Forgot your password?
typodupeerror
Bug America Online Security

AOL IM 'Away' Message Security Hole Found 284

Posted by CmdrTaco
from the oops-they-did-it-again dept.
thedude13 writes " Infoworld is running a story about a major security hole in AOL ® Instant Messenger(TM) and how it handles away messages. AIM is vulnerable to a buffer overflow via the auto-response away message mechanism. Yet another reason to switch to, IMHO, a better client such as gaim."
This discussion has been archived. No new comments can be posted.

AOL IM 'Away' Message Security Hole Found

Comments Filter:
  • by Eponymous Cowboy (706996) on Tuesday August 10, 2004 @08:43AM (#9928113)
    Unfortunately, the article this story links to has a rather large mistake. It states:
    However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
    This is completely and totally wrong.

    Any web page can launch URLs of the form aim:goaway?message=Anything+goes+here by many different means without user intervention:
    • Redirect response codes
    • Meta redirect tags
    • Frames
    • iframes
    • Javascript popups
    Any one of those methods will change your away message automatically, without any confirmation on your part. And if the part in the message= section is more than 1024 characters, arbitrary code can be executed on your machine.

    The only sure way to protect yourself against this is to remove the HKEY_CLASSES_ROOT\aim registry key, which will disable the AIM protocol altogether, as explained here [idefense.com].
    • That error being noted, most users of AIM that I know will click on just about anything.
    • by shird (566377) on Tuesday August 10, 2004 @08:53AM (#9928199) Homepage Journal
      And, ahem, how do you get to that launch page in the first place? magic?

      Its not as if anyone can just post a meta-refresh onto the front page of google. A page/server would have to host that javascript/iframe/redirect/etc and you would have to convince someone to visit that in the first place.

      Sure, you can use social engineering to get people to visit mysite.com/hack.htm or whatever, but thats exactly what the article is saying - you need to manually visit a malicious page in the first place.
      • by Ieshan (409693) <ieshan@gmail. c o m> on Tuesday August 10, 2004 @09:03AM (#9928260) Homepage Journal
        Right, because no one who uses AOL Instant Messenger ever visits websites without trying.

        Seriously, a combo exploit that affected webservers and AIM would net not only thousands of servers but thousands upon thousands of PCs. Individual PCs with no services are difficult to infect by worm with even the most minimal security settings, this would tank thousands of PCs because people are so naive when it comes to the 'net. AIM has always been "safe", they don't want to listen to how it might be "dangerous".

        Of course, AOL can push out an update to the client tomorrow, and as long as the next version has more flashing lights, people will download it right away.
      • I remember that past AIM viruses often worked by infecting through a browser exploit and changing the infected user's profile or away message to be a link to the browser exploit (sometimes just the link, sometimes with something like "visit this cool link"). Although this is an AIM exploit and not a browser exploit, the same strategy could be used.
    • you're right.. i made a page that crashes AIM. when i first ran the page though, an error message pops up that says a buffer overrun was detected. does that mean that the code wouldn't have executed anyway?


      http://www.say11.com/personal/byebyeaim.html [say11.com]

    • Registry Fix (Score:3, Informative)

      by Davak (526912)
      One of our users posted a walkthrough of this fix this morning. Supposedly there is a new beta version of aim that has been released without this exploit... but I've not seen it yet.

      Walkthrough of registry fix for AIM hack [tech-recipes.com]

      Look like a good reason to upgrade to trillian to me.

      Davak
      • Eh, Trillian is shareware trash for newbies who don't know any better.

        Paying someone for a client to access a free service seems about as silly as paying for IE or Netscape.

        Visit SourceForge [sourceforge.net] and download GAIM [sourceforge.net] or one of the many open source IM solutions.

        • Eh, Trillian is shareware trash for newbies who don't know any better.

          How on Earth did this flamebait get rated highly?

          Paying someone for a client to access a free service seems about as silly as paying for IE or Netscape.

          Except that Trillian has nice features, a nice interface, really good technical support, and all the features I want. Yeah, I guess I'm a newbie though... only been working with computers for 20 years.
    • by Causemos (165477) on Tuesday August 10, 2004 @10:02AM (#9928797)
      Except it appears no one checked this fix out completely. So long as your account has privileges to that area the registry (which many do). AIM re-creates the key the next time you restart it. I've also tried breaking the key and AIM corrects this also.

      Basically unless you run as a regular "User" or other restricted account in Windows, the AIM fix is only good for one session of AIM.

      Victor
  • by asciono (220392) on Tuesday August 10, 2004 @08:43AM (#9928115)
    Whatever you do, don't leave the computer. Oh, nice reason to sit more at the computer. :)
  • gaim Bug (Score:2, Informative)

    by derphilipp (745164)
    Wasnt a exploitable bug just found in gaim ? Or to be accurate in the "festival" plugin... See: http://seclists.org/lists/bugtraq/2003/Oct/0205.ht ml
  • by RLW (662014) on Tuesday August 10, 2004 @08:44AM (#9928122)
    When are we going to learn to incorporate bounds checking in to everything ? We have the CPU cyclces.
    • When are we going to learn to incorporate bounds checking in to everything ?

      I always validated my input, even when learning to program BASIC out of the C=64 User's Guide and the advanced Programmer's Reference Guide in my early teens before taking any formal classes in it. I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.
      • by Proaxiom (544639) on Tuesday August 10, 2004 @09:21AM (#9928390)
        I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.

        Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.

        For instance: Not too long ago few programmers had any idea they should check input values for SQL control characters before passing it to a database script. They assumed input wouldn't contain any, without realizing they were so assuming.

        It's true that many bugs arise from unchecked string lengths, and those are usually pretty easy catch (and to fix), but resolving those problems will only take care of a subset -- though probably a large subset -- of the input-related security flaws out there.

        • When I learned about interacting with SQL (of the MS variety), one of the first things I learned was to escape single quotes to double quotes. I'm amazed that today programmers still make the mistake of not escaping/cleaning what they're sending to their SQL server.
        • The hard part is identifying all the assumptions we have to validate against

          If I didn't personally initialize the variable then I must explicitly define, through validation, what type of information that variable is carrying. It's not that tough.

          They assumed input wouldn't contain any, without realizing they were so assuming

          I think the only thing that was assumed is that the input had been validated by the routine or program which generated it. We're faced with a quandry: validate everything and was
        • by feepcreature (623518) on Tuesday August 10, 2004 @11:59AM (#9930207) Homepage
          I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.

          Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.

          The more secure approach is not stripping out possibly dangerous input - it is only permitting the minimum necessary. It's not always possible, but it should be applied where possible.

          So if it's a phone number, just numbers (and brackets and a plus for international numbers, and maybe minuses for the transatlantic cousins).

          Naturally there is a tradeoff between security and usability - especially if you make a mistake in the permitted characters :-(

          Even if you're not going that far, anything that looks like an escape character of any sort should generally be banned. Of course, some names have apostrophes, which could look like 'close quotes' if your app is especially dim.

          Just as well there is no strict liability for software bugs!

    • I'm not having any more luck getting developers to incorporate self test, bounds checking,
      and testability access points than I am trying to get my kids to eat vegetables.
      Even tying bonuses to it motivates few.
      • I'm not having any more luck getting developers to incorporate self test, bounds checking, and testability access points than I am trying to get my kids to eat vegetables.

        Nice analogy :-)

        Have you (or the PHBs) tried code review or unit tests? That might get them eating their spinnach, so to speak...

    • by Bedouin X (254404) on Tuesday August 10, 2004 @09:03AM (#9928262) Homepage
      I wonder if my newly acquired NX protection (just installed XP SP2) will protect me from this. I use Trillian Pro anyway but if anybody has a link, I'd like to see.
    • by pjt33 (739471) on Tuesday August 10, 2004 @09:13AM (#9928326)
      When everyone uses Java or OCAML rather than C(++).
    • Simple answer, use C#/.NET with managed code. No more buffer overflows.
  • by Masque (20587) on Tuesday August 10, 2004 @08:45AM (#9928129)
    This vulnerability only affects those rare few that actually leave their computers and do things in the "real" world.

    Those rebels deserve whatever they get.
  • But.... (Score:4, Interesting)

    by lachlan76 (770870) on Tuesday August 10, 2004 @08:45AM (#9928134)
    Do many people put links in away messages anyway? Wouldn't people think it was strange that there is a link to something they've never heard about in an away message? I've never used AOL, so can someone tell me if you can use a text link, or is it only a URL?
    • Re:But.... (Score:2, Informative)

      by LostCluster (625375) *
      The problem isn't a link within an AIM away note, it's an abuse of a link format within a webpage that is supposed to set an away note.

      A URL of the form "aim:goaway?mesage goes here" should work on most machines running AIM to set an away note. Pass too long of a string to that function, and a buffer overflow results.
      • why the fuck is that function even allowed or needed. I dont need my browser interfacing with AIM.....the only semi useful one would be the one to open a window to send a message but even then....
        • <iframe src="aim:goaway:message=Check out my webcam at http://192.168.0.1" width="1" height="1">

          That exploit seems obvious. Wonder if it would work.
    • You have misunderstood. AIM on Windows registers a protocol handler so that it's possible to run various AIM commands by opening URLs beginning with "aim:". One of those commands is "goaway" which sets the status to Away and sets a message. The code that implements the command doesn't check the length of the message in the URL. Frankly I think it's a large security and privacy risk to register such a protocol handler in the first place.
  • by LostCluster (625375) * on Tuesday August 10, 2004 @08:46AM (#9928137)
    There is not going to be an auto-spreading worm based on this hole. From the article: "AIM users would have to click on the URL to trigger the vulnerability..."

    AIM-based worms that need user clicks to spread have already existed for a while. I've already seen one that tempts people to a page that offers a malware ActiveX download, and if the user accepts their AIM profile is changed to advertise the malware site without them realizing what they've done.

    So, in short, this one's bad, but there's a pretty easy workaround that'll keep you safe: Hover over the hyperlink before you click on it to see the URL. If it's a mile long, don't click on it.
    • by Ieshan (409693)
      The real solution is to teach people not to accept ActiveX Downloads and other such things without reading the screen.

      I'm not really sure what the problem is. Reading the computer screen is not a difficult or scary task. Understanding words like "install" and "security hazard" and "caution" are not that difficult.

      I know it would be terrible UI design, but IE should really scramble the buttons at the bottom of ActiveX Dialogue boxes to keep people from instinctively clicking without reading. There are one
      • Yeah, read the screen. Where will you find the information you need like:

        1. This is spyware which will download more spyware.

        2. This is poorly written and will cause you a lot of problems.

        3. There is no uninstaller, or the this is a severe pain to uninstall. Good luck, sucker!

        In other words, spyware promotes itself like typical free software people expect. I think your argument would only make sense if there was a legal responsibility to say the above things in normal non-legalese non-techese speak.
        • If I was handing out free snowcones on the street with a small asterisk next to "free" that said "also contains Methylenedioxymethamphetamine", do you think people would eat it just because Ecstacy is tough to understand in medical terms?

          Surely not.

          People are smart enough to know that all things come at a cost.
    • If it's a mile long, don't click on it.

      Good rule, if it wasn't for a couple of problems - for a start this is AOL users, not exactly the group most renouned for net-savvyness and reluctance to click every link in sight. Even the length of the URL isn't an indicator with services like shorturl, and I could write a two line perl script that could turn an innocuous looking URL into a redirect to something much nastier (and the chances are it'd work so fast they wouldn't even notice).

      URL length isn't really
  • GAIM? Fire too (Score:3, Informative)

    by ShatteredDream (636520) on Tuesday August 10, 2004 @08:46AM (#9928138) Homepage
    For Mac users there is Fire [sourceforge.net] which since going 1.0 is quite nice and polished.
    • I can't stand the Fire logo/icon. Yuck! If I'm gonna switch from ICQ to Fire I HAVE to find another icon!
    • Or Adium [adiumx.com], a quite nice interface that can use your adressbook to display informations (and a picture) about your chat partners
      They are all directly installable via the "darwinports" port system [opendarwin.org]
    • Re:GAIM? Fire too (Score:3, Interesting)

      by slamb (119285) *
      For Mac users there is Fire which since going 1.0 is quite nice and polished.

      Looks like the Mac version is not vulnerable to this specific bug, as it deals with the way Windows has pluggable protocols for URLs. (Which is not to say that I'm confident the official Mac client has no security problems. I'm not.)

      Also, as long as we're mentioning IM clients for the Mac: my favorite is Adium [sourceforge.net]. I'm a little biased, but it has a great UI. (See the About [sourceforge.net] page for screenshots.) libgaim backend, so support for man

  • However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.

    The vulnerability reinforces the importance of using caution when clicking on links in IM messages, especially when they are from unknown correspondents, he said.


    This probably would cause some harm but not as much as a worm/virus that would automatically send the malicious URL to all users that are away on your list
  • http://www.trillian.cc

    Think Gaim but pretty!
  • Jabber & Google (Score:3, Insightful)

    by MarcoPon (689115) on Tuesday August 10, 2004 @08:51AM (#9928169) Homepage
    I just hope that Google launch a Jabber based IM system; it will be a major boost to the adoption of Jabber's servers as an open standard.
    It could also seamlessy integrated with GMail, using the same id both as the e-mail address and as JID.

    Bye!

    • I'm not so sure the Jabber system would work so well with Google. With Jabber (IIRC) all communications go through a central server. Apart from the privacy concerns, that'd be a helluva lot of bandwidth. Jabber servers are really meant to be implemented at the ISP/company/campus/whatever level. That would still work with having identical email addresses and JID's. Google would either have to come up with some geographically-based set of virtual servers (which they probably already do!) or modify the Jabber

      • I really don't know, but isn't that also true of AIM, unless you directly connect? I know it's easy to have AIM conversations when both parties are behind NAT firewalls that don't allow inbound connections, but I'd have to forward a port to transfer files.
  • IDefense discovered the vulnerability and informed AOL about it on July 12, the company said. The company released an advisory on it Monday only after computer security intelligence company Secunia Inc., of Copenhagen published an advisory warning of the hole, citing information provided by two security researchers who also had discovered the hole.

    If this review is something AOL comissioned, good for them. It would be nice, however, if they had an internal QA department that could find these design (act
  • But I wouldn't tells Windows users to jump right away to Gaim. It is still in beta and has a slew of bugs. Telling Windows users who have no idea what Open Source Software is that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.
    • Gaim works (Score:5, Insightful)

      by DrYak (748999) on Tuesday August 10, 2004 @09:12AM (#9928319) Homepage
      that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.


      {thongue in cheek mode:ON}
      Apparently you have no idea what Open Source Software is either
      {/thongue in cheek mode:OFF}

      More seriously : Unlike proprietary software, a opensource software whose version number is less than 1.x usually means more "warning: Not all cool function you would like to see are implemented yet" rather than "This software is an expreminental piece of crap, that will keep crashing your OS, please wait until we get out of beta stage before testing it, unless you backup your data often".

      Personnaly I've been using Gaim since version 0.5x both under linux at home and under windows at work, and I can say : It's pretty stable. I've been telling my brother and my friends about it and they are happy too.
      The only reason it hasn't reached the 1.x milestone isn't because of the bugs, but because there are some features it's still missing (Mainly : some kind of file upload are missing, although things are a lot better since 0.80 ; Support for Webcams, etc ...)

      This is a common misconception, and a lot of newbie users can be heard complaining "Linux distro sucks, It' only full of bug ridden software : everything is version 0.xy"

      • This is a common problem with OSS. The versioning system is *broken*. And, what is worse (and very common among the OSS community), OSS developers blame the users, not themselves for the misunderstandings.

        Previous to many of these OSS projects gaining prominence, "1.0" was commonly accepted as the milestone where basic functionality was fully working. The software may not be "done", but it was usable and things would Just Work. This was a de-facto standard used by almost all commercial vendors, which was
    • Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.

      Here, I would think that the usual case, where an active open source program at 0.x is better than a commercial product at 6.x, holds true. Gaim v0.81 has over 250+ bug fixes, a few big, many small, and that product is VERY stable and logs into everything. I know 20+ people all on various ports of Gaim and no complaints. Prior to 0.6, it's been a bit hellish, but 0.7+ has been simply sweet. Remember you can install new

    • I've been using GAIM on XP at work for 4 months now. It has had a total of one problem, when Yahoo changed protocols to screw third party IM clients. Downloaded the new version of GAIM less than 24 hours later and it worked fine.

      I have encountered zero bugs with GAIM, which I consider very unusual for anything running on Windows.
      • well you have been very lucky. My experience with it is that it is shaping up to be something awesome but as of right now it isn't worth pissing off users with it. It would gain a bad name and I just don't want people associating Gaim with unpolished and bug-ridden.

        I have had my fair share of Gaim crashes when receiving an email notification (MSN) with international characters in its subject. I've had version 0.78 crash on me for no reason whatsoever. I've also had no progress bar when sending files

  • GAIM? Trillian? (Score:3, Informative)

    by Black.Shuck (704538) on Tuesday August 10, 2004 @08:52AM (#9928190)
    Miranda [miranda-im.org]. Choice is good. :)
  • My God! (Score:4, Funny)

    by Anonymous Coward on Tuesday August 10, 2004 @08:54AM (#9928200)
    Fortunately, most of AOL users are known to be savvy enough to find some work-around until patches are available.
  • I've been using Kopete for a while and enjoy it. On a lark, I tried Gaim recently, only to find that it won't work with MSN Messenger "out-of-the-box" because it requires installing some SSL thing. So, I said screw Gaim, and still use Kopete. Not that I'm in love with MSN Messenger, but that's what most of my non-geek relatives use.
  • Coincidental... (Score:5, Interesting)

    by GillBates0 (664202) on Tuesday August 10, 2004 @08:56AM (#9928214) Homepage Journal
    I've been assigned a task of choosing the best IM service/client for our group at work and will be recommending Gaim (correct capitalization) at a meeting today.

    The decision was mostly because of it's cross-platform, cross-service compatibility and "Buddy Pounce" features (and because it's my personal favorite too :)). This way folks can continue to use their personal MSN/AIM IDs without a problem. The Buddy Pounce feature allows a script/macro to be run in response to an event - this feature is particularly useful for us because we can kick of an SMS message for example in response to a message or another event.

    Though they don't release Solaris binaries, I did get it to build on Solaris/SPARC with a little effort. I know the Yahoo Messenger UNIX version is open source now, so I could probably try and build it for obscure platforms, but it is IMHO severely cripped compared to the Windows counterpart.

    • And don't forget about the gaim-encryption plugin!

      http://gaim-encryption.sf.net

      Cross-platform, and uses the mozilla NSS libraries which gaim already uses too!
  • oh god (Score:5, Funny)

    by TechnologyX (743745) on Tuesday August 10, 2004 @09:02AM (#9928255) Journal
    "However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said."

    Yeah, this wouldn't be such a problem if the average IQ of an AIM user was above 2

    MizzIz283334: "LIke, OMG Iz just gots a linky from somewhere!!!11!!oneoneone"
    IzLikeBoizzz435435: "OMG u clic it?"
    MizzIZ 283334: "OMG WTF BBQ My computer died!!!"
  • gaim (Score:4, Interesting)

    by minus_273 (174041) <{moc.oohay.MAPS} {ta} {aaaaa}> on Tuesday August 10, 2004 @09:03AM (#9928258) Journal
    seriously is gaim really a better client? It alwasys seems to me like the unauthorized clients are a generation behind the real ones. Back when file sharing was big, gaim could not do it. Then buddy icons, gaim could not do it. No gaim can do those, but the big thing is voice and video, gaim cant do those.
    • by pjt33 (739471)
      It alwasys (sic) seems to me like the unauthorized clients are a generation behind the real ones.
      Of course they are. You can't write the support until you've got a spec to write to, and you don't get that until the authorised client is published. OTOH this is /. - a lot of us share files using scp, for example. I know I don't care whether or not my IM client supports file transfers, or anything beyond text messages for that matter.
    • Re:gaim (Score:2, Informative)

      by silverfuck (743326)

      I'm sure you already know this, but gaim-vv [sourceforge.net] is a friendly fork concentrating on the video and voice stuff, so at least they're making an attempt to catch up.

      As an aside, I can think of many features where the official clients are/have been behind. When logging was big, the official clients couldn't do that! Another good example is buddy pouncing. Not to mention all the plugins [sourceforge.net]...

    • > seriously is gaim really a better client? It alwasys seems to me like the unauthorized clients are a generation behind the real ones.

      Well, that is kind of expected. Not all the protocols are openly documented -- some have to be continously reverse engineered to figure out the latest obfuscation. Frequent changes to Yahoo's auth procedure come to mind (see the changelog).

      And you say "a generation behind" as if it is a bad thing. Note the argument "bleeding edge vs bug free". A more mature softwa
    • Well seeing how I never use audio or video, gaim's the better client for me simply because it can auto-save transcripts and doesn't have flash ads. Although I wish they'd implement a decent scroll-back history feature like ICQ. I can't count the number of times with Windows AIM where I've accidently closed a window full of flight information or something and have to try to get it again somehow.

      Actually, I *really* wish that all my friends had just stuck with ICQ instead of jumping to AIM (which was faste
      • I've never used ICQ, but for quick history you can use the "History" plug-in which comes with Gaim. Every time you open a conversation window, it displays the log of your previous conversation with that person on top (it makes all the text black and puts a <hr> to separate it from your current conversation).
  • by xiando (770382)
    My personal preference:

    screen + aterm + irssi + bitlbee

    Screen is a full screen window manager, keep something running on a server and detach/attach from anywayere

    aterm [linuxreviews.org] is a nice terminal for X11.

    irssi is a CLI irc client. Since Bitlbee acts as a normal IRC server, any IRC client can be used. Even CGI::IRC [sourceforge.net], there are several sites that allow you to use MSN/ICQ/JABBER/AIM/etc from a web page [everdot.org].

    Bitlbee [bitlbee.org] is a IRC gateway server. Basically it's a irc server where you can add IM accounts. The gateway
  • by Anonymous Coward
    but the UI is pretty lousy
  • Bugfree OSS (Score:5, Informative)

    by brianerst (549609) on Tuesday August 10, 2004 @09:23AM (#9928405) Homepage
    Thank god there have never [vuxml.org] been [linuxsecurity.com] any [linuxsecurity.com] buffer overflow [net-security.org] bugs [osvdb.org] in Gaim [securityfocus.com]!

    We can all sleep better now.

    • Re:Bugfree OSS (Score:2, Interesting)

      by signingis (158683)
      What was the response time for developers to release fixes for GAIM? We're going on 3 weeks now for AOL to release the fix for AIM. Not to mention that some of the vulnerabilities in GAIM were found in older versions of the program when upgrades were available.
      • Re:Bugfree OSS (Score:3, Informative)

        by brianerst (549609)
        Well, according to e-matters [e-matters.de], a series of 8 different buffer overflow bugs were disclosed to gaim developers on January 4, 2004. A new gaim client (0.75) was released on January 10, but this only fixed one of the overflows and introduced four new ones.

        On January 15, gaim development was emailed patches for all 11 existing bugs. A patch was added to CVS that evening, but there was no 0.76 release and no public disclosure by gaim dev (at least on their Sourceforge page - there may have been something sent

  • However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.

    Correct me if I'm wrong but this sounds to me like the user has to click something and it isn't automated.... therefore, once again it is stupid users, not software!
  • I tried gaim for windows a while back, but the performance of the app is pretty rough. Very slow screen updates, and lots of bugs, especially on a machine that's not a multi-gigahertz one. Miranda is one I found recently, which is really cool. Small, compact, and fast, but still powerful. http://www.miranda-im.com/
  • Gaim? (Score:4, Interesting)

    by illuminatedwax (537131) <stdrangeNO@SPAMalumni.uchicago.edu> on Tuesday August 10, 2004 @09:30AM (#9928465) Journal
    I use gaim regularly, but I still haven't weened myself off the official AOL Linux AIM client because gaim still crashes every time I try to send or receive a file. Never have I seen a feature for an OSS program be so seemingly painful and difficult to implement.

    --Stephen
  • by mccalli (323026) on Tuesday August 10, 2004 @09:40AM (#9928554) Homepage
    The smug "switch to Gaim" comment rather let the side down there, I think. Gaim is not a full-featured replacement. The particular deficiency I'm referring to is common to many alternative IM clients - yes, they all handle chat but very few go the whole hog and support video chats. Alternative MSN client supporting video? Not that I can find, though I'd be happy to be proved wrong here.

    A quick search reveals a fork of the Gaim project here [sourceforge.net], which, err, aims to add video functionality. Looks good from the shots, though I haven't tried it myself.

    The point of this is that people should think things through before just spouting off the top of their head. It doesn't help to have people say "yeah, use this free alternative!" and then have people turn round and say it doesn't work. I'd love to recommend a non-AOL AIM client to people, but until AV is handled I simply can't. Same for MSN -all very nice for text and file transfer, but not up to scratch for the advanced functions yet.

    Cheers,
    Ian

  • Yet another reason to switch to, IMHO, a better client such as gaim. ...Or licq if you're an icq user. It's by far the best icq client on any platform out there - even better than the official AOL/Mirabilis ones.
  • by huchida (764848) on Tuesday August 10, 2004 @01:27PM (#9931331)
    I use AOL broadband and love it. Sure, I could have bought Earthlink and connected to the Internet... But with with AOL I can connect to both the Internet AND the World Wide Web!
  • by Mulletproof (513805) on Tuesday August 10, 2004 @02:04PM (#9931825) Homepage Journal
    "Yet another reason to switch to, IMHO, a better client such as gaim."

    I know we're all open-source whores here, but even the free version of Trillian is a much better omnipotent IM product as long as we're suggesting alternatives. The level of refinment between the two is lightyears apart. And yes, I'm using Firefox to jot this, thankyouverymuch.

Do not simplify the design of a program if a way can be found to make it complex and wonderful.

Working...