Question about security on a program........

Michael Wittman plug-discuss@lists.PLUG.phoenix.az.us
Tue, 8 Jan 2002 22:54:22 -0700


On Tue, Jan 08, 2002 at 09:35:27AM -0700, Kimi A. Adams wrote:
> I have a potential customer requesting a program that I believe will 
> provide security issues.  It's called YTalk, see the link below.
> 
> http://www.iagora.com/~espel/ytalk/ytalk.html
> 
> It has lots of information but since I am unfamiliar with this product, I 
> need to know from the group whether it's a potential problem for security 
> risks.  This person says he dials in with an ISP dial up account, initiates 
> the Ytalk program from his shell account, then "rings" the other party, his 
> friend in Ukraine, and they are connected.  I believe it's sorta like IRC, 
> which is not too much of a problem but I just won't light up "talk" on my 
> servers for obvious reasons.
> 
> If there is a good way to protect against security risks, I would like to 
> know that as well.  Again and always, I appreciate all comments and info I 
> can get from all of the group.  Thanks.

I used talk/ytalk a bit in college.  It allows you to have a
split-screen chat session in a terminal, either with people on your
own machine or people on another machine running a talk daemon.

Since he's initiating the session, the server his friend is on must be
running a talkd server.  This means that you would need to provide him
only the ytalk client, not a running talkd server.  The security
issues involved in running the ytalk client should be roughly
equivalent to those involved in running an irc client.  (Actually,
depending on the irc client, they would be somewhat less because ytalk 
does not have scripting functionality or file transfer capability.)

By the way, Red Hat (version 6.2, at least) provides ytalk, so you may
already have installed it with your distribution.

-Mike