Jingles and Tribulations

As many of you may know I have been working on adding XMPP Jingle to the next release. The last two nights ive been up all night trying to get a RTP packet to go from one host to another. Everything looked ok but for some reason VOIP wouldnt work.  I’ve been sniffing my network looking for packets  and kept gettin 100% loss.  Host is sending out but nothing comes in the other end.   I just  noticed what was wrong.    Look at this packet capture log. Notice something odd about the second IP address? It should be

Who ever runs the 45.x.x.x network has probably blacklisted me for blasting UDP packets at them all the time in the wee hours of the night
This i why you should ALWAYS make sure that when two computers talk the bye order is network byte order and not host byte order!

Possible end of AIM support [Update: Confirmed]

Update: AOL has informed me that TOC2 protocol has been shut off.  AIM will be removed from  Monal. 



It appears that AOL has ended support for the TOC2 protocol that Monal and many other clients use to connect to AIM service. I am going to try to contact AOL about this. I have not had any luck getting AIM to work and it certainly looks like the server has been taken offline.

Technical stuff below.


Toc2 is the successor to the TOC protocol which stands for talk to oscar, oscar being the main closed source protocol. Toc was the open protocol that allowed 3rd party clients on the AIM network but had less features. This was why AIM in monal didnt have buddy icons.   I used TOC because it was well documented and easy to write from scratch. I do not have time to figure out the much more complicated Oscar.

When connecting to TOc2 i have tried two possible servers, neither work.  I believe it is dead.

Becoming Active

2012-07-27 20:36:53.832 Monal[798:3e03] -[AIMTOC2 connect] [Line 857] stream  created to  server: toc.oscar.aol.com port: 9898

2012-07-27 20:36:53.835 Monal[798:3e03] -[AIMTOC2 connect] [Line 877] Connected to  host

2012-07-27 20:36:53.855 Monal[798:c07] -[buddylist viewDidAppear:] [Line 735] buddy list ddid  appear

2012-07-27 20:36:53.856 Monal[798:440f] -[AIMTOC2 initilize] [Line 926] beginning login procedures

2012-07-27 20:36:53.877 Monal[798:440f] -[AIMTOC2 talk:] [Line 650] ostream ok..

2012-07-27 20:36:53.878 Monal[798:440f] -[AIMTOC2 talk:] [Line 656] sending: FLAPON

second try:

Becoming Active

2012-07-27 20:34:31.828 Monal[767:3d07] -[AIMTOC2 connect] [Line 857] stream  created to  server: aimexpress.oscar.aol.com port: 9898

2012-07-27 20:34:31.829 Monal[767:3d07] -[AIMTOC2 connect] [Line 877] Connected to  host

2012-07-27 20:34:31.834 Monal[767:c07] -[buddylist viewDidAppear:] [Line 735] buddy list ddid  appear
2012-07-27 20:34:31.837 Monal[767:4903] -[AIMTOC2 initilize] [Line 926] beginning login procedures

2012-07-27 20:34:31.838 Monal[767:4903] -[AIMTOC2 talk:] [Line 650] ostream ok..
2012-07-27 20:34:31.838 Monal[767:4903] -[AIMTOC2 talk:] [Line 656] sending: FLAPON






End of iOS 3.x support

I promised to keep supporting iOS 3.x users as long as I could. The time has finally arrived where there are compelling enough technologies in newer versions that I can’t support 3.x users anymore.   The new minimum requirement will be ios4 and that should include everything but the original iPhone.

2.0.6 Coming

2.0.6 is almost done. I am currently bug testing. Barring any major bugs it should be out in before x-mas.  Still no jingle. That will be a huge update, probably Monal 2.1

2.0.6 changelog

This is a major update that adds many features and fixes significant bugs.

1. fixed bug where close all chats closed even when clicking no
2. Added ability to swipe between active chat windows (issue #15)
3. tapping on a sliding message notification will take you to the conversation
4. keyboard correctly resets from symbols after sending a message
5. Chatlog is now organized by day instead of a large flat list
6. Changed icon set to support retina display
7. improved compatibility with old style SSL
8. tested to work with Oracle Beehive servers
9. Fixed bug with SASL authentication
10. Resolved ios5 issues with SSL
11. Fixed problems connecting to cisco webex servers
12. Shows own full name properly when in chat window
13. Fixed xmpp bug with iq query on vcard request (issue #55)
14. Added a cancel button below progress indicator to cancel a login attempt. (issue #26)
15. enabled Gtalk connections on 443

How to post to other people’s Facebook accounts

As I poke through facebook, every once in a while I stumble upon some rather fun security holes.  This one is probably one of my favorites. It is simple to exploit and the victim has no way of stopping it.

For this to be most effective, it requires you to have initial access to a target’s account but it is not necessary.  This can be done by:

1. using firesheep on a public wifi network

2. when a person has left a machine logged in or  has stepped away for a few seconds.

3. tricking them into sending you a screenshot of the page below.

4. looking over someone’s shoulder

With the user logged in, go to


On the lower left, there is the” upload via email”  option with an email address. Anyone who has this email address can post videos and images to a victim’s FB wall.  Once the email address has been acquired by the attacker, the victim cannot change it.  When something is posted on the wall using this email address, nothing will indicate who posted it or how. Facebook has no security to only allow certain senders to use this address.

The email address appears to be in the form


in order for the email to work

1. it must have a subject

2. it must have an image/video attached

Since it uses two dictionary words and a number, a determined  spammer can also just brute force into random accounts by sending out millions of emails. 

When an attack is successful, a confirmation email comes with the subject  “Facebook Photos”  confirming that that email account is valid and the photo has been posted. 

This is how a compromised post appears on the wall.  The only hint as to where it came from is Mobile Uploads album.

2.0.5 coming

2.0.5 development branch has been frozen. I am currently testing for  release.  This version does not have jingle voice chat. I hope to have it working properly in the 2.0.6 release. Im pushing this out since I missed my September release deadline for 2.0.5

2.0.5 changelog

This is an update that fixes bugs and adds features.

1. iOS5 compatible (fixes crashes)
2. Uses standard iphone notification sound and vibrations.
3. Fixed bug where sounds didnt play
4. Uses device/switch settings. Removed vibration options in Monal settings since they are redundant
5. Correctly detects https links in chats
6. Added feature to not save the password and request it on every login for additional security.
7. improved xmpp capabilities support (xep-0115)
8. in chat view, will show the full date if the message came on another day
9.Added expanding text view like in messages app.
10. chat log can use the full screen to display messages (removed grey box at bottom)

Expanding chat box.

By popular demand. Here is the new expanding chat input box.

I have also fixed several bugs related to iOS5. Since these are urgent. I will likely release 2.0.5 with these changes and save Jingle for the big release coming after that.