Forum Replies Created
March 21, 2007 at 5:19 am in reply to: Yahoo! to drop support for Y! Messenger 7.5 April 2nd #159409
Torseq Tech. (Member)
Not surprising at all.. this means that YMSG 13 and YMSG 14 (7.0-7.02 use YMSG 13 / 7.5 uses YMSG 14) are on thin ice now while YMSG 12 (used by Messenger 6.0) has been walking on it for a while now. I’ll bet that when Yahoo! does do away with older logins that 10, 11, 12, 13 and 14 will all go in one fell swoop leaving only 15 and newer protocol versions standing. Nobody knows when but it’ll happen.
Torseq Tech. (Member)
In the words of one of the authors… ‘It rocks’. {*_*}
Coming in the next build is the ability to support any executable chat program that has voice chat capability. Additional preloaded preset selectable voice chat clients/voxes to be added next build are YahElite’s new VoxBar, YMLite’s old external vox known as MiniVoice and MyChat (now that it has YMSG support and has been updated). No5 might also make it in there but I’ll have to test it out first and see if it meets the criteria for a preset selection. 😉
Torseq Tech. (Member)
A lot of the time the PC-2-PC call connection (SIP protocol) will die and reconnect throughout a session. Sometimes you could be waiting a bit to have it established or even reestablished so it’s not too uncommon to not have it available whenever you want/need to use it. Dr_web you’re also correct with what you said but I believe Chet is aware of that issue since I told him about that back during the summer (when it was doing the same). Not sure when it’ll be fixed but bringing it up was a good point because that may be playing a role with the problem raf is having.
Torseq Tech. (Member)
This is an easy one. To set the port simply change the current port number (dword value default is 5050) to another valid one such as -> 20, 23, 25, 80 or 119.
To set your own server there’s a couple ways to do it but the easiest is to create a string called “connserver” with a valid server’s IP address or hostname as the value.
Torseq Tech. (Member)
In the Messenger buddymain *buddy list* window go to the Messenger menu and check the menu option “No Incoming Calls”.
Torseq Tech. (Member)
The following is a post made by me regarding Yahoo!’s actual ‘patch’ for this. If you would like to know some of the technical details you can read below. This is also posted on my forum, the YTK board.
Now, for anybody that wants to know the intricate details of this patch, I’ll give you the lowdown… There was a vulnerable field inside of the Chat Message packet (service type: 0x00 0xA8). This field is known as the Message Type Definition field (at least what I call it) as it defines the ‘type’ of ‘message’ for the client to read in. 1,2,3 in ASCII denotes a standard chat message, an emote and lastly a think/thought type of chat message.
What Yahoo! has done with their recent patch (which took place today) is that they are enforcing that this field (124) only contains a single byte of data, thus ‘patching’ the vulnerability that existed. The single byte of data allowed has to be an ASCII numeric value, values 1-6 are allowed. Anything higher than 6 or lower than 1 and your chat message isn’t delivered to the room. Before anybody asks I don’t know why 4-6 are allowed since they’re not used, my guess is that they’re reserved for future use.
On their blog, when I wrote them an open letter about this, I did in fact tell them to enforce a single byte of data (which is all that this field would normally be used for) so I’m glad that they took my advice.
I would like to thank Dermot and everybody else including Chris who aided/attempted to aid in the patching effort. =)
Torseq Tech. (Member)
I know, Chris, LoL. I already told him my answer to that (whatwasIthinking).
The good news is that the room boot is FINALLY Patched, and what do you know, ON THE 30th DAY of January. =)
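The field-124 rule from the patch write-up above (one byte, ASCII 1 to 6, chat message service 0x00 0xA8), written as a server-side check. This is an added example, not part of the original posts and not Yahoo!'s code; the 20-byte header layout, the 0xC0 0x80 separator and the function names `parse`, `deliverable` and `build` are assumptions of the example.

```python
import struct

SEP = b"\xc0\x80"        # assumed YMSG key/value separator (not from the post)
CHAT_MESSAGE = 0x00A8    # service type named in the post
MSG_TYPE_KEY = b"124"    # the Message Type Definition field
ALLOWED = {b"1", b"2", b"3", b"4", b"5", b"6"}  # one ASCII digit, 1-6
HEADER = ">4sHHHHII"     # assumed: magic, version, vendor, length, service, status, session


def parse(packet: bytes):
    """Return (service, [(key, value), ...]) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("short header")
    magic, _ver, _vendor, length, service, _status, _sid = struct.unpack(HEADER, packet[:20])
    body = packet[20:]
    if magic != b"YMSG" or length != len(body):
        raise ValueError("bad magic or length")
    parts = body.split(SEP)
    if parts.pop() != b"" or len(parts) % 2:
        raise ValueError("malformed key/value list")
    return service, list(zip(parts[0::2], parts[1::2]))


def deliverable(packet: bytes) -> bool:
    """Server-side gate: True only if the packet passes the field-124 rule."""
    try:
        service, fields = parse(packet)
    except ValueError:
        return False
    if service != CHAT_MESSAGE:
        return True                      # the rule covers chat messages only
    types = [v for k, v in fields if k == MSG_TYPE_KEY]
    # Requiring exactly one occurrence is this example's choice; the post only
    # states the one-byte, 1-6 constraint on the value.
    return len(types) == 1 and types[0] in ALLOWED


def build(service: int, fields) -> bytes:
    """Construct a sample packet for testing (constructed data, not a capture)."""
    body = b"".join(k + SEP + v + SEP for k, v in fields)
    return struct.pack(HEADER, b"YMSG", 15, 0, len(body), service, 0, 0) + body
```

The check rejects on the value's length and range before anything downstream reads the field, which is the property the post credits the patch with.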
Torseq Tech. (Member)
CChris wrote:
Torseq tech today is the day you’re going to report what you found on the booter right?
I have reported it directly to a Yahoo! admin that I’m working and communicating with. He has directly told me that a fix IS on the way, and knowing this, I will wait a little longer before I disclose this in full (I’ve already partially done so to the public).
You wouldn’t believe how much criticism I’ve received from Yahoo! IM forums around the internet (YMLite forum, the YTK forum and others) for stating that I would go public. Suddenly I’m everybody’s ‘man to hate’. 😀 A threat to take away a child’s toy can really anger some.
Torseq Tech. (Member)
First to have the generated sequence of numbers would have been Y! Tunnel.
Yes, I remember when it first debuted in Y!TunnelPro years back.
It’s set up in YTK Lite/Pro very solidly:
- A 6 character randomly-generated alphanumeric string that is case-sensitive is issued. Spaces are inserted after each character and the key is to be sent back without the spacing.
- The user has 3 tries to complete the challenge successfully; if they fail they’re silently ‘ignored’ for the remainder of the session (or for as long as you have the Spam Challenge Integrity Check enabled).
- Spam Challenge Integrity Checking (Magic Word Verification) is “Zonable” and each group, Chat Users & Unknown Users/Outsiders, are treated independently (Off/On to each separately).
- Relatively sensitive flood detection and challenge suspension is present to combat a potential disconnection from the server if you were to be PM bombed and had to issue a challenge PM(s) to each bot flooding you (ouch).
- Authenticated users’ PMs are sent to your UIC storage window for review unlike some other chat programs that will pop open a separate PM window for each authenticated user that successfully completed the challenge (this isn’t a safe way to implement such a feature!).
As of YTK Pro beta build 260, if an authenticated user is replied to then event statefulness is tracked internally and all future PMs from the particular user will be sent to your open PM window (and not back to the UIC storage window). This entitles you to complete convenience without the need to worry about being PM bombed by authentication bots written to successfully complete the challenge and attempt to open up several separate PM windows on your screen (thus eating up more memory and CPU).
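A sketch of the challenge flow listed in the post above: a 6-character case-sensitive code shown with a space after each character, 3 tries, silent ignore afterwards, and challenge suspension during a flood. This is an added example, not YTK's code; the class name `ChallengeGate`, the action names and the `MAX_PENDING` threshold are assumptions of the example.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # case-sensitive alphanumerics
CODE_LEN, MAX_TRIES = 6, 3                       # values given in the post
MAX_PENDING = 20   # assumed cap: stop issuing challenges during a PM flood


class ChallengeGate:
    def __init__(self):
        self.pending = {}      # sender -> [code, tries_left]
        self.verified = set()
        self.ignored = set()   # failed senders, dropped for the session

    def on_pm(self, sender, text):
        """Return (action, payload); action is challenge, deliver, verified or drop."""
        if sender in self.ignored:
            return ("drop", None)              # silent: no reply at all
        if sender in self.verified:
            return ("deliver", text)
        if sender not in self.pending:
            if len(self.pending) >= MAX_PENDING:
                return ("drop", None)          # challenge suspension under flood
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            self.pending[sender] = [code, MAX_TRIES]
            return ("challenge", " ".join(code) + " ")  # space after each character
        entry = self.pending[sender]
        # Exact, case-sensitive, constant-time match; a reply with spaces fails.
        if hmac.compare_digest(text.encode(), entry[0].encode()):
            del self.pending[sender]
            self.verified.add(sender)
            return ("verified", None)
        entry[1] -= 1
        if entry[1] == 0:
            del self.pending[sender]
            self.ignored.add(sender)
        return ("drop", None)
```

Capping outstanding challenges keeps the client from sending one reply per flooding bot, which is the disconnection risk the post mentions.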
Torseq Tech. (Member)
Hi psyklon. You can find TrackSpew here (direct download): http://www.acidiceflows.com/misc/TrackSpew.exe
It was coded by a guy named ‘Gollum’ several years ago.
January 28, 2007 at 5:41 am in reply to: YTK Pro Now Available! *pre-release to release info tracking* #155846
Torseq Tech. (Member)
Quote: All this program is, is another version of tunnel that claims to be “unbootable”.
Very similar to Y!Tunnel, yes. There are, however, differences not to mention that YTK Pro was built from the ground-up to be heavily security-centric. It’s also programmed in a different language (more productive) than Y!Tunnel is. The claim of 100% unbootability is true, think what you want.
Quote: I have tried YTK Pro & yea it’s ok but in no way does it have the easy to use features like Y tunnel.
There’s plenty of “easy to use” features in YTK Pro. The added flexibility in YTK Pro might make it appear to be more complex to work with but we’ve got 80 year old customers that manage just fine (I’m not kidding).
Quote: What I’m saying is why buy something that hasn’t been around but for few months
You’re wrong. YTK Pro HAS “been around” since April of 2005 when it began development. It wasn’t released until it had just as many features (and many of its own) as Y!TunnelPro 2.0/2.5. Just because a program was “playing catch up” for that time span and not available to the public in its extremely early development stages doesn’t mean it hasn’t existed. You don’t create a program like YTK Pro in only a couple of months, LoL. It was being beta tested since the summer of 2006 and was released on November 12th officially.
Quote: they’re saying it’s unbootable lol?
This is so hard to believe for you? Look up inverse simplex communication (when in Gawd Mode) and we’ll see just how “bootable” YTK Pro is. 😉
Quote: Y tunnel in no way has ever claimed to be unbootable & never will.
Y!Tunnel isn’t “unbootable” because
A) It doesn’t have Gawd Mode
and
B) Over the many years that it’s been available to the public it’s had many flaws that booters have been able to successfully exploit. YTK Pro doesn’t contain these same kind of flaws… proof is in why you don’t ever see booters with YTK Pro “boot” options to specifically exploit a flaw in the program. The one booter that I did find with a YTK Pro boot option doesn’t even work as advertised, it’s only there to make it appear to be more powerful than it really is.
Quote: Yea there are a lot of features that help but don’t be dumb about this new program it’s not all that.
I co-developed this program and it IS “all that”, it’s one of a kind and each new build we release proves its worth more and more, there’s no back stepping. YTK Pro has introduced several chat innovations and will only acquire more and more each new build that is available (wait until you see the next build).
Quote: But hey maybe after sometime has passed the program will develop. It takes years to make a program stick out from the rest
YTK Pro is already sticking out from “the rest” and it’s only taken a couple months to accomplish. This program is extremely developed, it’s over 60,000 lines of source code, that isn’t developed enough?
As far as stability is concerned YTK Lite/Pro is hands down a winner, we’ve had 0 YTK crash reports from our members running it since we released the first build back in November (beta build 235). Not to cut Y!Tunnel down but you won’t find that kind of track record with Y!Tunnel in operation, there’s been several crash reports reported by board members and they’ve had to be looked into separately. I have been running Y!Tunnel since 2002 when I purchased Y!TunnelPro, I’m aware of its PROs and CONs and stability isn’t its strongest point. Others and myself believe that it’s not even the added flexibility and increased protection you get from YTK Pro that puts it on top in its submarket, we believe the stability alone is what places it there.
Don’t degrade a program developed and maintained aggressively with a bright future ahead, you’re not giving it or the developers (myself included here) enough credit.
Have a good one…
Torseq Tech. (Member)
Dermot wrote:
Quote: Yahoo! have started to filter the field used for this boot.
I just checked today (10 mins ago) if they were validating the message type definition field and they’re not. = I will be checking every couple of hours to see if anything’s been done. I have contacted a direct staff member at Yahoo! and he has told me that a fix might be happening sometime this weekend. I can’t say any more than that but if it’s true then I won’t have to disclose this to bugtraq etc.
We’ll see… 😎
Torseq Tech. (Member)
I like the drag-‘n-drop IM window tab creation. 🙂 It’s a nice looking interface, very, BUT will it be flimsy and break all the time? It would be almost insane to assume a NO for this one but if it’s written from the ground up (most of it anyway) it could be a big step in the right direction. I’m sure Yahoo!’s learned from past mistakes and hopefully can avoid some of them this time around.
It’ll be interesting to test this one out. When it’s stable enough my programs, YTK Lite & Pro, will support this Vista version and Yahoo! Messenger support for XP/2K/2K3/MCE will be maintained. It’ll be extra work but I’m liking the new interface a lot and the innovative next generation features.
Torseq Tech. (Member)
Consider Yahoo! “slapped in the face” as I just wrote an ‘Open Letter’ to them, on their Blog spot, and gave specific information concerning this broadcast room boot vulnerability and exploiting it. The Yahoo! Messenger Development Team has 5 days (until the 30th) to comply and resolve this issue or I promised them that I would indeed go Public (to Secunia and Bugtraq) with working “Proof-of-Concepts” complete with a fully detailed advisory. This is complete negligence on their behalf and they’ve been given more than a fair amount of time to patch this hole. If they don’t meet the deadline they’ll regret it when every network security professional around the world is criticizing them (more so even than they’re doing now).
Y! Messenger Dev Team’s Blog spot: Yahoo! Messenger Blog » Let’s Chat
If Yahoo! decides to remove my post there you can alternatively find it on my forum at YTKPro.com: YTK Support Forum :: View topic – EXPECT the Server-Side Room Boot Vuln to be Patched SOON!
The Countdown has Begun…
Torseq Tech. (Member)
There are actually several other chat programs that you could’ve encountered that have this ability, Colin. Two programs come to mind… YahElite and YahEh. I actually do believe that YahElite was the first one to have this Magic Word Verification (Dermot would probably know) system, but I could be wrong so I’m not 100% on that.
Venom recommended my program, YTK Lite, which is free to use and it has the most flexibility for this system. In Y!TunnelPro this system is much the same but not as flexible because 2 Groups (Zones), chat users and unknown users, are spam challenged when this feature is enabled. In YTK Lite and YTK Pro we give you the ability to actually Enable this on a per-group basis, meaning, you could have this enabled to ‘challenge’ chat users and have it disabled to unknown users (users that don’t belong to your friends, safe list or chat users groups) or vice versa. This flexibility definitely comes in handy imo.
While it is possible to bypass these magic word challenges prompting for a pass code, I’ve yet to see it done other than a proof-of-concept tool I wrote last year that will do it (easy enough to write for most programmers). It’s a nice system to have working for you, eliminates ‘SPIM’. 🙂