On 9/27/09 6:34 AM, Winfried Tilanus wrote:

> On 09/27/2009 02:32 AM, David Banes wrote:
>
> Hi,
>
> First of all, my apologies. I just finished reading the chapter on
> humour in the book "Native English for Nederlanders" and tried to put it
> to practice in my original posting. I think I should politely suggest to
> the author that his remarks on irony were inadequate.
>
>> I've been in IT security R&D for 20 years and can say that the crims use
>> whatever protocol will get the job done,
>
> And that is a big compliment for XMPP: it gets its job done, whatever
> the job is...
>
> On 27/09/2009, at 6:59 AM, Peter Saint-Andre wrote:
>
>> http://www.rsa.com/blog/blog_entry.aspx?id=1525
>> http://www.rsa.com/blog/blog_entry.aspx?id=1515
>
> As a matter of fact, it is this one:
> http://www.rsa.com/blog/blog_entry.aspx?id=1520
Thanks. BTW one of those blog entries said something like "download the
[sic] Jabber server", indicating that the RSA folks have not done a lot
of research about our technology.

>> Hold it. Now that the unsuspecting user has visited a fraudulent
>> website, anything is possible! The criminals could use XMPP, SMTP, HTTP,
>> IRC, or whatever they want at that point.
>
> Correct, and as I stated above, it is a compliment for XMPP that it is
> the technology of choice for both creating a webchat and for real-time
> distribution of data.
>
> But what struck me most was the explicit mentioning of Jabber (and not
> XMPP!) as the technology behind the scenes. In most cases the news
> articles don't care about the technologies behind the scenes of a trojan
> and just talk about its functionality. (Like some other articles on this
> case did.)

Good point. I will reach out to the RSA folks soon to educate them a bit
about XMPP.

>> There is nothing particular to XMPP in these attacks, other than the
>> fact that the criminals are using a chat interface and then sending
>> information through an XMPP server that they have installed on their own
>> machines. These attacks are not being perpetrated against Jabber users,
>> but against regular older Internet users via fraudulent websites, with
>> XMPP as an information transport.
>>
>> There is nothing we can do about this kind of attack.
>
> No, we can't prevent these attacks. But IMHO they are a concern for the
> XMPP Standards Foundation. One of the factors that gave IRC a bad name
> was its use by botnet herders. Nowadays any IRC server is suspect.
>
> For me the news was not XMPP doing something (illegal or not), but
> Jabber (and not XMPP...) getting 'bad press' like this.

Yes.

> If we have any possibility to avoid XMPP/Jabber getting a bad name like
> IRC did, we should do so. One way of doing so might be generating
> 'good' press about XMPP's security features.
> Another way might be to
> differentiate clearly between the protocol, the public Jabber network
> and private applications of the protocol. A case like this would then
> have a much smaller impact on the public image of XMPP/Jabber.

Agreed. A post at blog.xmpp.org is in order...

>> However, we might want to look more seriously at XEP-0165 so that we can
>> help prevent similar attacks over the real XMPP network.
>
> Proactively working on things like XEP-0165 can indeed help with
> controlling the possible damage of illegal use of XMPP. It might lessen
> the damage when the day comes that the public Jabber network is a big
> time target for things like identity theft. It might also help by
> showing that insecurity is not a feature of the protocol but that the
> insecurity is a result of the way the protocol is applied.

Yes, we need to make an effort to communicate about this more publicly.
More soon.

Thanks for bringing this up, Winfried!

Peter

--
Peter Saint-Andre
https://stpeter.im/
