Interview With Mike Sklut
Slashdot:
What does Parental Controls do?
Mike Sklut:
Parental controls block certain Web sites that AOL lists on their system. When you type in a URL, tokens are sent through your client to the AOL proxy requesting a site. The screen name is verified, and if you are on any three of four settings, the proxy may or may not send you the information.
These settings not only block certain Web sites that AOL lists, but also certain features of AOL. For example: kids only can't access most main features of AOL such as instant messages, and many e-mails are blocked unless the controls are set further.
Also note that if you are not set on 18+ (the very highest setting), then no sockets applications are allowed to connect to anything. It does not give your computer any connection to the Internet except through the AOL client.
Can you describe the hole?
This hole affects all AOL users who are set on mature teen (16-17). This exploit (or trick if you will) is simply done by adding a "." at the end of the second level domain extension. For example: if you're trying to get into 'newriot.com' and it gives you the classic "Web restricted error," just type in 'newriot.com.'
How'd you learn about it?
Just over three years ago (I must have been in fifth grade at the time), a friend and I were trying to get into altavista.com to do research for a project. I was set on young teens at the time, and I believe he was on mature teens. (Note: this trick used to work on young teens as well as mature, but it now seems to only work on mature).
Anyway, we couldn't get in, each of us, because altavista was believed by AOL to have adult ads or something, so it was blocked by AOL. We were just messing around with the URL, adding characters here, port numbers there, and all of a sudden I got into it. It happened unknowingly and it took me a minute to figure out how I actually did it.
A small thing, but it proved to be a popular trick for a time with my friends.
Is this useful for anything besides looking at porn?
I knew this question would come along. =] Research projects? Well, seriously, if you needed something that AOL didn't like (other than porn); warez, pages with cussing or swear words on them.
I never used it much at all; soon after that research project, I got into Web design and my parents had to change me to 18+ to use sockets applications for publishing to my site. It worked great for me though; I told all my friends (and more) who tried to take credit for it, and that really made me mad.
If you just needed to do research, why didn't you just talk to your parents about turning the controls off?
They had already gotten mad at me before. I had gone on my dad's screen name and changed my controls (back and forth multiple times) to do other stuff that required an Internet connection that was external from the AOL client. Once or twice he caught me and got mad, and he had refused to change them before because I had done it without his permission; he really didn't care if I had other stuff that I wanted to do (IRC, FTP, and I think that was all I did that required a connection at the time).
How many kids did you tell about this?
In the last three years I would guess I would have told at least 5000 people about it. Since I learned about the trick I have lived in three different states (IL, MA, and MI). I usually told a ton of my friends.
And, you have to add me publicly talking about it on my old Web site (emall2.com, which I am currently battling out with the owners of emall.com over trademark infringements). I posted it on there on a sub site (some AOL tricks thing) just about a month before it was taken down; I got about 500 "THANK YOU SO MUCH" e-mails about it, and my hit counters showed thousands of hits to that one page.
Did you know when you posted it on your site what would happen? (Are you sorry you tipped off the media, or are your friends ticked off at you for revealing the secret?)
I rushed into getting the site up, and I needed pretty quick publicity. The site is not 1/4 done yet, and our first major staff meeting isn't until next Monday. I had to post about some big news that someone might be interested in and come to the site to look at, and this seemed to be the thing. It was horrible timing, and I wish I would have done this in two weeks from today, when most of the site is up. I got a ton of e-mail telling me about how good the site will be, and wondering where all the content was. I absolutely knew this would happen, and I'm very glad that I did it (but the timing was off, as you can see), and I'm very glad of the results.
I'm very happy I tipped off the media. I hate America Online, as I have for years (various reasons), and this just makes them look bad (bad in some people's eyes, horrible in others).
My friends (about 15 so far) e-mailed me screaming about how happy they were to see me on news.com, yet very mad at me for this is their only source for getting out of AOL's controls. Next week I'll post how to use proxies, so they can get around it once again.
I'm also working on getting a new NPH wrapper (if you can help I'd love it because I can't figure out how to do this) for the server so it can understand some of the commands in my cgi-based proxy app.
Has AOL patched it up yet?
Last night [Thursday, July 13] I called them (as a very concerned parent) asking them if my son (who I said was set on mature teen) was at risk.
The man I spoke with "absolutely assured" me that he was safe and AOL's parental control system was "100% foolproof". I told him about newriot.com and news.com's articles on it, and he tried it out. He was very surprised to see that he could get into a restricted site with the account he had made set on mature teens. He told me this was the first he had seen of this, and that he would tell his supervisor of the incident. He then told me that he was very sorry about the problem and he was sure something would happen fast. I thanked him.
Today [Friday], around 10:38 AM EDT, I tried it, and was surprised to see that it was fixed. I never knew AOL was quick with anything these days.
Your site mentions "several other methods" but doesn't give details yet. Can you give us a hint?
Yea sure. =P
1 - proxies
2 - using staff tools to force certain tokens through the proxy. This gives you access to any Web site (and many staff areas on AOL that aren't on stratus)
3 - once again using staff tools to create hybrid forms that will go through other proxies that can be searched for
Proxies will always work and always be around for the rest of history; AOL won't get a work around these for many years. Even when they do get something to decode pictures and sites through proxies, there will still be encryption. Staff tools will let us get through easily on the 'younger' settings, but the kids that use them would be breaking the law by using the tools themselves (I think), and might not be technical enough to use them.
Your site also says you're going to put up a tutorial on forging e-mail. Do you like poking around computer security, do you think you'll keep doing it?
The tutorial for forging e-mail was already put up on the old design for newriot.com. I recently gave her a facelift, and deleted all the old stuff to put into the new template for the site. I have had it all ready to go for a while, I just can't upload it until I get to my house and out of this baseball tournament.
I've been messing with AOL's security for a while now, and about a year ago I got a little out of AOL and more into the main Internet thing. The first hackers conference I went to was this summer (rubi-con) and I hope to get to go to some others (the problem is my parents and transportation).
Poking around at online security is a blast. It just infuriates me all of the Internet users that think of themselves as "elite" just because they can scam a password from some staff AOL account, or the people that go around causing havoc online and think they are the best. These are the idiots that ruin it for all of us, and I'm also very sorry to see all the newbies looking to them, who will one day become one of them.
Anything you'd like to say to parents who have trusted Parental Controls to keep their teens safe on the Internet?
If your kid is half-way smart and is a quarter computer literate -- he'll get around it. There are plenty of sites that will show you how to use proxies that are very easy to understand.
What's the best (and only) way to make sure your teen (or kid) isn't looking at stuff online you wouldn't want him/her to be looking at? -- Don't have kids. In today's world many kids have external access to the Web; off-home surfing. Their friends have it, their school has it, their public library has it. So much access to this. If any or all of these are using filtering there are always ways around it.
Are your parents going to get mad when they see this interview?
My parents wouldn't ever see it without me telling them about it, and even if they did they wouldn't read it. And even if they read it, they wouldn't get mad. So all in all; no, they'll be fine. Thanks.
I don't think the interesting aspect of this is the exploit. It has to be AOL's general policy! If you are going to have a strict policy to make you look good to parents, why then isn't it being enforced to the fullest. Not to say that censorship is a good thing, but it still says something when you have defined a policy to address complaints and still don't enforce it well. Especially with such a sensitive topic as what "children" are allowed to view. I think parents in every country are concerned to a certain extent with protecting their children.
kick some CAD
(from the 1999 Free Software Award Nominee page)
Granted, some of these have been covered already, but maybe a handful at the most. I must confess to maybe knowing who 10% of these people are. I would sure like to know something about the rest of them. Just imagine all the cool stuff each of these people has to offer--why in the world are we looking to interview inflammatory, damaging people like JP?
Just trying to help :-) I figure 80 some odd suggestions should keep you busy for a while.
I think it's evidence of bad parenting to trust AOL to plan your child's intellectual diet.
We interview a random hax0r script kiddie from IRC.
This isn't a case of forced government removal of information, this is simply a product that you choose to use or you don't. What's the problem with that? So it has a hole in it... big deal, so do a lot of things.
Maybe I'm just missing the point, but I don't think it's "bad parenting" to have AOL assist you in guarding the information your kids can see. Personally, I would never censor anything from my kids, but if a parent wants to, why should they have to go out and find all "bad" sites on the internet and limit them from their kids? What a waste of time.
Please, I'd love to hear other people's arguments on this -- I really want to know why you think it's such an evil thing. Simply being against it because it's censorship doesn't exactly seem right to me.
When are parents going to learn that if they want to control what their kids see, they are going to have to watch them 24 hours a day?
No software will ever be able to replace parents. I have a son, and the way I look at it is that information cannot hurt someone who is intelligent. Misinformation is the real risk, and kids might believe it if they aren't prepared to always look for both sides of an issue.
Of course, a lot of parents don't want their kids to see both sides of an issue, and this is the big thing. It is going to be very interesting to see what a generation that grew up with the greater availability of information from all sides of the spectrum are going to turn out like. I think it will make these politicians' job of lying to the people a lot harder at least.
-----------------------------
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Step 1: Put up an internal firewall.
Step 2: Set up proxies.
Step 3: Monitor the webtraffic from the proxies. Have your monitoring be smart enough that you can label things as, "I know this is OK, don't mention it any more."
Step 4: Sit down and have some heart to heart conversations about anything that really bothers you.
By default don't get in the way. Have the rules match exactly what you are concerned about. And realistically, if step 4 fails, then you have real problems. You cannot block what your kid does at a friend's house, pretending that you can protect them by controlling what they do at yours is just stupid.
Cheers,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
Seriously, I'm sure this guy is a charming young man - and probably a decent second baseman too - but there are just so many other people you should spend your time interviewing. As a general rule, I'd like to suggest you refrain from posting lengthy discourse with people who place one or more of the following phrases on their homepage:
- "AOL Sucks"
etc..."Visual Basic"
--
I think there is a world market for maybe five personal web logs.
Of course, none of the people you listed would really be related to the story of AOL only now patching up a very obvious and very ridiculous flaw, would they?
---
seumas.com
sorry to sound all supportive and everything, but JP comes across as a pretty together person - certainly more sane than most of the script kiddies out there. more power to him.
/.'s job. interesting tech articles are. this is one.
the only way to protect your children in this sort of arena is to either keep them out of it (when young enough) or to bring them up to be sufficiently responsible (when they get smart enough - and they will in spades).
oh, and AFAIKS this article is bang in the middle of slashdot's charter. moral responsibility - after a bare minimum - is not
cheers
pete23, reality on demand
Uhm. no.
/.'s or your ISP's job to look after your kids. It is not the government's job to look after your kids. It is NO ONE'S JOB BUT YOUR JOB. Filtering software may be a helpful aid (issues of effectiveness aside), but do not blame us if your kid looks at porn.
1. It's not illegal to look at sites about warez. It's illegal to DOWNLOAD or provide warez. AOL or your local ISP may decide to block these sites (it's their prerogative), but there is nothing illegal about these sites that just provide info on them.
2. It's been shown again and again that filtering software of all types are at best grossly inefficient, many times blocking perfectly legitimate sites. This "workaround" would allow you to access these sites. This sounds pretty reasonable, no?
3. It is not
4. As far as I know, the ethics of news reporting require you to report the news. Not just the Happy News. or the Politically Correct News. Sure, there are times when news should be withheld (for the sake of security or whatnot), but this is hardly of that caliber. There have been news pieces on how bomb making instructions are easy to find on the Internet. Is the media irresponsible for pointing out that this information is available?
I'm going to stop now, before I get really pissed.
Duh.
---
seumas.com
O'Reilly
See, Visual Basic on the front page. They even have a whole domain devoted to the evil stuff!
The moral of the story? Be careful with hard and fast rules...
:-)
Cheers,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
[First Voice] Napster is just a facilitation for crime.
[Second Voice] True, true. Microsoft is just a facilitation for innovation.
[Third Voice] Waaaazzzzzzzaaaaaaaaappppp?
"I will gladly pay you today, sir, and eat up
Sacred cows make the best burgers.
Really? How many AOL children do you suppose are readers of Slashdot?
Yes, I accept that there may be some (read: a rare few) but it seems readily apparent to me that those who are, no doubt are likely to be fairly advanced users already. They no doubt use AOL only because that is what is provided by their 'NOT' so aware parents. Reading of an AOL exploit here is probably 'old' news... conveyed by their equally astute net associates who turned them on to slashdot in the first place.
Frankly, Slashdot, whose membership consists of LOTS of parents, by publishing this info is doing exactly what I expect of them...making its readership aware of tech exploits. You appreciate this when it is DECSS or the like.
Seems to me that just because the subject matter does not impress YOU, that is hardly reason to badmouth Slashdot for passing along info that may indeed, interest others regardless of your opinion of their level of expertise.
Just my opinion on a Sat. morning.....
ah! the internet!! we may still screw up the world but NEVER again will we be able to claim IGNORANCE
There is no replacement for proper, responsible parenting. The problem with these "parental controls" tools is that they are induced by a market of people who don't want to spend the effort to raise their kids properly, and depended on by people who don't understand what proper parenting is.
After all, it's your kid. You are the one who should supervise them and educate them in the proper way. That responsibility is on you not on AOL or any other corporation or person. The proper way to be a parent is to nourish a healthy relationship with your kid -- and that means spending lots of time and effort to educate him/her properly, and to maintain a good relationship. If you're not willing to spend the time or expend the effort, you're an absolute fool to think that so-called Parental Controls software or whatever other garbage they have out there will do your kid any good. And don't be surprised if your kid grows up to despise you. Kids know when you really love and care about them, versus when you're doing it grudgingly just because you know you have to.
Kids aren't Tamagotchi's. Parenting is not merely about changing diapers, stuffing them with food, cuddling them when you feel like it, and sitting them in front of the TV or computer just so you don't have to spend the time/effort to be with them as a person. Parents who think that they can have both the "advantage" of distracting their kid with TV/computer and also "safe-guarding" them with "Parental control" garbage are greatly deceived.
---
mikre he sophia he tou Mikrosophou.
I'm English, and I've had net access since I was 11. Proper TCPIP stack, no AOL crap. I did pay for it myself, but most of my friends also had net access and I never heard of any of them having access censored or restricted by their parents. What is it about American parents that makes them want to hurt their children so?
Abashed the Devil stood,
And felt how awful goodness is
Why are we interviewing some kid who found a really lame hole in security software? That'd be like interviewing every individual that posts to BUGTRAQ with mind-numbing questions like, "Oh, so how'd you find the bug?" and "How many people did you tell?" .. this is really contentless. Is this Slashdot editor new?
Sadly, the late W. Richard Stevens is not on that list; he would not be an interesting interview unless Slashdot has some supernatural interviewers.
Some interesting adds I'd suggest:
Of fame for the "worse is better" thesis
One of the designers, at Apple, of the Dylan language, previously involved in designing Common Lisp, and Symbolics machines.
Noted for involvement with famous books on C, Scheme, Lisp, and Java.
If you're not part of the solution, you're part of the precipitate.
Through their half hearted attempt at censorship AOL seem to have actually caused a few kids out there to go and learn a little about how tcp/ip works and what AOL are doing... No parent in their right mind should believe that a service provider can accurately censor an internet that is growing at the rate of thousands of pages an hour.
Quite honestly the best policy is to trust your kids with the internet and explain what is and isn't right.
Can you imagine what it would be like if AOL sold a plastic suit that your kids could wear so that they wouldn't be able to access drugs or cigarettes at school!?
The whole internet censorship thing isn't really any different in my mind and it's up to the parents to teach their children responsibility, or to supervise their internet usage.
Quite honestly are a few pictures of girls with their kit off really going to corrupt a 16-year-old's mind that much?
Then switch to something else or shut up. You must have other choices, and if you don't, then start your own ISP, or be glad you have anything at all.
-cwk.
If some OSes do that, then they need to be fixed, since that is buggy behavior. The whole point of the trailing dot is that it makes it an absolute name (i.e. explicitly relative to the DNS root).
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
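The trailing-dot point in the comment above, and the bypass described in the interview, shown from the filter's side as an added example (not part of the original comment, and not AOL's code): a blocklist check that compares the raw host string next to one that canonicalizes the host first. The blocklist entries and function names are constructed for illustration, and the hardened version goes slightly beyond the trailing dot by also covering letter case, ports and subdomains.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist (reserved example domains, not from the page).
BLOCKED = {"blocked.example", "ads.example.net"}


def _parts(url: str):
    """Parse a typed URL; users often leave the scheme off."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def naive_is_blocked(url: str) -> bool:
    """Before: compares the raw authority string against the list.

    'blocked.example.' (absolute form, trailing dot) is the same DNS name
    as 'blocked.example', but it is a different string, so it slips past.
    """
    try:
        return _parts(url).netloc in BLOCKED
    except ValueError:
        return False


def canonical_host(url: str) -> str:
    """Reduce the host to one canonical spelling before any policy check.

    Returns '' when the host cannot be parsed so the caller can fail closed.
    """
    try:
        # .hostname lowercases and drops userinfo and port.
        host = _parts(url).hostname or ""
        # A trailing dot only marks the name as relative to the DNS root.
        host = host.rstrip(".")
        # IDNA encoding rejects empty or over-long labels such as 'a..b'.
        return host.encode("idna").decode("ascii")
    except ValueError:  # UnicodeError is a subclass of ValueError
        return ""


def is_blocked(url: str) -> bool:
    """After: canonicalize, then match the host and every parent domain."""
    host = canonical_host(url)
    if not host:
        return True  # fail closed on anything that does not parse
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED for i in range(len(labels)))


if __name__ == "__main__":
    for u in ("http://blocked.example/", "http://blocked.example./",
              "BLOCKED.example.:80", "http://www.blocked.example./x",
              "http://allowed.example/"):
        print(f"{u:35} naive={naive_is_blocked(u)!s:5} fixed={is_blocked(u)}")
```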
Starting 7 years ago up until about 4 or 5 years ago I spent a lot of my time on AOL. I was rather young at the time, and didn't really know too much about computers except that I thought hackers were cool. Somehow I ended up in private room hack, I don't know how or why, but there was a whole culture of people in there. Keep in mind this was a long time ago, this was when compuserv and prodigy were viable alternatives, when AOL sucked because of the "me too"s first and foremost. When AOL didn't have a web browser.
So to skip all the boring shit I found myself going to the "elite" room with various other kids who had somehow proved their eliteness. Anyway, these were the people who really fscked around with AOL, not this parental control bs. This was before parental controls even existed. These were the people who figured out how to upload and download and chat at the same time (back when you couldn't do that). Figured out how to download in a free area (back when you had 5 hours a month on a 2400bps modem), and other useful things. And no they weren't all harmless, we got overhead accounts (sort of below a guide and above a regular user) that could go to guide areas and had other special features. Some people knew guides that could TOS or delete someone's account, etc etc. We also figured out how to kick people offline, intercept instant messages(!), and other cool but usually malicious things. Of course this usually involved pirating software and even credit card theft and all that bad stuff that seems to follow behind, but at the very center of it all there was really just a bunch of people exploring AOL.
At some point Visual Basic got thrown into the mix (probably as a result of the widespread software piracy), and AOHell was made - which automated a lot of these tasks we did manually. Then came the huge amounts of "AOHacks" or "AOProggies" or whatever people would call them. This led to drones of people being able to do the tricks that were previously restricted to only the people who were cool enough to be told. Some of the folks who thought themselves better than this created "AOTurkey" around thanksgiving one year as a sort of joke, making fun of AOL's version of script kiddies. Even though we may have thought ourselves superior, we did nothing to stop the flame. I myself spent a decent chunk of time writing a still incomplete VB 3.0 program (and I still have the source code in case I ever come back to it :) ) that could do all sorts of stupid shit like make accounts with fake credit card numbers, automatically send messages to people asking them for their credit card numbers, and other random crap. A few decent programmers did some pretty incredible things with Visual Basic back then. No one had really done this stuff before - that is trying to interface directly with AOL's client. If you could write a program that would "get the chatroom text" (ie - being able to detect when someone says a trigger that would add them to a mailing list (of pirated software)) you were elite. Of course the original people started to grow up and realize they really weren't as hot shit as they thought they were, and that some of the more illegal stuff they were doing was really not worth the risk at the least. I left and never went back, though I still keep in touch with a few of those people through EFNet and emails etc etc. I was actually a bit surprised when I didn't see a comment like this one already posted, since the people who lead the way always think they kick ass :).
So I guess what I'm saying is hacking AOL isn't necessarily something to immediately scoff at, I just wouldn't have picked Mr. Sklut to be the representative...
- tred
We have 31 flavors of ice cream. That's got to count for something.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
My biggest problem with these systems is the whole idea of a site being appropriate for one age group but not for another. Like, I think that a page using foul language is appropriate for almost anyone, but if I had kids, I'd probably block all religious sites until they were in their teens. I'd also block almost all retail sites, until they were out of the "screaming their heads off about stupid cartoon characters" phase.
The only workable solution is a system like reputation managers, where everyone ranks pages as to what degree they agree with the statement "this page is suitable for my children"? Rank it one to five, and have your ranking sent to the central server. The central server uses your rankings to match you to others who agree with your rankings. Then sites you haven't ranked are based on what the people you match think they should be rated. Adding categories (rank wrt sex, language, politics, religion) would allow the system to function more accurately with less users.
Then you could set on your own computer what level to allow the kids to surf. Maybe it's set at 2 for when you're home and you bump it up to 4 for when you leave the kids with a babysitter for a weekend. It works even if some people are overprotective, so that a parent of a 7 year old in Berkeley, a parent of a 10 year old in Los Angeles and a parent of a 16 year old in Salt Lake City might actually be using each others rankings (unknown to each other) because they match.
It's fairly robust against people trying to suppress or promote an agenda, because if your agendas don't match, then you aren't going to use their rankings.
Sure, "watch your kids while they're on the internet" is a great idea for now, but I'm thinking that by the time I have kids old enough to type, people won't get what "while they're on the internet" means, because well, what, you lost the signal? In some weird anti-technology retreat? Every terminal you own suddenly broke down? And your phone too? Think of how much more wired we are now than ten years ago. Is this somehow going to slow down?
"Newby, an information and library science professor at the University"
A meeting for hackers (sic) and the moderator is named "Newby". Not the right spelling, but it sounds the same.
Pretty funny, but then again, I don't get out much.
I do not. But it's obvious that it is a lot of responsibility and work. It's unimaginable for parents to be able to look after their kids every second of the day, and it should not be required of them, nor is it only their fault when the kid does "evil" things while not under their supervision. Under the assumption that internet is a good place for kids to play/learn (which isn't settled in my mind), Parental control ideally permits at least some control when you're absent.
You know that cookie-jar in the top shelf, placed "out of reach" of most children? Yes, that restriction is circumventable, so why have it?
By placing something out of immediate reach a person - here kids - need to consciously decide to break that barrier. It's a way to train kids to be aware of the rules.
There's got to be some amount of trust, indeed, I don't want to imagine a family without it.
That and the fact that the security hole was found by an 11-year-old kid. But three years is a long time for that simple a hole to stick around.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks