The guy you're talking about is Ira Einhorn. France refused to extradite him because he could possibly face the death penalty in America. The circumstances are quite different than Sklyarov's.
Wait... I thought the DMCA did carry the death penalty. Is Eisner losing his iron grip on Congress?
Jabber Inc. does not have "patents on stuff you need to implement Jabber"
Check the minutes of the Jabber BOF held at the IETF in Yokohama: "[P]ortions of the Jabber, Inc., implementation have IPR protection, but there are at least two commercial XMPP implementations from other companies, and the Jabber, Inc. lawyers aren't suing them."
And that was from a member of Jabber, Inc's Senior Management Team (Joe Hildebrand). Not actually being with Jabber, Inc anymore, do you think you know better than their management team what IPR they hold, Peter?
The simple fact -- and as Executive Director of the Jabber Software Foundation I have the in-depth knowledge to state this categorically -- is that there is no IPR on "things you will need to implement a Jabber server".
You and Joe Hildebrand need to get your story together, then. (Joe, for the other readers out there, is Jabber.com's Chief Architect, and a member of their senior management team). I was in the same room as Cullen and heard Joe make the exact statements to which Cullen is referring. By Joe's assertion, Jabber.com (not the Jabber Software Foundation) owns patent rights to Jabber-related technologies. The only reassurance that Joe gave during that discussion is that Jabber.com has not pursued anyone for patent infringements to date.
It is interesting to note that the Jabber.com open source license specifically mentions, for example, that "No patent license is granted separate from the Licensed Product", implying that the open-source implementation available from Jabber.com (to which people are contributing) is, in fact, covered by patents owned by Jabber.com.
Not very comforting, from an open-source perspective.
Can someone please find the original so we can verify this for ourselves?
Yep, it's a load of horsehockey.
The passage he's trying to cite, I believe, is from an essay Louis Aragon wrote in La Révolution surréaliste, n° 4 (published in 1925):
"Que les trafiquants de drogue se jettent sur nos pays terrifiés. Que l'Amérique au loin croule de ses buildings blancs."
I'd translate this more as "That the drug traffickers throw themselves on our terrified countries. That far away, America's white buildings collapse."
I wouldn't even interpret the first sentence as relating to America, since Aragon clearly considered America to be quite distant from himself and, consequently, any countries he would feel compelled to call "our."
Using such a questionable quote without checking sources was extremely irresponsible on the part of Dr. Greenwood. On the other hand, Wlad Godzich should be summarily dismissed from his position at UC Santa Cruz for such academic dishonesty as daring to translate the same phrase as "The time will come, America,/When the hordes of Afghanistan/Will crash your gleaming airplanes/Into the shiny towers of Manhattan."
I've always been a bit miffed that I can drop $16 on a CD (or, back in the day, $8 on a tape), and then have it scratched (or eaten) the following day, and need to essentially purchase another license for it.
Of course, if I'm just buying the media itself, and not merely a license, then I must be free to distribute the music as I see fit. :)
(Certainly, this isn't what the record companies intended.)
As somebody who has had considerable experience administrating and setting up various Jabber servers, I can tell you that it is safe to disable plain-text passwords.
It doesn't matter how you have the server set up. If I convince a client to connect to me (and there are plenty of routing and DNS tricks I can play to make this happen), I can bid down the security to plain text. I can even turn around and hash the password to your server, so that neither you nor the client ever find out about the compromised security.
According to Peter Saint-Andre (member of the Jabber Software Foundation, who was at this year's IETF meeting), SIMPLE is about two years away from defining the protocols, let alone implementations, for a full-featured IM system. Jabber only recently had an RFC written (earlier this year), as the focus before that has been on implementations. The difference is obvious: people are using Jabber right now, while SIMPLE is basically all talk.
Okay, in this respect, I'm afraid you (and Peter) are sorely misinformed. Jabber has had its first internet-draft written about it (first internet-draft to RFC usually takes about three years), while SIMPLE is rapidly approaching RFC status (I'd be surprised if it is not published as a full-fledged RFC by year's end). It's stable enough that the most recent versions of Microsoft Messenger have included SIMPLE support.
I'm not a server developer, so I'd like to hear about these DoS attack vulnerabilities (that aren't inherent to servers in general). Otherwise, I'll write this comment off as unfounded.
Okay, here's a fun one.
Once a Jabber server accepts an incoming connection, it looks for a <stream:stream> tag, and inside it, for the structured data objects that make up the other basic Jabber functions (authentication, messages, subscriptions, intentionally inserted malformed tags, etc.) The fun part is that Jabber is defined in such a way that the server needs to queue up such requests until it sees an authentication request.
So, I can push most Jabber servers over by connecting to them, starting the stream, and then sending arbitrary chunks of valid but useless XML, but never actually sending authentication information. Eventually, it runs out of resources from queueing all this random crap I've sent it, and falls over.
This is especially fun if I get multiple machines to participate in the attack.
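Added example (not part of the comment above, and not code from any Jabber server): a server-side guard that puts a hard budget on what a connection may queue before it authenticates, which is the resource the comment describes being exhausted. The class name, limits and method names are this example's own assumptions.

```python
from collections import deque


class PreAuthLimitExceeded(Exception):
    """Raised when an unauthenticated connection must be closed."""


class PreAuthSession:
    """Per-connection state that bounds stanzas held before authentication."""

    def __init__(self, opened_at, max_stanzas=8, max_bytes=16384,
                 auth_deadline=30.0):
        self.opened_at = opened_at          # connection accept time (seconds)
        self.max_stanzas = max_stanzas      # cap on queued stanza count
        self.max_bytes = max_bytes          # cap on queued stanza bytes
        self.auth_deadline = auth_deadline  # seconds allowed to authenticate
        self.queue = deque()
        self.queued_bytes = 0
        self.authenticated = False

    def receive(self, stanza, now):
        """Return stanzas to process now; raise if the peer must be dropped."""
        if self.authenticated:
            return [stanza]
        if now - self.opened_at > self.auth_deadline:
            self._discard()
            raise PreAuthLimitExceeded("no authentication before deadline")
        over_count = len(self.queue) + 1 > self.max_stanzas
        over_bytes = self.queued_bytes + len(stanza) > self.max_bytes
        if over_count or over_bytes:
            # Free the memory immediately; the caller closes the socket.
            self._discard()
            raise PreAuthLimitExceeded("pre-auth queue budget exhausted")
        self.queue.append(stanza)
        self.queued_bytes += len(stanza)
        return []

    def mark_authenticated(self):
        """Call on successful login; returns the held stanzas in order."""
        self.authenticated = True
        pending = list(self.queue)
        self._discard()
        return pending

    def _discard(self):
        self.queue.clear()
        self.queued_bytes = 0
```

The budget is per connection, so it needs a per-source connection limit alongside it to cover the multiple-machine case mentioned in the comment.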
What?!?! Jabber sends the password as a hash and even has SSL support. Some clients do PGP end-to-end if you really want that. Not to mention that the server-to-server protocol does "dialback" to prevent spoofing. Sorry, but you are terribly misinformed here.
He said one critical thing -- and this was the main crux of my previous argument -- that applies just as forcefully to your statement: "Most sites don't do this today".
And this is exactly the problem. The protocol, as deployed today, is fundamentally insecure. Securing it is not a backwards-compatible change, since it will cause older clients to break.
Further, because the security used is the weakest supported by either the client or the server, typical deployments still see a large number of passwords sent in the clear (put a sniffer on a segment near a Jabber server and you can verify this for yourself).
Jabber won't be free from this flaw until it deprecates plain-text passwords -- which will unfortunately break backwards compatibility. In short, this really is a major flaw that will be difficult for Jabber to recover from.
So does that mean that using MSN I can talk to AIM users?
Not yet. AOL is apparently waiting until the ink dries on the RFCs before releasing their support for SIMPLE. SIMPLE is currently under development (actually, it's pretty close to being done), and should be published as an RFC by the IETF before the end of the year. Look for AIM support sometime after that.
IMUnified (which is what I think you're trying to refer to) is long dead. However, AOL and Microsoft have both thrown their support behind SIMPLE. The SIMPLE development effort is alive and well. Expect to see this protocol published as RFCs before the end of the year...
So, how about we look towards the same standards body that brought you SMTP: the IETF.
And, in fact, there's an IM standard under development in the IETF, called SIMPLE, that both AOL and Microsoft support. In fact, Microsoft already has SIMPLE support in the latest version of MSN Messenger.
As you suggest, the addressing uses multiple domains (like "chefmonkey@aol.com") to route between systems.
AOL has abandoned support for the initiative you cite (about two years ago, in fact). They are now throwing their support (along with Microsoft) behind an IETF emerging standard called SIMPLE. See this article for confirmation of AOL's support of SIMPLE.
On the contrary, both AOL and Microsoft have agreed to interoperate using an IETF protocol currently under development, called SIMPLE. It's already shipping in the most recent version of MSN Messenger.
From this article: "AOL, the leading provider of instant messaging services, says it will use the IETF SIMPLE protocol to support interoperability with third-party vendors."
Here's the usable standard that both AOL and Microsoft have agreed to use in the future. It's still under development, but almost complete. Complete enough, in fact, that MSN Messenger already includes a working implementation.
Microsoft Messenger already has support for an interoperable standard built right in. It's called SIMPLE, and it's being developed by the IETF. Best of all, it's being supported by both AOL and Microsoft. Once the IETF gets done with SIMPLE, you'll start seeing AIM, MSN Messenger, and probably a whole slew of other systems talking to each other seamlessly.
You WILL get AOL behind an interoperable standard. It's called SIMPLE, and it's being developed by the IETF.
Quoting an article from ABC News: "AOL recently announced that it has begun testing a SIMPLE-compliant AIM"
The newest version of MSN messenger (the one that ships with Windows XP and can be downloaded for the other MS operating systems) also supports SIMPLE (although they use the obscure term "communications service" to signify it).
It looks to me like interoperability -- even with the guys you predict will never be interoperable -- is on the way.
Jabber, unfortunately, has a number of weaknesses. It was not designed for security (for example, it sends passwords as clear text), and the model it uses is inherently vulnerable to DOS attacks. And you'll never convince AOL to use it.
On the other hand, SIMPLE is every bit as interoperable as Jabber, with the added weight of the fact that AOL has agreed to interoperate with other vendors using SIMPLE once it is complete.
Oh... and, uh... it's opensource, too. Bonus.
Check the minutes of the Jabber BOF held at the IETF in Yokohama: "[P]ortions of the Jabber, Inc., implementation have IPR protection, but there are at least two commercial XMPP implementations from other companies, and the Jabber, Inc. lawyers aren't suing them."
And that was from a member of Jabber, Inc's Senior Management Team (Joe Hildebrand). Not actually being with Jabber, Inc anymore, do you think you know better than their management team what IPR they hold, Peter?
No, I didn't think so.
For those of you that find PDF a Pain In The Ass, you can grab an HTML version of this chapter from here.
Legally? Probably. Morally? That's a personal issue, but I'd say it's probably not.
Amen.
:)
While you don't seem to personally care about widespread support, the endorsement of an open standard (which SIMPLE is) by such IM giants as AOL and Microsoft certainly seems to give it a certain amount of credibility.
SIMPLE has a client on every Windows XP box in the world, and will soon be joined by every AIM client in the world. What's Jabber's total penetration?
I already addressed that here
And this is exactly the problem. The protocol, as deployed today, is fundamentally insecure. Securing it is not a backwards-compatible change, since it will cause older clients to break.
The way Jabber is defined, it is subject to man-in-the-middle bid-down attacks. In particular, the fact that the Jabber "standard" specifies: "Typically a server is only going to support one of the three, a client should choose the most secure by default," anyone able to intercept messages can pare down the server's capability list to plain text, thus forcing the client to expose a plain-text password.
Further, because the security used is the weakest supported by either the client or the server, typical deployments still see a large number of passwords sent in the clear (put a sniffer on a segment near a Jabber server and you can verify this for yourself).
Jabber won't be free from this flaw until it deprecates plain-text passwords -- which will unfortunately break backwards compatibility. In short, this really is a major flaw that will be difficult for Jabber to recover from.
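Added example (not part of the comment above, and not code from any Jabber client): what deprecating plain text looks like on the client side, where the client refuses to authenticate when the offered list falls below a policy floor or below what the same server offered before. It assumes the legacy jabber:iq:auth field reply with password, digest and sequence/token children; the mechanism labels, function names and sample replies are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = "{jabber:iq:auth}"
# Child elements of the server's auth-fields reply, mapped to this example's
# own mechanism labels and ranked weakest to strongest.
FIELD_TO_MECH = {"password": "plain", "digest": "digest", "sequence": "zerok"}
STRENGTH = {"plain": 0, "digest": 1, "zerok": 2}

# Constructed sample replies: what the server sent, and the same reply after
# an intermediary pared the list down to plain text.
SERVER_REPLY = ("<iq type='result' id='auth1'><query xmlns='jabber:iq:auth'>"
                "<username/><password/><digest/><resource/></query></iq>")
PARED_REPLY = ("<iq type='result' id='auth1'><query xmlns='jabber:iq:auth'>"
               "<username/><password/><resource/></query></iq>")


class DowngradeError(Exception):
    """Raised instead of authenticating with a mechanism below policy."""


def offered_mechanisms(iq_xml):
    """Return the set of mechanism labels present in an auth-fields reply."""
    found = set()
    for el in ET.fromstring(iq_xml).iter():
        if el.tag.startswith(NS):
            mech = FIELD_TO_MECH.get(el.tag[len(NS):])
            if mech:
                found.add(mech)
    return found


def choose_mechanism(offered, floor="digest", pinned=None):
    """Pick the strongest offer; refuse anything under floor or pinned."""
    if not offered:
        raise DowngradeError("server offered no known mechanism")
    best = max(offered, key=STRENGTH.__getitem__)
    if STRENGTH[best] < STRENGTH[floor]:
        raise DowngradeError(f"best offer {best!r} is below floor {floor!r}")
    if pinned is not None and STRENGTH[best] < STRENGTH[pinned]:
        raise DowngradeError(f"server previously offered {pinned!r}")
    return best


def digest_response(stream_id, password):
    """Legacy digest value: hex SHA-1 of stream id followed by password."""
    data = (stream_id + password).encode("utf-8")
    return hashlib.sha1(data).hexdigest()
```

With the floor at "digest" the pared reply produces an error rather than a plain-text password on the wire, and a server that only ever offers plain text is refused as well, which is the compatibility break the comment refers to.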
SIMPLE exists in a firm enough form that it's shipping in the MSN Messenger that comes with Windows XP (and can be downloaded for other MS platforms), and has received the explicit backing of both Microsoft and AOL.
So, let's review -- a SIMPLE client is already installed on every XP system in the world, and AIM will soon provide interoperability using SIMPLE.
Those are plusses, aren't they?
And, in fact, there's an IM standard under development in the IETF, called SIMPLE, that both AOL and Microsoft support. In fact, Microsoft already has SIMPLE support in the latest version of MSN Messenger.
As you suggest, the addressing uses multiple domains (like "chefmonkey@aol.com") to route between systems.
Is that kinda what you're looking for?
This is typically referred to as "giving away the razor and selling the razor blades."
So, let's recast this... if I sell replacement razor blades for the Trac II razor, would it be reasonable for Gillette to sue me to get me to stop? Of course not.
Microsoft is just being a baby. Granted, they're an 800-pound baby that tends to get its way...