Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Microsoft

Microsoft Surrenders IM War, Claims Security Risk 123

Posted by jamie from the enemy-of-my-enemy dept.
calibanDNS writes "The BBC is running an article about Microsoft surrendering in its instant messaging war with AOL. According to the article, the latest version of AOL's instant messaging software 'blocks interoperability by exposing a very serious security bug in its software.'" MS would prefer it not be called a surrender, of course; see also the Nando Times article which hints at running arbitrary code on the client. Is this FUD, or will we carry a story next week about a new AOL IM exploit?
This discussion has been archived. No new comments can be posted.

Microsoft Surrenders IM War, Claims Security Risk More

Microsoft Surrenders IM War, Claims Security Risk

Comments Filter:
  • Well, across the years, Microsoft has proven over and over they don't really care for their users so long as said users are *forced* to buy what Microsoft offers...

    So the one time that they talk relatively sanely, do you expect me to just go "oh, okay"... No. Once there's a standard in place, that's when Microsoft will subvert it.

  • Since most uSoft software has serious security flaws that are caused by applying power to the system, maybe there's a single point at which these problems could be fixed....

  • This is exactly what the jabber project is attempting to do. It's building an extendable protocol, with the ability to 'gateway' between other networks, so as to not only bring about a new way of cumminicating between users, but provide a singular interface to all of the systems at the same time.
  • AOL is changing their software to break Microsoft's and protect their severs. So what? Server protection is justified, software breaking is the Microsoft way.

    Microsoft software broken by someone else, how can it be? I thought it was supposed to be one network, one computer, one program. Boo Hoo Hoo!

  • Nice reminder. *thinks back to the previous Slashdot discussion on this*

    It makes one wonder why they did *this* hacky thing, instead of a Netrek-style method. For those that never played (bronco) Netrek, the "official" clients were compiled with blessed RSA keys. The servers sent (sometimes periodic) challenges to the clients; the clients had to respond in such a way that the server could tell whether it was a valid client, and which it was. If a key was cracked, it could be invalidated at the server side.

    It's not fool-proof, but it doesn't open the user up to remote exploits...

  • Feel free to jump on at Jabber.org [jabber.org]. We're not only developing a new, OSS, IM system, but one that INCLUDES the capability for anyone to run a server, and talk to anyone else running them, AND the ability for these servers to talk to AIM, MSIM, ICQ, Yahoo, etc.. for you..
  • Good link. After reading it I rather think MS are in the right: they *could* `track' AOL by constantly amending their software if they adopted the buffer overflow error, but they have chosen to bow out rather than deliberately introduce a bud into their code.


    As you say, there is a world of difference between being crappy in recognising existing errors, and actually deliberately introducing new errors...

  • The exploit for AIM and other messaging protocols have been around since before August (but nobody reads those anyhow). The security hole posed by ICQ's protocols have been available since 1997! We can see some here: http://www.insecure.org/sploits/icq.sp00fer.html and here too: http://www.insecure.org/sploits/icq.spoof.overflow .seq.html there is code given that can be used to flood and take over the connection. Also some intresting things about the proprietary ICQ protocol implementation. As for AIM we happen to see that it gives a static open port that can be flooded. You will find that most corps. will not allow employees with net access to use AIM or AIM-Like products because of the security risks. Was M$ right about dropping the whole insane messenger thing? maybe they couldn't win--but Front Page extentsions and IIS are not exactly the models of security either.
  • That's what Jabber is doing. They've designed a system that uses it's own protocol for clients, but the servers can contain transports to AIM, ICQ, MSIM, IRC, etc..etc.. They're providing a means to a new protocol, with support for older protocols on the server end for users to continue to talk to other systems..
  • I disagree. This would have been a test of people's support of Open Standards if MS had come up with their own protocal and then given them to an open standards committee to work with. Or even if they had taken that protocal and published the *entire* specs of it(with no hidden little tricks that would make MS software work faster).

    This wasn't that. This was MS basically writing software that cracked into AOL's proprietary database system and then used their network to provide a MS service. This was no more a test of open standards than if I went to a local ISP with a PPP client and *demanded* that they give me access through their network.

    --John

  • Astounding to see this here.

    How many different operating systems do we need anyways? Surely Windows is good enough for everyone. Hmm, perhaps not?

    Oh, and for the record, allowing them to communicate with each other is exactly what the fight is about. That's what MS did and AOL does want to permit. This is one time where MS was actually on the side of open standards.

    Here's where we see where people really stand, in favor of open standards or just in favor of bashing MS.

    -Blake (rolling his eyes)

  • I think this is an issue of two companies arguin over who 'owns' their users. what they don't relize is, no one owns the users.

    This is one of the things that started development of the Jabber project [jabber.org]. We're designing a non centralized system, where users belong to themselves. Servers are not set in stone, but instead behave simularly to email servers. Anyone can bring their IM to any server. Any ISP can setup their own IM server, and provide their users with what they want, without 'ownership' of the user. The user can just as easily setup his/her account on a different server.

    But we've taken it a step further. Any of these servers can then talk to AIM, MSIM, etc on the server level. We let you choose.

    No one owns us, and we shouldn't tolerate NOT having a choice of what we want to do with IM'ing, no more so then we are limited to what we do with email.

    The corperate 'wars' over user ownsership are silly, and bad buisness for them. Hopefully, for their sake, they'll wake up and smell the coffee before IM is a commodity, and their users flood to other providers.
  • >>AOL is dumb, i think microsoft had the right idea, fuck having 10 different IM clients


    This line shows your complete lack of understanding of this issue. Microsoft is the one who came in with their different client in a market which still has no need for it. ICQ is the IM standard. I am aware of no problems with it requiring "innovation" from monoposoft. They totally missed the parade on yet another emerging market and then bribed and extorted their way into it.

    Personally I would not deign to converse with anyone so misinformed about so many things that they would use a redundant piece of crap like monoposoft's IM.
    ---CONFLICT!!---
  • Has anyone noticed AOL also mooking around with their other darling, ICQ?

    If you read the source from licq (and other ICQ-compatible *nix clients), you'll find that ICQ 99a and 99b don't really adhere to their protocol v5. ICQ 99b, for example, seems to want its bytes swapped around (endianness bug, or purposefull?).

    What would be really good are:
    1) Standard communication (clients can talk to clients), with standard back-end communication (I can make up my own ICQ server, and this can go and connect with the ICQ network).
    ^ This is a general thing to benefit everyone

    2) A migration program for the different client databases. I'd love it if there was something like alien (package format converter) that I could use to let licq and ICQ 98 (99 is a bloated P-O-S) share the same history database.
    ^ This is more specific, and would mainly be a benefit for people migrating from Windows to Linux (a good browser, like Opera, would also be a must).

    The standards aren't going to come about unless we can come up with a good protocol, have GPLed source (no AOL "bait and switch" tactics are possible then), and get a fair number of people using it. A good internal client with plugins for different OS specific display (like licq) would be great for this. Why would I want to use ICQ98 if I can use Licq-Win32, contact friends on the new Open network, as well as keep in touch with the older ICQ people? Not to mention the fact that this would remove the main barrier (data in one OS, but not the other) that people have to switching from one to another.
    ---
  • is linux/AIM vulnerable?

  • Oh so if i want to send mail to one of my friends on one of those server I can't... oh wait, your just stupid.

    No, he's not stupid. He was saying that your ISP (hopefully) has their mail server configured so that someone who is not a subscriber can not send mail out through their SMTP server. If they didn't, they would be an open relay. Many admins block incoming mail from known open relays (I do for instance) because much of the spam coming into their network comes from open relays.

    For example, if your ISP did not block non-subscribers from sending messages out through their SMTP server, you could not send email to me.

  • Generally speaking, the Internet is built on distributed protocols. The one protocol where everything eventually funnels down to one place, the DNS root servers, is an endless cause of headache because of the actions of the people who administer it.

    A distributed IM protocol, with individual ISPs running messaging servers for their customers, or even the irc protocol is a much better thing for the network as a whole.
  • Microsoft encircles AOL, crushing them entirely in the media and possibly even in the courts, depending on the trap they've set.

    I bet you are right. I'm just curious to hear people's theories about what kind of trap Microsoft has set. Microsoft is a very deliberate company. Their retreat is probably a pseudo-defeat to look weak for the DOJ trial. Plus, Microsoft recognizes the Internet train is leaving without BillG. They want to own the Internet, or at least its users, at any cost. Linux and Apache are far more popular on the Internet than Windows NT and IIS. I've read some recent articles pointing out how Microsoft is retargeting at corporate intranets with Windows 2000 and the ActiveDirectory, trying to win the Internet war from the "inside out". Maybe Microsoft is working on an IM strategy or product that involves intranet or business features. B2B is a bigger, richer market than B2C (or C2C?).
  • Does this mean microsoft will stop producing other security-risk software, such as IE, Office, and Windows?


    -----------------
    Your attention please everyone, if I could just say a few words... I would be a better public speaker.
  • I agree with Microsofts line that there should be a messaging standard, but at the same time have some sympathy with AOLs server position. (Hows that for sitting on the fence).

    Instant messaging [as it stands] is unlike many other server propositions, because whereas it makes sense for ISPs to prevent you using their mail server, proxy server, news server etc if you are not a subscriber to that ISP, with messaging it is almost certain that one or more party is not a subscriber. This is not a problem if the ISP can get some other benefit out of use of their server e.g. use of their client and the possibility of being exposed to their adverts.

    Any common messaging protocol will have to address these issues. It should be possible to write a protocol that is hosted by ISPs in a similar manner to mail i.e. so both ISPs involved have to supply a messaging server.
  • It's kinda funny to see MS say the same things we've been preaching at them for years. It makes me wonder what their real intentions are. However, as much as I like seeing MS's unscrupulous tactics backfire on them, I still think AOL is wrong on this one, and I have since the beginning of this whole mess. Most people (at least on this forum) are vehemently anti-Microsoft, and I am, too, to an extent. However, I think AOL has contributed more negativity to the computing industry. They've censored the internet, exposed security holes to client information, and devoured and squandered Netscape, which offered the only real competition to IE5. It kinda makes you wonder if the Netscape buyout was a deal with MS. Would you rather have Windows as your only option for an OS, or AOL as your only option of an ISP? I wish they would both drop off the face of the earth.
  • It is not over until the Judge says it is over. Given that: Microsoft is an illegal monopoly (and Bill Gates is a Monopolist) responsible for crimes against consumers and competitors they deserve to pay for their crime. The judge found them to be an "illegal monopoly" and for that they should (and shall) be punished. Swiftly and surely. How can I say this? Two quotes come to mind:

    "Gates said, Intel could not count on Microsoft to support Intel's next generation of microprocessors as long as Intel was developing platform-level software that competed with windows."

    AND

    "Microsoft expends a significant portion of its monopoly power, which could otherwise be spent maximizing price, on imposing burdensome restrictions on its customers -- and in inducing them to behave in ways -- that augment and prolong that monopoly power."

    - Thomas Penfield Jackson, US District Judge

    Read the FoF!

  • Actually, I like the ICQ client. With Jabber, I'd still have to switch. On the other hand, it seems that the open source nature of Jabber means that there will be many clients, at least as far as user interface goes, all communicating w/ the server via the same protocols. Maybe I'll just write my own client...
  • Your missing the point, i CAN send mail to that server,

    You are sending it to the POP server, not the SMTP server. You are not using his outgoing-only server to send him mail.
  • Nope. I just use email. There is no need to cry if my dopey little free beer client don't work. You can bake your cake and eat it.

    Closed source software sucks now, huh? If they break it, you're screwed. It's funny to watch MicroShit cry foul. They've done their best to break everything else from everyone else.

  • The trick is, they would still be part of the 'network'. And if AIM at least provided for a way for other messaging systems to 'interface' with their's, the network size triples, becouse the 'network' now includes SEVERAL IM technologies, and not just one..
  • AFAIK, there are two versions of the protocol to attach to the AOL servers. The official Mac/Win clients use the binary one, while the non-official ones use the OSCAR protocol. Also, AFAIK, MS reverse engineered the binary protocol instead of using the available OSCAR one.

    AOL assuredly modified their binary protocol, and clients using that protocol (the offical Win/Mac ones) are the only ones vulnerable.

    I think this is all correct. But don't trust me - research it on your own.
  • This is one time where MS was actually on the side of open standards.

    Not entirely. It's also true to say that M$ was just looking for a free ride on AOL's database server. Keeping track of who & where has a price tag. An open IM standard would be nice, but who foots the bill?

  • Okay, well some of the ideas were right. Check out post #15 [slashdot.org] and its follow-ups for more details.
  • Who cares where it comes from? As long as Microsoft is supporting it now, it helps *us*. If they change halfway through they look bad, we look good, and by then hopefully even more people will understand what's good about it. The more noise microsoft makes about it the better. I don't see how this can hurt us. Who cares if Microsoft is being hypocritical?
  • Not depend on a persistent net connection for messaging.

    Not depend on a singular server connection between servers. (This is called 'netsplit' ;-P)

    Scale well.

    Not require ALL SERVERS know about the exitence of ALL USERS.

    There are many, MANY more..
  • ahahhahahahaah


    wait. let me think about this one again.



    ahhahahahahahahaha
  • 4? Insightful?

    First: "Microsoft could keep their hands out of this."

    Then: "Ok, if multiple vendors wish to put out various chat software, at least allow them to communicate with each other."

    Microsoft's actions will hopefully force AOL to submit to an open standard. They have actually HELPED by having their hands in this. get it?

    4? Insightful?


  • i remember when microsoft was really about closed computing
  • IM servers should be no different. However, getting to that point could be difficult.

    It's true that good ISPs only allow their customers to use their SMTP/POP servers. (Ignore free e-mail services for now.) However, that doesn't stop anyone from sending an e-mail to someone at another ISP - Bob's ISP's SMTP server accepts his message and sends it to Jane's ISP's POP server, from which she picks it up. It also doesn't matter if one is using MS Outlook and the other is using elm.

    With IM clients in their current state, it's different. To communicate, users have to be both on the same server and using the same client. Which is, of course, a problem. ICQ, by far the most popular IM client, is in its official incarnation an ugly-slow-huge-cumbersome-bloated program (the MS one is comparatively very nice. of course, just about anything would be comparatively very nice.)

    There should also be no need for MS to negotiate a contract with AOL. if I want to send e-mail to slashdot, my ISP doesn't have to have a contract with andover.net. Shouldn't be any different for IM. Course, getting a current monopoly (AOL, with both AIM and ICQ) to form a pact in the best interests of the consumer is difficult. Especially if the pact is mainly with MS, a wannabe monopoly in this area.
  • I think we need to just say screw it and come to terms on an IM protocol.
    Let AOL and ICQ and MSN and PDQ and ABC all come up with there own IM products. As long as they all can talk to each other. I for one am tired of hainvg three different IM products running.

    -- Patrick Aland
    -- http://www.stetson.edu/~paland
  • I assume they mean AIM AND ICQ Combined, that's a hell of alot of people, and ( this is going to sound SOOO distasteful ) but i actually /agree/ with Microsoft on this issue, there /should/ be a base standard for Instant Messaging, but somehow i think Microsoft is talking out of both sides of it's mouth, they just want a standard so they can add their own kludgy junk to it. But still, a standard would be nice IMO.

  • IM standards (Score:3)

    by Todd Knarr ( 15451 ) on Friday November 19, 1999 @06:35AM (#1519188) Homepage

    MS has some points, but it's blowing smoke on one issue. A single IM standard will not allow MS clients to communicate with AOL clients. The reason is simple: to communicate with AOL clients you need to use AOL servers. AOL has the right to prevent non-AOL subscribers from using it's servers. And if you think that's wrong, think about other servers. Your ISP has it's mail servers configured to prevent anyone but it's subscribers from using them to send mail. ISPs that don't end up on the RBL. They probably also have them configured to not handle mail from certain domains, typically to block incoming spam. They probably have their news servers configured similarly, so that only their subscribers can read news off of them. Why should IM servers be different?

    A single standard would be neccesary, but if MS wants their subscribers to be able to talk to AOL's subscribers, they need to negotiate a contract with AOL to have AOL's servers carry MS's traffic. Which, to date, MS has shown no apparent interest in doing.

  • Is there a real security risk here, or is Microsoft just trying to save face?

  • The exploit is there! (Score:5)

    by scheme ( 19778 ) on Friday November 19, 1999 @06:35AM (#1519190)

    The AOL IM actually has a buffer overflow exploit present. Basically whenever an AOL client connected to the server, the server smashed the stack and executed a piece of code that would send a packet back to the server. This let AOL change the authentication on the fly without updating the client. Of course, it also opened up some security holes. This [securityfocus.com] was discussed on bugtraq in August.

  • How many different messengers do we need anyway? (Score:3)

    by Typingsux ( 65623 ) on Friday November 19, 1999 @06:36AM (#1519191)
    Good.
    Microsoft could keep their hands out of this.
    My friends and I all have AIM.
    Ok, if multiple vendors wish to put out various chat software, at least allow them to communicate with each other.

    "Hey Bob, I thought you said you would be on AIM last night. I had to talk to you."
    "Well, I tried the new Yahoo chat. It's cool. Only thing is, my wife Brenda likes eShare chat she just found."

    WTF?

  • Easier said than done. This is the problem with prorietary protocol systems - non-interoperatability. Someone (not me of course, I'm busy) needs to come up with a single standard protocol, get is approved by ISO or whoever else cares, and put that forward. Pressure messaging software makers to include this protocol in their service, even if they want to keep their own proprietary stuff, too.

    Of course, that'll happen about the same time windows is voluntarily open-sourced.
    --
    Matt Singerman
  • Microsoft worried about security risks? I don't think so. History has already proven that. If it was not for everyone screaming about stuff, nothing would ever get done.

    I do find it quite funny about how AOL is putting an end to this silly war though. MS kept exploiting AOL stuff - now AOL exploits a hole in Windows. Someone has egg on their face and I don't think it is Steve Case....

  • Jabber [jabber.org] is starting to show a lot of promise for consolidating the different messengers. It's truly open source, and it has a much more intelligent (and extendable) design then ICQ, AIM, Y!M or any of the others.

    It still not user-ready, but it's getting there quickly.

  • History has shown that most MS and AOL have a generally sloppy attitude towards security.

    However, history has also shown that MS is willing to say pretty much anything about competitors, backed up only by anecdote or flawed studies, in order to put the desired spin on any business decision they make.

    So what's the truth? Honestly, I don't even care. I don't think that AIM or MMS is the answer. If any of you open-sourcers are devoting any resources to AIM-based or MMS-based stuff, I would encourage you to donate a little time to the Jabber project (http://www.jabber.org), a messaging system with an open protocol and (IMHO, of course) a better design than either of the commercial competitors. The product has been languishing a bit in the last several months, and it would be nice to see a surge of interest in it. If you like, check out the most recent release (as of 1999/11/09), 0.7pre4 (which can be found at http://download.jabber.org/0.7pre4.html).

  • TOC (Score:1)

    by bgehrich ( 19298 )
    Why doesn't microsoft just use the TOC protocol? If all they want to do is send messages to AIM users, TOC would work fine. The protocol was released by AOL, so they cant yell about MS using it. It doesn't support all of the features of the proprietary protocol, but for messages it is all you need. Many linux, plus AOL's own java client use it.

  • I agree. I can't help wondering, since AOL now controls both AIM and ICQ, what they're planning to do with them. Personally, I use ICQ and not AIM, and I hope they don't do away with ICQ. I can't help thinking that if they could somehow come up with a product that integrated those two, that they'd have the IM market pretty much locked up.
  • Yeah there's a buffer overflow in the software. This is pretty wierd/bad since it's one the only pieces of software that has a security hole put in it on purpose and with a lot of forethought. check out this [securityfocus.com] for more details.

  • overflow (Score:3)

    by Signal 11 ( 7608 ) on Friday November 19, 1999 @06:45AM (#1519201)
    Not unless you go through the effort of redirecting DNS queries and setting up your own AIM server to mimick AOLs. It's not a "major" security risk per-say - insofar as not many people have the resources to exploit it, and those who do likely have better exploits than this.

    My concern is that AOL did not release a patch after this became public knowledge. Everybody knows there's a bug in that client. Sending executable code over the wire is never a good idea on something as woefully under-authenticated as tcp/ip. I have nothing but contempt for AOL - and I'm extremelly worried that they might do something equally stupid with other products - such as the AOL v5 client now shipping. How many buffer overflows does *that* thing depend on, or what is being sent over the wire that their customers are blithingly unaware of?

    There are more serious questions to answer than the "buffer overflow" in the client. Where is the outrage over this? This should be prime time news!


    --
  • I think it's the first time I hear MS is concerned about security! Sounds suspicious...

  • Jakob Nielsen's article on Metcalfe's Law [useit.com] offers good insight on why the segregation of different AIM clients is a bad thing, and reduces the potential value of the network.

    Metcalfe's Law states that "the value of a network grows by the square of the size of the network".

    Reversing this law provides:

    The value of partitioning a network into N isolated components is 1/N'th the value of the original network.

    This new law follows directly from the original Metcalfe's Law. Each of the new components has a size of 1/N'th the size of the original network. Thus, its value is 1/(N[squared]) of the original value. At the same time, there are N of these new mini-networks, so the over-all value is N * 1/(N[squared]) = 1/N

    Note to Rob: We need SUB and SUP tags allowed in /.

  • Here's the buffer overflow details (Score:3)

    by Otto ( 17870 ) on Friday November 19, 1999 @07:53AM (#1519204) Homepage Journal
    http://www.ozemail.com.au/~geoffch/s ecurity/aim/ [ozemail.com.au]

    Describes the buffer overflow AOL is using in some pretty good detail. Here's the basic idea:

    When AIM connects to the AOL server, the AOL server sends back a message containing x86 executable code. This overflows a buffer in the AIM client, and the code gets run. This code creates a packet to send back to the AOL server. If the AOL server doesn't see the packet, then it assumes you're not using AIM, and boots you.

    What MS's client did was see the packet containing the code, and generate the reply message WITHOUT overflowing a buffer or executing that code. But, AOL can just tweak that code on the server a bit and have a different reply get generated, while MS's client has to get updated to use that new code.

    Nevertheless, this is pretty damn reprehensible on the part of AOL. If they don't want MS customers using their servers, sue the shit outta M$, don't exploit holes in your own code to do it. You fix bugs, not exploit them.

    ---
  • Maybe microsoft conceded defeat to get a bigger prize - thier antitrust case.

    Showing that the Big Bad Microsoft can be defeated on something like this proves that they have competition. If they can prove that they have competition they can try and appeal any anti-trust decision against them.

    Look for microsoft to "lose" a few more battles in the next couple of months, eg conceding to Apache etc.

    It's not like Microsoft to give up so easily on something.

    Then again they could just be scared.
  • laughing my ass off

    moderation at slashdot is done by the masses. My personal solution is to just not give a shit, and set my threshold low.

    It's not that the moderation system is inherently stupid. I think it's a great idea and pretty well thought out. In the end though, working pretty good most of the time isn't good enough for me to trust the moderation system.
  • forgive me if this is stupid, but isn't this how IRC works? A bunch of servers that send info back and forth to each other in real time. So one person logged into one server can see a message posted by another person on another server?

    This sounds like it would be a Good Thing for instant messaging.

    On another note I basically agree that AOL servers should only be able to be accessed by AOL's members, but essentially wasn't this what Microsoft was trying to do? AOL's beef is that they want their software used, not microsoft's. That is perfectly reasonable for AOL to want that, but as a consumer I don't really want that.
  • Why don't Microsoft and others like Yahoo and whoever else just use the TOC protocol that the TiK program uses. That way the only way that AOL could stop them is by either shutting down all the TOC servers or else change the TOC protocol and not release the changes. They would be within their rights to do either of these but they would also risk making a number of Unix based AIM clone users mad as well.

    I know AOL didn't exactly make too many friends when they took down their Tik and TOC pages, but TiK and other clients like GAIM still work. Blocking all Unix based clients probably would generate bad press and make AOL look worse than they already do. But that is not to say I don't believe they wouldn't make such a stupid move.

    Microsoft and Yahoo do want to use the extra feature of OSCAR but if it a choice between interoperating with AOL users with limited features or not working at all I would think they would choose the limited route. Of course since Tik and TOC are covered by the GPL Microsoft and Yahoo would have to release their source which may be the other problem. But again it would be better than nothing, right?
  • You are confused.

    AIM uses a protocol called Oscar. When people started clamoring for non-Windows clients, AOL engineered a compatible, but less feature-rich protocol called TOC. After its release, a plethora of non-Windows, AIM-compatible clients were developed.

    Then Microsoft came along, reverse-engineered Oscar (ignoring the sanctioned interoperable protocol of TOC), and started getting a free ride for their client on AOL's servers. AOL claimed that because Microsoft was using *their* servers for MS' services with authorization, they had basically hacked into AOL's networks and proceeded to (apparently) use a buffer overflow exploit to detect AIM clients.

  • Your missing the point, i CAN send mail to that server, and people on that server can send mail back to me. The other server doesn't say, well that mail is coming from a netcom address so i'm not going to let him mail my people, that is stupid.

    Actually, you're wrong on both points. I'm an XMission subscriber. You are not. If you attempt to connect to XMission's mail server and use it to send mail, it will refuse to let you connect to it because you are not a subscriber. And if you are on an ISP listed in the RBL, you will not be able to send mail to me because XMission's mail servers will not accept incoming mail from your ISP. XMission also blocks incoming mail from some other domains that they've had problems with, and if you're on one of those domains you won't be able to send mail to me.

    Summed up: they're XMission's servers, XMission can and does decide who can send mail out and in through them. IM servers are the same.

  • Looks like Nerdperfect (http://www.nerdperfect.com) beat /. to the punch on this one.
  • After all, it is bundled with every version of Netscape. 80 million copies may be plausible. If they're counting screen names registered on the service, I'd be a bit doubtful on how many of those names actually use AIM. My uncle has 5 AOL screen names and only one person in the house uses AIM. I don't use AOL, but I did register on AIM, and I haven't used it for 7 months. I only used it because my friend's ICQ was giving her problems, and we wanted to chat. ICQ99a fixed the problems, so we stopped using AIM. My ID is still active though-I don't believe you can delete an AIM profile off the AOL server.
  • 1 - Who's "us"? Your profile says your a Microsoftie... Of course it helps "us" when "us" is Microsoft...

    2 - The enemy of my enemy is still my enemy.
  • AOL blocked cqexpress.com's server access to ICQ, so they don't appear to be any more friendly towards server access than they are to client access (MSN).
  • Remember that cqexpress was a service that added value to ICQ, not competed with it, so imagine how they are likely to view a competitor...

    If I'm an ICQ (or AIM in the Microsoft case) user, I'm going to be using the AOL server regardless of which client I use. This isn't about the AOL server - it's about the client and controlling the user base. Why do you think AOL bought Mirabilis? They're not going to give up control just because you say "please"!
  • There was absolutely nothing blocking Microsoft from having AIM and the Microsoft client to operate on the same servers and intercommunicate. Because the AIM client allows the user to input a server address (I've checked), Microsoft could have set up its own server that would serve both AIM and MS clients using the AOL-published protocol. They had all the necessary tools.

    Microsoft instead tried to hijack the AOL IM servers with a client not authorized to access the AOL servers. This wasn't an "open standards" attempt -- it was an attempt to use the AOL systems for free, without permission, and without even a token nod to providing reciprocal access (like publishing the specs that would allow AOL to enable its clients to access the Micrsoft messaging system).

    Microsfot, in short, was cracking the AOL systems and using stolen access for its own benefit. While that may be understandable behavior in a teenager, a multibillion-dollar corporation should be slammed hard for it.

  • That isn't the only one... (Score:1)

    by Anonymous Coward
    I remember when there used to be a buffer overflow that was easier to exploit. It existed in AIM 2.x (I think). The buffer overflow existed in a variable that existed within some wierd (proprietary?) HTML tags that AIM used. I wish I could remember the tags, but the general idea was that anyone on AOL could crash someone running AIM with a single IM. I think it was somthing like this:
    <BINARY>

    <DATA SIZE=12345(everything after five overflows...)>

    </DATA>

    </BINARY>

    AIM users couldn't crash each other because AIM
    would interpret the tags before they were sent, thus crashing the potential attacker. I'm sure a sophisticated user (e.g. someone not on AOL) could have smashed the stack and done some interesting things. I discovered and reported the bug and AOL actually fixed (although they never returned any email, news.com ran a story and got AOL to admit to it.)it quite fast. yay for me.
    steveh@globaltelinc.net
  • AOL claimed that because Microsoft was using *their* servers for MS' services with authorization, they had basically hacked into AOL's networks and proceeded to (apparently) use a buffer overflow exploit to detect AIM clients.

    The grammar of this sentence is confusing. Microsoft was using AOLs servers for Microsoft's instant-messanger product because it uses AOL's protocol to talk to other AIM users. AOL has tweaked their protocol a dozen times to prevent this, and each time, Microsoft tweaks their client to match. Finally, AOL decided to exploit a buffer overflow in their own client in order to prevent MS from being able to further tweak to be compatible.

    I'm sorry, but I'd have to agree with MS on this one: AOL should open up their protocol and secure your clients. I'm not holding my breath though. It's pretty clear that AOL is only interested in security to the extent it affects their bottom line. Unless people just decide to give up on AIM and AOL and take their dollars elsewhere, this isn't going to hit their pocketbook, which is why AOL still hasn't fixed it. After all, consider the average AOL user. (Yes, there are a few intelligent people who use AOL. It's a little like saying "Yeah, there are a few intelligent people on Earth." Most people are idiots.)

    --Joe
    --
  • Of course, this exploit would only work with OSCAR, which is AIM's main server, which uses binary.

    However, the Linux clients TiK and gAIM speak to TOC, which is an ASCII-based gateway to OSCAR. What prevents MSNM from talking to TOC?

  • Check out the WebGuys Instant Message System [webguys.com]. It is ready for real world use today and has a Tcl/Tk client that will run in Windows, Linux and MacOS. Several more clients are on the way soon, and we are closely following the progress of the IMPP.

  • I personally don't understand the need for IM software... email and IRC have done me well for the last few years and apart from a nice user interface, I see no advantage to IM apps...

    am i missing something?

    M@T
  • They have the product - it's the advertisements. That's what they're making money off of, and that's why there are the "IM Wars" in the first place. The more eyes on a system, the more money from the advertiser.
  • I agree with MS in principle, but AOL in implementation.

    AIM runs on AOL's servers. AOL's physical hardware. Microsoft is using *their* software (MSN Messenger) to send messages via AOL's hardware. That is, pretty much, hacking.

    Look at it in another way. It's akin to using software to send email over your servers without your permission. It's an abuse of your system, it's an unauthorized use, and you'd do your best to track me down or stop me. Hence, AOL's actions against Microsoft.

    While AOL has no excuse to exploit a buffer overflow in their clients, I feel they're certainly entitled to keeping the protocol secret and to prevent Microsoft from using AOL's hardware without permission.
  • Microsoft Office

    Pretty good at blocking interoperability.

    Has serious security bugs in software.

    Microsoft Windows

    Pretty good at blocking interoperability.

    Has serious security bugs in software.

    Yeah, Microsoft is one to talk.

    --

  • No winners (Score:3)

    by bungalow ( 61001 ) on Friday November 19, 1999 @06:47AM (#1519234)
    "There are no winners," he said. "Consumers will win when an industrywide instant messaging standard is in place that ensures all users the ability to message with others regardless of which service they're using."
    -Yusuf Mehdi, director of marketing for Microsoft's Consumer and Commerce Group

    I just love it when Microsoft talks about open standards. It just gives me that warm, embraced, cuddly, mushy, smothered feeling.
    _______________________________
  • If it were any other company spearheading the adoption of an open instant messaging standard, I'd be all behind it. But it's Microsoft. They don't care for their users or the general community, only their bottom line. While that's good business practice (to make money), it doesn't make me want to trust and/or help them.

    Imagine what the hub-bub would be if instead of AOL, MSN was the dominant ISP. Then this little company comes along and says "Hey we want open standards. AND we want to use your servers until those standards appear". How long do you think they would be in existance after that? MSFT would break them, buy them, or bankrupt them.

    But this time, since they happen to be the underdog, they whine whine whine, and say they're the white knights riding in to save us from horrible AOL. Like I said earlier, if it were anyone but Microsoft, I might just believe them.

  • Hmm, is it even possible for a "universal" IM service to exist?? Given that it's not only a matter of what protocol you use, but also whether the *servers* allow you to connect, it seems that the most we can do is to achieve something similar to the current situation of IRC: same protocol, but different server networks.

    But perhaps this isn't such a bad thing? Say, AOL's servers communicates with MS's servers, and both also communicate with ICQ servers, etc.. That way, although you're running off different servers, your messages can be transported across services. As long as the service providers can work out a common protocol amongst themselves, we don't even need a universal IM protocol for the clients -- the servers would be handling the inter-service communication.

    I suppose there are technical difficulties in transporting messages across different IM protocols, but it seems to me at a first glance that this is no different from the Internet itself -- different network protocols for LANs, but each connected via WANs, routers, etc.. Wouldn't something analogous be possible for the existing IM services? eg. messages from one IM protocol gets translated to another IM protocol at a "bridge" (analogous to network bridges translating packets from one protocol to another). The analogy is rather compelling, don't you think? :-)

  • Not save face, win!

    This is a classic military-style manoever. Retreat, get the enemy to charge in, so you can encircle them. Much as I dislike them, it's sheer brilliance on Microsoft's part to use a manoever like that to destroy AOL.

    Here's the scenario, as I perceve it:

    1. Microsoft sets up it's "infantry line" (in this case, it's own IM client)
    2. AOL confronts them, by altering their own IM client, to prevent interoperability
    3. Microsoft's infantry "fake" a charge, by taunting AOL ("Open IM Standards!")
    4. Microsoft's infantry retreat, in pseudo-disarray, trying to draw AOL into the trap
    5. AOL charges after, sensing victory, oblivious to Microsoft's plans, demonstrating it's superiority
    6. Microsoft encircles AOL, crushing them entirely in the media and possibly even in the courts, depending on the trap they've set
    7. AOL are cut to shreds, their markets devastated, control passing over to Microsoft of some valuable markets

    Mind you, I might just have played too many wargames and seen Hannibal's utter destruction of the Roman legions too many times. :)

  • Easier said than done. This is the problem with prorietary protocol systems - non-interoperatability. Someone (not me of course, I'm busy) needs to come up with a single standard protocol, get is approved by ISO or whoever else cares, and put that forward. Pressure messaging software makers to include this protocol in their service, even if they want to keep their own proprietary stuff, too.

    The IETF is already doing this. They have an "Instant Messaging and Presence Protocol" Working group. Check it out. [ietf.org]

    Of course, they take a long time to get anything together, but standards engineering needs to be good.

    -Ted

  • Check out http://jabber.org

    They're developing an OSS platform independent and decentralized server I.M. platform. With module interfaces to other I.M. systems it will also transparently work with ICQ, AIM etc, all from one client.

  • I have mixed feelings about the antitrust case... OT1H it's good that clueless people (excuse the label) out there now understands that MS is not the ultimate when it comes to computers. OTOH what does the whole antitrust suit accomplish?!?! Breaking MS doesn't really do much, imposing fines doesn't reform their behaviour/practices. Besides, the MS age is over. With cases like this, where MS concedes defeat, and with the rise of Linux, the advent of Open Source, etc., all these seem to me like signs that the MS age is over (or at least, going to be over soon). Perhaps we'd all be better off if we'd just let MS be defeated "naturally" (ie. by competitors) rather than spend all that money on the anti-trust lawsuit, which probably won't accomplish that much anyway.

  • Yes it's possible http://jabber.org

  • Jabber (Score:1)

    by jeremie ( 257 )
    This is exactly what Jabber [jabber.org] is all about, building a whole new IM architecture that is also transparently compatible with existing products.
  • Perhaps if you had a clue you wouldn't be moderated down.

    I suggest you read http://maps.vix.com/tsi/ar-what.html [vix.com] before you make more of an ass of yourself.

  • Mmm, Cannae/Austerlitz...

    If MS can get rile enough people with a remote exploit of AIM, then perhaps these folks (angry users? Or if they managed to convince sysadmins that the risks were high enough to merit banning AIM from their networks...) will go in and finish the job.

    By claiming that the reason they're backing off is to avoid replicating the security hole, they may be seemingly on the high ground, and diverting attention from the fact that it's AOL's servers that are involved, and AOL can arguably ban arbitrary networks from their servers at will.

  • Re:Jabber is shaping up (Score:3)

    by Thomas Charron ( 1485 ) <twaffle@@@gmail...com> on Friday November 19, 1999 @08:57AM (#1519248) Homepage
    Actually, it's shaping up very fast. It's extremely close to our 0.7 rewrite, which modulerizes the system and make it much more scalable.

    It's also the only system currently that will be able to support the IETF standard for an open namespace 'out of the box', simply becouse of it's design..
  • This is *EXACTLY* how Jabber work. ISP's run indendent servers, and namespaces are server based, not 'global' based. Aka, my userID would be tcharron@jabber.org. It also has the ability to allow transports to deal with any sort of data, so while jabber.org is a native jabber server, icq.jabber.org can serve as a gateway for ICQ usernames to map to jabber users names.
  • IRC has many benifits, but unfortionalty, doesn't scale well at all. It is more built directly for group chatting, and not quick instant messages between individual users..
  • Well, they are TRYING to do it. ;-P
  • Ok, granted - it's still a bunch of different protocols, at least it's a single app.
    Everybuddy [everybuddy.com] is an attempt to combine an ICQ and AOL Instant Messenger client (And maybe one day every chat protocol in existance? Is that a big dream?) into a single, fairly coherent interface. Nobody does what Everybuddy is trying to do. ;-)

    ----

  • Hmm, this raises an interesting thought... would it be possible that a universal IM protocol will be achieved ultimately by having clients like Everybuddy -- ie., a client that supports as many (if not all) IM protocols out there as possible? Then, when users realize this client would be compatible with whatever IM service they're already using, and also provides interoperability with other services, they would switch over. (Especially if it's an opensource client that can be obtained at minimal cost). Eventually, when most people are using this client, it could start to have its own protocol that encompasses all the functionality of the other protocols.

    (Of course, this is a little like M$'s strategy of embrace - extend - exterminate, but if the client were opensource, it might be embrace - extend - celebrate (because everyone will be happy to finally have a single, universal IM protocol). :-> )

  • Re:TOC (Score:1)

    by Hall ( 962 )
    Why doesn't microsoft just use the TOC protocol?

    I believe they do. That's half their arguement... after AOL made it public, MS and others started using it. I believe Yahoo tried the same, as did some company or client called something like "Tribal" (??)

    If all they want to do is send messages to AIM users, TOC would work fine. The protocol was released by AOL, so they cant yell about MS using it.

    Now AOL "claims" is was released so the Unix-based clients could be built using it.

  • AOL has worked hard towards improving its security, after all those 1996-1997 break-ins with AOHell and all the 'email me your password' scams. In fact the last time I heard of someone hacking into AOL was about 1997. Which isn't to say AOL or any other network can ever be considered truly hack proof, but their security appears to be greatly improved.

Slashdot Top Deals

An authority is a person who can tell you more about something than you really care to know.

Close