Hi,

First of all, my apologies. I just finished reading the chapter on humour in the book "Native English for Nederlanders" and tried to put it into practice in my original posting. I think I should politely suggest to the author that his remarks on irony were inadequate.

On 09/27/2009 02:32 AM, David Banes wrote:
> I've been in IT security R&D for 20 years and can say that the crims use
> whatever protocol will get the job done,

And that is a big compliment for XMPP: it gets its job done, whatever the job is...

On 27/09/2009, at 6:59 AM, Peter Saint-Andre wrote:
> http://www.rsa.com/blog/blog_entry.aspx?id=1525
> http://www.rsa.com/blog/blog_entry.aspx?id=1515

As a matter of fact, it is this one: http://www.rsa.com/blog/blog_entry.aspx?id=1520

> Hold it. Now that the unsuspecting user has visited a fraudulent
> website, anything is possible! The criminals could use XMPP, SMTP, HTTP,
> IRC, or whatever they want at that point.

Correct, and as I stated above, it is a compliment for XMPP that it is the technology of choice both for creating a webchat and for real-time distribution of data. But what struck me most was the explicit mention of Jabber (and not XMPP!) as the technology behind the scenes. In most cases the news articles don't care about the technologies behind the scenes of a trojan and just talk about its functionality (like some other articles on this case did).

> There is nothing particular to XMPP in these attacks, other than the
> fact that the criminals are using a chat interface and then sending
> information through an XMPP server that they have installed on their own
> machines. These attacks are not being perpetrated against Jabber users,
> but against regular older Internet users via fraudulent websites, with
> XMPP as an information transport.
>
> There is nothing we can do about this kind of attack.

No, we can't prevent these attacks. But IMHO they are a concern for the XMPP Standards Foundation. One of the factors that gave IRC a bad name was its use by botnet herders. Nowadays any IRC server is suspect. For me the news was not XMPP doing something (illegal or not), but Jabber (and not XMPP...) getting 'bad press' like this. If we have any possibility to avoid XMPP/Jabber getting a bad name like IRC did, we should do so. One way of doing so might be generating 'good' press about XMPP's security features. Another way might be to differentiate clearly between the protocol, the public Jabber network and private applications of the protocol. A case like this would then have a much smaller impact on the public image of XMPP/Jabber.

> However, we might want to look more seriously at XEP-0165 so that we can
> help prevent similar attacks over the real XMPP network.

Proactively working on things like XEP-0165 can indeed help with controlling the possible damage of illegal use of XMPP. It might lessen the damage when the day comes that the public Jabber network is a big-time target for things like identity theft. It might also help by showing that insecurity is not a feature of the protocol, but that the insecurity is a result of the way the protocol is applied.

best wishes,
Winfried
