IM Security Risks?

I am thinking about entering the world of instant messaging on a linux system. I intended to use gaim.

But . . . I am very cautious about the security risks that IM have. What security risks would IM pose to me? Would using encryption help circumvent some the threats?

I need help. . .know absolutely zero about IM …anything would be appreciated.

There arn’t any really, the only threats possible would be based on poor programming which creates an insecure access point to connect to a PC /send files unmonitered, and even for an IM program that is really hard since the IM is only there to send and recieve data and turn it into text, it doesnt accept commands to control OS features and so on.

Your more likely to get a virus from a website that to have a security breach from an IM product.

That said, most IM programs are bloatware nowerdays (allowing files to be downloaded etc…) but in general the security risk is pretty damn low. Just dont go running .exe’s your “internet buddies” send you

I’m not sure what kind of, if any, encryption Gaim uses, but I know for sure that Skype is encrypted. I believe that uses 256 bit encryption for everything it does. You can talk, chat, send files, and all sorts of fun stuff with Skype.

anybody that you accept a file from can see your IP address
[if you’re on dial-up or not behind a router they can see your computer directly]

and some viruses spread using IM [send you a file or have you click on a link with the payload]

and the usual, don’t give people information you don’t want them to have
[yawn]

When you say security risks, do you mean viruses and friends, or people seeing what you type?

For the second, encryption would work.

Most IM protocols don’t have encryption, so don’t go typing anything secure in them. File transfers (and, in some cases, just chatting) can reveal your IP, though this is much less a problem than firewall marketing people make it out to be.
As for viruses, it’s about as safe as email - anyone can send you a link to a virus, or (on some protocols) send you the virus itself, but nothing will happen unless you actually run it.

Actually, now that I think about it, it’s about as safe as email on all counts - unencrypted, can reveal your IP to anyone you talk to and suseptable to really easy to avoid viruses.

End-to-end encryption is avaliable for most unofficial clients, like Gaim, but they probably require whoever you’re talking to to be using the same client, with the same plugin… most people will probably be using the official clients, which don’t have encryption as far as I know (though I haven’t looked into it much).

By security risks, I am meaning a compromise in system or network stability/security in any way. I know it is a broad definition, but I am by nature, very cautious about doing things on the internet.

I’m internet-aware enough to know that I don’t give out sensitive information. I keep my online identity arbitrary.

I’m using a linux system, so *.exe files really won’t be much of a problem unless someone cons me into running them under wine, which shouldn’t have much effect either. :slight_smile:

I don’t prefer people to see what I type…I assume that it is possible to mask messages so only one person can read them.

I’ve been looking into the Jabber IM service. I’ve used it a little before on a private server. I’m trying to figure out how to set up my own private jabber server for friends and family.

Is there anyway to mask my IP or send a bogus IP instead?

Is there anyway to mask my IP or send a bogus IP instead?

Tor for the internet, not sure about IM though.

One thing that you could reasonably do is to set up a non-privileged separate account for yourself, then use the IM program exclusively through that. (Just su with the username of the limited user.)

From this separate account, none of your files are accessible to the IM program. Naturally, since the account has no special privileges, neither is the system. Any files owned by the separate user wouldn’t be available to your regular user, unless (as the separate user) you moved them to a common place and allowed access… a very conscious and deliberate thing to do.

Realistically speaking, you can never constrain what a program might try to do (with or without your knowledge), but you certainly can use existing operating-system features to strictly constrain what any program will succeed in doing.

“Even Windows” has excellent user-access controls! Trouble is, most users until now have left them turned-off, or don’t even know they exist. People who routinely lock their doors at night, and their cars when they park them, leave their computers completely exposed. For no good reason at all.

I like your idea . . . . I will try to implement this… thanks