[Web4lib] IM Security

Chadwick, John, DCA john.chadwick at state.nm.us
Mon Mar 5 21:52:58 EST 2007


I will chime in about IM. We discourage IM on public access systems and
staff computers because of the real risk of viruses:

http://www.microsoft.com/athome/security/viruses/imvirus.mspx

http://www.pcworld.com/article/id,115837-page,1/article.html

http://reviews.cnet.com/4520-3513_7-6072173-1.html

One of the major problems with IM is that it uses a protocol instead of
a standard TCP/IP port. It is easy to filter out spam and viruses on
e-mail because all traffic flows on port 25. IM just looks for the next
open port and delivers traffic through open ports, which is very, very
frightening to IT people charged with protecting networks from viruses
and other nasty programs. Also, since flavors of IM use peer-to-peer
technologies, your computer essentially becomes one with other
computers, including those that are infected with viruses.

http://www.securityfocus.com/infocus/1657

http://www.bc.edu/offices/help/meta-elements/doc/articles/html/RX-AIMviruses001.shtml

That being said, there really is no legitimate reason to deny use of IM
within the confines of a corporate network to allow staff to communicate
and allow patrons to communicate in real time with reference staff. We
do block Instant Messaging but we are more than happy to open up the
service to any staff person who has a need to use the technology.

John Chadwick
Manager, Information Technologies
New Mexico State Library
1209 Camino Carlos Rey
Santa Fe, NM 87507
John.Chadwick at state.nm.us


-----Original Message-----
From: web4lib-bounces at webjunction.org
[mailto:web4lib-bounces at webjunction.org] On Behalf Of Amanda Powers
Sent: Monday, March 05, 2007 4:59 PM
To: jamihaskell at gmail.com; ross.singer at library.gatech.edu
Cc: web4lib at webjunction.org
Subject: Re: [Web4lib] IM Security

There is a wiki listing all of the libraries (that have added their
names!) that IM:

http://www.libsuccess.org/index.php?title=Libraries_Using_IM_Reference

--Amanda

>>> "Ross Singer" <ross.singer at library.gatech.edu> 03/05/07 4:48 PM >>>
Honestly, this sounds like stonewalling.  These IT people must have
somebody they report to, take your business case to that person and
make these IT folks explain to /that/ person why they won't allow IM.

It might be helpful to list other organizations that allow chat for
this purpose.  I'm not sure where you can find such a list,
but I'll throw my hat in the ring and say that Georgia Tech is one of
them.

-Ross.

On 3/5/07, Jami Haskell <jamihaskell at gmail.com> wrote:
> No, they didn't mention a specific security risk -- just that IM would allow
> folks to penetrate the network and is therefore a no-go.
>
> I will look into the Jabber server and what this would require.
> I would rather not have a local server or application because I want this to
> be opened up to our users.
>
> Thanks for your input. I really appreciate it. I don't have enough
> experience to argue with these guys and they love to say no to the things
> that library wants to do!
>
> Jami
>
>
> On 3/5/07, Micah Stevens <micah at raincross-tech.com> wrote:
> >
> > Security Risk in what way? If by interacting with an outside server to
> > provide the IM service you have a security risk, then just install a
> > local Jabber server which is supported by many IM clients. This would
> > also solve any sort of worry about an IM system distributed virus (Which
> > has happened before through MSN I believe... )
> >
> > If all you need is a service for the local group of people, a local
> > server is a good way to go in my opinion because it's safer, you can
> > control exactly how it behaves, and you eliminate any concerns about
> > people using the IM for things other than work.
> >
> > Just my two cents. Did they mention exactly what kind of security risk
> > they were worried about? Throwing around key words just inflames and
> > doesn't help the situation usually.
> >
> > -Micah
> >
> > Jami Haskell wrote:
> > > Please help!
> > > I would like to implement IM for inter-staff communications and, hopefully,
> > > for reference/user services at my library.
> > > However, I am being met with major resistance from my systems staff. They
> > > claim that it is too much of a security risk and we cannot do it.
> > >
> > > Every other library I have worked in has used IM (either via Trillian or
> > > meebo) and security issues were never raised. I know that thousands of
> > > libraries use IM all the time. I am proposing that my library system use
> > > Meebo for this so that they can interact with multiple IM clients without
> > > having to install software on the machines.
> > >
> > > How can I explain to my systems folks that this is an okay thing to do??
> > > Please help!
> > >
> > > Thanks so much,
> > > Jami Haskell
> > > _______________________________________________
> > > Web4lib mailing list
> > > Web4lib at webjunction.org
> > > http://lists.webjunction.org/web4lib/
> >
> >
