You’ve Been Hacked - Honorable 2
By Gnick

Poor Meg and Tom... Their cheesy romance has been soiled by a nosy
hacker - Let's see if we can help them out.

1) Why hadn't the privacy settings in Tom's AIM client or the digital
certificate in Meg's client encrypted their connection?

This one's pretty simple - AIM prioritizes convenience over security
(which seems to be popular in modern software.) AIM picks the highest
security level that both sides support, and it tells no one which level
it actually selected. Meg had a certificate (or key, or whatever you want
to call it) registered. Tom didn't. So the strongest level the two
clients had in common was Tom's, which is the lowest one available. The
client then displayed Meg's security settings to both users and
broadcast the liaison in clear text to the entire world.
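The downgrade described above, as an added toy model (not AIM's real protocol, and not code from the original write-up): the level names, the two clients and the chat message are all constructed for the example. The negotiation returns the strongest level both sides share, the naive status line reports the stronger party's settings to both users, and the fixed status line reports the level actually in use and refuses to connect below a floor the user asked for.

```python
"""Toy model of a chat client's security negotiation.

Hypothetical level names and clients, constructed for this example; the
point is only that the session silently drops to the weakest side's
level while the UI claims otherwise.
"""

from dataclasses import dataclass

# Strongest first.  Hypothetical names, not real AIM settings.
LEVELS = ["cert-encrypted", "password-encrypted", "cleartext"]
RANK = {name: i for i, name in enumerate(LEVELS)}  # lower rank = stronger


@dataclass
class Client:
    user: str
    supported: list       # levels this install can actually speak
    configured: str       # the level shown in this user's own settings dialog


def negotiate(a: Client, b: Client) -> str:
    """Pick the strongest level both sides support.

    If one side only speaks cleartext, cleartext is what the session gets,
    however strong the other side's certificate is.
    """
    common = set(a.supported) & set(b.supported)
    if not common:
        raise ValueError("no common security level")
    return min(common, key=RANK.get)


def naive_status(viewer: Client, peer: Client) -> str:
    """The misleading behaviour: show the stronger party's configured
    level to both users instead of the level actually negotiated."""
    stronger = min((viewer, peer), key=lambda c: RANK[c.configured])
    return f"Secure chat: {stronger.configured}"


def honest_status(viewer: Client, peer: Client, floor: str = "cleartext") -> str:
    """The fix: report the negotiated level, and refuse to connect when it
    falls below the floor the user asked for."""
    chosen = negotiate(viewer, peer)
    if RANK[chosen] > RANK[floor]:
        raise ConnectionRefusedError(
            f"{peer.user} only supports {chosen}; refusing to go below {floor}")
    return f"Session level: {chosen}"


def on_the_wire(level: str, message: str) -> bytes:
    """What a sniffer on the path sees.  Encryption is simulated by an
    opaque marker; the point is that cleartext stays readable."""
    if level == "cleartext":
        return message.encode()
    return b"<ciphertext>"


# Constructed sample matching the story: Meg registered a certificate, Tom did not.
meg = Client("Meg", LEVELS[:], configured="cert-encrypted")
tom = Client("Tom", ["cleartext"], configured="cleartext")

if __name__ == "__main__":
    level = negotiate(meg, tom)
    print("negotiated:", level)                  # cleartext, Tom's only option
    print(naive_status(meg, tom))                # both users are told "cert-encrypted"
    print(on_the_wire(level, "meet me at 8"))    # readable by anyone on the path
    try:
        honest_status(meg, tom, floor="password-encrypted")
    except ConnectionRefusedError as e:
        print("fixed client:", e)
```

Run it and the naive client reports Meg's certificate level to both users while the sniffer sees the message in clear; the fixed client either reports the real level or refuses to connect.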

2) How can Meg and Tom employ an encrypted protocol for communication
using AIM? What other chat programs offer better security features?

Really, all Tom needs to do is set up a security certificate of his own,
and then Meg and Tom can enjoy all the security features that AIM has to
offer. Truthfully, though, if you're looking for security, chat
protocols are the wrong place to look. If all you're doing is playing
out a lame Hollywood script and trying to find romance, AIM is fine
provided that it's set up correctly on both sides. If you need a little
more privacy (maybe things are getting serious, or you're trading
personal information), I'd suggest using YTalk over an SSH connection:
both of them log into the same host over SSH and run ytalk there, so the
only thing on the wire is the two encrypted SSH sessions. A little more
set-up time is required, but it provides very nice security. There are
also several commercial solutions, but none that I have enough
experience with to recommend. If you're really serious about your
privacy (maybe you're transmitting nuclear secrets to the Commies or
something like that), I'd suggest a more secure method of communication
than 'chat.'

3) Given the evidence presented in the narrative above, which system had
the attacker most likely compromised: Meg's computer, Tom's computer, a
machine on the network between Meg and Tom, or AOL's messaging system
itself? Why?

Any one of these compromises could have produced similar results from
the hacker's side. If any machine was compromised, I would guess 'a
machine on the network', because it seems like the easiest target. It
could be that no machine was really 'compromised' at all: any machine
located on the same network probably could have snooped on the
conversation.

4) What steps should Meg and Tom take next to deal with the bad guy and
eradicate him from their lives?

First - Abandon AIM. The big players (AOL, Microsoft) tend to be the
most attacked AND they tend to be the worst about sacrificing security
for convenience. Hopefully, that will change - but I'm still waiting.
Second - Change protocols and services. If you're romantically chatting
over AOL, and you don't mind voyeurs, then enjoy yourselves and make
peace with the fact that you'll be snooped on. Otherwise, kick it up a
notch and use a protocol that's a little tougher to mess with (an SSH
tunnel is probably 'good enough' for Meg and Tom, as long as it covers
the whole path: traffic that leaves the far end of the tunnel toward a
third-party chat server is back in the clear.)

-gnick