Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
The Internet Networking Communications Security

New Secure IM Client from NTT Due this Year 61

Posted by CowboyNeal from the excuse-to-say-docomo dept.
An anonymous reader writes "NTT in Japan has developed a new TLS-based secure instant messaging system that it says will comply with corporate compliance regulations, such as the post-Enron Sarbanes-Oxley Act. There's a PC version, as well as a Java one for i-Mode cell phones."
This discussion has been archived. No new comments can be posted.

New Secure IM Client from NTT Due this Year More

New Secure IM Client from NTT Due this Year

Comments Filter:

  • Gaim and OTR (Score:4, Informative)

    by ChazeFroy ( 51595 ) on Saturday February 11, 2006 @12:58PM (#14695011) Homepage
    OTR [cypherpunks.ca] doesn't use TLS, but it does a great job encrypting conversations. Much better approach than SecureIM by Trillian or gaim-encryption.
    • Oh, sweet, this is exactly what I was looking for. I've been using encryption plug-ins for security. What I always felt was missing, though, was a server that "can archive copies of all messages to satisfy provisions of compliance regulations, such as the Sarbanes-Oxley Act." I like secure communication, but I don't like it to be TOO secure. I like encrypting things, but knowing that someone might still be able to read them.

      Of course, this is entirely reasonable -- it's not that they're debuting a servi

    • Re:Gaim and OTR (Score:2, Informative)

      by revscat ( 35618 )
      For OS X users, the multi-protocol IM client Adium [adiumx.com] comes with OTR encryption built in by default.

      It's a very nice client.

    • Re:Gaim and OTR (Score:1, Informative)

      by Anonymous Coward
      dont forget jabber.org

    • Re:Gaim and OTR (Score:3, Informative)

      by brunson ( 91995 )
      Nothing like reinventing the wheel.

      Jabber can use TLS, it can also use PGP encryption over TLS or an unencrypted TCP connection, it's an open protocol documented in IETF standards track RFCs 3920-3923 and Jabber servers can communicate with each other just like SMTP servers. I installed my Jabber server in an afternoon and I can talk from my server to any other Jabber user, including GoogleTalk users.

      • Re:Gaim and OTR (Score:5, Informative)

        by fossa ( 212602 ) <pat7@g[ ]net ['mx.' in gap]> on Saturday February 11, 2006 @02:45PM (#14695477) Journal

        Um... OTR is not PGP for a reason. I'm no crypto expert, but with PGP, Alice and Bob know each others public keys. They encrypt messages to each other, and anyone with the secret key, hopefully only Alice or Bob, can decrypt or forge a message. If these messages are stored, any breach due to a trojan, subpoena, etc. will be able to recover the messages.

        OTR uses PGP to create a "shared secret" which is used to generate temporary encryption keys for each conversation. During the conversation, the security is the same as in the PGP case. After the conversation, the temporary encryption keys are discarded, so that no one may now decrypt the conversation (at least, they should be discarded). I'm a bit confused on the final step, but I think the shared secret is then published which allows anyone to create new temporary encryption keys which may be used to generate messages that belong to the conversation. This fact may be used to deny the validity of any claimed transcript of the conversation (and this way you don't need to trust that Bob has really discarded the temporary keys).

        • I'm no crypto expert
          Clearly.

          If someone is able to record the conversation and replay it with a compromised PGP key, then they could capture the key exchange and use that with the compromised PGP key to come up with the "shared secret" (or "session key" as it's referred to in the crypto world). Either you're explaining it badly, or I don't see the benefit. If the keys are compromised, you're fuqued.

          The only advantage I see would be added resistance to some sort of attack that leveraged a large quantity of
          • After reading the FAQ on OTR, I see the other "feature" is deniability, whatever that's worth. If you can't trust the person on the other end of the wire, you shouldn't be saying anything you don't want disclosed. A transcript of the conversation and the other person's statement under oath, or that of the NSA agent that recorded the conversation, is enough for a jury to convict. Everything I said about capturing the key exchange and a compromised PGP key still stands.

            Going back to my previous post, i.e.

          • It's not that a compromised PGP key isn't a problem; it is. During the conversation, you've got the same security as PGP: if your keys are secure, the conversation is secure. The advantage comes *after* the conversation. With PGP, a compromised key will reveal past conversations. With OTR, a compromised PGP key will not reveal past OTR conversations because they were encrypted with a temporary key. A compromised temporary key (which is normally destroyed) will reveal the conversation, but there is no g

        • So here's the main difference - OTR uses Diffie-Hellman key exchange to create an ephemeral session key, and when the session's over both ends can discard the key. DH is an older technique than RSA, and works differently.

          In RSA-based systems, like PGP and most implementations of SSL, etc., Alice creates a secret session key, encrypts it with Bob's public key, Bob decrypts it with his private key, and then they can talk, but if Bob's private key is compromised in the future, an attacker can decrypt the en

  • This is just one more attempt .... (Score:5, Insightful)

    by zappepcs ( 820751 ) on Saturday February 11, 2006 @01:21PM (#14695101) Journal
    This is just one more attempt, IMO, to realign privacy and security values to where they were before new technologies. Where IM is replacing conversations around the water cooler in the workplace, securing it from snooping is an okay thing. Logging it as official corporate communications is getting into, perhaps, dangerous territory. There is the part where it is a company resource, but when it comes close to being thought police, it is dangerous.

    I think that modern society is still trying to find a place of 'normalcy' in the midst of new technology. I don't believe that there is an equivelant of IM prior to the advent of IM, other than private conversations. Recording private conversations is still not an okay thing to do. Comparing this to text based conversations that deaf/mute people have with text based phones, it all gets a bit confusing as to what is okay to record and what isn't.

    Until it is clearly understood what is okay to snoop and record and what is not, people will make mistakes in what they allow to be recorded, and why, and how those recordings are used. No manner of encryption will fix the real issues. It seems that the only secure mannner to communicate is whispering so that no one can hear what is being said.... very low tech!
    • It seems that the only secure mannner to communicate is whispering so that no one can hear what is being said.

      *shrug*. Nothing in this system stops you from exchanging public keys with your friend and sending each other encrypted messages on top of this layer. It's a bit cumbersome, but privacy has a price.

    • It seems that the only secure mannner to communicate is whispering so that no one can hear what is being said.... very low tech!

      As usual, there is a high tech solution for this, and it has been around for some time, but this solution is really only popular amongst secret agents. I like to keep secrets safe from prying ears, that is why i refuse to speak to anyone about anything important unless we are under a cone of silence [a9.com].

  • Source? (Score:4, Insightful)

    by xtal ( 49134 ) on Saturday February 11, 2006 @01:22PM (#14695106)
    If I can't look at the source.. it ain't secure.

    • Re:Source? (Score:2, Insightful)

      by Anonymous Coward
      If I can't look at the source.. it ain't secure.

      Just because you can't see the source doesn't necessarily make it insecure. It just makes it harder for you to verify that it's secure.

      You can't see the source code for the computer in your car. Does that make it unsafe to drive?
      • actually yes, it does, and thats precisely one of the situations in which the source should be available.
      • My car is not connected to a public network. And if it were, I'd make sure I use my own firewall to protect that connection (a hardware based one outside of the control of the manufacturer).

        Why do we have to trust anything at all, especially computer-related stuff? This is the reason why open source makes perfect sense for the rest of us. The rest of the population (you included), can keep using closed source code connected to public networks... if that's fine with you that's fine with me. For as long as I [kernel.org]

    • Re:Source? (Score:2, Interesting)

      by m_frankie_h ( 240122 )
      http://www.acm.org/classics/sep95/ [acm.org]

      You have to look at the compiler, the OS, the microcode and the hardware, too.

    • Re:Source? (Score:3, Insightful)

      by lasindi ( 770329 )
      If I can't look at the source.. it ain't secure.

      No ... if you can't look at the source, you can't know that it's secure. Open source is great, and IMHO it produces more secure products in general; but open source isn't some magic spell that makes programs secure. Firefox, Linux, KDE, etc. all have security problems now and then. Whether or not they aren't as bad as their proprietary counterparts is debatable, but nothing is 100% secure, FOSS or not.

  • Encryption is pointless here (Score:3, Informative)

    by timeOday ( 582209 ) on Saturday February 11, 2006 @01:26PM (#14695119)
    The "compliance" they refer to is that this encrypted IM will have a logging capability. What this means is that outsiders won't be able to snoop (without a court order), which is fine. But your words can still be dug up out of context months or years later if somebody high enough on the ladder decides they want to get rid of you.

    Whether email or IM, writing anything controversial is a really bad idea. Say it face to face or on the phone instead.

    Of course the question arises of what to do when you receive a verbal order to do something against company policy. You could comply, and take a small chance of later reprecussions, or else refuse or demand the order in writing, and face smaller but almost guaranteed reprecussions over time.

    • Why not confirm the verbal order in writing? This avoids the awkward "Sir, I'll need the order in writing to release those childrens' browsing history to our tobacco advertising partners" and replaces it with "Sir, in accordance with your {IM, phone call, verbal instructions} today, I am sending the childrens' browsing history to our tobacco advertising partners." It avoids the confrontation and still creates a document which your counsel could subpoena showing you were following orders. Keep a printed, dat
    • Say it face to face or on the phone instead.

      Even a mediocre company PBX can record any call nowdays. And if it is VOIP recording all traffic is so trivial that it is not even funny. So on your expectation of privacy in a corporate phone call I can say only one thing. Bwahahahaha...

  • Does Jabber specify any encryption methods that could be implemented by clients? At the moment different clients are adding encryption but they all seem to be incompatible with the other clients.
    • Just should add that there are two levels of encryption:
      - Connection based encryption, which I believe Jabber already provides.
      - Content encryption, requiring users to provide a public and private key, which I don't believe has been standardised. GPG would be my favourite solution, but I don't see many clients using it, and when they do it seems inconsistent.

      BTW Can someone tell me whether the connection between the two people chatting with Jabber is P2P or whether it is routed
    • Jabber can integrate beautifully with pgp/gpg and there are at least two different (but compatible) implementations that do so.
    • Yes, Jabber has had TLS/SSL support for a while. My connection to the server is encrypted via TLS/SSL and my actual chat to my woman is encrypted with gpg.
  • Been Jabber [jabber.org], done that...

    Seriously, why wouldn't a company want a secure flexible internal IM system, for free, instead of an expensive proprietary system?
    • Because if a company spends money on it, they know it has to be good, plus tech support and such, and don't give me that crap about forums. Part sarcastic, part serious, but some companies think this way.
      • You should take a look at Wildfire [jivesoftware.com]. It has a GPL'd version and commercial version (extra features and support). At work I use the GPL'd Wildfire and it is excellent. It's also very easy to install, basically all you have to do is install the RPM and open a web brower to configure it.

    • Re:Jabber (Score:3, Interesting)

      by DrXym ( 126579 )
      Seriously, why wouldn't a company want a secure flexible internal IM system, for free, instead of an expensive proprietary system?

      Our company uses something called Lotus Sametime. Ever heard of it? Me neither until I joined. I've heard of Lotus of course, but not Sametime. Basically it's an AIM-a-like for corporate environments. Now you ask why they use it... because (and this are the only reasons as far as I can see) it has some screensharing / whiteboarding capabilities, its authentication can be tied i

      • I have heard of Sametime, although I have never used it. As far as proprietary IM systems stopping people from chatting with friends, that is true but you could do the same thing by running your own Jabber server. Just disallow server to server connections and stop client to server connection at the firewall.

      • Re:Jabber (Score:2, Informative)

        by m_frankie_h ( 240122 )
        You can do whiteboarding over Jabber using Coccinella.

        jabberd2 can use your LDAP for authentication, data storage and maybe as a directory. I don't know about a web-based UI.
      • Sametime was 5 years ahead of it's time about 7 years ago. It had been neglected somewhat in terms of development since then, and is 2 years behind the times so it needs to be brought up-to-date. Fortunately that is exactly what IBM has done. At Lotusphere in Orlando last month they showed Sametime 7.5 which will be out later this year, it is a complete rewrite of the client end (which needed it) it is now based on the Eclipse framework and is extensible and cross platform, it supports graphical emoticons e
    • A few reasons. Reuters brought out Reuters Messaging a while back, and the main focus there was to rival Bloomberg's offering of their lightning quick Bloomberg Mail. Essentially, if you're a financial institution (and if you want financial regulation complience, then you probably are), you don't want to have all your employees part of a directory that is also full of the general public. Then you have cases where you don't know who someone is, people might have multiple accounts etc. The model preferred is
    • I have been testing jabber servers at work. So far OS X Server's Collaboration Services, A.K.A iChat Server is my favorite. I simply started up the machine, added it to our AD domain, and named and started the service. Users were immediately able to authenticate against the domain and chat. Macintosh users immediately had audio, and with a Firewire camera, H.264 video chat capability. I am waiting for a USB camera so I can try video on Windows. The app comes with the hardware, our cost figures to be abou
  • Bitwise [bitwiseim.com] is a rather nice IM network/client that's already available for Windows/Mac/Linux. It uses 128 bit Blowfish encrpytion for the free version, 256 for the Plus version and 448 bit encryption for it's enterprise solution (Bitwise Professional). Apparently the Professional version also provides the logging capabilities required for compliance regulations too. Closed source though :\
  • Comment removed based on user account deletion
  • This system has a backdoor built in which allows logging of the discussions by those not participating in them.

    Secure = nobody has access to the conversation but the two people involved in it.
  • Secure Internet Live Conferencing [silcnet.org] :: It's a snap to install, has support in GAIM but also has a very decent client of it's own...not sure why this wheel needs to be re-invented.
    • Exactly! SILC already has an existing public network, no need to set up your own server (but its easy to do so, if you feel the want).

      At work, we're currently developing the multi-user layer of our flagship program, and we're using SILC because it's an existing, tested, standards approved (they get a 1024 port) system.
  • So...it's Sarbanes-Oxley compliant *and* "secure"...

    I don't think so...
  • Since Docomo has a bad habit of charging users for their connect time, this is going to have almost no take-off in the Japanese cell phone market. The Japanese are so used to just emailing and calling it good. The only time you might want to do a live chat by cell phone is if you're getting ready to meet somebody, and at that point, why not just call?

Slashdot Top Deals

[We] use bad software and bad machines for the wrong things. -- R.W. Hamming

Close