
Sametime needs Chinese Walls, now more than ever, otherwise we can expect SPIM


I was chatting with a few Penumbra folks this morning about LotusLive, and about how you can log in with a Sametime Connect client to im.lotuslive.com. It is my understanding that one of the target audiences for LotusLive is businesses that want to work securely in an online space with other businesses, vendors, suppliers etc. Great: share docs, have online meetings, use Sametime to IM. But I think there's an issue. LotusLive has a friends feature, so you can expose your information to friends, invite them into activities etc., but they can't do that unless you give them permission, and this is where I think Sametime needs Chinese Walls (the ability to restrict, from the server side, who can chat with whom).

Right now, if you connect to im.lotuslive.com with Sametime, you log in and can add other people if you know their email address. The thing is, you can add people you don't know, and people can add you without your permission. So imagine someone writes a Sametime bot and gives it 50000 email addresses to try and resolve; for every address that resolves, it sends a SPIM message (IM spam), and because it's Sametime with Rich Text support, that SPIM can contain images, text, links, all sorts. Just for kicks I did an experiment to demonstrate how this could be abused: I created a new account called "Sametime Admin", so to other users the message comes from "Sametime Admin", and I sent a test message to the folks I was discussing this with and they got it. Imagine users getting a message from "Sametime Admin" saying something like "We have an important update to apply to your Sametime account, please enter your password to proceed". Sure, most people would never be so stupid, but not everyone is most people.


It is my belief that people should not be able to IM someone else on LotusLive unless they have added them as a friend. LotusLive is about business, and you don't want SPIM in a business application. The Sametime privacy feature needs to be tied in automatically to the friends/contacts list in LotusLive. In fact, as a usability feature, any contacts you have in LotusLive should appear automatically in your Sametime buddy list anyway. Also, while talking of general enhancements, the Sametime profile picture should be populated with the picture used in the LotusLive profile.
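The server-side gate the post argues for, written up as an added example (not code from the original post, nor any real Sametime or LotusLive API): delivery is allowed only when the recipient has added the sender as a contact, administrator-like display names are refused, and an account that resolves far more addresses than a person would is flagged. All names, the threshold and the sample data are constructed for illustration.

```python
# Added example, not from the original post or from IBM/LotusLive: a model of
# the "Chinese wall" policy the post proposes. Names and limits are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field

# Display names that should never be issued to an ordinary account (assumed list).
RESERVED_DISPLAY_NAMES = {"sametime admin", "lotuslive admin", "administrator"}
# Directory lookups a single account may perform before it is flagged (assumed).
RESOLVE_LIMIT = 100


@dataclass
class ImGate:
    # recipient -> contacts that recipient has accepted; constructed sample data
    contacts: dict = field(default_factory=lambda: defaultdict(set))
    # requester -> number of directory lookups performed
    resolves: dict = field(default_factory=lambda: defaultdict(int))

    def add_friend(self, owner: str, friend: str) -> None:
        """Only the owner's own list counts; being added by someone else grants nothing."""
        self.contacts[owner].add(friend)

    def resolve(self, requester: str, address: str, directory: set) -> bool:
        """Directory lookup, counted per requester so bulk resolution becomes visible."""
        self.resolves[requester] += 1
        return address in directory

    def bulk_resolver(self, requester: str) -> bool:
        """An account resolving thousands of addresses behaves like a bot, not a person."""
        return self.resolves[requester] > RESOLVE_LIMIT

    def may_deliver(self, sender: str, recipient: str, sender_display: str) -> tuple:
        """Decide whether an IM from sender reaches recipient; returns (allowed, reason)."""
        if sender_display.strip().lower() in RESERVED_DISPLAY_NAMES:
            return False, "display name impersonates an administrator"
        if self.bulk_resolver(sender):
            return False, "sender flagged as bulk resolver"
        if sender not in self.contacts[recipient]:
            return False, "sender is not in recipient's contact list"
        return True, "ok"
```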

The good news is that there are not many users on LotusLive yet, so IBM has time to fix it.

Comments

1 - Want to take it a step further? All the email addresses from Lotusphere are floating around because of the vendor floor and every attendee got an account created already. No need to build the list, it exists.

2 - Carl,

I agree with your statement that "the Sametime Profile picture should be populate with the picture used in the LotusLive profile." That's exactly why I created this IdeaJam posting { Link } a while back.

Vote it up!!

-Tim E. Brown

3 - @1 Yep, although I was smart enough to use a different email address for both.

@2 I thought I had, but I will.

4 - Carl,

I agree. And in the future we want LotusLive to be a white label product, and by that timeframe we also need Chinese Walls within the other parts of LotusLive.

I also would like to see that if we create a LotusLive Group, it automatically becomes a LotusLive Sametime Group.

Erik
