Miker

17th level Hacker

Yahoo Login Problems Using Gaim

It appears that Yahoo has again changed something that causes third party apps to fail. Now, it’s not like I’m unfamiliar with the trials and tribulations of trying to deploy a large scale application like this, I just don’t agree with their policies. Needing to change the underlying protocol is not a good way to control your application, it’s just evidence of poor planning and engineering. Of course, it also highlights some of the dangers of proprietary protocols. I have friends who normally I interact with using Yahoo. Bad me, cause now that Yahoo has decided to break from the API which my client was reverse engineered to work with, I can’t contact them. I’m not really happy about that, but unfortunately there’s not much that one can do. I use Jabber, but not all of the contacts I have are willing to switch. For them the official release always works, so why should they care if Yahoo wants to change the protocol? Well, just remember that there’s nothing that says Yahoo needs to keep doing that. Say they decide that they have lots of “value in their network”. Meaning they think if they decide to make Yahoo a pay-only service that people will cough up some money. Say they decide to do this to everyone, and not just the Gaim users. Take a little while to think about that. Me, I’m off to see how many other people are reevaluating Jabber and trying to see who else I can get to switch.

UPDATE (22:29 06/23/2004) : here is a more official article about what happened. Sounds like complete bullshit to me. I don’t see how closing off their protocol helps out keeping down spam. I have a counterpoint actually. When we needed to send notifications using Yahoo and AIM and MSN we first started by using a Jabber server with transports to handle all the different protocols. But of course, some transport was always broken, and it was a huge pain in the ass to try to maintain. So instead we ended up running a Windows box (the only one in the office actually) to run the three different apps and we send Windows events to the different clients to simulate a normal user clicking on stuff and typing messages. It looks like a completely 100% legitimate client to the IM services. Haven’t had any problems since. So there you go. If you’re looking to send spim, that’s the way to do it. Works much better than hacking Gaim or Trillian to send messages. I say this not cause I like spim, but because maybe if the spammers have a different way to send messages it’ll get Yahoo to develop a fucking clue. Real security has nothing to do with the obscurity of your protocols.

UPDATE (00:02 06/04/2004) : According to the work being done to reverse engineer the changes to the protocol, the server now sends an image recognition based challenge/response sequence (like websites that ask you to enter the letters in an image that’s had some obfuscation applied). Well, good for them. That should lock out the spammers for a few days. Me, I’ve decided the service isn’t worth it. It means I might lose the ability to communicate with a few people who aren’t willing to make the switch, but I guess that’s just the price I have to pay. Apparently the price of freedom isn’t only eternal vigilance, but eternal vigilance plus a couple of entries from my buddy list.