
AOL Hacks Subscribers' Computers 558

ctwxman writes "If you're running a recent vintage version of Windows, and connecting to the Internet with an IP address reachable from the outside world, you've probably seen them. They're rectangular boxes that pop up out of the blue with advertising. These aren't pop-up (or pop-under) browser ads but actually a weird misuse of Windows Messenger Service, a mostly useless tool which Microsoft has left on by default! Though similarly named, this isn't at all related to Microsoft's IM product. You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services. The best way to stop the pop-ups requires the user to readjust some internal Windows settings. As you might imagine, many users are reticent to do that. Now, AOL has come up with another solution. They're going into subscribers' machines, without asking and making the adjustments themselves! Though the short term result will probably be good, there are all sorts of implications when your ISP just reaches out and decides how your PC should be configured without your knowledge." The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating.
This discussion has been archived. No new comments can be posted.

  • A0L is L337 (Score:5, Funny)

    by JonoPlop ( 626887 ) <meNO@SPAMJonathonMah.com> on Friday October 24, 2003 @10:46AM (#7300825) Homepage
    ...next thing you know they'll change their name to a0l.

    (fp?)
    • "internal Windows settings?" That's like calling daemons internal Unix settings. They are separate programs. Turning them on and off isn't even HARD.
      • "internal Windows settings?" That's like calling daemons internal Unix settings. They are separate programs. Turning them on and off isn't even HARD.

        Exactly. Changing from disabled to manual or automatic for the startup type is very easy. Easier than starting and stopping unix daemons. Just because the author wasn't immediately familiar with the process doesn't mean it's hard.

        Uninstalling software is hard for people that don't know how to use their computers.
    • by mikeswi ( 658619 ) * on Friday October 24, 2003 @01:11PM (#7302466) Homepage Journal
      AOL is not hacking anything. It's an update to their software that does this, not some 1337 a0l h4x0r tech blowing past the firewall.

      Jesus, even for slashdot this is too much FUD.

      Granted, AOL should at least prompt the damn user. Turning off a service without asking is unacceptable.

      DISABLE MESSENGER SERVICE? MESSENGER SERVICE
      CAN BE USED TO DELIVER UNWANTED POP UP ADS.
      [*YES*] [NO]

      Oh wait, my bad. This is a multi-billion dollar corporation. Why should they give a shit what their customers want?
  • Solution (Score:2, Informative)

    Solution: Do not use AOL.

    I hope this helps.

  • by jaredmauch ( 633928 ) <jared@puck.nether.net> on Friday October 24, 2003 @10:47AM (#7300845) Homepage
    This is a good thing. Windows messenger is not used by the bulk of the AOL userbase except to receive spam. Disabling something that should have been off by default already and enabled in a true lan/office environment will provide them a better user experience. It will also close one more possible way their possibly unpatched machines will become compromised.

    I for one hope that AOL starts distributing the Microsoft patches on their CDs and via their service as well as part of their AOL software updates to encourage people to get the most recent software patches. (fp?)

    • by siskbc ( 598067 )
      This is a good thing. Windows messenger is not used by the bulk of the AOL userbase except to receive spam. Disabling something that should have been off by default already and enabled in a true lan/office environment will provide them a better user experience. It will also close one more possible way their possibly unpatched machines will become compromised.

      Yeah, but the idea of your ISP fuX0ring your computer isn't so cool. But at the point where you use an OS that *lets* your ISP do that shit, AOL isn'

      • by jaredmauch ( 633928 ) <jared@puck.nether.net> on Friday October 24, 2003 @10:55AM (#7300965) Homepage
        You're not talking about your "Average" ISP. AOL software uses a VPN client to connect you into the private aol-exclusive content. If this was done by earthlink or some other provider that just provides you ppp and unfiltered bits to the world, then yes, it's a bit more fuzzy, but you need to have the AOL software, and this could be covered by their EULA. People may not like it, but if you don't, use a different provider or OS that doesn't have these issues. I for one defend AOL for taking a good security stance in disabling a service 99.9% of the people likely don't know is running on their system, and for which they could be compromised via.
        • Being an adult, I personally don't care for someone else deciding what is good for me and forcing it on me. That sort of mentality quickly becomes self serving and can never be trusted. It's made worse by the fact that AOL could have offered it as a service to its users, who then could have clicked a link to allow AOL to disable this. Had they put out word and offered a way to fix it I would have found myself in the uncomfortable position of having to praise AOL. However, as they chose to force their will
          • AOL did provide it as a choice for users, they were uneducated enough to do it themselves yet were still complaining. You can find such references in the article. Please read it.

            Saying AOL is breaking into their system is just trolling. They are already AOL customers, received an AOL software update for which they're paying a fee for the AOL service (and the required software for the AOL service, remember AOL isn't just internet access. Those of us that remember prodigy, compuserve, etc.. know this qu

        • by fredz ( 89077 ) on Friday October 24, 2003 @11:52AM (#7301638)
          I think jaredmauch hits the nail on the head when he says "You're not talking about your 'Average' ISP." AOL is very paternalistic, giving its customers a nice, safe, easy environment that you or I might find infuriating but that some people really like. Those people who want 'somebody who knows computers' to manage their 'online experience' are the same people who want 'someone who knows computers' to manage their PC.

          I think AOL may be accidentally backing themselves into a good business model. You buy the PC and sign up for AOL, and they take care of all of the rest of the technical stuff for you. I won't be signing up anytime soon, but I bet a lot of people would love the service.

          Fred
      • Yeah, but the idea of your ISP fuX0ring your computer isn't so cool.

        Why not? Especially if it's a network service.

        This isn't AOL looking for passwords--this is the rough equivalent of them updating the AOL software.

        If you want an ISP that just gives you a modem dial-in and e-mail box, then AOL simply isn't your choice.
      • Yeah, but the idea of your ISP fuX0ring your computer isn't so cool. But at the point where you use an OS that *lets* your ISP do that shit, AOL isn't the greater evil.

        The OS doesn't "let" AOL shut off the service. It's not like Windows is opening a port that listens for remote configuration requests. (Although I think XP has some stupid features like that, they're probably not turned on by default and in any case that's not the mechanism AOL is using.)

        As an AOL user you installed AOL's crap on your comp
    • by TopShelf ( 92521 ) on Friday October 24, 2003 @10:55AM (#7300972) Homepage Journal
      One way of looking at this is that AOL is simply taking Microsoft's quality issues into their own hands. As for crossing into the uncharted waters of adjusting Windows settings from within the AOL application, don't they do that already during setup to arrange dialup settings, etc.? Really, the only thing I'd see wrong with this is the lack of notification by AOL to their users. Sure, it would take some effort to craft a statement that explains what they're doing while not confusing or scaring the users, but it would have covered their corporate butts at least.
    • by mao che minh ( 611166 ) on Friday October 24, 2003 @10:58AM (#7300996) Journal
      AOL probably realizes that the average customer is going to blame pop-ups on either AOL software, or blame AOL for being unable to prevent them. With competitors like Mindspring offering free software that does block the messenger flaw, people are leaving AOL.

      AOL is just protecting their business.

    • Holy buckets I think you're on to something. Why *doesn't* AOL start putting MS patches on their CD's? Really. Most all the AOL CD's I get just get tossed in the garbage. I know they can't be using all 700 MB of space on that disk anyhow. Granted it shouldn't be the only way that users patch... but at least it'd keep those on dial-up and those that are unaware patched up every 6 months or so. Granted my AOL CD's would still go in the trash since I have a Mac... but...

      I don't however agree that MS sho
    • I'm sure that somewhere in the EULA, TOS, or AUP is a clause that gives AOL the authority to do this to their subscribers' computers. Or they may argue that "optimal configuration of our product requires the Messenger service be disabled." Either way, I'm sure their lawyers looked at it first.
    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Friday October 24, 2003 @11:31AM (#7301393)
      Comment removed based on user account deletion
      • the problem with that is that a good number of people would think it was talking about Windows Messenger AKA MSN Messenger. They would then say no and not have this setting turned off like it should be.
      • by AllUsernamesAreGone ( 688381 ) on Friday October 24, 2003 @01:52PM (#7302873)
        Theoretically, I agree. But put yourself in the place of AOL - they start asking people whether they want Messenger Service disabled and the first thing they'll see is a massive increase in the number of people phoning the technical support line asking why their computer is asking them this question, then they'll find (as another poster suggested) that many of them will get confused and refuse it and then they'll have yet more people on the phone complaining that something has gone wrong "because of that fix you did" (when it is likely to be just psychological, or something the user has done). Trust me, I've done tech support, the very LAST thing you want to do is ask the average, barely computer literate user, questions about technical issues on their machines.

        While the ethics are questionable, IMO AOL is aimed at people who are not and have no intention of becoming technically literate, and as such they are dangerous - to themselves and the net - when a known exploit exists on their machines. In exactly this situation, I have no problem with the action. Yes, I'd be annoyed if anyone tried it on my machines, but I'm with an ISP that expects some technical ability.
  • Someone will sue (Score:3, Interesting)

    by Rai ( 524476 ) on Friday October 24, 2003 @10:48AM (#7300853) Homepage
    I wonder how this will stand up in court when someone decides to sue...and you know someone will.
    • I don't know about the AOL software EULA, it could permit such patching/changing of registry settings. They could also say that it was done in order to preserve the security of their network (ie: having millions of compromised machines via the latest messenger exploit). I don't see anything clearly illegal here.
      • I just picture some lawyer in court saying "your honor, AOL violated the rights of my client as stated in the Computer Fraud and Abuse Act...and we are asking for XXX thousand dollars in compensation."
    • Yes as Newton's third law clearly states..

      For every corporate action, there is an equal and opposite class action suit.

    • Dude, didn't you read the headline?


      AOL users. Their swarming membership will probably be oblivious to all this, and think that they finally got the 'internet security slider' in just the right position, or alternately, figure all the replies they sent spammers saying 'take me off your list' just got there.

  • by Anonymous Coward on Friday October 24, 2003 @10:48AM (#7300855)
    Don't get me wrong, I'm not approving of what AOL is doing, but at worst this is "white hat" hacking. This is the sort of stuff that /.ers joke about (and perhaps engage in), chuckling about writing worms that use holes in Windows to get in and then patch the very same holes.
    • by donutz ( 195717 ) on Friday October 24, 2003 @11:03AM (#7301051) Homepage Journal
      Maybe you're new here, but "white hat" hacking is dangerous. Just look at the Welchia [symantec.com] worm. Someone tried to fix computers infected with Blaster, but their "white hat" hacking worm only made things worse.

      Good intentions don't always mean you let it slide when someone breaks the law.
    • by arcanumas ( 646807 ) on Friday October 24, 2003 @11:04AM (#7301064) Homepage
      The fact that their intention is good means nothing.
      Think of this. I have a custom application that USES this service and when they disable it my company stops working... Do they have the right to do it now?

    • The problem I have is that when AOL does it, it's business and when someone else does, it's hacking. Remember the anti-msblast worm [slashdot.org]? People high up in the industry called for that guy to be found and prosecuted (And I think he might have been, but I couldn't find the article). Those same people will probably praise AOL for this. Just imagine the precedent this will set. You know, that new version of Gator or Bonzi Buddy (no - I won't link them) should be helping you configure your machine too! Oh, and Rea
  • by blunte ( 183182 ) on Friday October 24, 2003 @10:48AM (#7300858)
    When you have the single largest group of ignorant users in the world, how do you educate them to protect themselves from the MS problems?

    I bet AOL did this due to constant complaints from subscribers about AOL "allowing" or "sending" them popups.

    I also bet there's a clause in the AOL agreement (which AOL subscribers have agreed to) that either explicitly allows AOL to configure your computer, or allows them to change their policy at any time, thus allowing that by proxy.

    • that's what I thought, enough complaints about penis enlargement ads or busty-grandma's part 3 will get them to act... after all, they all but control every piece of advertising that you see on your PC (when you're an AOL user), why not "help you out" with this... it's the least they can do.

    • When you install AOL, you expect it to make changes to the configuration of your computer. Why is this any different?

      My girlfriend has aol (subscribed before I met her, otherwise I'd have recommended something better) and was being driven mad by these pop-ups. I had to explain that it was microsoft stupidity that allowed them, and disabled them for her.

      HH
      --
    • I can't believe I'm saying this, but I'm with AOL on this one. Their customers are not techies. The Windows Messenger service is a worthless spam hole. I just hope AOL doesn't start misusing the trust of its customers to add "new" enhancements.

    • BS. First, it is illegal if not specifically included in the contract. Second, it is probably in a grey area even if it is not specified by the contract and AOL is likely liable for any "damages" they cause. Third, it is a little creepy that AOL can wield that kind of power if legal action is not pursued by someone.

      Sure, in this case, it probably helped the greater good. Sure, in this case, it probably helped more than it harmed. That wouldn't always have to be the case and we now know that AOL is capable
  • They could just put a blanket firewall over their entire subscriber IP pool...
    • Please read the article. It isn't as simple as blocking a port.
      • Excuse me?

        If you connect to the Internet by using a corporate network or if your Internet service provider (ISP) uses a firewall, ask the network administrator to configure the firewall to block inbound NetBIOS and UDP traffic. Contact your network administrator or ISP for more information.

        A bit further on...

        The Messenger service uses UDP ports 135, 137, and 138; TCP ports 135, 139, and 445; and an ephemeral (that is, short-lived) port number greater than 1024.

        In addition to preventing net send messages,
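The port list quoted in the comment above can be checked against a packet-filter rule set to see how much of it a given configuration actually closes. This is an added example, not part of the original thread or the quoted advisory; the rule syntax, the first-match model and both sample rule sets are constructed assumptions.

```python
# Fixed ports the quoted text lists for the Messenger service.
MESSENGER_PORTS = [("udp", 135), ("udp", 137), ("udp", 138),
                   ("tcp", 135), ("tcp", 139), ("tcp", 445)]

# CONSTRUCTED rule sets for unsolicited inbound traffic, in a hypothetical
# "action proto port[-port]" syntax evaluated top to bottom, first match wins.
ONE_PORT_BLOCKED = """
deny udp 135        # only the port most often named in pop-up spam reports
deny tcp 135
"""
DEFAULT_DENY = """
allow tcp 22        # everything not listed falls through to the default
"""

def parse_rules(text):
    """Turn rule text into (action, proto, low_port, high_port) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, ports = line.split()
        low, _, high = ports.partition("-")
        rules.append((action, proto, int(low), int(high or low)))
    return rules

def verdict(rules, proto, port, default):
    """First matching rule decides; otherwise the default policy applies."""
    for action, rule_proto, low, high in rules:
        if rule_proto in (proto, "any") and low <= port <= high:
            return action
    return default

def audit(rule_text, default="allow"):
    """Report which Messenger-related ports stay reachable from outside."""
    rules = parse_rules(rule_text)
    open_fixed = [f"{proto}/{port}" for proto, port in MESSENGER_PORTS
                  if verdict(rules, proto, port, default) == "allow"]
    # The quoted text also mentions an ephemeral port above 1024. It cannot
    # be named in advance, so check whether any high port is let through.
    high_open = any(verdict(rules, proto, port, default) == "allow"
                    for proto in ("udp", "tcp")
                    for port in range(1025, 65536))
    return {"open_fixed": open_fixed, "high_ports_open": high_open}

if __name__ == "__main__":
    print(audit(ONE_PORT_BLOCKED, default="allow"))
    print(audit(DEFAULT_DENY, default="deny"))
```

Blocking a single port leaves the rest of the quoted list reachable, while a default-deny inbound policy covers the fixed ports and the ephemeral one together.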

  • While there are clearly bad implications for this, there are many positive ones. I am constantly amazed when I ask people if they get the windows messenger pop-ups and they answer 'all the time!'
    I've never gotten them (I suppose my router helps), but I turned off the service long ago, but I talk to many people who say they get them several times a day. They are always very grateful when I turn it off for them.
    AOL shouldn't do this automatically, but they should have a prominent feature that allows user
  • EULA (Score:5, Interesting)

    by Rosonowski ( 250492 ) <rosonowski.gmail@com> on Friday October 24, 2003 @10:50AM (#7300881)
    EULA.

    That says a lot.
    The computer fraud and abuse act covers unauthorized access, and while the changes may not be explicitly authorized, I'm willing to wager that there is some clause in the agreement between the users and AOL that allows for this kind of thing.

    Unethical, yes.
    Legal? Possibly. I haven't used AOL in about six years, and even then, I don't think that I looked at the EULA (if there even was/is one)

  • by BlackBolt ( 595616 ) on Friday October 24, 2003 @10:50AM (#7300888) Homepage Journal
    Turn off Messenger [virginia.edu]
  • Install AOL on their PC. Get Hacked Sue
  • AOL Users (Score:2, Insightful)

    by gregarican ( 694358 )
    When I see people sign up for AOL I feel the way I do when I see fat people line up outside the Dairy Queen pickup window. Why, people, why? You don't need to add to your own miseries.

    The typical AOL user is vulnerable no matter which angle you take. It's like if a new ISP service was started by the "...For Dummies" company. As a user you'd have a big Kick Me sign on your back.

  • Or user agreement or whatever they have.

    I dunno just asking, I'd like to think that a big player like AOL knows all the dirty tricks to cover themselves legally before pulling stunts like that. They've been around a bit and this move is just too sloppy IMHO

  • by mao che minh ( 611166 ) on Friday October 24, 2003 @10:51AM (#7300907) Journal
    2003-2004 America Online Inc.
    Microsoft Security Analyst

    - Remotely corrected flaws in the Microsoft Windows operating system
    - Reason for leaving: Incarceration by the Federal Bureau of Investigation, 2004-2006

  • by jericho34 ( 542866 ) on Friday October 24, 2003 @10:52AM (#7300914) Homepage
    echo "your monitor's radiation shield has failed, please evacuate to minimum safe distance" |smbclient -M luserbox doesn't get them every time, but when it does...

  • I mean, they could always add a clause, assuming the it's not already in there...

    Such a depressing news day, I'm leaving early for the pub today ;)

    Oh, and who the hell is Russ Cooper - seriously, a "security expert" recommending that software providers secretly reconfigure machines ? Lemme guess, he's a MCSE who's on the take ?

    RE:

    Russ Cooper, a security expert with TruSecure Corp., said anyone who needs the Windows messaging function that AOL disabled ought to be smart enough to know how to reac

  • You Agreed (Score:5, Insightful)

    by Ageless ( 10680 ) on Friday October 24, 2003 @10:53AM (#7300936) Homepage
    I guarantee that somewhere in some license agreement the users gave AOL permission to do this.

    And as for "adjusting Windows internal settings", let's stop the FUD shall we? It's turning off a service. Nothing insidious. If someone recommended that you comment out the telnet line in /etc/inetd.conf would you call it "adjusting Linux's internal settings"?

    Everyone knows that turning off Messenger is a good thing. AOL is looking out for their customers. Give em a break.
    • Re:You Agreed (Score:3, Insightful)

      by frankie ( 91710 )
      somewhere in some license agreement the users gave AOL permission

      This is almost certainly true.

      If someone recommended that you comment out the telnet line in /etc/inetd.conf

      If your ISP got root on your linux box, killed telnetd, and commented that line out, without telling you, then you might have an analogy worth discussing.

      • If your ISP got root on your linux box, killed telnetd, and commented that line out, without telling you, then you might have an analogy worth discussing.

        Fair enough. I rescind my broken analogy.
    • Re:You Agreed (Score:4, Interesting)

      by ComputerSlicer23 ( 516509 ) on Friday October 24, 2003 @11:22AM (#7301283)
      I'll point out that, recommending you comment out the telnet line, is completely different than when you install pppd it went into your /etc/inetd.conf and fiddled with it to turn it off for you.

      I'd be pissed if pppd did that if it wasn't documented clearly (for a variety of reasons, up to and including the fact that I forgot to turn off telnet on a machine I ran). Mostly because the people who wrote pppd shouldn't be fiddling with my inetd.conf settings.

      I didn't get the impression from the Slashdot story that they are doing it in software. However, that makes me think you are correct, it's FUD. Goodness, is it a crime to install software which enables IIS for you, because enabling IIS has security flaws? I'm pretty sure various pieces of software enable IIM for you when you install them. No 17 year old kid convinces you to install highly useful software, and pay them for a subscription service, and also happens to install BackOrifice on your computer. If it was documented to install BackOrifice, I don't think they'd even have a complaint until somebody actually logged into BackOrifice.

      If they wanted to be on the up and up about it, they'd refuse to install AOL until the messenger service was turned off and give you instructions about how to do it. Possibly have a dialog box that was set up for you to click okay to approve it, or uncheck this box to leave the service running.

      Kirby

    • This isn't AOL "recommending" that users turn off the service. If Comcast could magically go in through my cablemodem and shut down my (completely internal) instance of PostgreSQL, I'd be pretty cheesed. Would that mean they could also alter or delete any anti-Comcast documents they found hanging around? Wouldn't AOL's userbase be the type to have programs "remember" their password for, say, their online banking?

      You are probably right about some EULA giving them the "right" to do this, however (assuming
    • Formatting a user's hard drive without asking isn't destroying their computer, it's just informing them they are vulnerable, and really should update their system configuration.

      Sorry, it is MY computer, it is MY responsibility. Others shouldn't go around taking care of it for me without my permission.
      At least by demonstrating they are willing and able to control users' computers. And acknowledge that they have a responsibility to control their users' computers they have opened themselves to liability for any wo
  • by cosyne ( 324176 ) on Friday October 24, 2003 @10:54AM (#7300956) Homepage
    I think even non-slashdotters could manage:

    Disabling the Messenger Service

    You can disable the Messenger service if you want to although doing so may result in Windows not being able to alert you to some conditions. A list of circumstances when Windows will use the Messenger service to pop up informative windows isn't available right now but may include things like "print job complete", anti-virus, and event logger status messages. Also, "new mail" notifications may not be available in an Exchange/Outlook environment.

    Windows 2000

    1. Click Start->Programs->Administrative Tools->Services
    2. Scroll down and highlight "Messenger"
    3. Right-click the highlighted line and choose Properties.
    4. Click the STOP button.
    5. Select Disable in the Startup Type scroll bar
    6. Click OK

    Windows XP

    1. Click Start->Control Panel
    2. Click Performance and Maintenance
    3. Click Administrative Tools
    4. Double click Services
    5. Scroll down and highlight "Messenger"
    6. Right-click the highlighted line and choose Properties.
    7. Click the STOP button.
    8. Select Disable in the Startup Type scroll bar
    9. Click OK

    You can verify the service is disabled by typing the following at a command prompt. If no message appears, the Messenger service has been disabled.

    * net send 127.0.0.1 "test"

    (blatantly ripped from http://www.jmu.edu/computing/security/info/winmsg.shtml)
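The procedure above has two separate actions, stopping the service and setting its startup type to Disabled, and a host can end up with only one of them applied. This added example (not from the original post or the page it quotes) classifies a host from the text that `sc query Messenger` and `sc qc Messenger` print; the sample outputs are constructed and the status labels are this example's own.

```python
import re

# CONSTRUCTED sample text in the layout `sc query Messenger` and
# `sc qc Messenger` print on Windows 2000/XP; not captured from a real host.
QUERY_RUNNING = """
SERVICE_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
"""
QUERY_STOPPED = """
SERVICE_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
"""
QC_AUTO = """
SERVICE_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
"""
QC_DISABLED = """
SERVICE_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
"""

# "KEY : <number> <NAME>" lines; spaces and tabs only, so a match never
# runs across a line break.
FIELD = re.compile(
    r"^[ \t]*([A-Z_]+)[ \t]*:[ \t]*\d+[ \t]+([A-Z0-9_]+)[ \t]*$", re.M)

def sc_fields(text):
    """Map field names such as STATE or START_TYPE to their symbolic value."""
    return dict(FIELD.findall(text))

def assess(query_output, qc_output):
    """Classify the service from the two command outputs."""
    state = sc_fields(query_output).get("STATE")
    start = sc_fields(qc_output).get("START_TYPE")
    if state is None or start is None:
        raise ValueError("STATE or START_TYPE not found in sc output")
    stopped = state == "STOPPED"
    disabled = start == "DISABLED"
    if stopped and disabled:
        return "disabled"                  # both steps done
    if stopped:
        return "stopped-will-restart"      # STOP clicked, startup type untouched
    if disabled:
        return "disabled-still-running"    # startup type set, STOP not clicked
    return "running"

if __name__ == "__main__":
    for q, c in [(QUERY_RUNNING, QC_AUTO), (QUERY_STOPPED, QC_AUTO),
                 (QUERY_RUNNING, QC_DISABLED), (QUERY_STOPPED, QC_DISABLED)]:
        print(assess(q, c))
```

A service that is only stopped passes a one-off `net send` test yet starts again at the next boot, which is why the check reads the startup type as well as the current state.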
    • Steps to stop and disable a service running on Win2K: 6
      Steps to stop and disable a service running on WinXP: 9

      Steps to stop and disable a service running on Linux: 3

      1) Open a Command Prompt (OK, OK, Terminal Session)
      2) Type: service messenger stop
      3) Type: chkconfig messenger off

  • This is a service, as mentioned, and so it can be stopped. Right click my computer -> manage -> Services and Applications -> Services -> right click on Messenger, and click disable. Can you linux users really not figure out the simplest things in Windows?
  • net message username message
    I use it when I just don't want to pick up the phone. Not really useful except for saying "rebooting the server in 15 minutes. Save your work. Consider yourself warned." I used it a lot more in the NT4 days than I do now though. Far from useless like the article would have you believe. Granted, for home use it should be turned off.
  • The Computer Fraud and Abuse Act makes this clearly illegal

    No, it doesn't. Point out to me where this would fall under that act. The act requires fraud, causing of damage, etc...
  • "The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating. "

    actually, the FBI won't investigate without a reported loss of $10K (see The Cuckoo's Egg by Cliff Stoll - tho i don't know how this has changed since cliff wrote his goofy book.

    of course, given some of the claims made of damages by corporations (cough! nytimes! cough!), perhaps all these users could claim 10million in damages with about as much plausibility and get a

  • by BrynM ( 217883 ) * on Friday October 24, 2003 @10:57AM (#7300985) Homepage Journal
    To quote their oh so action packed commercial...
    "Sanitized for your protection"
    God, I cringe every time I hear that. I didn't think their ideas to sanitize the internet would come down to hacking their users' machines. If only AOL would tell their customers exactly how invasive they can be. Oh well, I'll go back to herding the user cattle now.

    Git along hapless users. Cck! Chk! Git! C'mon users, git!

  • by onyxruby ( 118189 ) <onyxruby@ c o m c a s t . net> on Friday October 24, 2003 @10:58AM (#7300994)
    I hate to defend AOL, but so what. AOL has been f**king with subscribers' computers for years now. From changing TCP/IP to modifying network settings and on and on. They were sued for this kind of thing with AOL 5.0, and that was several years ago. This is hardly new behavior from their part.

    The only thing newsworthy about this is the fact it is finally actually a beneficial change to the user's computer. Frankly, it'd be more newsworthy if they made a change that opened a security flaw instead of closing it. Perhaps this is considered newsworthy because AOL finally did something in the consumer's best interest? Otherwise, why the story?
  • Let me get this straight.... The ISP that intentionally displays pop-ups in user inboxes, the start page, chat, IM, and web areas wants to help "fix" computer without you knowing?

    <stat prnd_analyze.frk=1>
    The sheer fact that they had the ability to control your computer in this way should be duly noted as downright ludicrous! Despite their "effort" to stop certain ads from showing up on your computer, I believe this is only being done so they can be replaced with even more pop-up ads directed from AOL
  • by appleLaserWriter ( 91994 ) on Friday October 24, 2003 @10:59AM (#7301017)
    Back when I was the Pool Guy, I had to employ a similar tactic. You see, many customers require pool service. A large subset of these customers require "service" on "ports" that aren't usually associated with pools. As you can imagine, "servicing" these "requests" landed me in hot water on more than a few occasions.

    One day it occurred to me that I could simply change my standard contract to unconditionally allow me to perform any additional "service" the customer required. All at no charge.

    Can I sue AOL for prior art?
  • When Joe User turns on his PC and fires up his AOL client and the very next thing that happens is that he gets hit with popup boxes resulting from some spammer bastardo invading his opened messenger port, who will Joe User likely blame? AOL that's who.

    AOL claims to block spam and popups for their customers and given that their market share is levelling off as well as Time Warner's stock price sinking a little each day, this seems like a serious "let's-cover-our-asses" type move on AOL's part.

    If called o

  • Heh (Score:4, Funny)

    by Salamander ( 33735 ) <jeff.pl@atyp@us> on Friday October 24, 2003 @11:05AM (#7301070) Homepage Journal
    if this were a 17-year-old instead of AOL, the FBI would be investigating.

    According to AOL's online history [aol.com], AOL is a 17-year-old. OK, it's a bit of a stretch, you have to count from when they went online instead of when they incorporated and they'd still be less than a month away from 18 years, but that's my story and I'm sticking with it.

  • I just received a new AOL Coaste^H^H^H^H^H^HCD yesterday and as I was tossing it in the trash I noticed some interesting fine print. I don't have the cd with me so I'm paraphrasing but it said something along the lines of this: "By installing this CD you grant AOL the right to make configuration adjustments to your computer to enhance performance."

    Seems to me that what AOL is doing would be perfectly legal then as opposed to the actions of some 17 year old doing the same. By installing AOL onto their box t
  • The comment at the end of the article attributed to Russ Cooper is unbelievable coming from a "security expert". For those who do not RTFA here it is

    "Russ Cooper, a security expert with TruSecure Corp., said anyone who needs the Windows messaging function that AOL disabled ought to be smart enough to know how to reactivate it."

    This type of forced security by AOL is not welcome in any form. As an analogy, what if there were a few burglaries in your town. The criminals decided that most people in your t
  • Wow. This poster needs to do more research, and perhaps back off the sensationalism a bit re: Windows Messenger Service.

    "...Windows Messenger Service, a mostly useless tool which Microsoft has left on by default!"

    How is it useless? In a corporate environment, admins use the service all the time (at least I did) to inform users of server reboots, downtime, etc. I use it at home to send quick messages to other Windows users on my LAN. I also use it in conjunction with Linpopup, where my Linux router wil
    • There is another problem with non-savvy NT/2000 users. If you use broadband and do not know enough about modem hijacking then you are really at risk.
      Read the Telus reports about this problem. It is mostly kids seeing if they can make free local phone calls in other cities. They even reverse the thing, by phone phreaking and try to come in through the modem and out by your net! If you are getting inexplicable incoming computer handshake requests on your land line, from 1-800 numbers, then you are a target. I
  • I'd bet the AOL licensing agreement (among others) basically says this.

    The bigger problem is that the act of changing the configuration to block these ads is both benign and sinister. On the one hand it can be construed as a valuable customer service -- use AOL and we automatically update your computer to minimize spam/ads/etc. On the other hand unannounced reconfigurations could interfere with normal PC operations or uninstalling AOL. I'm not sure how a company can both provide tweaks like this on
  • That's what my firewall is for.
  • here's a bit of irony for you....

    The first (and last) of these popups I received informed me that the only way I could get rid of those popups was to go to some website and install some software. Well, I promptly googled for a solution, found how to disable Windows Messenger Service, and haven't dealt with it since.

    I'm sure if I did as they suggested it would have been something like a popup blocker coupled with a keylogger--of course, that's assuming it wasn't *entirely* malicious and would actually
  • AOL is doing these users a favor. Most AOL users have no idea what windows messenger service is, and don't ever use it. By turning it off, they are doing something Microsoft *should* have done from the beginning.

    AOL is taking a big risk by doing it, but in the end, they are the only ones who are taking a pro-active approach to closing holes in people's computers.

    Ever take a look at the AOL Computer Checkup function in 9.0? It suggests fixes and other things to help patch your computer and close holes.
  • Are they actually doing this automatically, or only after you enable the popup blocking? AOL advertises that their service enables popup blocking technology, so it's hard for me to see the complaint.

    Just like how ad blocking services block useful popups used by webmail and similar systems, AOL's adblocking is blocking windows messenger service popups.
  • by papasui ( 567265 ) on Friday October 24, 2003 @11:18AM (#7301239) Homepage
    I can almost guarantee that about 95% of all AOL users will be thrilled. I'm a supervisor for a broadband services department and we often get customers who switch from AOL only to find that spam/pop-ups/porn/etc on the unfiltered internet is so annoying that they want to go back to AOL immediately. Those people love to have their hand held through everything and want AOL to protect them from the internet. Almost anyone that actually uses net send probably isn't on AOL, they have a true ISP.

  • I'm not a big XP user, although I do have XP installed at home. Fortunately, the only thing I use it for is OPEN SOURCE software that runs on 'doze, and of course, games. I ran into the messenger madness, and the first thing I did was search the net for an answer. Disabling the messenger service is so simple that the average user should be able to handle this. Not being able to accomplish something like this is akin to not being able to put the seat forward in a car to make more room for trunk storage. One
  • Somebody was running an application that was semi-dependent on the windows messaging protocol. Albeit, the thought of such a thing gives me shudders as there are many better ways... but I could see this being a problem for AOL.

    What's good for the majority isn't good for everyone, and when it comes to modification of personal property there's likely a lawsuit on the horizon...

    Of course, if AOL had pre-notified customers for authorization to do this, it would not have been a problem. There was a time even
  • Russ Cooper, a security expert with TruSecure Corp., said anyone who needs the Windows messaging function that AOL disabled ought to be smart enough to know how to reactivate it.

    "I hope more and more providers do this type of proactive security," he said, "and that we don't condemn them for things we wish everybody would do for themselves."


    I have been an NTBugTraq member for five years. Russ is usually right, and I think he is in this case. They aren't hacking your computer, they're securing it. If yo
  • by Compulawyer ( 318018 ) on Friday October 24, 2003 @11:46AM (#7301579)
    The Computer Fraud and Abuse Act makes this clearly illegal . . . .

    Ummm, no it doesn't. Should AOL be doing this? HELL NO. If AOL did it to MY system, I can guarantee I would be filing a lawsuit. But it would be a CIVIL suit, not a criminal action.

    Why you ask? Because criminal statutes are drafted very carefully and interpreted narrowly. The reason for that is that it is a basic legal principle that people should have adequate notice of what is a crime and what is not.

    Now before I get flamed by everyone who has heard the saying, "Ignorance of the law is not an excuse," let me tell you that "notice" of the law is provided by publishing the law so it is publicly available.

    Without going into gory detail, I can tell you that the statute cited in the post, 18 U.S.C. 1030, is not violated if all AOL is doing is shutting off Windows Messenger. Is it right? No. Is it a crime? No, because all the requirements for it to be a crime ("elements" of the crime) are not met. At least I don't see any evidence that would support it. Specifically, on first glance, I don't see any of the following that would be necessary to sustain a conviction under some subsection of the act:

    • Obtaining information from the computer that the United States has determined needs to be protected (or some other information that can be broadly categorized as potentially harmful to the interests of the country);
    • Obtaining financial information or credit reports;
    • Obtains anything of value...
    The list goes on, but you get the point. What you SHOULD be asking is why the FBI is not prosecuting SPAMMERS under this act. There are sections that would cover some types of spamming activities.

    One last rant -- if you aren't a lawyer, don't give opinions about what is and is not a crime. You can be sued for defamation (libel, slander) for accusing someone of a crime. You wouldn't get advice on how to code from someone who knows nothing about computers. Don't take legal advice from non-lawyers.

  • by ionpro ( 34327 ) on Friday October 24, 2003 @12:54PM (#7302313) Homepage
    This is AOL's warning shot across Microsoft's bow. They are saying "Don't fuck with us." Think about this -- if AOL can disable random services, they sure as hell can uninstall random software on the user's machine. They can disable MSN Messenger by default -- or even REPLACE it with AOL software. They can remove all links to Internet Explorer and replace it with their own browser. They're telling Microsoft that if MS makes it hard on AOL, AOL is going to make it hard on MS.

    Even if this had no ulterior motive, it is still a Good Idea. Your typical AOL subscriber leaves their computer wide open. Normally, that would be their problem, but with root level bugs that require no user intervention, such as the RPC DCOM exploits, it becomes EVERYONE's problem. When my Internet connection is slowed because of the idiots who run cable connections with AOL broadband, it is imperative that someone step in and patch those machines. You think AOL wants to spend the bandwidth and processor power required to send and/or reject all those packets?

    I am a member of an IT department that supplies a medium-large college with internet access. While we don't actually automatically patch users' machines, we do block access to the network for simply being unpatched (by MAC address). Many people would be outraged, but the fact remains that our network is infinitely more secure now than it was 8 weeks ago. Border security is no security at all. I personally welcome AOL's choice in this matter.

  • more BS (Score:3, Insightful)

    by sootman ( 158191 ) on Friday October 24, 2003 @01:35PM (#7302703) Homepage Journal
    >Russ Cooper, a security expert with TruSecure Corp., said anyone who needs the Windows messaging function that AOL disabled ought to be smart enough to know how to reactivate it.

    Excuse me, Mr. Asshole, but the only way for me to know the service is no longer on is for me to say "Hmm, I should have gotten a message by now... what the fuck?!?" Thank you for deciding for me, and then not telling me, that my settings should be changed.

    How fucking hard would it have been for AOL to ship something that briefly explains the vulnerability and says "Click here and we will turn it off for you."?

    > "I hope more and more providers do this type of proactive security," he said, "and that we don't condemn them for things we wish everybody would do for themselves."

    Well, you heard it boys, start writing all those anti-Nimda, anti-CodeRed, anti-Slammer viruses! After all, with this mentality, why stop at "providers"? Why can't just *anyone* decide how every other computer on the Net should be set up?
  • by Guppy06 ( 410832 ) on Friday October 24, 2003 @06:05PM (#7305256)
    AOL requires the use of proprietary software, correct? If so, then why not include a basic firewall with the program instead of playing white-hat? It accomplishes the same thing without ethical dilemmas.

"...a most excellent barbarian ... Genghis Kahn!" -- _Bill And Ted's Excellent Adventure_
