[Web4lib] FW: [DIG_REF] IM & Security
Jonathan Gorman
jtgorman at uiuc.edu
Tue Jan 31 10:19:43 EST 2006
> We have been using AOL IM for several years. It is not a security
> problem.
While I personally like IM clients, I wouldn't go so far as to say that they
are not a security problem. Many of the IM clients out there now have
poor reputations as far as security.
There are issues like the propagation of worms, the away message buffer
overflow attack (I believe that occurred last year), denial of service
attacks and so on.
Try doing a search for "AOL Instant Messenger" at www.cert.org, or google
for AOL worm.
Of course, I'm not an expert in this topic, but I would be a bit more
concerned with IM than most software due to the nature of the programs.
I would consider it at least as much of a problem as email.
> I believe those in IT that call it a security problem are
> being too paranoid.
Why? I've seen one of the IM worms in action. They're not imagined
threats. Of course, many times users are not even aware machines have
been compromised.
But again, many of the concerns with IM are solved by common-sense
approaches to security. On the other hand, a smaller organization may need
a longer time to create a setup in regards to IM that they can maintain.
Some might prefer to set up their own Jabber server and implement
filtering in a manner similar to how many emails are filtered now.
Others might just install a bunch of clients and try to make sure that
they're upgraded and try to watch traffic on those ports.
In a similar vein, there might be some concerns over a large amount of
communication in the clear. Of course, so is email. I do know people who
have tried to keep their IMs and email encrypted and rarely find anyone
else willing to do it.
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety." (Benjamin Franklin)
"Eternal vigilance is the price of liberty" (Wendell Phillips)
Jon Gorman