Interview With Mike Sklut
Slashdot:
What does Parental Controls do?
Mike Sklut:
Parental controls block certain Web sites that AOL lists on their system. When you type in a URL, tokens are sent through your client to the AOL proxy requesting a site. The screen name is verified, and if you are on any three of four settings, the proxy may or may not send you the information.
These settings not only block certain Web sites that AOL lists, but also certain features of AOL. For example: kids only can't access most main features of AOL such as instant messages, and many e-mails are blocked unless the controls are set further.
Also note that if you are not set on 18+ (the very highest setting), then no sockets applications are allowed to connect to anything. It does not give your computer any connection to the Internet except through the AOL client.
Can you describe the hole?
This hole affects all AOL users who are set on mature teen (16-17). This exploit (or trick if you will) is simply done by adding a "." at the end of the second level domain extension. For example: if you're trying to get into 'newriot.com' and it gives you the classic "Web restricted error," just type in 'newriot.com.'
How'd you learn about it?
Just over three years ago (I must have been in fifth grade at the time), a friend and I were trying to get into altavista.com to do research for a project. I was set on young teens at the time, and I believe he was on mature teens. (Note: this trick used to work on young teens as well as mature, but it now seems to only work on mature).
Anyway, we couldn't get in, each of us, because altavista was believed by AOL to have adult ads or something, so it was blocked by AOL. We were just messing around with the URL, adding characters here, port numbers there, and all of a sudden I got into it. It happened unknowingly and it took me a minute to figure out how I actually did it.
A small thing, but it proved to be a popular trick for a time with my friends.
Is this useful for anything besides looking at porn?
I knew this question would come along. =] Research projects? Well, seriously, if you needed something that AOL didn't like (other than porn); warez, pages with cussing or swear words on them.
I never used it much at all; soon after that research project, I got into Web design and my parents had to change me to 18+ to use sockets applications for publishing to my site. It worked great for me though; I told all my friends (and more) who tried to take credit for it, and that really made me mad.
If you just needed to do research, why didn't you just talk to your parents about turning the controls off?
They had already gotten mad at me before. I had gone on my dad's screen name and changed my controls (back and forth multiple times) to do other stuff that required an Internet connection that was external from the AOL client. Once or twice he caught me and got mad, and he had refused to change them before because I had done it without his permission; he really didn't care if I had other stuff that I wanted to do (IRC, FTP, and I think that was all I did that required a connection at the time).
How many kids did you tell about this?
In the last three years I would guess I would have told at least 5000 people about it. Since I learned about the trick I have lived in three different states (IL, MA, and MI). I usually told a ton of my friends.
And, you have to add me publicly talking about it on my old Web site (emall2.com, which I am currently battling out with the owners of emall.com over trademark infringements). I posted it on there on a sub site (some AOL tricks thing) just about a month before it was taken down; I got about 500 "THANK YOU SO MUCH" e-mails about it, and my hit counters showed thousands of hits to that one page.
Did you know when you posted it on your site what would happen? (Are you sorry you tipped off the media, or are your friends ticked off at you for revealing the secret?)
I rushed into getting the site up, and I needed pretty quick publicity. The site is not 1/4 done yet, and our first major staff meeting isn't until next Monday. I had to post about some big news that someone might be interested in and come to the site to look at, and this seemed to be the thing. It was horrible timing, and I wish I would have done this in two weeks from today, when most of the site is up. I got a ton of e-mail telling me about how good the site will be, and wondering where all the content was. I absolutely knew this would happen, and I'm very glad that I did it (but the timing was off, as you can see), and I'm very glad of the results.
I'm very happy I tipped off the media. I hate America Online, as I have for years (various reasons), and this just makes them look bad (bad in some people's eyes, horrible in others).
My friends (about 15 so far) e-mailed me screaming about how happy they were to see me on news.com, yet very mad at me for this is their only source for getting out of AOL's controls. Next week I'll post how to use proxies, so they can get around it once again.
I'm also working on getting a new NPH wrapper (if you can help I'd love it because I can't figure out how to do this) for the server so it can understand some of the commands in my cgi-based proxy app.
Has AOL patched it up yet?
Last night [Thursday, July 13] I called them (as a very concerned parent) asking them if my son (who I said was set on mature teen) was at risk.
The man I spoke with "absolutely assured" me that he was safe and AOL's parental control system was "100% foolproof". I told him about newriot.com and news.com's articles on it, and he tried it out. He was very surprised to see that he could get into a restricted site with the account he had made set on mature teens. He told me this was the first he had seen of this, and that he would tell his supervisor of the incident. He then told me that he was very sorry about the problem and he was sure something would happen fast. I thanked him.
Today [Friday], around 10:38 AM EDT, I tried it, and was surprised to see that it was fixed. I never knew AOL was quick with anything these days.
Your site mentions "several other methods" but doesn't give details yet. Can you give us a hint?
Yea sure. =P
1 - proxies
2 - using staff tools to force certain tokens through the proxy. This gives you access to any Web site (and many staff areas on AOL that aren't on stratus)
3 - once again using staff tools to create hybrid forms that will go through other proxies that can be searched for
Proxies will always work and always be around for the rest of history; AOL won't get a work around these for many years. Even when they do get something to decode pictures and sites through proxies, there will still be encryption. Staff tools will let us get through easily on the 'younger' settings, but the kids that use them would be breaking the law by using the tools themselves (I think), and might not be technical enough to use them.
Your site also says you're going to put up a tutorial on forging e-mail. Do you like poking around computer security, do you think you'll keep doing it?
The tutorial for forging e-mail was already put up on the old design for newriot.com. I recently gave her a facelift, and deleted all the old stuff to put into the new template for the site. I have had it all ready to go for a while, I just can't upload it until I get to my house and out of this baseball tournament.
I've been messing with AOL's security for a while now, and about a year ago I got a little out of AOL and more into the main Internet thing. The first hackers conference I went to was this summer (rubi-con) and I hope to get to go to some others (the problem is my parents and transportation).
Poking around at online security is a blast. It just infuriates me all of the Internet users that think of themselves as "elite" just because they can scam a password from some staff AOL account, or the people that go around causing havoc online and think they are the best. These are the idiots that ruin it for all of us, and I'm also very sorry to see all the newbies looking to them, who will one day become one of them.
Anything you'd like to say to parents who have trusted Parental Controls to keep their teens safe on the Internet?
If your kid is half-way smart and is a quarter computer literate -- he'll get around it. There are plenty of sites that will show you how to use proxies that are very easy to understand.
What's the best (and only) way to make sure your teen (or kid) isn't looking at stuff online you wouldn't want him/her to be looking at? -- Don't have kids. In today's world many kids have external access to the Web; off-home surfing. Their friends have it, their school has it, their public library has it. So much access to this. If any or all of these are using filtering there are always ways around it.
Are your parents going to get mad when they see this interview?
My parents wouldn't ever see it without me telling them about it, and even if they did they wouldn't read it. And even if they read it, they wouldn't get mad. So all in all; no, they'll be fine. Thanks.
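The trailing-dot trick described in the interview succeeds against any filter that compares the typed hostname as a plain string, because `site.com.` is just the fully qualified spelling of `site.com`. An added example (not AOL's code; the page does not say how AOL's proxy matched hosts, and the blocklist, hostnames and function names here are constructed) showing the failing comparison beside one that canonicalizes the host first:

```python
from urllib.parse import urlsplit

# Constructed blocklist for this example; not taken from any real filter.
BLOCKLIST = {"blocked.example"}


def _host(url):
    """Extract the host from a URL or a bare 'host/path' as typed by a user."""
    return urlsplit(url if "//" in url else "//" + url).hostname or ""


def naive_is_blocked(url, blocklist=BLOCKLIST):
    """Failure mode: compare the host exactly as typed against the list."""
    return _host(url) in blocklist


def canonical_host(url):
    """Return the host in one canonical form: lowercase, no root dot."""
    # urlsplit already lowercases the hostname; lower() keeps this explicit.
    # Stripping the trailing dot makes "blocked.example." and
    # "blocked.example" compare equal, as they name the same site.
    return _host(url).rstrip(".").lower()


def is_blocked(url, blocklist=BLOCKLIST):
    """Match the canonical host and every parent domain against the list."""
    labels = canonical_host(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


if __name__ == "__main__":
    for typed in ("blocked.example", "blocked.example.",
                  "http://WWW.Blocked.Example.:80/page", "allowed.example."):
        print(f"{typed!r:42} naive={naive_is_blocked(typed)!s:5} "
              f"canonical={is_blocked(typed)}")
```

The same canonical form should be used when entries are added to the list, so that the stored names and the looked-up names cannot drift apart.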
(from the 1999 Free Software Award Nominee page)
Granted, some of these have been covered already, but maybe a handful at the most. I must confess to maybe knowing who 10% of these people are. I would sure like to know something about the rest of them. Just imagine all the cool stuff each of these people has to offer--why in the world are we looking to interview inflammatory, damaging people like JP?
Just trying to help :-) I figure 80 some odd suggestions should keep you busy for a while.
I think it's evidence of bad parenting to trust AOL to plan your child's intellectual diet.
This isn't a case of forced government removal of information, this is simply a product that you choose to use or you don't. What's the problem with that? So it has a hole in it... big deal, so do a lot of things.
Maybe I'm just missing the point, but I don't think it's "bad parenting" to have AOL assist you in guarding the information your kids can see. Personally, I would never censor anything from my kids, but if a parent wants to, why should they have to go out and find all "bad" sites on the internet and limit them from their kids? What a waste of time.
Please, I'd love to hear other people's arguments on this -- I really want to know why you think it's such an evil thing. Simply being against it because it's censorship doesn't exactly seem right to me.
When are parents going to learn that if they want to control what their kids see, they are going to have to watch them 24 hours a day?
No software will ever be able to replace parents. I have a son, and the way I look at it is that information cannot hurt someone who is intelligent. Misinformation is the real risk, and kids might believe it if they aren't prepared to always look for both sides of an issue.
Of course, a lot of parents don't want their kids to see both sides of an issue, and this is the big thing. It is going to be very interesting to see what a generation that grew up with the greater availability of information from all sides of the spectrum are going to turn out like. I think it will make these politicians' job of lying to the people a lot harder at least.
-----------------------------
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Step 1: Put up an internal firewall.
Step 2: Set up proxies.
Step 3: Monitor the webtraffic from the proxies. Have your monitoring be smart enough that you can label things as, "I know this is OK, don't mention it any more."
Step 4: Sit down and have some heart to heart conversations about anything that really bothers you.
By default don't get in the way. Have the rules match exactly what you are concerned about. And realistically, if step 4 fails, then you have real problems. You cannot block what your kid does at a friend's house, pretending that you can protect them by controlling what they do at yours is just stupid.
Cheers,
Ben
My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
Seriously, I'm sure this guy is a charming young man - and probably a decent second baseman too - but there are just so many other people you should spend your time interviewing. As a general rule, I'd like to suggest you refrain from posting lengthy discourse with people who place one or more of the following phrases on their homepage:
- "AOL Sucks"
etc..."Visual Basic"
--
I think there is a world market for maybe five personal web logs.
Uhm. no.
/.'s or your ISP's job to look after your kids. It is not the government's job to look after your kids. It is NO ONE'S JOB BUT YOUR JOB. Filtering software may be a helpful aid (issues of effectiveness aside), but do not blame us if your kid looks at porn.
1. It's not illegal to look at sites about warez. It's illegal to DOWNLOAD or provide warez. AOL or your local ISP may decide to block these sites (it's their prerogative), but there is nothing illegal about these sites that just provide info on them.
2. It's been shown again and again that filtering software of all types are at best grossly inefficient, many times blocking perfectly legitimate sites. This "workaround" would allow you to access these sites. This sounds pretty reasonable, no?
3. It is not
4. As far as I know, the ethics of news reporting require you to report the news. Not just the Happy News. or the Politically Correct News. Sure, there are times when news should be withheld (for the sake of security or whatnot), but this is hardly of that caliber. There have been news pieces on how bomb making instructions are easy to find on the Internet. Is the media irresponsible for pointing out that this information is available?
I'm going to stop now, before I get really pissed.
There is no replacement for proper, responsible parenting. The problem with these "parental controls" tools is that they are induced by a market of people who don't want to spend the effort to raise their kids properly, and depended on by people who don't understand what proper parenting is.
After all, it's your kid. You are the one who should supervise them and educate them in the proper way. That responsibility is on you not on AOL or any other corporation or person. The proper way to be a parent is to nourish a healthy relationship with your kid -- and that means spending lots of time and effort to educate him/her properly, and to maintain a good relationship. If you're not willing to spend the time or expend the effort, you're an absolute fool to think that so-called Parental Controls software or whatever other garbage they have out there will do your kid any good. And don't be surprised if your kid grows up to despise you. Kids know when you really love and care about them, versus when you're doing it grudgingly just because you know you have to.
Kids aren't Tamagotchis. Parenting is not merely about changing diapers, stuffing them with food, cuddling them when you feel like it, and sitting them in front of the TV or computer just so you don't have to spend the time/effort to be with them as a person. Parents who think that they can have both the "advantage" of distracting their kid with TV/computer and also "safe-guarding" them with "Parental control" garbage are greatly deceived.
---
mikre he sophia he tou Mikrosophou.
Why are we interviewing some kid who found a really lame hole in security software? That'd be like interviewing every individual that posts to BUGTRAQ with mind-numbing questions like, "Oh, so how'd you find the bug?" and "How many people did you tell?" .. this is really contentless. Is this Slashdot editor new?