December 18, 2003

The rise of instant messaging

Instant messaging has become what TALKD never was: very popular and useful. It is email without the spam (mostly), and is widely used.

Instant messages are generally sniffable on local networks. Hence, it is a bad idea to IM sensitive details to your colleagues while working at a negotiation table. Instant messages usually go through a central server, which is a fine place to eavesdrop. I suspect that cops and spies have utilized this situation more than once. Companies can set up their own servers (e.g., jabberd) for a better-controlled central site, and interfaces to various IM services.

The "user is away" feature can be used to decide when someone is at home or at work, or even figure out his standard commuting schedule. I have not yet heard of burglaries based on this information. You can also tell when someone is away from his desk, perhaps in a meeting.

I decided to bring IM up here because the government is groping with this service, even on secure networks. It usually has a terrible security model, and its users are often ignorant of this fact. But warfighters like this kind of service, too.

There is much confusion on how IM is implemented, and implementation varies by product and situation. It would be nice to set the defaults to something secure, and hide the login sessions to protect user names and passwords.

Posted by Bill Cheswick at December 18, 2003 10:57 AM