[TriLUG] IM server solution for MS Messenger clients

Cristóbal Palmer cristobalpalmer at gmail.com
Thu Sep 6 15:27:10 EDT 2007


On 9/6/07, Jeff The Riffer <riffer at vaxer.net> wrote:
>
> Did you point out that they had absolutely NO WAY of knowing?

Actually we do. We can brainstorm who would realistically be
interested and/or who would potentially have the access to listen in.
In my mind, that includes:

(1) AIM employees/administrators
(2) people on the same VLAN (i.e. students and staff)
(3) highly-motivated 3rd party with sufficient technical knowledge

Realistically, that's it. If I'm wrong, please tell me why. (3) is
pretty irrelevant because there is much more low-hanging fruit that
would be easier to take advantage of than eavesdropping on our IMs,
and the potential profit in eavesdropping on our IMs is... what? Why
waste time doing that when you could instead slurp up all of Project
Gutenberg for use in word salad spam that's immediately profitable?

> Unless of course UNC has a complete IDS/IPS system in place alongside security
> kernel controls, antivirus, a CIRT response team, etc...

TippingPoint machines at the boundary, iirc.

> > (2) If someone were listening, what could they possibly get that would
> > be damaging?
>
> BWAAAAA HAHAHAAHAHAHAAHAHAAH!

You laugh, but this is a serious question. What are we trying to
protect? More specifically, what are we trying to protect that we'd be
pasting in an IM? The only sensitive data we deal with involves access
to powerful computing resources, so realistically we should be careful
to keep access to those resources limited in a sensible way that
doesn't limit _us_.

> > (3) If it's really valuable and you're worried about it leaking, can't
> > you use your in-house email?
>
> Eh, that's probably a good point.

Thanks. :)

You mention that Outlook is a hog and you don't like using it. Why not
dump it? Have you looked at other options like Zimbra? How about
Meldware from our own Andy Oliver?

http://buni.org/mediawiki/index.php/Meldware_Communications_Suite

> I'm kinda surprised people working for iBiblio would want to continue to
> depend on external, for-profit entities for IM though.

Why? We're social animals, and our networks built around those
external IM companies are valuable to us. Additionally, using Pidgin
means that we can be on multiple networks at once, so the cost of
transitioning is practically nil.

> On top of the security
> advantages of running an in-house IM system, you also get the advantage of not
> losing internal communications during Internet outages, or outages on a
> provider's network. See also: Skype and RIM.

Which is why we have an internal, secure wiki that lists all the
points of contact, including:

(1) home phone
(2) cell phone
(3) IM names/networks
(4) personal email
(5) work email

How likely is it that all of those will simultaneously go down? If
they do simultaneously all go down, I doubt fixing ibiblio systems
will be our top priority....

Again, I would emphasize that metalab (the group that manages ibiblio
systems) is one office, and as you point out we're in academia AND
we're Open Source nerds, so there's a culture of openness. Multi-homed
offices sharing high-value or legally-sensitive data are obviously
going to come up with a different solution.

Cheers,
-- 
Cristóbal M. Palmer
celebrating 15 years of sunsite/metalab/ibiblio:
http://tinyurl.com/2o8hj4
