[JDEV] Fwd: [BUGTRAQ] First reflections on security of MSN Messenger

Jeremy Wise jwise at pathwaynet.com
Fri Jul 23 12:10:25 CDT 1999


As long as there are people actively sniffing the packets, and the
transport mimics those packets to the byte, the servers can't know the
difference.  The biggest problem for them is that they have to maintain
backwards compatibility.  GnomeICU uses the same protocol as ICQ99a.  That
means GnomeICU will work fine until/unless they drop support for ICQ99a -
not going to happen for a while.  I've never used AIM, but the same should
be true.

Later,

Jeremy Wise

+----------------------------------------------------------------+
| Jeremy Wise                       Make every effort to enter   |
| jwise at pathwaynet.com              through the narrow door,     |
| ICQ #4664755                      because many, I tell you,    |
| http://www.pathwaynet.com/~jwise  will try to enter and will   |
| http://gnomeicu.gdev.net/         not be able to. (Luke 13:24) |
+----------------------------------------------------------------+

On Fri, 23 Jul 1999, Thomas D. Charron wrote:

>   Can anyone confirm as to if the libfaim, etc libs clients still connect?
> 
>   This could be bad for our AIM AND ICQ transports if AOL is going to begin starting to take this approach..
> 
> ---
> Thomas Charron
> 
> On Fri, 23 Jul 1999 11:52:31   Vijay Saraswat wrote:
> >> Sounds almost like MSN's client also spoke AIM's protocol natively?
> >> It also sounds like AOL isn't too happy allowing others to utilize their
> >> AIM service w/o using their client, but there's not much they can do since
> >> it's their customer's choice to use a client that utilizes the
> >> reverse-engineered AIM protocol.
> >>
> >
> >Yes, MSN Messenger does not speak TOC. It speaks OSCAR. During the login sequence it
> >identifies itself as "Compatible client", whereas AOL IM clients distributed by AOL
> >identify themselves as clients such as "AOL Instant Messenger (TM), Version
> >2.1.1236/WIN32". Apparently, AOL has tweaked their servers so that "Compatible client"s
> >are no longer compatible :)
> >
> >I wouldn't be surprised to see this hit the courts very soon.
> >
> >>
> >> One of the benefits of having the transport bits happening on the server
> >> side is so that when something like this happens and they "tweak" their
> >> servers to reject clones, the tweak can be fixed and transport replaced
> >> without affecting or reinstalling all of the clients :)
> >>
> >
> >Sure, having central mediating servers helps.
> >
> >Best,
> >Vijay
> >
> >
> 
> 
> 



