Do you trust AOL IM?
February 23, 2001 8:19 AM
Do you trust AOL IM? If you do, you might want to read this story.
This isn't really isolated to AIM either. Other IMs such as MSNM, ICQ, and YahooIM have had their share of "brute force" hacks. However, there are ways to report them to get back ownership... which from my experience is a total waste of time. I reported that my ICQ# 305422 was stolen about 15 times so far, still getting back the boiler-plate response. It's been over 6 months now... the good news is that ICQ has a bunch of neat downloadable "utilities" *grin*
posted by samsara at 9:07 AM on February 23, 2001
Oh god no! Someone can steal my insignificant AIM password, and talk to all of my friends! Egads! Whatever shall I do?
posted by dakotasmith at 10:04 AM on February 23, 2001
Yeah, the threat of password theft or somebody listening in on my conversations doesn't worry me too much at all, but the client-software hacks could mean real trouble. Fortunately, I've found AIM Express, a Java version of the software that isn't downloaded, to be pretty stable. Not only that, it seems to be the only IM program that can be run from the workstations on campus without an administrator login.
posted by Eamon at 10:29 AM on February 23, 2001
I haven't read the entire article linked to above, but the MacGyver thing is over a year old.
posted by gluechunk at 11:25 AM on February 23, 2001
Fortunately, I've found AIM Express, a Java version of the software that isn't downloaded, to be pretty stable.
Just to pick nits, it *is* downloaded. When you run a Java applet "inside a web page", the browser is implicitly downloading the program, saving it on the machine's drive somewhere, and executing it from there.
It seems to me that the word "download" is losing its meaning and acquiring a new, slightly related one implying an intent to create a permanent copy on local storage; technically, however, you download a web page every time you view it (ignoring caches).
In any case: I'm amazed people aren't embarrassed to be conducting business from an AOL account.
-Mars
posted by Mars Saxman at 12:00 PM on February 23, 2001
Mars, I agree with your mortification at the professional use of an AOL account, but I've found this practice to be fairly common among Mac-using artist types.
Apparently they're so cool offline that they have no idea how uncool they are online. Cruel irony.
posted by anildash at 12:55 PM on February 23, 2001
Was he conducting business that way, or just talking to his coworkers during the negotiations? It's not clear.
The worrisome part that caught my eye was that the exploit can be generated even if the client isn't running by forcing an aim:// request. But I guess that's implied.
What IM needs is something akin to SMTP headers. Sure, you can forge the From: line, but you (mostly) can't forge the IP that talked to your server. The technology of IM puts everyone in the position of being an AOLer who only sees the screen name.
All it is is P2P mail. Don't they see that?
posted by dhartung at 1:12 PM on February 23, 2001
I must have misunderstood the article. Does it say that password theft is a security hole? Of course it's a security hole, but it's a security hole to everything in the world that uses passwords... You're not supposed to give it out. Bah. If someone knows your password, of course they can steal your AIM account, just like your Amazon account, eBay account, etc.
I agree that I have never even pictured AIM being used for business... It seems just too strange.
posted by swank6 at 6:15 PM on February 23, 2001
IM programs have been trying for quite some time to be adopted as safe and practical business tools. It seems they still have to work at it some more.
posted by thirdball at 12:18 PM on February 24, 2001
posted by rcade at 9:01 AM on February 23, 2001