Crowd-sourced tech support

[liv]

So jabber.org is being DDoSed, and whatever measures they're taking to mitigate this problem mean that I can't connect via my usual IM client, Pidgin. Apparently it has something to do with DNS, but beyond that I'm in the dark. I have tried upgrading Pidgin to the latest version but no joy there. And I have tried all the reasonable web searches I can think of and not turned up any way of fixing this myself.

So, does anyone know of an IM client that successfully connects to Jabber / XMPP when they have anti-DDoS measures turned on? Basically my only requirement is that it works under Windows and handles multiple protocols, with Jabber being the most important. I would prefer something that doesn't display ads; I'm willing to pay a small amount of money to make the spam go away. If it can do IRC as well as IM that's a bonus, but not an essential feature. Visually sleek or simple is better than visually flashy and cluttered, and I don't particularly need something heavily skinnable.

Secondly, does anyone know how to retrieve IM service passwords out of Pidgin? I have several accounts that I only ever use for IM: MSN / Windows Live Messenger, Yahoo, AIM, and ICQ, and the passwords are stored in Pidgin, never getting typed in anywhere, and not in my browser where I can choose to display stored passwords. Would be a lot easier to move to a different client if I can extract them somehow.

The consequence is, until I can get this fixed or the DDoS goes away, I'm not available at my usual Jabber contact, the one I use for chatting to people who are on Google Talk. PM me if you'd like to add me on one of the other services temporarily, and I'll give you a username. It would help if you could send me a brief message with the add request because I'm getting a whole heap of IM spambots trying to persuade me to join webcam sites (especially on Yahoo and AIM), so I tend to delete add requests by default.

ETA: Fixed!

Comments

[synecdochic]

I've had to switch to using a Jabber server lately, and after careful consideration of a bunch of clients (and throwing out the ones I'd already tried and wound up finding unusable), I picked up Psi+. It is the least worst Jabber client I've tried so far, though it only does Jabber and not IM.

[liv]

Thanks very much for the tip! Pidgin is reasonably polite about running in the background, so maybe a reasonable temporary solution is to find a dedicated Jabber client as a fall-back and use my multi-protocol client for all the old-fashioned messenger systems.

[liv]

Bah, just installed it and it appears to have the same problem with jabber.org as Pidgin did. But ever so small and customizable, I can definitely see why you don't hate it.

[synecdochic]

Alas, woe!

But yeah, it's the only Mac Jabber client I've found that doesn't do the obnoxious iChat-style grouping of messages, which I loathe with the passion of a thousand suns.

[403]

I'm having the same problem with Trillian (v4.2 build 29), so will be watching the comments here with interest.

[liv]

Huh, what's Trillian like these days? I switched away from it to Pidgin (then known as gAIM if I'm remembering correctly) because it was just getting too cluttered and bloaty for me. If they are quicker to fix this issue than Pidgin I may go back and give it another try.

[liv]

OK, having tried six different clients, none of which could connect, I tried again at searching for solutions on the internet, being a bit more determined this time. The answer is that Jabber's anti-DDoS means they've done something weird with DNS, so you have to specify that you want to connect to hermes.jabber.org and not just leave it as default. In Pidgin that's under Advanced settings > Connect server, which was previously left blank. A bit of poking around might find a similar option in Trillian?

[vatine]

It's been a while since I poked the innards of Pidgin and I don't know if there's differences between OSes, but...

At least under Linux, there should be a .pidgin (or similar name) settings directory in your home dir. This has several files, one is a chunk of XML with all configured accounts in it (and passwords).

Under Windows, I'd expect these things to live in the registry, but I honestly have no idea.

[liv]

OK, that was a really helpful hint, even with translating between OSes. I know the Windows equivalent of the home dir is C:\Documents and Settings\user\Application Data and I was able to poke about in that looking for XML files. It turns out that Windows Pidgin sometimes calls itself purple for no readily obvious reason, but I have now found the place where it stores the passwords in plain text, and I'm all set up to change to a better client. Plus I have reminded myself that in the mid-90s when I discovered ICQ I was really bad at choosing sensible passwords, maybe it's time I fixed that! Many thanks, anyway.

[jack]

Because purple is awesome? :)

Huh. Come to think of it, it must be possible to recover saved passwords. If that's right, it's somewhat deceptive for programs to show them as asterisks without any option for displaying them, if that gives the impression they _can't_ be recovered.

[vatine]

I think it is because in some intermediate phase between being "Gaim" and "Pidgin", it was "The purple IM client".

[liv]

Sure, purple is awesome, but if you're looking for data files related to a specific program, it's somewhat more helpful if the filename is in some way related to the name of the program. Though admittedly, I suspect that using Windows Explorer to look for and directly edit XML files is probably not the most obvious use-case the creators of Pidgin had in mind.

I don't honestly know if displaying the passwords from as asterisks in the user interface actually provides any security, or if it's just an illusion. I sort of naively hope that the passwords aren't being sent to the various services as plain text, but I don't really know that for a fact.

[jack]

*hugs* Sorry, I meant that as an explanation, not a justification -- I agree that "it's unusable" should outweigh the reasons for purple :)

I don't honestly know if displaying the passwords from as asterisks in the user interface actually provides any security, or if it's just an illusion.

I think there's a combination of factors:

* Displaying asterisks when typing a password is a good default, because it prevents people just casually seeing your password and happening to remember it and succumbing to curiosity, even if they normally wouldn't install a keylogger on your computer even if they could.

* Stored passwords should be encrypted by the browser and/or the operating system, so you can't see them unless you're logged in. I think they probably are, but I'm not sure.

* Passwords will usually be stored as text, not as a hash or anything. There's normally no benefit to doing anything else, since whatever is stored, it will be transmitted to the website and suffice for authentication.

* I'm not sure if there's a better way of managing passwords (or private-key based authentication) if browsers and websites worked together -- I don't think so, but I'm not sure. I think things like ssh recommend something more secure.

* If someone can use your stored password to log in, they can in principle recover what the password is (even if they have to recompile firefox).

* Not displaying the password prominently has some social-hacking prevention value: it stops someone who borrows your computer for a second seeing it, even though it's not cryptographically secure.

* Probably the best compromise is to store the passwords encrypted by a browser master password, display them as asterisks by default, but have a "show password" or "show stored paswords" button which needs you to enter the master password.