanDNS writes "The BBC is running an article about Microsoft surrendering in its instant messaging war with AOL. According to the article, the latest version of AOL's instant messaging software 'blocks interoperability by exposing a very serious security bug in its software.'"
MS would prefer it not be called a surrender, of course; see also the Nando Times article which hints at running arbitrary code on the client. Is this FUD, or will we carry a story next week about a new AOL IM exploit?
Well, across the years, Microsoft has proven over and over they don't really care for their users so long as said users are *forced* to buy what Microsoft offers...
So the one time that they talk relatively sanely, do you expect me to just go "oh, okay"... No. Once there's a standard in place, that's when Microsoft will subvert it.
Since most uSoft software has serious security flaws that are caused by applying power to the system, maybe there's a single point at which these problems could be fixed....
It's what's being discussed in the IETF. If every messaging service conformed to a single protocol, you'd be able to have a single third party client that could connect to any service. Kind of like IRC, except you'd want a client that could connect to ALL the different services at once. It really wouldn't be that hard to do.
This is exactly what the jabber project is attempting to do. It's building an extendable protocol, with the ability to 'gateway' between other networks, so as to not only bring about a new way of communicating between users, but provide a singular interface to all of the systems at the same time.
-- I'm the root of all that's evil, but you can call me cookie..
Microsoft software broken by someone else, how can it be? I thought it was supposed to be one network, one computer, one program. Boo Hoo Hoo!
Friends don't help friends install M$ junk.
Nice reminder. *thinks back to the previous Slashdot discussion on this*
It makes one wonder why they did *this* hacky thing, instead of a Netrek-style method. For those that never played (bronco) Netrek, the "official" clients were compiled with blessed RSA keys. The servers sent (sometimes periodic) challenges to the clients; the clients had to respond in such a way that the server could tell whether it was a valid client, and which it was. If a key was cracked, it could be invalidated at the server side.
It's not fool-proof, but it doesn't open the user up to remote exploits...
Only the dead have seen the end of war.
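The Netrek-style scheme described in the comment above, as an added sketch (not part of the original thread and not Netrek's actual code): each blessed client build holds a private key, the server keeps only public keys, sends a fresh single-use challenge, and can revoke one build without touching the others. The class names, client ids and the toy textbook-RSA parameters (small Mersenne primes, no padding) are assumptions chosen so the block runs with the standard library only.

```python
import hashlib
import secrets

E = 65537  # public exponent


def make_keypair(p, q):
    """Toy textbook-RSA keypair from two primes (illustration only:
    a real deployment needs a vetted library, large keys and padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def digest_int(client_id, challenge, n):
    """Hash the client id together with the server nonce, reduced mod n."""
    h = hashlib.sha256(client_id.encode() + b"\x00" + challenge).digest()
    return int.from_bytes(h, "big") % n


class Client:
    """A 'blessed' client build carrying its own private key."""

    def __init__(self, client_id, private_key):
        self.client_id = client_id
        self.private_key = private_key

    def respond(self, challenge):
        n, d = self.private_key
        sig = pow(digest_int(self.client_id, challenge, n), d, n)
        return self.client_id, sig


class Server:
    """Holds only public keys; a cracked key is revoked server-side."""

    def __init__(self):
        self.blessed = {}   # client_id -> (n, e)
        self.pending = {}   # session -> outstanding challenge

    def bless(self, client_id, public_key):
        self.blessed[client_id] = public_key

    def revoke(self, client_id):
        self.blessed.pop(client_id, None)

    def issue_challenge(self, session):
        nonce = secrets.token_bytes(16)  # fresh per challenge
        self.pending[session] = nonce
        return nonce

    def verify(self, session, client_id, signature):
        # pop() makes each challenge single-use, so a captured
        # response cannot be replayed against the same session.
        challenge = self.pending.pop(session, None)
        public = self.blessed.get(client_id)
        if challenge is None or public is None:
            return False
        n, e = public
        return pow(signature, e, n) == digest_int(client_id, challenge, n)


def demo():
    """Run the exchange on constructed keys and return each outcome."""
    pub_a, priv_a = make_keypair(2**127 - 1, 2**89 - 1)   # constructed
    pub_b, priv_b = make_keypair(2**107 - 1, 2**61 - 1)   # constructed
    server = Server()
    server.bless("client-A", pub_a)
    server.bless("client-B", pub_b)
    a = Client("client-A", priv_a)
    b = Client("client-B", priv_b)
    results = {}

    cid, sig = a.respond(server.issue_challenge("s1"))
    results["valid"] = server.verify("s1", cid, sig)
    results["replay"] = server.verify("s1", cid, sig)  # challenge consumed

    cid, sig = a.respond(server.issue_challenge("s2"))
    results["tampered"] = server.verify("s2", cid, sig ^ 1)

    server.revoke("client-A")  # key for build A considered cracked
    cid, sig = a.respond(server.issue_challenge("s3"))
    results["revoked"] = server.verify("s3", cid, sig)
    cid, sig = b.respond(server.issue_challenge("s4"))
    results["other_client"] = server.verify("s4", cid, sig)
    return results


if __name__ == "__main__":
    print(demo())
```

Nothing the server sends is ever executed by the client; the client only signs a nonce, which is the property the comment contrasts with the AIM check.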
Feel free to jump on at Jabber.org. We're not only developing a new, OSS, IM system, but one that INCLUDES the capability for anyone to run a server, and talk to anyone else running them, AND the ability for these servers to talk to AIM, MSIM, ICQ, Yahoo, etc.. for you..
-- I'm the root of all that's evil, but you can call me cookie..
As you say, there is a world of difference between being crappy in recognising existing errors, and actually deliberately introducing new errors...
Not true. http://www.jabber.org
The exploits for AIM and other messaging protocols have been around since before August (but nobody reads those anyhow). The security hole posed by ICQ's protocols has been available since 1997! We can see some here: http://www.insecure.org/sploits/icq.sp00fer.html and here too: http://www.insecure.org/sploits/icq.spoof.overflow.seq.html there is code given that can be used to flood and take over the connection. Also some interesting things about the proprietary ICQ protocol implementation. As for AIM we happen to see that it gives a static open port that can be flooded. You will find that most corps. will not allow employees with net access to use AIM or AIM-Like products because of the security risks. Was M$ right about dropping the whole insane messenger thing? Maybe they couldn't win--but Front Page extensions and IIS are not exactly the models of security either.
That's what Jabber is doing. They've designed a system that uses its own protocol for clients, but the servers can contain transports to AIM, ICQ, MSIM, IRC, etc..etc.. They're providing a means to a new protocol, with support for older protocols on the server end for users to continue to talk to other systems..
-- I'm the root of all that's evil, but you can call me cookie..
I disagree. This would have been a test of people's support of Open Standards if MS had come up with their own protocol and then given them to an open standards committee to work with. Or even if they had taken that protocol and published the *entire* specs of it (with no hidden little tricks that would make MS software work faster).
This wasn't that. This was MS basically writing software that cracked into AOL's proprietary database system and then used their network to provide a MS service. This was no more a test of open standards than if I went to a local ISP with a PPP client and *demanded* that they give me access through their network.
--John
Astounding to see this here.
How many different operating systems do we need anyways? Surely Windows is good enough for everyone. Hmm, perhaps not?
Oh, and for the record, allowing them to communicate with each other is exactly what the fight is about. That's what MS did and AOL does want to permit. This is one time where MS was actually on the side of open standards.
Here's where we see where people really stand, in favor of open standards or just in favor of bashing MS.
-Blake (rolling his eyes)
I think this is an issue of two companies arguing over who 'owns' their users. What they don't realize is, no one owns the users.
This is one of the things that started development of the Jabber project. We're designing a non centralized system, where users belong to themselves. Servers are not set in stone, but instead behave similarly to email servers. Anyone can bring their IM to any server. Any ISP can setup their own IM server, and provide their users with what they want, without 'ownership' of the user. The user can just as easily setup his/her account on a different server.
But we've taken it a step further. Any of these servers can then talk to AIM, MSIM, etc on the server level. We let you choose.
No one owns us, and we shouldn't tolerate NOT having a choice of what we want to do with IM'ing, no more so than we are limited to what we do with email.
The corporate 'wars' over user ownership are silly, and bad business for them. Hopefully, for their sake, they'll wake up and smell the coffee before IM is a commodity, and their users flood to other providers.
-- I'm the root of all that's evil, but you can call me cookie..
>>AOL is dumb, i think microsoft had the right idea, fuck having 10 different IM clients
This line shows your complete lack of understanding of this issue. Microsoft is the one who came in with their different client in a market which still has no need for it. ICQ is the IM standard. I am aware of no problems with it requiring "innovation" from monoposoft. They totally missed the parade on yet another emerging market and then bribed and extorted their way into it.
Personally I would not deign to converse with anyone so misinformed about so many things that they would use a redundant piece of crap like monoposoft's IM.
---CONFLICT!!---
Has anyone noticed AOL also mooking around with their other darling, ICQ?
If you read the source from licq (and other ICQ-compatible *nix clients), you'll find that ICQ 99a and 99b don't really adhere to their protocol v5. ICQ 99b, for example, seems to want its bytes swapped around (endianness bug, or purposeful?).
What would be really good are:
1) Standard communication (clients can talk to clients), with standard back-end communication (I can make up my own ICQ server, and this can go and connect with the ICQ network).
^ This is a general thing to benefit everyone
2) A migration program for the different client databases. I'd love it if there was something like alien (package format converter) that I could use to let licq and ICQ 98 (99 is a bloated P-O-S) share the same history database.
^ This is more specific, and would mainly be a benefit for people migrating from Windows to Linux (a good browser, like Opera, would also be a must).
The standards aren't going to come about unless we can come up with a good protocol, have GPLed source (no AOL "bait and switch" tactics are possible then), and get a fair number of people using it. A good internal client with plugins for different OS specific display (like licq) would be great for this. Why would I want to use ICQ98 if I can use Licq-Win32, contact friends on the new Open network, as well as keep in touch with the older ICQ people? Not to mention the fact that this would remove the main barrier (data in one OS, but not the other) that people have to switching from one to another.
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
How about a man-in-the middle arrangement? Have the client get the buffer overflow and send it to one (or several) actual PCs, running the true AIM client, get the reply, and send it back from the client? Would this work?
First the Netscape, then AIM, it's just a matter of time before AOL turns into another M$, just as what happened to IBM.
After 2001, we will see Netscape Communicator 5 in AOL 6.0 distro. But...
The distributed NC5 contains an security hole, and Konqueror programmer proposed a fix. AOL refused, because it will allow third parties to cut into the AOL profit.
At 2003, Konqueror won, and Mozilla finally extinct.
If ICQ is "the standard" then why is there only 1 client, theirs? If it was a standard then we would see lots of clients like you see for IRC. Personally I say screw the IM clients. Just use IRC. You can send private messages using /msg and you can use notify to let you know when someone you know is on IRC. Depending on the client you're using you can have it play a wav whenever someone on your notify list comes on, just like some of the IM clients =)
is linux/AIM vulnerable?
--- Grow a pair, liberals... stop letting the Republicans bully you!
Let's see asshole, microsoft with one client that tried to support both microsoft chat and aol's chat, and then we have aol who has aol im, and icq, neither of which support anything but their own. Why don't you get off your fucking microsoft sucks high horse and see what's up.
Get your head out of your ass before you tell me to get my head out of my ass. If email systems worked the way aol did, I couldn't send email to anyone because aol would cock block my email because I'm not from their server!
So before you go and try to show me some dumbass link read the fucking comments first! Maybe if you show that article to your highschool computer teacher, he'll give you a "good job" and a "you're so smart" and then suck you off.
Oh so if I want to send mail to one of my friends on one of those servers I can't... oh wait, you're just stupid.
No, he's not stupid. He was saying that your ISP (hopefully) has their mail server configured so that someone who is not a subscriber can not send mail out through their SMTP server. If they didn't, they would be an open relay. Many admins block incoming mail from known open relays (I do for instance) because much of the spam coming into their network comes from open relays.
For example, if your ISP did not block non-subscribers from sending messages out through their SMTP server, you could not send email to me.
Generally speaking, the Internet is built on distributed protocols. The one protocol where everything eventually funnels down to one place, the DNS root servers, is an endless cause of headache because of the actions of the people who administer it.
A distributed IM protocol, with individual ISPs running messaging servers for their customers, or even the irc protocol is a much better thing for the network as a whole.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
I remember when IM was talk, write, and irc. the newer protocols are not an improvement.
Microsoft encircles AOL, crushing them entirely in the media and possibly even in the courts, depending on the trap they've set.
I bet you are right. I'm just curious to hear people's theories about what kind of trap Microsoft has set. Microsoft is a very deliberate company. Their retreat is probably a pseudo-defeat to look weak for the DOJ trial. Plus, Microsoft recognizes the Internet train is leaving without BillG. They want to own the Internet, or at least its users, at any cost. Linux and Apache are far more popular on the Internet than Windows NT and IIS. I've read some recent articles pointing out how Microsoft is retargeting at corporate intranets with Windows 2000 and the ActiveDirectory, trying to win the Internet war from the "inside out". Maybe Microsoft is working on an IM strategy or product that involves intranet or business features. B2B is a bigger, richer market than B2C (or C2C?).
cpeterso
Does this mean microsoft will stop producing other security-risk software, such as IE, Office, and Windows?
-----------------
Your attention please everyone, if I could just say a few words... I would be a better public speaker.
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
Well, lets see. For starters, with ICQ more than one person can have the same nickname. You don't have to rely on the server nearly as much as you do IRC (assuming we're not using DCC connections). You can send offline messages, you can hide from certain users, you can set more than one availability status... granted, you can't do all that in AIM, but that's why AIM sucks.
I agree with Microsoft's line that there should be a messaging standard, but at the same time have some sympathy with AOL's server position. (How's that for sitting on the fence.)
Instant messaging [as it stands] is unlike many other server propositions, because whereas it makes sense for ISPs to prevent you using their mail server, proxy server, news server etc if you are not a subscriber to that ISP, with messaging it is almost certain that one or more party is not a subscriber. This is not a problem if the ISP can get some other benefit out of use of their server e.g. use of their client and the possibility of being exposed to their adverts.
Any common messaging protocol will have to address these issues. It should be possible to write a protocol that is hosted by ISPs in a similar manner to mail i.e. so both ISPs involved have to supply a messaging server.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
It's kinda funny to see MS say the same things we've been preaching at them for years. It makes me wonder what their real intentions are. However, as much as I like seeing MS's unscrupulous tactics backfire on them, I still think AOL is wrong on this one, and I have since the beginning of this whole mess. Most people (at least on this forum) are vehemently anti-Microsoft, and I am, too, to an extent. However, I think AOL has contributed more negativity to the computing industry. They've censored the internet, exposed security holes to client information, and devoured and squandered Netscape, which offered the only real competition to IE5. It kinda makes you wonder if the Netscape buyout was a deal with MS. Would you rather have Windows as your only option for an OS, or AOL as your only option of an ISP? I wish they would both drop off the face of the earth.
+++
NO CARRIER
Answer:
The Jabber project.
http://www.jabber.org
It is not over until the Judge says it is over. Given that: Microsoft is an illegal monopoly (and Bill Gates is a Monopolist) responsible for crimes against consumers and competitors they deserve to pay for their crime. The judge found them to be an "illegal monopoly" and for that they should (and shall) be punished. Swiftly and surely. How can I say this? Two quotes come to mind:
"Gates said, Intel could not count on Microsoft to support Intel's next generation of microprocessors as long as Intel was developing platform-level software that competed with windows."
AND
"Microsoft expends a significant portion of its monopoly power, which could otherwise be spent maximizing price, on imposing burdensome restrictions on its customers -- and in inducing them to behave in ways -- that augment and prolong that monopoly power."
- Thomas Penfield Jackson, US District Judge
Read the FoF!
Adults are obsolete children. - Dr. Seuss
Actually, I like the ICQ client. With Jabber, I'd still have to switch. On the other hand, it seems that the open source nature of Jabber means that there will be many clients, at least as far as user interface goes, all communicating w/ the server via the same protocols. Maybe I'll just write my own client...
You're missing the point, i CAN send mail to that server,
You are sending it to the POP server, not the SMTP server. You are not using his outgoing-only server to send him mail.
Basically AOL is doing something it shouldn't and Microsoft realized the obvious fact that now AOL can create almost infinite minor changes to their protocol without changing their client. Microsoft could easily keep patching for every new change, but a generic solution for handling the overflow code that doesn't create a security risk would be very difficult (probably impossible).
The trick is, they would still be part of the 'network'. And if AIM at least provided for a way for other messaging systems to 'interface' with theirs, the network size triples, because the 'network' now includes SEVERAL IM technologies, and not just one..
-- I'm the root of all that's evil, but you can call me cookie..
AFAIK, there are two versions of the protocol to attach to the AOL servers. The official Mac/Win clients use the binary one, while the non-official ones use the OSCAR protocol. Also, AFAIK, MS reverse engineered the binary protocol instead of using the available OSCAR one.
AOL assuredly modified their binary protocol, and clients using that protocol (the official Win/Mac ones) are the only ones vulnerable.
I think this is all correct. But don't trust me - research it on your own.
Not entirely. It's also true to say that M$ was just looking for a free ride on AOL's database server. Keeping track of who & where has a price tag. An open IM standard would be nice, but who foots the bill?
Okay, well some of the ideas were right. Check out post #15 and its follow-ups for more details.
Who cares where it comes from? As long as Microsoft is supporting it now, it helps *us*. If they change halfway through they look bad, we look good, and by then hopefully even more people will understand what's good about it. The more noise microsoft makes about it the better. I don't see how this can hurt us. Who cares if Microsoft is being hypocritical?
Not depend on a persistent net connection for messaging.
;-P)
Not depend on a singular server connection between servers. (This is called 'netsplit')
Scale well.
Not require ALL SERVERS know about the existence of ALL USERS.
There are many, MANY more..
-- I'm the root of all that's evil, but you can call me cookie..
ahahhahahahaah
wait. let me think about this one again.
ahhahahahahahahaha
Yet another day of submoronic response to a submoronic issue. IM is about as relevant to things as slashdot Supposes they are as a fourth tire on a BigWheel(tm). IdiotMessenger programs were bad to begin with and are still bad today. ICQ is the largest pile of time wasting/code addled dreck to hit computers since GUI themes and Window Managers for Linux. Those who are concerned about them show themselves to be right marching shoulder to shoulder with the army of morons that are flooding the ranks of Computer User. Congrats Slashdoters, with every day and in every way you are making yourself less individual and more like the mainstream morons. Keep up the good work
4? Insightful?
First: "Microsoft could keep their hands out of this."
Then: "Ok, if multiple vendors wish to put out various chat software, at least allow them to communicate with each other."
Microsoft's actions will hopefully force AOL to submit to an open standard. They have actually HELPED by having their hands in this. get it?
4? Insightful?
>AOL blocked cqexpress.com's server access to ICQ, so they don't appear to be any more friendly towards server access than they are to client access (MSN).
Did the morons at cqexpress even bother with the simple courtesy of *ASKING* AOL for permission to access *THEIR* hardware, or were they just planning to have you bitch about it when AOL found out about it and told them to get lost?
i remember when microsoft was really about closed computing
-- your knees hurt, don't they?
>You fix bugs, not exploit them.
This is not a bug. It's basically an on-the-fly key generator which unlocks the AOL server and lets the people AOL wanted in and showed microsoft users the door. Not a bad solution.
There is the Mirabilis client, lICQ, gnomeICU, gICQ, zICQ (and several other ncurses ones). What was your point again?
IM servers should be no different. However, getting to that point could be difficult.
It's true that good ISPs only allow their customers to use their SMTP/POP servers. (Ignore free e-mail services for now.) However, that doesn't stop anyone from sending an e-mail to someone at another ISP - Bob's ISP's SMTP server accepts his message and sends it to Jane's ISP's POP server, from which she picks it up. It also doesn't matter if one is using MS Outlook and the other is using elm.
With IM clients in their current state, it's different. To communicate, users have to be both on the same server and using the same client. Which is, of course, a problem. ICQ, by far the most popular IM client, is in its official incarnation an ugly-slow-huge-cumbersome-bloated program (the MS one is comparatively very nice. of course, just about anything would be comparatively very nice.)
There should also be no need for MS to negotiate a contract with AOL. if I want to send e-mail to slashdot, my ISP doesn't have to have a contract with andover.net. Shouldn't be any different for IM. Course, getting a current monopoly (AOL, with both AIM and ICQ) to form a pact in the best interests of the consumer is difficult. Especially if the pact is mainly with MS, a wannabe monopoly in this area.
Holy shit, I'd never seen anyone whose score defaulted to 0 before. Of course, going back and reading your comments cleared up why this is happening. Interesting, while the moderation system is terrible at selecting interesting and intelligent posts to raise, it seems to be working pretty well at shutting dumbfucks like you up. Perhaps moderation should be modified to be negative only.
I think we need to just say screw it and come to terms on an IM protocol.
Let AOL and ICQ and MSN and PDQ and ABC all come up with their own IM products. As long as they all can talk to each other. I for one am tired of having three different IM products running.
-- Patrick Aland
-- http://www.stetson.edu/~paland
--"Karma is justice without the satisfaction"
I assume they mean AIM AND ICQ Combined, that's a hell of a lot of people, and ( this is going to sound SOOO distasteful ) but i actually /agree/ with Microsoft on this issue, there /should/ be a base standard for Instant Messaging, but somehow i think Microsoft is talking out of both sides of its mouth, they just want a standard so they can add their own kludgy junk to it. But still, a standard would be nice IMO.
MS has some points, but it's blowing smoke on one issue. A single IM standard will not allow MS clients to communicate with AOL clients. The reason is simple: to communicate with AOL clients you need to use AOL servers. AOL has the right to prevent non-AOL subscribers from using its servers. And if you think that's wrong, think about other servers. Your ISP has its mail servers configured to prevent anyone but its subscribers from using them to send mail. ISPs that don't end up on the RBL. They probably also have them configured to not handle mail from certain domains, typically to block incoming spam. They probably have their news servers configured similarly, so that only their subscribers can read news off of them. Why should IM servers be different?
A single standard would be necessary, but if MS wants their subscribers to be able to talk to AOL's subscribers, they need to negotiate a contract with AOL to have AOL's servers carry MS's traffic. Which, to date, MS has shown no apparent interest in doing.
Is there a real security risk here, or is Microsoft just trying to save face?
The AOL IM actually has a buffer overflow exploit present. Basically whenever an AOL client connected to the server, the server smashed the stack and executed a piece of code that would send a packet back to the server. This let AOL change the authentication on the fly without updating the client. Of course, it also opened up some security holes. This was discussed on bugtraq in August.
"When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
Microsoft could keep their hands out of this.
My friends and I all have AIM.
Ok, if multiple vendors wish to put out various chat software, at least allow them to communicate with each other.
"Hey Bob, I thought you said you would be on AIM last night. I had to talk to you."
"Well, I tried the new Yahoo chat. It's cool. Only thing is, my wife Brenda likes eShare chat she just found."
WTF?
The above post is an editorial, the poster cannot and will not be held responsible for all or in part for its contents
Easier said than done. This is the problem with proprietary protocol systems - non-interoperability. Someone (not me of course, I'm busy) needs to come up with a single standard protocol, get it approved by ISO or whoever else cares, and put that forward. Pressure messaging software makers to include this protocol in their service, even if they want to keep their own proprietary stuff, too.
Of course, that'll happen about the same time windows is voluntarily open-sourced.
--
Matt Singerman
http://matt.vegan.net/
Microsoft worried about security risks? I don't think so. History has already proven that. If it was not for everyone screaming about stuff, nothing would ever get done.
I do find it quite funny about how AOL is putting an end to this silly war though. MS kept exploiting AOL stuff - now AOL exploits a hole in Windows. Someone has egg on their face and I don't think it is Steve Case....
It's still not user-ready, but it's getting there quickly.
I stopped running ANY of these clients as this is the best way to expose yourself to the outer world. Just because you don't know, it doesn't mean they are not out for you.
History has shown that most MS and AOL have a generally sloppy attitude towards security.
However, history has also shown that MS is willing to say pretty much anything about competitors, backed up only by anecdote or flawed studies, in order to put the desired spin on any business decision they make.
So what's the truth? Honestly, I don't even care. I don't think that AIM or MMS is the answer. If any of you open-sourcers are devoting any resources to AIM-based or MMS-based stuff, I would encourage you to donate a little time to the Jabber project (http://www.jabber.org), a messaging system with an open protocol and (IMHO, of course) a better design than either of the commercial competitors. The product has been languishing a bit in the last several months, and it would be nice to see a surge of interest in it. If you like, check out the most recent release (as of 1999/11/09), 0.7pre4 (which can be found at http://download.jabber.org/0.7pre4.html).
Why doesn't microsoft just use the TOC protocol? If all they want to do is send messages to AIM users, TOC would work fine. The protocol was released by AOL, so they cant yell about MS using it. It doesn't support all of the features of the proprietary protocol, but for messages it is all you need. Many linux, plus AOL's own java client use it.
Yeah there's a buffer overflow in the software. This is pretty weird/bad since it's one of the only pieces of software that has a security hole put in it on purpose and with a lot of forethought. Check out this for more details.
"When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
My concern is that AOL did not release a patch after this became public knowledge. Everybody knows there's a bug in that client. Sending executable code over the wire is never a good idea on something as woefully under-authenticated as tcp/ip. I have nothing but contempt for AOL - and I'm extremely worried that they might do something equally stupid with other products - such as the AOL v5 client now shipping. How many buffer overflows does *that* thing depend on, or what is being sent over the wire that their customers are blithely unaware of?
There are more serious questions to answer than the "buffer overflow" in the client. Where is the outrage over this? This should be prime time news!
--
I think it's the first time I hear MS is concerned about security! Sounds suspicious...
Opus: the Swiss army knife of audio codec
Jakob Nielsen's article on Metcalfe's Law offers good insight on why the segregation of different AIM clients is a bad thing, and reduces the potential value of the network.
Metcalfe's Law states that "the value of a network grows by the square of the size of the network".
Reversing this law provides:
Note to Rob: We need SUB and SUP tags allowed in /.
pooptruck
http://www.ozemail.com.au/~geoffch/security/aim/
Describes the buffer overflow AOL is using in some pretty good detail. Here's the basic idea:
When AIM connects to the AOL server, the AOL server sends back a message containing x86 executable code. This overflows a buffer in the AIM client, and the code gets run. This code creates a packet to send back to the AOL server. If the AOL server doesn't see the packet, then it assumes you're not using AIM, and boots you.
What MS's client did was see the packet containing the code, and generate the reply message WITHOUT overflowing a buffer or executing that code. But, AOL can just tweak that code on the server a bit and have a different reply get generated, while MS's client has to get updated to use that new code.
Nevertheless, this is pretty damn reprehensible on the part of AOL. If they don't want MS customers using their servers, sue the shit outta M$, don't exploit holes in your own code to do it. You fix bugs, not exploit them.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Maybe microsoft conceded defeat to get a bigger prize - their antitrust case.
Showing that the Big Bad Microsoft can be defeated on something like this proves that they have competition. If they can prove that they have competition they can try and appeal any anti-trust decision against them.
Look for microsoft to "lose" a few more battles in the next couple of months, eg conceding to Apache etc.
It's not like Microsoft to give up so easily on something.
Then again they could just be scared.
AOL is opening up millions of people to a stack overflow exploit. And doing it deliberately! This should be bigger news.
forgive me if this is stupid, but isn't this how IRC works? A bunch of servers that send info back and forth to each other in real time. So one person logged into one server can see a message posted by another person on another server?
This sounds like it would be a Good Thing for instant messaging.
On another note I basically agree that AOL servers should only be able to be accessed by AOL's members, but essentially wasn't this what Microsoft was trying to do? AOL's beef is that they want their software used, not microsoft's. That is perfectly reasonable for AOL to want that, but as a consumer I don't really want that.
AOL may be concerned about their network's security, but by pushing this deliberately exploitable client, it's clear that they don't care about the security of their users' own machines.
Why don't Microsoft and others like Yahoo and whoever else just use the TOC protocol that the TiK program uses? That way the only way that AOL could stop them is by either shutting down all the TOC servers or else changing the TOC protocol and not releasing the changes. They would be within their rights to do either of these but they would also risk making a number of Unix based AIM clone users mad as well.
I know AOL didn't exactly make too many friends when they took down their Tik and TOC pages, but TiK and other clients like GAIM still work. Blocking all Unix based clients probably would generate bad press and make AOL look worse than they already do. But that is not to say I don't believe they wouldn't make such a stupid move.
Microsoft and Yahoo do want to use the extra feature of OSCAR but if it is a choice between interoperating with AOL users with limited features or not working at all I would think they would choose the limited route. Of course since Tik and TOC are covered by the GPL Microsoft and Yahoo would have to release their source which may be the other problem. But again it would be better than nothing, right?
Okay, I'm still missing something.
My own AIM "clone" client (using the production AIM servers, not TOC) didn't have any troubles during the AOL/MS war. Why? I must be missing something. Can anybody enlighten me?
Looks like Nerdperfect (http://www.nerdperfect.com) beat /. to the punch on this one.
After all, it is bundled with every version of Netscape. 80 million copies may be plausible. If they're counting screen names registered on the service, I'd be a bit doubtful on how many of those names actually use AIM. My uncle has 5 AOL screen names and only one person in the house uses AIM. I don't use AOL, but I did register on AIM, and I haven't used it for 7 months. I only used it because my friend's ICQ was giving her problems, and we wanted to chat. ICQ99a fixed the problems, so we stopped using AIM. My ID is still active though-I don't believe you can delete an AIM profile off the AOL server.
AOL blocked cqexpress.com's server access to ICQ, so they don't appear to be any more friendly towards server access than they are to client access (MSN).
I remember when there used to be a buffer overflow that was easier to exploit. It existed in AIM 2.x (I think). The buffer overflow existed in a variable that existed within some weird (proprietary?) HTML tags that AIM used. I wish I could remember the tags, but the general idea was that anyone on AOL could crash someone running AIM with a single IM. I think it was something like this:
<BINARY>
<DATA SIZE=12345(everything after five overflows...)>
</DATA>
</BINARY>
AIM users couldn't crash each other because AIM would interpret the tags before they were sent, thus crashing the potential attacker. I'm sure a sophisticated user (e.g. someone not on AOL) could have smashed the stack and done some interesting things. I discovered and reported the bug and AOL actually fixed it quite fast (although they never returned any email; news.com ran a story and got AOL to admit to it). Yay for me.
steveh@globaltelinc.net
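The comment above describes a SIZE attribute whose declared value overran a buffer in the receiving client. As an added example (not part of the original comment and not AOL's code), this C parser shows the checks such a field needs before any copy; the tag grammar, the 256-byte buffer, the five-digit limit and every function name are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_PAYLOAD 256     /* assumed capacity of the receive buffer */
#define MAX_SIZE_DIGITS 5   /* assumed limit on digits accepted in SIZE */
enum parse_result { PARSE_OK, ERR_SYNTAX, ERR_SIZE_DIGITS, ERR_TOO_LARGE, ERR_TRUNCATED };
static unsigned char rx_buf[MAX_PAYLOAD];

/* Parse "<DATA SIZE=n>payload</DATA>" from msg (msg_len bytes) into out. */
enum parse_result parse_data_tag(const char *msg, size_t msg_len,
                                 unsigned char *out, size_t out_cap, size_t *out_len)
{
    static const char open_tag[] = "<DATA SIZE=", close_tag[] = "</DATA>";
    const size_t open_len = sizeof open_tag - 1, close_len = sizeof close_tag - 1;
    size_t pos = open_len, ndigits = 0, size = 0;
    if (msg_len < open_len || memcmp(msg, open_tag, open_len) != 0)
        return ERR_SYNTAX;
    /* Cap the digit count before accumulating, so size cannot wrap around. */
    for (; pos < msg_len && isdigit((unsigned char)msg[pos]); pos++) {
        if (++ndigits > MAX_SIZE_DIGITS)
            return ERR_SIZE_DIGITS;
        size = size * 10 + (size_t)(msg[pos] - '0');
    }
    if (ndigits == 0 || pos >= msg_len || msg[pos] != '>')
        return ERR_SYNTAX;
    pos++;
    if (size > out_cap)                      /* declared size must fit the buffer */
        return ERR_TOO_LARGE;
    if (msg_len - pos < size + close_len)    /* and be backed by bytes actually received */
        return ERR_TRUNCATED;
    if (memcmp(msg + pos + size, close_tag, close_len) != 0)
        return ERR_SYNTAX;
    memcpy(out, msg + pos, size);            /* size is now bounded by both limits */
    *out_len = size;
    return PARSE_OK;
}

/* Wrapper for NUL-terminated input, copying into the fixed receive buffer. */
enum parse_result parse_message(const char *s, size_t *out_len)
{
    return parse_data_tag(s, strlen(s), rx_buf, sizeof rx_buf, out_len);
}
int main(void)
{
    size_t n = 0;   /* both inputs below are constructed samples */
    printf("%d %d\n", parse_message("<DATA SIZE=5>hello</DATA>", &n),
           parse_message("<DATA SIZE=123456>x</DATA>", &n));
    return 0;
}
```

The declared size is checked against the destination capacity and against the bytes that actually arrived, so neither an oversized nor a lying SIZE value reaches `memcpy`.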
LICQ rocks, I'm using it now. I'm wondering, though, how long it will be before Mirabilis (since AOL now owns them) starts trying to exclude third party products from using *their* servers...
MS should put something in their next Windows service pack that prevents such a stack blow/execute thing from happening. This would force AOL to submit. MS can do it under the guise of enhancing security. And of course put checks of something that prevent Windows from running if AOL hacks the service pack. FUCK aol
The grammar of this sentence is confusing. Microsoft was using AOL's servers for Microsoft's instant-messenger product because it uses AOL's protocol to talk to other AIM users. AOL has tweaked their protocol a dozen times to prevent this, and each time, Microsoft tweaks their client to match. Finally, AOL decided to exploit a buffer overflow in their own client in order to prevent MS from being able to further tweak to be compatible.
I'm sorry, but I'd have to agree with MS on this one: AOL should open up their protocol and secure your clients. I'm not holding my breath though. It's pretty clear that AOL is only interested in security to the extent it affects their bottom line. Unless people just decide to give up on AIM and AOL and take their dollars elsewhere, this isn't going to hit their pocketbook, which is why AOL still hasn't fixed it. After all, consider the average AOL user. (Yes, there are a few intelligent people who use AOL. It's a little like saying "Yeah, there are a few intelligent people on Earth." Most people are idiots.)
--Joe--
Program Intellivision!
Check out the WebGuys Instant Message System. It is ready for real world use today and has a Tcl/Tk client that will run in Windows, Linux and MacOS. Several more clients are on the way soon, and we are closely following the progress of the IMPP.
I personally don't understand the need for IM software... email and IRC have done me well for the last few years and apart from a nice user interface, I see no advantage to IM apps...
Am I missing something?
M@T
'sapientia potestas est'
They have the product - it's the advertisements. That's what they're making money off of, and that's why there are the "IM Wars" in the first place. The more eyes on a system, the more money from the advertiser.
I agree with MS in principle, but AOL in implementation.
AIM runs on AOL's servers. AOL's physical hardware. Microsoft is using *their* software (MSN Messenger) to send messages via AOL's hardware. That is, pretty much, hacking.
Look at it in another way. It's akin to using software to send email over your servers without your permission. It's an abuse of your system, it's an unauthorized use, and you'd do your best to track me down or stop me. Hence, AOL's actions against Microsoft.
While AOL has no excuse to exploit a buffer overflow in their clients, I feel they're certainly entitled to keeping the protocol secret and to prevent Microsoft from using AOL's hardware without permission.
No sup and sub tags! How will lynx users view those? Keep /. lynx-friendly!
WTF is an astroturfer????????????????
Pretty good at blocking interoperability.
Has serious security bugs in software.
Microsoft Windows
Pretty good at blocking interoperability.
Has serious security bugs in software.
Yeah, Microsoft is one to talk.
--
"There are no winners," he said. "Consumers will win when an industrywide instant messaging standard is in place that ensures all users the ability to message with others regardless of which service they're using."
-Yusuf Mehdi, director of marketing for Microsoft's Consumer and Commerce Group
I just love it when Microsoft talks about open standards. It just gives me that warm, embraced, cuddly, mushy, smothered feeling.
_______________________________
We NEED an OSS internet messaging protocol and to hell with AOhelL and M$...you know as soon as everyone is hooked they will start charging or selling all your info openly or some such profit making nonsense. If there was an open version I for 1 would JUMP on the wagon...If a product was established and people (read US) used it, you could be sure the market would come to US on our terms.
CONTROL to the PEOPLE...down with the MAN...whoever that is
If Microsoft would concentrate on exposing bugs in its own software, they might actually end up making a better product. They need to lay off telling people there are security risks in AOL's software when their own Operating System is a CSO's worst nightmare. Nice job, Bill.
I have mixed feelings about the antitrust case... OT1H it's good that clueless people (excuse the label) out there now understand that MS is not the ultimate when it comes to computers. OTOH what does the whole antitrust suit accomplish?!?! Breaking MS doesn't really do much, imposing fines doesn't reform their behaviour/practices. Besides, the MS age is over. With cases like this, where MS concedes defeat, and with the rise of Linux, the advent of Open Source, etc., all these seem to me like signs that the MS age is over (or at least, going to be over soon). Perhaps we'd all be better off if we'd just let MS be defeated "naturally" (i.e. by competitors) rather than spend all that money on the anti-trust lawsuit, which probably won't accomplish that much anyway.
mikre he sophia he tou Mikrosophou.
This is exactly what Jabber is all about, building a whole new IM architecture that is also transparently compatible with existing products.
Hopefully, systems such as Jabber and the IETF effort will assist in this effort. The IETF standard should make it so that users can communicate between different services. Right now, Jabber is the closest we have to a workable system that can acknowledge systems outside of its own.
-- I'm the root of all that's evil, but you can call me cookie..
This is *EXACTLY* how Jabber works. ISPs run independent servers, and namespaces are server based, not 'global' based. Aka, my userID would be tcharron@jabber.org. It also has the ability to allow transports to deal with any sort of data, so while jabber.org is a native jabber server, icq.jabber.org can serve as a gateway for ICQ usernames to map to jabber user names.
-- I'm the root of all that's evil, but you can call me cookie..
IRC has many benefits, but unfortunately, doesn't scale well at all. It is more built directly for group chatting, and not quick instant messages between individual users..
-- I'm the root of all that's evil, but you can call me cookie..
----
For everyone wanting a standard for instant messaging you're a little late. There already is one, and it's called IRC, Internet Relay Chat.
What's funny is that when I first used AOL, I thought their instant messaging was just a lame excuse for IRC.
Name one thing IM clients can do that a good ircii client with script can't?
AOL has worked hard towards improving its security, after all those 1996-1997 break-ins with AOHell and all the 'email me your password' scams. In fact the last time I heard of someone hacking into AOL was about 1997. Which isn't to say AOL or any other network can ever be considered truly hack proof, but their security appears to be greatly improved.
--- Grow a pair, liberals... stop letting the Republicans bully you!