Slashdot Mirror
Microsoft Surrenders IM War, Claims Security Risk
calibanDNS writes "The BBC is running an article about Microsoft surrendering in its instant messaging war with AOL. According to the article, the latest version of AOL's instant messaging software 'blocks interoperability by exposing a very serious security bug in its software.'"
MS would prefer it not be called a surrender, of course; see also the
Nando Times article
which hints at running arbitrary code on the client. Is this FUD, or will we carry a story next week about a new AOL IM exploit?
Well, across the years, Microsoft has proven over and over they don't really care for their users so long as said users are *forced* to buy what Microsoft offers...
So the one time that they talk relatively sanely, do you expect me to just go "oh, okay"... No. Once there's a standard in place, that's when Microsoft will subvert it.
This is exactly what the jabber project is attempting to do. It's building an extendable protocol, with the ability to 'gateway' between other networks, so as to not only bring about a new way of cumminicating between users, but provide a singular interface to all of the systems at the same time.
-- I'm the root of all that's evil, but you can call me cookie..
Nice reminder. *thinks back to the previous Slashdot discussion on this*
It makes one wonder why they did *this* hacky thing, instead of a Netrek-style method. For those that never played (bronco) Netrek, the "official" clients were compiled with blessed RSA keys. The servers sent (sometimes periodic) challenges to the clients; the clients had to respond in such a way that the server could tell whether it was a valid client, and which it was. If a key was cracked, it could be invalidated at the server side.
It's not fool-proof, but it doesn't open the user up to remote exploits...
Only the dead have seen the end of war.
Feel free to jump on at Jabber.org. We're not only developing a new, OSS, IM system, but one that INCLUDES the capability for anyone to run a server, and talk to anyone else running them, AND the ability for these servers to talk to AIM, MSIM, ICQ, Yahoo, etc.. for you..
-- I'm the root of all that's evil, but you can call me cookie..
As you say, there is a world of difference between being crappy in recognising existing errors, and actually deliberately introducing new errors...
The exploit for AIM and other messaging protocols have been around since before August (but nobody reads those anyhow). The security hole posed by ICQ's protocols have been available since 1997! We can see some here: http://www.insecure.org/sploits/icq.sp00fer.html and here too: http://www.insecure.org/sploits/icq.spoof.overflow .seq.html there is code given that can be used to flood and take over the connection. Also some intresting things about the proprietary ICQ protocol implementation. As for AIM we happen to see that it gives a static open port that can be flooded. You will find that most corps. will not allow employees with net access to use AIM or AIM-Like products because of the security risks. Was M$ right about dropping the whole insane messenger thing? maybe they couldn't win--but Front Page extentsions and IIS are not exactly the models of security either.
That's what Jabber is doing. They've designed a system that uses it's own protocol for clients, but the servers can contain transports to AIM, ICQ, MSIM, IRC, etc..etc.. They're providing a means to a new protocol, with support for older protocols on the server end for users to continue to talk to other systems..
-- I'm the root of all that's evil, but you can call me cookie..
I think this is an issue of two companies arguin over who 'owns' their users. what they don't relize is, no one owns the users.
This is one of the things that started development of the Jabber project. We're designing a non centralized system, where users belong to themselves. Servers are not set in stone, but instead behave simularly to email servers. Anyone can bring their IM to any server. Any ISP can setup their own IM server, and provide their users with what they want, without 'ownership' of the user. The user can just as easily setup his/her account on a different server.
But we've taken it a step further. Any of these servers can then talk to AIM, MSIM, etc on the server level. We let you choose.
No one owns us, and we shouldn't tolerate NOT having a choice of what we want to do with IM'ing, no more so then we are limited to what we do with email.
The corperate 'wars' over user ownsership are silly, and bad buisness for them. Hopefully, for their sake, they'll wake up and smell the coffee before IM is a commodity, and their users flood to other providers.
-- I'm the root of all that's evil, but you can call me cookie..
Has anyone noticed AOL also mooking around with their other darling, ICQ?
If you read the source from licq (and other ICQ-compatible *nix clients), you'll find that ICQ 99a and 99b don't really adhere to their protocol v5. ICQ 99b, for example, seems to want its bytes swapped around (endianness bug, or purposefull?).
What would be really good are:
1) Standard communication (clients can talk to clients), with standard back-end communication (I can make up my own ICQ server, and this can go and connect with the ICQ network).
^ This is a general thing to benefit everyone
2) A migration program for the different client databases. I'd love it if there was something like alien (package format converter) that I could use to let licq and ICQ 98 (99 is a bloated P-O-S) share the same history database.
^ This is more specific, and would mainly be a benefit for people migrating from Windows to Linux (a good browser, like Opera, would also be a must).
The standards aren't going to come about unless we can come up with a good protocol, have GPLed source (no AOL "bait and switch" tactics are possible then), and get a fair number of people using it. A good internal client with plugins for different OS specific display (like licq) would be great for this. Why would I want to use ICQ98 if I can use Licq-Win32, contact friends on the new Open network, as well as keep in touch with the older ICQ people? Not to mention the fact that this would remove the main barrier (data in one OS, but not the other) that people have to switching from one to another.
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Generally speaking, the Internet is built on distributed protocols. The one protocol where everything eventually funnels down to one place, the DNS root servers, is an endless cause of headache because of the actions of the people who administer it.
A distributed IM protocol, with individual ISPs running messaging servers for their customers, or even the irc protocol is a much better thing for the network as a whole.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
Microsoft encircles AOL, crushing them entirely in the media and possibly even in the courts, depending on the trap they've set.
I bet you are right. I'm just curious to hear people's theories about what kind of trap Microsoft has set. Microsoft is a very deliberate company. Their retreat is probably a pseudo-defeat to look weak for the DOJ trial. Plus, Microsoft recognizes the Internet train is leaving without BillG. They want to own the Internet, or at least its users, at any cost. Linux and Apache are far more popular on the Internet than Windows NT and IIS. I've read some recent articles pointing out how Microsoft is retargeting at corporate intranets with Windows 2000 and the ActiveDirectory, trying to win the Internet war from the "inside out". Maybe Microsoft is working on an IM strategy or product that involves intranet or business features. B2B is a bigger, richer market than B2C (or C2C?).
cpeterso
The trick is, they would still be part of the 'network'. And if AIM at least provided for a way for other messaging systems to 'interface' with their's, the network size triples, becouse the 'network' now includes SEVERAL IM technologies, and not just one..
-- I'm the root of all that's evil, but you can call me cookie..
I think we need to just say screw it and come to terms on an IM protocol.
Let AOL and ICQ and MSN and PDQ and ABC all come up with there own IM products. As long as they all can talk to each other. I for one am tired of hainvg three different IM products running.
-- Patrick Aland
-- http://www.stetson.edu/~paland
--"Karma is justice without the satisfaction"
MS has some points, but it's blowing smoke on one issue. A single IM standard will not allow MS clients to communicate with AOL clients. The reason is simple: to communicate with AOL clients you need to use AOL servers. AOL has the right to prevent non-AOL subscribers from using it's servers. And if you think that's wrong, think about other servers. Your ISP has it's mail servers configured to prevent anyone but it's subscribers from using them to send mail. ISPs that don't end up on the RBL. They probably also have them configured to not handle mail from certain domains, typically to block incoming spam. They probably have their news servers configured similarly, so that only their subscribers can read news off of them. Why should IM servers be different?
A single standard would be neccesary, but if MS wants their subscribers to be able to talk to AOL's subscribers, they need to negotiate a contract with AOL to have AOL's servers carry MS's traffic. Which, to date, MS has shown no apparent interest in doing.
Is there a real security risk here, or is Microsoft just trying to save face?
The AOL IM actually has a buffer overflow exploit present. Basically whenever an AOL client connected to the server, the server smashed the stack and executed a piece of code that would send a packet back to the server. This let AOL change the authentication on the fly without updating the client. Of course, it also opened up some security holes. This was discussed on bugtraq in August.
"When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
Microsoft could keep their hands out of this.
My friends and I all have AIM.
Ok, if multiple vendors wish to put out various chat software, at least allow them to communicate with each other.
"Hey Bob, I thought you said you would be on AIM last night. I had to talk to you."
"Well, I tried the new Yahoo chat. It's cool. Only thing is, my wife Brenda likes eShare chat she just found."
WTF?
The above post is an editorial, the poster cannot and will not be held responsible for all or in part for it's contents
It still not user-ready, but it's getting there quickly.
My concern is that AOL did not release a patch after this became public knowledge. Everybody knows there's a bug in that client. Sending executable code over the wire is never a good idea on something as woefully under-authenticated as tcp/ip. I have nothing but contempt for AOL - and I'm extremelly worried that they might do something equally stupid with other products - such as the AOL v5 client now shipping. How many buffer overflows does *that* thing depend on, or what is being sent over the wire that their customers are blithingly unaware of?
There are more serious questions to answer than the "buffer overflow" in the client. Where is the outrage over this? This should be prime time news!
--
Jakob Nielsen's article on Metcalfe's Law offers good insight on why the segregation of different AIM clients is a bad thing, and reduces the potential value of the network.
Metcalfe's Law states that "the value of a network grows by the square of the size of the network".
Reversing this law provides:
Note to Rob: We need SUB and SUP tags allowed in /.
pooptruck
http://www.ozemail.com.au/~geoffch/s ecurity/aim/
Describes the buffer overflow AOL is using in some pretty good detail. Here's the basic idea:
When AIM connects to the AOL server, the AOL server sends back a message containing x86 executable code. This overflows a buffer in the AIM client, and the code gets run. This code creates a packet to send back to the AOL server. If the AOL server doesn't see the packet, then it assumes you're not using AIM, and boots you.
What MS's client did was see the packet containing the code, and generate the reply message WITHOUT overflowing a buffer or executing that code. But, AOL can just tweak that code on the server a bit and have a different reply get generated, while MS's client has to get updated to use that new code.
Nevertheless, this is pretty damn reprehensible on the part of AOL. If they don't want MS customers using their servers, sue the shit outta M$, don't exploit holes in your own code to do it. You fix bugs, not exploit them.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Maybe microsoft conceded defeat to get a bigger prize - thier antitrust case.
Showing that the Big Bad Microsoft can be defeated on something like this proves that they have competition. If they can prove that they have competition they can try and appeal any anti-trust decision against them.
Look for microsoft to "lose" a few more battles in the next couple of months, eg conceding to Apache etc.
It's not like Microsoft to give up so easily on something.
Then again they could just be scared.
You are confused.
AIM uses a protocol called Oscar. When people started clamoring for non-Windows clients, AOL engineered a compatible, but less feature-rich protocol called TOC. After its release, a plethora of non-Windows, AIM-compatible clients were developed.
Then Microsoft came along, reverse-engineered Oscar (ignoring the sanctioned interoperable protocol of TOC), and started getting a free ride for their client on AOL's servers. AOL claimed that because Microsoft was using *their* servers for MS' services with authorization, they had basically hacked into AOL's networks and proceeded to (apparently) use a buffer overflow exploit to detect AIM clients.
AOL blocked cqexpress.com's server access to ICQ, so they don't appear to be any more friendly towards server access than they are to client access (MSN).
"There are no winners," he said. "Consumers will win when an industrywide instant messaging standard is in place that ensures all users the ability to message with others regardless of which service they're using."
-Yusuf Mehdi, director of marketing for Microsoft's Consumer and Commerce Group
I just love it when Microsoft talks about open standards. It just gives me that warm, embraced, cuddly, mushy, smothered feeling.
_______________________________
The IETF is already doing this. They have an "Instant Messaging and Presence Protocol" Working group. Check it out.
Of course, they take a long time to get anything together, but standards engineering needs to be good.
-Ted
Hopefully, system such as Jabber>/A> and the IETF effort will assist in effort. The IETF standard should make it so that users can communicate between different services. Right now, Jabber is the closest we have to a workable system that can acknoledge systems outside of it's own.
-- I'm the root of all that's evil, but you can call me cookie..
This is *EXACTLY* how Jabber work. ISP's run indendent servers, and namespaces are server based, not 'global' based. Aka, my userID would be tcharron@jabber.org. It also has the ability to allow transports to deal with any sort of data, so while jabber.org is a native jabber server, icq.jabber.org can serve as a gateway for ICQ usernames to map to jabber users names.
-- I'm the root of all that's evil, but you can call me cookie..
IRC has many benifits, but unfortionalty, doesn't scale well at all. It is more built directly for group chatting, and not quick instant messages between individual users..
-- I'm the root of all that's evil, but you can call me cookie..
----