PC Magazine ran a story the other day about instant messaging and how it's a big virus threat. I understand that it is a threat, but I don't understand why because I can't imagine what goofy things most IM programs let you do with them when you connect.
According to the article, people leave their IM programs on 24/7, even at work, and that these are gateways for viruses. It's not talking about the "someone sends you a link and you download it and run it variety"--it's talking about viruses like Blaster that can simply infect PC-to-PC. The article espouses that IM programs have vulnerabilities like those found in IIS, where a hacker could gain access to your PC and execute arbitrary code. I just don't get it, I really don't. Maybe that's because I know how BitWise works and fail to see how such an attack could occur.
For an attacker to hit your PC, you must be listening on one or more ports. BitWise listens on port 4137 for connections from other BitWise users. For BitWise, however, I fail to see the point of vulnerability. Read data from client, validate data, read data, etc. Everything goes into separately allocated memory; buffers are always checked for length. It doesn't take that much effort to ensure your memory allocations are not exceeded--so I guess what I'm saying is, "Hey, you other IM programmers, what's going on with your coding practices?"
I just can't help but wonder when people design software, don't they think about the implications of an attack on revenue and (even worse) reputation? It's not that hard to code "safely" but it seems to be something that's just not happening. Besides, it seems if hackers can find vulnerabilities, the designers should be able to as well--and plug them before they're out there. I don't think I'm asking for anything unobtainable--just something with a little vision past the end of the nose.
Maybe I should post another "hacker's challenge" like I did once a year ago and see if someone can make BitWise do something really bad. While I don't want to know, I do want to know, so it can be fixed. Better to find something in an controlled way than in an uncontrolled way, eh? Anyone want my IP--you can have at my port 4137 all you want.
"Maybe I should post another "hacker's challenge" like I did once a year ago and see if someone can make BitWise do something really bad."
how did that go? did anyone break in? i think it would be good publicity to do such a thing, and of course after no one is able to do "something bad" it would just prove how secure BitWise is.
honestly, i have never heard of IM programs being used as gateways for viruses or hacking...i suppose its possible though.
Well, I'm not sure than anyone really took it seriously, so I can't really say that there were any results. :) Of course, there's always the risk that something bad DOES happen, and then where would we be... not that I think there is, but there's always that risk. It could also end up inviting DOS attacks, which, of course, there's not much of a good defense against, and that's not beneficial either.
It really would need some sort of reward, but I'm not sure what would be appropriate.
reward eh, do that same thing as before....mp3 player or whatever it was. or just $$$ ...not sure how much $$ u would have to offer before you got some serious hackers trying.