Slashdot Mirror


AOL Still Working On AIM Security Hole

TeacherReviews.com writes: "According to this article at Newsbytes, AOL has been aware that users' screen names and credit cards can be stolen from not only AIM 4.3, but earlier versions of the instant messenger as well. This problem, which allegedly can happen to any AIM user, was first made public by Inside-AOL.com months ago, but AOL decided not to respond until this Thursday under increased pressure from Inside-AOL.com and other media." This is just the kind of news I could do without, having recently been persuaded to register with AIM and give GAIM a try.

118 comments

  1. Why Prosecute at ALL??? by bhalvors · · Score: 5

    This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulson, or Adrian Lamo describing a WEAKNESS that then allows the company to make a BETTER product? I think that companies that get cracked should prosecute FULLY and VIGOROUSLY, but companies that get hacked should say, "wow, that kinda sucks, thanks for letting us know and not being a thief!" Anyway, just a thought.

    1. Re:Why Prosecute at ALL??? by Shimbo · · Score: 2
      If you claim that the company doesn't know what went on, then it is implied that there isn't any evidence that the hacker did something "bad." What happened to "innocent until proven guilty"?

      Nothing. The individual involved committed a crime; that he did no damage and had no malicious intent is an argument for a lenient sentence, not a defence.

    2. Re:Why Prosecute at ALL??? by Crixus · · Score: 2
      This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation?

      The answer to this question is actually quite simple:

      Corporations, and even the government, are finally learning that the net is the great equalizer, and they have no control over it. In the beginning both the gov't and the corps thought they could control and manipulate things, but over time they learned that they had zero control.

      This is a frightening thing to learn for a person or organization who thought they had ultimate power. So in order to gain back some of the power they lost by entering the internet community they will prosecute to the hilt in an attempt to set examples, because there probably are one or two people who won't hack or crack after they read those Time and Newsweek cover stories about the 14 year old kids who lost their computers and went to jail after hacking the KFC website looking for their secret-sauce recipe.

      The same thing goes for the gov't as well. They ALWAYS over-react... and it's policy. Look at history. Recent examples being Ruby Ridge, Waco, and removing Elian Gonzales from that house in Miami. They go in full force to set examples in the hope that citizens will toe the line and be good little citizens and not do anything except sit around, watch Jerry Springer, and gain weight.

      Rich...

      --
      Ignore Alien Orders
    3. Re:Why Prosecute at ALL??? by sjames · · Score: 3

      This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulson, or Adrian Lamo describing a WEAKNESS

      There are a variety of reasons. For example, you arrive at home and find a note on your fridge:

      'You really need to get a better lock on your front door. Also, you forgot to carry the two when you balanced last month's bank statement, your milk expired yesterday and you're paying way too much for car insurance. P.S. Purple underwear? What were you thinking? Signed, Mr. 1337'

      Now, as a regular reader of urban myths, the question you have to ask yourself is: 'Did that guy stick my toothbrush up his butt?' or 'Will that embarrassing home video in my underwear drawer end up on a porn site?'

      On the other hand, if all Mr. 1337 did was get into your back yard and have a swim in the pool, it's probably not a big deal.

    4. Re:Why Prosecute at ALL??? by White+Shadow · · Score: 1
      . . . but it doesn't change the fact that he shouldn't have been mucking around on someone else's network to begin with.
      Ahh, you bring up the question that I have on my mind. Really, why shouldn't he have been mucking around? Because you're not "supposed" to? Seriously, what's a good reason for him not to? I think it really comes down to why he was mucking around. If he was doing it because he was trying to see how secure his own private information was, I think he has a right to check that. If someone tells me that my information is being kept private, I'd like to know what measures are being taken and be able to test if it really is secure. Now, I suppose if he was mucking around trying to take other people's private information, then he should be persecuted. Things get really sticky when you try to factor intent into the situation. (and yes, either way, it probably violates a TOS, but then again, I'm not concerned about legal, I'm concerned about fairness)

    5. Re:Why Prosecute at ALL??? by dirk · · Score: 4
      This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulson, or Adrian Lamo describing a WEAKNESS that then allows the company to make a BETTER product? I think that companies that get cracked should prosecute FULLY and VIGOROUSLY, but companies that get hacked should say, "wow, that kinda sucks, thanks for letting us know and not being a thief!" Anyway, just a thought.


      The answer is simply because you can't let anyone get away with it (in general). If someone hacks your system, doesn't seem to break anything, and simply sends you an anonymous message saying so, you REALLY don't know what went on. He may have taken data that you didn't notice, put a trojan or something else you didn't notice, opened up other security holes, etc. Just because someone says that they didn't do anything doesn't mean that they didn't. I think AOL went a bit far in prosecuting this guy if he actually did help them patch the hole, but it doesn't change the fact that he shouldn't have been mucking around on someone else's network to begin with.

      --

      "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
    6. Re:Why Prosecute at ALL??? by dirk · · Score: 2
      Ahh, you bring up the question that I have on my mind. Really, why shouldn't he have been mucking around? Because you're not "supposed" to? Seriously, what's a good reason for him not to? I think it really comes down to why he was mucking around. If he was doing it because he was trying to see how secure his own private information was, I think he has a right to check that.


      In theory this is true, but try it in real life. I have my money in the bank down the street. I still can't try to break in "just to see if my money is secure". To me, computer systems aren't really any different than property for this type of thing. You aren't allowed to muck around in either of them if they aren't yours, simply because we can't factor intent into it. If you get caught before you have done anything wrong, does that mean you weren't going to do anything? Or you just didn't get the chance to? It doesn't matter, because you shouldn't have been there in the first place.

      --

      "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
    7. Re:Why Prosecute at ALL??? by bhalvors · · Score: 1

      True enough. So, why can't people who love doing this sort of thing be registered, have to physically show up somewhere with several pieces of ID, and a 1M$ Bond, and get a Registered Systems Hacker ID#. Then they could play around and leave their ID#'s as proof of their white-hattedness?

    8. Re:Why Prosecute at ALL??? by jesser · · Score: 2
      otoh, the site could guarantee that all logs will be publicly available after 7 days, so anyone can check whether users are being malicious.

      --
      The shareholder is always right.
    9. Re:Why Prosecute at ALL??? by PJStrifas · · Score: 1

      Call me crazy but doesn't admitting illegally accessing a network toss out your "innocence until proven guilty" - I mean you broke some statute some place right? Let's see: So I broke into your house and looked around and I'm writing you a note to say your security is "lax". I mean in that statement I admitted to breaking in which is illegal - it's almost a confession! Definitely probable cause...

      --
      Regards, Peter J Strifas
    10. Re:Why Prosecute at ALL??? by mother_superius · · Score: 1
      Well, you live in your house. Once someone breaks into your house, they can take things, damage stuff, or more importantly wait for you and rape you, kidnap you, etc.

      When someone breaks into a computer, they can at most delete files or use your DSL for a DoS. You can easily back up files and reinstall. While most people of course do not want this to happen, it is not such a big deal. If anyone has had a computer hacked (me) and their house broken into (me) they will almost definitely tell you the house break-in was much scarier. Besides, this person didn't even damage anything. Manslaughter has a much lower sentence.

      So get decent security and don't fret when someone breaks in to your computer. Besides, merely exploring a network (a la nmap etc) is interesting and educational.

    11. Re:Why Prosecute at ALL??? by jesser · · Score: 2
      True enough. So, why can't people who love doing this sort of thing be registered, have to physically show up somewhere with several pieces of ID, and a 1M$ Bond, and get a Registered Systems Hacker ID#. Then they could play around and leave their ID#'s as proof of their white-hattedness?

      How about creating a (free) system like zeroknowledge where you're anonymous unless the maintainers of the system agree that you've done something bad? Wait, I already see a few problems with that idea:

      - I'm not sure I would want to go through even that little bit of trouble after thinking of some random possible security hole. I just want to see if it's there and if it is, tell the people who own the system.

      - Malicious crackers would probably take a hint and decide to use zeroknowledge (but at least they would become aware of the idea of white-hat hacking, and they'd still have to pay for zk (I think)).

      - Setting up that kind of service might legitimize the idea that "hacking other people's computers is bad".

      - There's a huge incentive to crack one of the routers for this system: you get to watch people crack other systems, and then you can either "make" them do bad things on the systems they've cracked (and get them in trouble) or crack the systems yourself.

      --
      The shareholder is always right.
    12. Re:Why Prosecute at ALL??? by sjames · · Score: 2

      When someone breaks into a computer, they can at most delete files or use your DSL for a DoS.

      Or steal banking records, customer lists, credit card numbers, personal email etc. Businesses can easily be seen to live in their computers. That's where all of their information resides. The question was actually why do businesses see a need to prosecute, I just used a home analogy since many people can relate to that better.

      Besides, this person didn't even damage anything. Manslaughter has a much lower sentance.

      I do disagree with the harshness of the penalty. It certainly shouldn't exceed manslaughter or rape.

      So get decent security and don't fret when someone breaks in to your computer. Besides, merely exploring a network (a la nmap etc) is interesting and educational.

      Nmap is more like driving through a neighborhood seeing how many people have decent locks and alarms and who doesn't. At most it is like trying a door knob w/o opening the door (note that in the real world, even that can get you in trouble, especially if you have a record). To me, it isn't cracking until an exploit is tried.

    13. Re:Why Prosecute at ALL??? by emok · · Score: 1

      If someone hacks your system, doesn't seem to break anything, and simply sends you an anonymous message saying so, you REALLY don't know what went on.

      If you claim that the company doesn't know what went on, then it is implied that there isn't any evidence that the hacker did something "bad." What happened to "innocent until proven guilty"?

    14. Re:Why Prosecute at ALL??? by Anonymous Coward · · Score: 1
      What happened to "innocent until proven guilty"?

      Mostly, people stopped being stupid enough to trust anonymous emails saying that of course there are no Trojans or backdoors or spare root accounts lying around, but you might want to check that buffer overflow.

  2. Time to log on to Jabber by foxxtrot · · Score: 1

    Just from what I've seen being a long time user of ICQ, and having used AIM, I think the best IM/Chat program on the 'net now has to be Jabber. It works similarly to the other programs, plus it allows you to chat with people on ICQ, AIM, Yahoo!, MSN Messenger. But, you have to have UserNames/Passwords for all those services.

    --
    -- this .sig is my .sig it is not your .sig if you claim it I
  3. Re:ICQ by Calle+Ballz · · Score: 1

    ICQ wouldn't be the best choice, no matter who they're owned by. First of all the newest version of ICQ's installation file is 5 megs, uncompressed it takes about 7-8 megs of disk space (just for a messenger program). That and it isn't the most secure IM application either. I found this link on www.securityfocus.com which lets other people access your account. It only affects the user locally, but look at how many college computer labs have ICQ installed on them........

  4. Re:AIM versus other clients by rabidcow · · Score: 1

    AOL's argument against other companies 'connecting' or in their words 'breaking into' their database (of users) has always been "Security".

    Ah, but security for AOL's users or for the other companies'?

  5. AOL must be insane by dodecahedron · · Score: 1
    This problem, which allegedly can happen to any AIM user, was first made public by Inside-AOL.com months ago, but AOL decided not to respond until this Thursday under increased pressure from Inside-AOL.com and other media."

    This sort of thing astounds me. Not only is it unbelievably bad business, but it's blood in the water for the litigation sharks circling out there. A big juicy target like AOL would be ripe for a class action suit as we've seen targeted against so many other businesses in the past.

  6. Re:2 questions by GMontag451 · · Score: 5
    How can you get credit cards, AIM doesn't use credit cards

    The reason everyone is talking about this hole allowing people to get credit cards is not because you can somehow find out the credit card number used to open an AOL account. In fact, if there is an AOL account with the same name as an AIM account, it won't work. People are talking about credit card fraud because with someone's AIM password and buddy list, it is a hell of a lot easier to do some social engineering, and that is exactly what some people are doing.

    The way this hole works is by changing a couple variables during runtime in AOL while creating a new screen name. Apparently, there is a variable corresponding to the screen name you want to create, and also a variable that contains two characters which are later prepended to the first variable. The hole is that if you put the first two characters of the name you want to steal in the second variable, and the rest of the name in the first variable, AOLs server will only check the first variable against its user name database.

    A much more detailed explanation here
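    The flaw GMontag451 describes is a validation/canonicalization mismatch: the server checks one variable for uniqueness, then builds the real screen name from a second variable prepended to the first. The following is an added illustration and is not AOL's code; the field names `prefix` and `body`, the in-memory `db` dictionary and the sample names are assumptions that mirror the "two variables" in the comment.

```python
# Added illustration of the registration flaw described in the comment above.
# Constructed example, not AOL's code: the `prefix`/`body` fields and the
# in-memory `db` are assumptions that mirror the "two variables" description.

def normalize(name: str) -> str:
    """Canonical form for comparison: AIM screen names compare
    case-insensitively and with spaces ignored."""
    return "".join(name.lower().split())


def register_vulnerable(prefix: str, body: str, db: dict, owner: str):
    """The uniqueness check looks only at `body`, but the name that is
    actually created is prefix + body. Putting the first two characters
    of a victim's name in `prefix` and the rest in `body` passes the check
    and then overwrites the victim's entry."""
    if normalize(body) in db:
        return None                      # "that screen name is taken"
    full = normalize(prefix + body)
    db[full] = owner                     # clobbers the existing owner
    return full


def register_fixed(prefix: str, body: str, db: dict, owner: str):
    """Assemble the final name first, canonicalize it, and only then check
    it: the check and the write operate on the same string."""
    full = normalize(prefix + body)
    if not (3 <= len(full) <= 16 and full.isalnum()):
        return None                      # reject malformed names outright
    if full in db:
        return None
    db[full] = owner
    return full


def demo():
    """Run both paths against the same constructed starting state.
    Returns (vulnerable result, owner after vulnerable path,
             fixed result, owner after fixed path)."""
    victim = "bobsmith"
    db_vuln = {victim: "bob"}
    db_fixed = {victim: "bob"}
    # attacker splits the victim's name: prefix="bo", body="bsmith"
    took = register_vulnerable("bo", "bsmith", db_vuln, "mallory")
    blocked = register_fixed("bo", "bsmith", db_fixed, "mallory")
    return took, db_vuln[victim], blocked, db_fixed[victim]


if __name__ == "__main__":
    print(demo())   # ('bobsmith', 'mallory', None, 'bob')
```

The general lesson is the one a reviewer would flag in any registration or ACL code: never validate a fragment and then act on a different, assembled value. Canonicalize the full value once and use that single string for both the existence check and the write.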

  7. Re:$50 by Tuzanor · · Score: 1

    ya but there's lots of red tape in applying for that fraud liability. And usually from internet scams, by the time you know your credit card is in the hands of a 3l33t h4x0r he's charged possibly thousands of dollars to the card. By the time this all goes through it can have already ruined your credit rating. Once you're in the "bad credit" section of any banks or credit companies it's extremely hard to get out.

  8. Re:So use Jabber by RobFlynn · · Score: 2

    If someone takes the password to your screenname then it doesn't matter HOW you connect to the service -- whether over AIM, Gaim, or Jabber -- the screenname's password has been compromised and you no longer have it.

    ---
    Rob Flynn
    Pidgin
  9. Didn't Microsoft Mention this? by Deathlizard · · Score: 2

    YET, here we have AOL knowing about a problem for MONTHS and not fixing it?

    If I remember correctly, Microsoft, before they got out of the AIM network to concentrate on their own IM userbase, mentioned that there was a huge security hole in AIM and AOL blew it off as MS FUD. Maybe they knew about it all along and kept it a secret figuring that someone would find it eventually.

    Personally, I use MSN Messenger. I used to use ICQ, then AOL got hold of it and turned it into the ultimate example of bloatware. How many people can remember when it was a 1.4 meg download? I think it's up to 6 megs now, has all kinds of stupid things like web servers and greeting cards that are almost never used, and they made the e-mail notification into a full-featured POS e-mail program that never would read e-mail because it would always screw up the downloading of headers. And I never used AIM for obvious reasons (it's from AOL).

    The only IM clients I would even touch right now are Yahoo Messenger and MSN Messenger, and since MSN Messenger currently has exactly what ICQ had before it became a bloat monster, that's the one I use.

    --

    1. Re:Didn't Microsoft Mention this? by vsync64 · · Score: 1
      The only IM clients I would even touch right now are Yahoo Messenger and MSN Messenger, and since MSN Messenger currently has exactly what ICQ had before it became a bloat monster, that's the one I use.

      Use TiK. It's l33t.

      --
      TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
  10. This happened to me... by PanIc+RidE · · Score: 1

    About 4 or 5 months ago my favorite AIM name was stolen out from under my nose and it was used to create an actual AOL account. I immediately brought this to the attention of AOL, but their stance on my situation was "You must have given your password to someone, and now that it belongs to a paying customer we're not going to do a damn thing".

    Now that the problem has been made public, is there anything I can do to get it back?

    ~Panic~

  11. The Linux version... by Spittoon · · Score: 1

    ...will be LAIM.

    hehe.

    ;)

    1. Re:The Linux version... by Spittoon · · Score: 1

      whoa!

    2. Re:The Linux version... by Fester213 · · Score: 1
      --

      -- Fester
      "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows."
  12. Re:AIM versus other clients by palp · · Score: 1

    That might be the case, but it'd still be inaccurate to say 'ICQ caught on even though it had a different protocol'. They developed at least concurrently, and from my experience ICQ's userbase grew much faster than AIM's (aside from AOL users, of course) initially. MSN or Yahoo messenger might be a valid case, but they still don't have the userbase of AIM. Basically, I'm willing to submit to the evil AOL empire for the sake of being able to contact people easily - almost everyone I know uses AIM, even if they have another messaging service, for the same reason - everyone they know uses AIM. It's hard to take a userbase like that and convert it, because most people don't want to change from what they're used to. For instance, I didn't go on AIM until ICQ started to really suck.

    Just my thoughts - I don't see any new IMs catching on as quickly as AIM and ICQ did, because they were the first (or first mainstream) ones available.

    --
    -palp
  13. Re:Leftist *trendies* are in vogue by Foogle · · Score: 1

    Um, Slashdot != America. You're seeing a trend on Slashdot. Most people in the US don't mind companies like Sony, Microsoft, and AOL.

  14. Re:AIM versus other clients by plague3106 · · Score: 1

    Well, I think that's nonsense. The only reason I got ICQ was b/c a friend said 'hey check this out, it's pretty cool.' Last time I checked, the Yahoo! and MSN IM systems were gaining a userbase fairly quickly. I'd say within a few years, just about 'everyone you know' will have one of these as well. When it comes to these chat programs, I don't think people are as loyal as you would think, and many have at least 2. Especially if they all work pretty much the same (which from what I am told, the MSN equiv. looks a lot like AIM).

    I agree that ICQ for Windows has begun to suck; I hate that they are using it to advertise, and it's way more bloated than it should be. Although the same can be said for AIM, which is why I'm still using one of the 1.x releases. At any rate the Linux clones seem to be coming along nicely, so I may switch to that.

  15. AIM holes and such by lonesome+phreak · · Score: 1

    This would explain the reason why one of the companies I work for, The Williams Companies, force us now to use this really crappy version of ICQ Groupware that I don't even think is being developed anymore.

    This is a multi-billion dollar company that is forcing its tech support (we support 30,000+ users and three different call centers) to use this communications method that shows us "away" half the time.

    This article, along with a few others, was shown to our management saying "ack look what they can do to our system integrity!" when the people pointing out the problem didn't even really know what they were talking about in the first place...

    --
    Maybe we DID take the blue pill. You wouldn't remember anyway.
  16. Hmmm. What service to use now . . . by Kreeblah · · Score: 1

    AIM? Uhhh. Look at the article. Ask yourself: Do I feel lucky?

    ICQ? Hmmm. Nope. Used to be good, until AOL bought it. Now I wonder whether UINs are going to be vulnerable . . .

    Yahoo! Messenger? Ah, a prima donna company that tries to take ownership of its users' pages. I think I'd be better off with AOL . . .

    MSN Messenger? Ah, a "reliable," "free*" product, brought to you by the kind folks at Micro$oft.

    PowWow? Honestly, how many people do you know that have even heard of it, let alone have bothered to create an account?




    * Subject to terms decided by Microsoft. By signing up for MSN Messenger service, you hereby agree to give Microsoft Corporation (hereafter referred to as "We Own Your Soul") sole ownership and possession of any and all inventions, ideas, etc. produced by you (hereafter referred to as "Putty-brain"), including any electrochemical developments and all genetic by-products. These terms are subject to change at our discretion.

  17. Re:Oxy-moron? by swf · · Score: 1

    Nah, he's probably a proper moron.

  18. AOL Still Working On AIM Security Hole by rlwhite · · Score: 1

    ALEXANDRIA, Va. (AP) - An anonymous AOL employee has leaked news that AOL is still working on creating the AIM security hole that will be the main new feature of AIM 4.5. This new hole will reportedly allow spammers every Friday night to identify and spam AIM users who refuse to have their profiles included in the publicly searchable AIM Member Directory. Spammers are expected to have to pay AOL $1000 to be directed to this new hole. Spammers will be asked to handover to AOL any credit card numbers they are given in subsequent transactions. Any credit cards with no AOL account will mysteriously get one without the user's knowledge.

  19. Re:ICQ by AviN · · Score: 1

    Welcome to the wonderful world of bloatware.

  20. ummm? by um...+Lucas · · Score: 1

    How can they steal my credit card information? I never gave said information to AOL in the first place. Nor does it reside anywhere on my hard drive, so far as i can figure. Is this some sort of "psychic" hack where they can read my mind or something? :)

    If the hole's limited to AIM, and AIM users don't need to provide anything but an email address to access the service, i can't figure how anyone could steal anything more than that.

    In the end they should enforce upon users a permissions based system. Each account gets a master account and 6 user accounts. They should explain the master account as being a sort of "root" account, only use it when you need to change your billing info or your screen names. And then disable "remote" access to it - ei AIM. That'd their worries right there, but at this point it'd cost them millions in order to notify everyone of the change and what to do about it.

  21. Re:AIM versus other clients by plague3106 · · Score: 1

    According to the copyright on my very old version of AIM, it came about in 1996. That's also when I discovered ICQ, which wasn't out that long at all at the time. And according to the copyright in my fairly recent version of ICQ, it also came about in 1996.

    Get your facts straight...

  22. Re:tell me about it by GargoyleMT · · Score: 1

    As far as the "When you set your away message, the hostiles IM you, and your away message gets sent to them, allowing them to warn you" goes: there's an option to turn off the auto-response and just set the away message in your personal profile.

  23. Re:AIM versus other clients by generic-man · · Score: 2

    How about, "It's their own network, so let them do whatever they want with it"? AIM's protocol was never fully open; the "Open your protocol back up" is just typical open-source drivel. They have an accessible protocol, TOC, which is implemented in their Java-applet clients and most open-source clients. Their binary protocol, OSCAR, is their own property. Some hacked implementations exist for other platforms, but they're not quite perfect.

    AIM is not life-or-death. The only thing they put at risk here is their Good Name (cough). You don't like it? Start your own IM network, and make it "standards-compliant." I'll be too busy chatting with all of my AIM and ICQ buddies to care.

    --
    For more information, click here.
  24. The AIM 4.x license/TOS by yerricde · · Score: 3

    The AIM 4.x license agreement states, in effect, `By installing this software, you agree to the terms. ... You may not use client software not approved by AOL Inc. on AOL's AIM servers.' This is why I use AIM 2.1 (the fastest Win32 AIM client that AOL ever made) on my Windows 98 partition, alongside Everybuddy. I know there's Jabber, but I found its AIM gateway to be a bit unreliable.

    --
    Will I retire or break 10K?
    1. Re:The AIM 4.x license/TOS by Phroggy · · Score: 2
      Hey, you use AIM 2.1? IM me; I'll make your system crash. :-)

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  25. Re:Why would anyone leave IRC for proprietary? by b0z · · Score: 2

    Actually, ICQ is even better than AIM in these regards. I don't know about the newer version because I hadn't upgraded, but the older ones do not show you ads at all. That goes to another point, that you don't have to upgrade the client all the time. I am running ICQ99b right now and will not upgrade. I tried the 2000 version and I didn't like it, so I went back to the old one. Another advantage is that it doesn't pop up windows while you are working. I hate when I am typing something and then someone sends a message on AIM (I am forced to use it at work) and I end up sending them a message of some code or something. Also, the ICQ protocol is not kept as secret as AIM. There are plenty of clones out there, and I believe ICQ does have a unix version that they made, as well as a palmOS version, mac, and CE in addition to the rest. Also for AIM, there is a java applet that is not too big and you can run to connect to the AIM service. I use it at work on my Sparcstation and have no problems with performance or any lack of features.

    --
    Mas vale cholo, que mal acompañado.
  26. Re:Hmmmm by atrowe · · Score: 4

    AOL members, by default, have the same AOL usernames and AIM screennames. By stealing the AIM account of an AOL subscriber, you will be able to change the password and gain access to all other AOL features by using the same screenname/password as that user's AIM screenname/password.

    --

    -atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.

  27. Re:Why not use ICQ instead by b0z · · Score: 2
    Of course, by now you must know that ICQ is owned by none other than AOL,...

    ICQ is a decent product in my opinion, and the opinions of many. Just because it is owned by AOL doesn't mean it is a horrible product. I am pretty sure you are using either Netscape or Internet Explorer. Both of these companies are hated and bashed a lot for their problems and the way they do business. However, that doesn't mean that they don't do something right once in a while.

    ...and that the company is planning on merging the services. (Don't believe me? Download AIM 4.3, and log in using your UIN and password.)

    Well, that is their choice, however, for the year or two that they've owned ICQ, I've never had to stop using the older versions. At this point I have no need to "upgrade" to AIM 4.3 so this doesn't really affect us yet. If they do merge the two and force everyone to upgrade, I see the potential for people finding something else similar to ICQ because it has a lot better features than AIM. In fact, it could be possible for a rogue ICQ network running ICQ groupware servers. I've done that before, and even though that only runs on NT, I believe there is a unix or linux clone that someone made.

    Furthermore, ICQ's security is pathetic. Messages are sent person-to-person directly, opening up unnecessary ports on your system. Your password is sent in plaintext (as opposed to AIM's brilliant method of XOR'ing it with "TicToc") so anyone with a sniffer could find it.

    Excluding the peer-to-peer part, the exact same could be said for pop/sendmail based email systems. However, we all know how widely used it is. Email, and to a greater extent instant messaging, should not be your main form of communication. I use ICQ to keep in touch with friends and family, not to send credit card orders or discuss top secret plans. I don't want people to read my instant messages, but if they do it will not actually hurt me. It is basically just a toy, like talking on walkie talkies or sending a postcard. If you want some form of encryption, you can encode your messages with pgp quite easily, and I believe there may be an ICQ plugin for doing that as well. Also, as far as security, you mentioned another thing...that the messages from ICQ are peer to peer and do not go through the server. That is one advantage over AIM. If my messages go directly to the person I want to send them to, how can AOL log them?

    --
    Mas vale cholo, que mal acompañado.
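    The "XOR'ing it with TicToc" that the quoted parent mocks is the TOC protocol's password "roasting": each password byte is XORed with the repeating key string "Tic/Toc" (the comment abbreviates it) and the result is hex-encoded. XOR with a fixed public key is its own inverse, so, as b0z says, it offers nothing over plaintext against a sniffer. The code below is an added example, not from the page or from AOL; the sign-on line it parses is constructed, and the exact field layout of that line is an assumption for the example.

```python
# Added example, not from the page or from AOL: shows that TOC password
# "roasting" is reversible obfuscation, not encryption. The roast key
# "Tic/Toc" is the one the TOC protocol uses; the sample sign-on line and
# its field layout are constructed for this illustration.

ROAST_KEY = b"Tic/Toc"


def _xor_with_key(data: bytes) -> bytes:
    """XOR every byte with the key, repeating the key as needed."""
    return bytes(b ^ ROAST_KEY[i % len(ROAST_KEY)] for i, b in enumerate(data))


def roast(password: str) -> str:
    """Client side: XOR with the key and hex-encode with a 0x prefix."""
    return "0x" + _xor_with_key(password.encode("latin-1")).hex()


def unroast(roasted: str) -> str:
    """Sniffer side: the same XOR recovers the password from the wire value."""
    if not roasted.startswith("0x"):
        raise ValueError("not a roasted password")
    return _xor_with_key(bytes.fromhex(roasted[2:])).decode("latin-1")


def password_from_signon(line: str) -> str:
    """Pull the roasted field out of a captured sign-on command.
    Assumed layout: toc_signon <host> <port> <user> <roasted> <lang> <ver>"""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "toc_signon":
        raise ValueError("not a toc_signon line")
    return unroast(fields[4])


# Constructed sample of what a sniffer would see for the password "hunter2".
SNIFFED_LINE = 'toc_signon login.oscar.aol.com 5190 mybuddy 0x3c1c0d5b311d51 english "TIC:TOC"'


if __name__ == "__main__":
    print(roast("hunter2"))                    # 0x3c1c0d5b311d51
    print(password_from_signon(SNIFFED_LINE))  # hunter2
```

Roasting only stops someone from reading the password off a screen or a log at a glance; anyone who captures the sign-on command recovers it with the same key. The security-relevant comparison in the thread is therefore between two forms of plaintext, not between plaintext and encryption.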
  28. Re:AOL...not AIM by generic-man · · Score: 4
    (2) It only applys to AOL accounts, and not AIM

    No. Is it so hard to read the damn article first?
    Indeed, Graham emphasized in an interview that the attacks were "limited to the AIM system. No one on the AOL platform has had their security compromised."

    --
    For more information, click here.
  29. Re:Something I did a while back. by generic-man · · Score: 1

    Congratulations. You took the exact same thing that spammers on AOL do with AOL chat rooms and l33t VB pr0ggi3z, and did it with Perl. I'm proud of you.

    Maybe soon someone will figure out a way to gather e-mail addresses by spidering web pages. Could nebby101@hotmail.com fall into the hands of spammers? Could all e-mail addresses be gathered this way? Judging by some mail that I get, "100 MILLION EMAIL ADDRESSES FOR $49.95" is a good place to start checking.

    --
    For more information, click here.
  30. uh. by djocyko · · Score: 1
    AOL has been aware that users screen names and credit cards can be stolen...

    Where do credit cards come into the picture for AIM? This makes 0 sense to me.

    1. Re:uh. by satanklawz · · Score: 1

      Read the article at inside-aol.com.

      You create an AOL account that over gens the AIM account, for which you in turn need a CC in order for billing to be authenticated.

      satanklawz
      root@inside-aol.com

  31. Re:Something I did a while back. by zencode · · Score: 1
    "I had a whole plan of this myself, but of course that's WAY against their terms of use."

    Hrm. The act of obtaining them or possession of them? It might be illegal to run a bot in such a manner, but owning a list of valid IM names? Someone would just have to harvest them and sell the list. I'm stunned that nobody has done this yet.

    But talk about intrusive! Forget a phone call during dinner; imagine the phone throwing the handset at your head!

    --

    My .02,
    zencode

    iactivist.org/jason

  32. The Hole Was Fixed by CyberQuog · · Score: 1

    From www.inside-aol.com:

    "12/1/00: Better late than never - despite missing their stated deadline for a solution, America Online has managed to put a stop to the theft of Instant Messenger subscriber screen names, according to information received by Inside-AOL.com. We hope that their fix will prove to be a lasting one, and find it greatly satisfying to see that even the largest of companies cannot ignore public pressure indefinitely."

    So, AOL is not completely negligent.

    --
    - *Normality Is The Root of All Evil*
  33. credit card numbers? by Trepidity · · Score: 4

    The slashdot blurb says this could lead to credit card numbers being stolen. The articles linked to did not mention this. Furthermore, since registering for an AIM name does not involve giving a credit card number, I fail to see how this is even plausible. Is slashdot just making up news or is there a factual basis behind this allegation?

    1. Re:credit card numbers? by QuantumG · · Score: 2

      heh.. maybe if you just ask the AOLuser they will give you their credit card number. "How would I know your screen name if I wasn't from AOL?"

      --
      How we know is more important than what we know.
    2. Re:credit card numbers? by maquina · · Score: 3

      The credit card numbers that are mentioned in the article are the ones being traded to acquire more desirable screen names.

      From the Article in Security Focus:
      Credit Cards Abused
      Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.
      Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."
      For full story visit link:
      http://www.securityfocus.com/news/119

      --------
      Maquina
      http://director.chessmasters.com/maquina

  35. Just great by 11thangel · · Score: 1

    Makes me thankful that I got off AOL itself 6 months after I got onto the net and signed up with a free ISP under a name in Ohio (yet I am a proud New Yorker). Sometimes being paranoid pays off.

    --

    I am !amused.
  36. yeah yeah by patreides · · Score: 1

    Sounds like they pulled a Microsoft.

    How long did it take them to "fix" VBScript holes in Outlook again? :-)

    --
    # debian/rules
    1. Re:yeah yeah by plague3106 · · Score: 1

      Actually, we've applied the patches, and are still getting hit by lovebug variants...

  37. Maybe... by Galvatron · · Score: 2

    Maybe not. You can have different AIM and AOL passwords. Most people will probably pick the same password, but in theory there's no reason why this is necessarily the case.

    --
    "The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
  38. Re:2 questions by Radish03 · · Score: 1

    If you read the article linked to up there, it says that they could get AOL members' credit card numbers, and AIM members' screen names and passwords.

  39. Re:ICQ by Mojojojo+Monkey+Inc. · · Score: 1

    You are an idiot. Back in the days of 2 gig hard drives, an 8 meg install might be considered huge; nowadays, though, we've got 20 and 40 gig hard drives, and nothing to fill 'em up with but MP3s. Why not write larger and more feature-rich programs if we've got the processor speed to handle it? If you've got an older computer, then stick with the old version you have; it'll still work.

  40. hey timothy by jbridge21 · · Score: 2

    Just so you know, I, and several other people, have had lots of problems with GAIM. It crashes a lot basically. I don't really know quite where the issue is, but thankfully there's plenty of good UNIXen AIM clients out there. I myself use Tik (an emacs-lisp version :-) for those times when I need to get on, which is not too much...

    But just so you know, if you run into problems, try something else.
    -----

  41. How does AOL treat their own web site by slashdoter · · Score: 1
    If I worked at AOL I would want this fixed right away. It has to make you wonder: if they knew about it, then why would they let their own accounts remain in danger? It would make me want to fix this problem fast, if even just for my own good.


    --
    Does anyone actually have a Java program designed to control air traffic, or for the operation of a nuclear facility?
    1. Re:How does AOL treat their own web site by generic-man · · Score: 1

      Well, I guess we know why you don't work for AOL then.

      --
      For more information, click here.
  42. AIM versus other clients by iamsure · · Score: 3

    AOL's argument against other companies 'connecting' or in their words 'breaking into' their database (of users) has always been "Security".

    They never elaborate, nor specify exactly what criteria have to be met, so others can meet it and get use of their network.

    The FTC was considering possibly forcing them to open up instant messaging, but seemed to back down when AOL said they refused due to security of their customers.

    YET, here we have AOL knowing about a problem for MONTHS and not fixing it?

    Smells like time for a few senators and congressmen to say a few words to AOL about "equal standards".

    Open your protocol back up, AOL.

    1. Re:AIM versus other clients by plague3106 · · Score: 1

      Open your protocol back up, AOL.

      Ugh, you know what, who the fuck cares what protocol they use. It's so incredibly simple to design another one; why waste time trying to get AOL to open something that is reproduced virtually without effort? Look how fast ICQ caught on, and it has a whole other protocol. Don't give me that "everyone has AIM" crap; ICQ is proof that any protocol will do.

    2. Re:AIM versus other clients by yerricde · · Score: 2

      Start your own IM network, and make it "standards-compliant."

      We already did. It's called Jabber.

      I'll be too busy chatting with all of my AIM and ICQ buddies to care.

      There are already Jabber-to-TOC and Jabber-to-ICQ gateways that let Jabber users chat with users on other servers, and they're getting ready to install MSN and Yahoo! gateways.

      --
      Will I retire or break 10K?
    3. Re:AIM versus other clients by palp · · Score: 1

      ICQ was around long before AIM.

      --
      -palp
  43. AOL...not AIM by Anonymous Coward · · Score: 1

    Someone should check facts; the article is a little bit wrong.
    (1) The exploit was first posted on observers.net
    (2) It only applies to AOL accounts, and not AIM
    (3) It was patched about a month ago.
    -Eternal

    1. Re:AOL...not AIM by satanklawz · · Score: 1

      Wrong, wrong, wrong, sir. The exploit is only for AIM and, even though AOL has "FIXED" it, is still exploitable. satanklawz root@inside-aol.com

  44. ICQ by RESPAWN · · Score: 2
    Looks like it's time to use ICQ again. Oh wait, that's owned by AOL, too.


    --

    If Murphy's Law can go wrong, it will.

    1. Re:ICQ by Calle+Ballz · · Score: 1

      Just because I have a bigger better box doesn't mean I want bigger memory-hogging applications to use everything. I buy faster hardware to run applications faster, not to run newer, huge programs that eat up more memory than ever conceived. You can run your huge new applications; I will stick to the older ones that work.......dick

  45. To protect yourself... by jesser · · Score: 3
    I just registered sseRud (my screen name minus the first two letters) so nobody can do this to my main screen name. I also registered jsserud and tried to register esserud because the securityfocus and upsidetoday articles didn't convince me that I didn't need to register them as well. Esserud turned out to already be registered, which surprised me, but it's not important that I own those userids, just that the buggy registration thingie knows they're not available.

    (Note: I'm not trying to imply that it's ok for there to be such a huge security hole by posting these instructions to slashdot. I just want to point out that it's possible to protect your account without going through too much trouble.)

    Moderators: I'm above the karma cap, but I'm still a karma whore, so do whatever you want to this post.

    --
    The shareholder is always right.
    1. Re:To protect yourself... by jesser · · Score: 1
      Wait... has the hole been fixed? It's not clear from the articles.

      --
      The shareholder is always right.
  46. Re:Why Prosecute at ALL? - They do it out of fear. by jibs · · Score: 1

    I'm by no means a hacker (or cracker), but I can recognize their importance. If well-intentioned hackers are afraid to help the companies out, then a foreign crackpot will inevitably find the flaw out and exploit it before anyone realizes it. So, I would hope that AOL found some reasonable evidence of fair wrongdoing before blindly prosecuting. The courts are becoming an evil tool of people with more money. Justice will never be served as long as money can buy it.

  47. Re:2 questions by generic-man · · Score: 2
    If you read the article linked to up there, you'll see this quote:
    Indeed, Graham emphasized in an interview that the attacks were "limited to the AIM system. No one on the AOL platform has had their security compromised."
    In other words, they could NOT get AOL members' card numbers. This is just a hack that could let people pretend to be me when talking to my buddies.
    --
    For more information, click here.
  48. Re:Why would anyone leave IRC for proprietary? by RESPAWN · · Score: 1
    Actually, I truthfully prefer ICQ. I used ICQ99b for quite a while until my most recent format. I do absolutely love the way it doesn't pop up when you get a message. Combine that with the offline messaging feature and it makes ICQ great for trying to coordinate an online game of Counter Strike with friends around the nation. The only problem I had with it was that the vast majority of my friends don't use it. And the ones that do also use AIM, so I never bothered to reinstall it after my format. My roommate however, uses 2000 and it doesn't have any ads as well. And as for squelching the pop-ups in AIM, I usually just keep an away message up with the "disable windows" checkbox checked. I believe that you can still hear when somebody IMs you, but you can answer it at your own leisure.

    As for the alternate versions of ICQ, I believe that I used a version in the past for Linux entitled Licq, and had no complaints with its operation. And AIM Express (the Java applet) is also a pretty nice little utility, especially when combined with the latest version of AIM that stores your buddy list on their servers, as well as locally. AIMe's great when you're at some public terminal or a non-windoze box to be able to instant message a friend with a question. Not to mention that keeping your buddy list stored on their server makes it much easier for me to keep my list coordinated between all three of my machines.


    --

    If Murphy's Law can go wrong, it will.

  49. Re:WTF by RTMFD · · Score: 1

    Two things:

    1) Just because he's sentenced to 19 years, doesn't mean he'll do 19 years.

    2) Breaking into a computer is viewed by many corporations in the same way as if you broke into their company headquarters, poked around in their file cabinets (if there are any), and then left a note with your name, address and home phone explaining who you were, what you had done, and that you "didn't see anything confidential, steal stuff, or otherwise molest important items."

    I'm sorry to have to say it, but this kid was a friggin' idiot.

  50. Looks Like It's Closed by SkyIce · · Score: 3
    from inside aol:
    Update @ 12/1/00: Better late than never - despite missing their stated deadline for a solution, America Online has managed to put a stop to the theft of Instant Messenger subscriber screen names, according to information received by Inside-AOL.com. We hope that their fix will prove to be a lasting one, and find it greatly satisfying to see that even the largest of companies cannot ignore public pressure indefinitely.
  51. WTF by mwalker · · Score: 4

    Jay Satiro, 19, pleaded guilty Tuesday in Westchester County Court to first-degree computer tampering. He faces up to 15 years in prison.

    The average prison time served after conviction for homicide, willful murder, is 5 years, 11 months.

    First degree computer tampering? A 19 year old with obvious talent belongs in federal prison. You bet.

    The greatest crime you can commit in America is first degree curiosity.

    1. Re:WTF by ColdGrits · · Score: 1

      Insightful?!?!

      He compares one AVERAGE with another EXTREME and extrapolates a completely invalid conclusion and you call this INSIGHTFUL?!?!

      --
      People should not be afraid of their governments - Governments should be afraid of their people.
  52. Why open source protocols would have solved this by aozilla · · Score: 3

    I've seen this happen at companies that I've worked for over and over and over again. You make a client, and a server, talking to each other over a proprietary protocol, and you forget that the client is inherently untrusted. Security through obscurity breeds in these proprietary environments. I've had heated arguments with programmers who insisted that the server was secure because the client was unable to perform certain actions. I've had managers ask me to prove that these problems were security holes by exploiting them, but without modifying the client source code because "the public doesn't have the client source code, so if you need the source code, it can't be exploited". The fact is, if you have any plans of being as big as AOL, your protocol will be reverse engineered, alternate clients will be created, and your security holes will be found.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
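    The post above makes a general point: the client is untrusted, so validation has to happen on the server. The following Python is an added example (not AOL's code, and not code from the post's author) that models a screen-name registration service. The SecurityFocus quote elsewhere in this thread says attackers created "indented" screen names by sending two blank spaces in a client field; this page does not say how that turned into account takeover, so the collision modelled here (two raw strings that fold to the same canonical name, with uniqueness checked on one form and lookup done on the other) is an assumption chosen to show why validation and uniqueness must both be enforced server-side on the same canonical form. The character policy in `ALLOWED` and the whitespace-stripping, case-folding canonical form are likewise assumptions for the example, not AOL's actual rules.

```python
import re
import unicodedata
from typing import Dict, List, Optional, Tuple

# Assumed policy for this example, not AOL's real screen-name rules.
ALLOWED = re.compile(r"^[a-z][a-z0-9]{2,15}$")


class RegistrationError(ValueError):
    pass


def canonical(name: str) -> str:
    """Fold a name to the form used for comparison: NFKC, casefold, and
    every whitespace character removed. 'Jess Erud' and '  jesserud' both
    fold to 'jesserud'."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if not ch.isspace())


class NaiveRegistry:
    """Trusts the client: uniqueness is checked on the raw string exactly as
    sent, while message routing resolves names by canonical form. The two
    checks disagree, which is the class of bug the post describes."""

    def __init__(self) -> None:
        self.accounts: Dict[str, str] = {}  # raw name as sent -> owner

    def register(self, raw_name: str, owner: str) -> None:
        if raw_name in self.accounts:  # raw comparison only
            raise RegistrationError("taken")
        self.accounts[raw_name] = owner

    def resolve(self, target: str) -> List[str]:
        """Every owner whose stored name folds to the target. More than one
        hit means an 'indented' registration now shadows the original."""
        want = canonical(target)
        return [o for raw, o in self.accounts.items() if canonical(raw) == want]


class HardenedRegistry:
    """Validates and de-duplicates on the server, on the canonical form,
    regardless of what any client (official or reverse-engineered) sends."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Tuple[str, str]] = {}  # canonical -> (display, owner)

    def register(self, raw_name: str, owner: str) -> None:
        display = raw_name
        # Reject anything the client tried to indent or pad: the display
        # form must equal its own stripped form and contain no doubled spaces.
        if display != display.strip() or "  " in display:
            raise RegistrationError("leading, trailing or doubled whitespace")
        key = canonical(display)
        if not ALLOWED.match(key):
            raise RegistrationError("bad characters or length")
        if key in self.accounts:  # canonical comparison
            raise RegistrationError("taken")
        self.accounts[key] = (display, owner)

    def resolve(self, target: str) -> Optional[str]:
        hit = self.accounts.get(canonical(target))
        return hit[1] if hit else None


def try_register(registry, raw_name: str, owner: str) -> Optional[str]:
    """Return the rejection reason, or None when registration succeeded."""
    try:
        registry.register(raw_name, owner)
    except RegistrationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    naive = NaiveRegistry()
    naive.register("jesserud", "victim")
    naive.register("  jesserud", "attacker")  # raw uniqueness check passes
    print("naive resolves to:", naive.resolve("jesserud"))  # both owners

    hard = HardenedRegistry()
    hard.register("jesserud", "victim")
    print("hardened:", try_register(hard, "  jesserud", "attacker"))
    print("hardened:", try_register(hard, "JessErud", "attacker"))
```

    The point of the hardened version is not the particular character policy but that the same canonical form is used for the uniqueness check, the stored key and the lookup, and that the check runs on the server no matter which client produced the request.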
  53. Re:Something I did a while back. by mosch · · Score: 2

    Well, spammers have found interesting ways to try to get these completed user lists. A standard spammer trick is to take any address they get at all and make variants of it for the big ISPs. After all, if there's a barbsmith@someisp.net, there's probably a barbsmith@aol.com. Given the negligible cost of sending spam, it doesn't matter if it only hits one in ten times.

    AT&T gets something in the neighborhood of a million or two bounces from this type of spam, per day.

    --
    "Don't trolls get tired?"

  54. Re:Doesn't matter anyway by caite · · Score: 1

    My work forced me to get an AIM name. Then they tried to be angry that I put my work email address in instead of my personal one. I'm sure lots of people's jobs require them to use IM, and AOL's is popular.

  55. geeze, tim by the_tsi · · Score: 1

    > This is just the kind of news I could do
    > without, having recently been persuaded to
    > register with AIM and give GAIM a try.

    We've already had to deal with Taco this week and his anti-Java stance. Do you think the Slashdot guys could get any more elitist about things?

    -Chris
    ...More Powerful than Otto Preminger...

  56. Re:Something I did a while back. by Leknor · · Score: 1

    You're not describing anything new. People have harvested email addresses for a while. Just describe how to harvest email addresses and then s/email address/screen name/g and bam, your post.

    AOL is not as evil as most people like to think. With their AIM service they provide all the tools to have none/some/all privacy and still chat. People just don't use them and then get their panties in a wad.

    What I disagree with is the warning system, which I think is an aggressive action and not defensive like they claim. Blocking a user is defensive. Warning actually affects the other screen name's ability to use the service, which I think is wrong even if I don't agree on how they are using or taking advantage of it.

    Sorry it turned into a rant.

    Leknor

  57. wrong! standalone AIM is vulnerable by nycdewd · · Score: 1

    The name-hijack exploit most CERTAINLY applies to users of the standalone AIM... and who's not checking facts? Here they can be found: http://Inside-AOL.com The exploit can be SIMPLY thwarted: just register again for AIM and use your current username MINUS the first TWO letters in your username... DOH.

  58. Re:2 questions by cd_Csc · · Score: 1

    oops - typo there... should be "ON SecurityFocus." This article explains how the credit card numbers are compromised, along with some other interesting technical stuff that seems to have been left out elsewhere.

  59. Re:Something I did a while back. by nebby · · Score: 2

    Both harvesting screen names and sending unsolicited communications are against their terms.

    --
    --
  60. Re:Something I did a while back. by nebby · · Score: 2

    Well, not all e-mail addresses (most, I'm betting) are AOL screen names.

    Also, the trick is finding "active" screen names. The ones coming in and out of chat rooms are the best cases for that, afaik. Ones that have big buddy lists probably are too.

    There'd have to be a way to automate the process of "hacking" an account, getting the buddy list, and then doing the same on all of those, rinse, repeat.

    I think you need to use that AOL tool though, so it's probably an impossibility to automate such a process.

    --
    --
  61. Wait, i was under another impression by ryanman101 · · Score: 1

    I have both AOL and AIM, and I registered my AIM screenname (same as my AOL screenname) after I had the AOL account. Despite the fact that they are the same screenname, when I change my AOL password, my AIM password doesn't change, and I have to subsequently change it. Therefore, it seems that there are two different password databases...

  62. Irony... by Technodummy · · Score: 4

    ".... Earlier this year, a hacker discovered that he had gained access to AOL's internal network. He contacted them and told them about it, then helped them fix it. After it was fixed, AOL turned around and had him prosecuted."

    if you bite the hand that helps you... will it reach again?

  63. Re:Why not use ICQ instead by generic-man · · Score: 3

    Ah yes, the typical "AIM sucks, use ICQ" response to an article like this. Of course, by now you must know that ICQ is owned by none other than AOL, and that the company is planning on merging the services. (Don't believe me? Download AIM 4.3, and log in using your UIN and password.)

    Furthermore, ICQ's security is pathetic. Messages are sent person-to-person directly, opening up unnecessary ports on your system. Your password is sent in plaintext (as opposed to AIM's brilliant method of XOR'ing it with "TicToc") so anyone with a sniffer could find it.

    ICQ and AIM are supported in Everybuddy for Linux. Good app, with no ad banners or ugly "skins" or "wings" like Odigo.

    --
    For more information, click here.
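    The comment above (and the reply at the start of this section) calls AIM's XOR with a fixed string "brilliant" as a joke; the following Python, an added example and not code from GAIM, AOL or the commenter, shows why it protects nothing on the wire. Third-party clients spoke AOL's TOC protocol, in which the password is sent as the string "0x" followed by the hex of each password byte XORed with the repeating key "Tic/Toc" (the comment's "TicToc" is shorthand for that string). The key is fixed and public, so whoever captures the sign-on line reverses it with the same XOR. The sign-on line in the block is constructed for the example; its field layout (`toc_signon host port screenname roasted_password language version`) is the one TOC clients used, and latin-1 is assumed as the byte encoding.

```python
from typing import Optional

ROAST_KEY = b"Tic/Toc"  # fixed key hard-coded in every TOC client; nothing secret about it


def _xor_with_key(data: bytes) -> bytes:
    """XOR each byte with the repeating key. XOR is its own inverse, so the
    same function both 'roasts' and un-roasts."""
    return bytes(b ^ ROAST_KEY[i % len(ROAST_KEY)] for i, b in enumerate(data))


def roast(password: str) -> str:
    """What a TOC client puts on the wire: '0x' + hex(password XOR 'Tic/Toc')."""
    return "0x" + _xor_with_key(password.encode("latin-1")).hex()


def unroast(roasted: str) -> str:
    """Recover the cleartext password with no secret at all."""
    if not roasted.startswith("0x"):
        raise ValueError("not a roasted TOC password")
    return _xor_with_key(bytes.fromhex(roasted[2:])).decode("latin-1")


def password_from_capture(line: str) -> Optional[str]:
    """Given one captured TOC command, return the cleartext password if the
    command is a sign-on, else None.
    Sign-on layout: toc_signon <authhost> <authport> <screenname> <roasted> <language> <version>
    """
    fields = line.split()
    if len(fields) < 5 or fields[0] != "toc_signon":
        return None
    return unroast(fields[4])


if __name__ == "__main__":
    # Constructed sample of what a sniffer on the TOC connection would see.
    captured = (
        "toc_signon login.oscar.aol.com 5190 jesserud "
        + roast("hunter2")
        + ' english "TIC:example"'
    )
    print(captured)
    print("recovered password:", password_from_capture(captured))
```

    The only difference from ICQ's plaintext password, which the same comment calls pathetic, is one table lookup for the eavesdropper; obfuscation with a fixed, published key is not encryption, and a sniffer on the path recovers either one.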
  64. Something I did a while back. by nebby · · Score: 5

    A while back I was playing with the idea of getting lists of AIM user screen names to use for sending random stuff to at my will. The only way that I knew of to get screen names of AIM users was to either do a search in the directory or look in chat rooms. I also tried generating them, but that didn't work well.

    Of course, the system had to be automated, so I decided to go the route of chat rooms. I wrote an AIM TOC client in Java (and some bot stuff too, but that's another story), hooked it up to some scripts, and before I knew it I had a list of like 500k or so screen names (acquired over a period of like 2 weeks of sitting and harvesting).

    It was fully automated, grabbing the latest open chat rooms from the web at AOL's site and parsing them out via perl script. It was pretty scary, actually. Once or twice I IM'ed a few random ones just to see if I really was getting screen names of real people, and sure enough they were always like "Who the hell is this?" .. it was freaky :)

    I did some more research and realized that what I was doing was against AOL's terms of use, so before it got out of control, I stopped. The names I had gotten, anyway, were just stupid AOL people who were usually less than 14 years old and probably asked "a/s/l" several times an hour.

    This little hole though makes me wonder if there's a way to get a list of ALL the screen names.. the college kids, the working adults, not just the AOL geeks who use the "AIM chat rooms".

    You shouldn't do it because of the legal implications, but I'm betting someone would pay a hefty sum for a list of several million active screen names for IMing advertisements to. I had a whole plan of this myself, but of course that's WAY against their terms of use.

    Or you could just OSS the whole list :)

    --
    --
    1. Re:Something I did a while back. by kcarnold · · Score: 1

      Sorry buddy, that already happened. That's why you don't ever put your real email in the Slashdot box. Or if you want people to know it, obfuscate it in a humanly-obvious but garbage-to-spambot way. See mine; it's purposely weird, but you should be able to figure out my real email from it anyway. And of course "nebby101@hotmail.com" is in their databases.

    2. Re:Something I did a while back. by nebby · · Score: 2

      Well, to brute force it would take a lot of work.

      The first method is to generate every possible screen name (x characters) and do those. This is too much and too slow, impossible.

      The alternative method is to generate words off a dictionary (pseudo-words) using syllables and stuff, since a lot of screen names are not real words. This actually worked pretty well in guessing actual names, but again these screen names were usually not active for ages.

      --
      --
    3. Re:Something I did a while back. by Ed+Avis · · Score: 2

      What's the big deal? Why are they trying to keep the names secret anyway?

      Surely it would be better to give each user a name (which is public) and a password (which is private). Then if users don't want to receive messages from people they don't know, a simple option in the AIM client would do it.

      --
      -- Ed Avis ed@membled.com
  65. Re:2 questions by Radish03 · · Score: 1
    How about this part of the article?
    America Online [NYSE: AOL] said today that it is in the process of closing a security loophole that allowed hackers to steal AOL Instant Messenger (AIM) screen names and, in some cases, access AOL members' credit cards.
  66. Re:Hmmmm by pen · · Score: 1
    This is the case now, but for the longest time, AOL displayed this information to anyone who got the password for the master screen name. Furthermore, AOL still has services which allow you to charge stuff to the account's credit card.

    --

  67. Re:2 questions by generic-man · · Score: 1

    I don't understand! They told me, "At AOL, your privacy and security are always respected." Mr. Graham has some explaining to do...

    --
    For more information, click here.
  68. Re:Doesn't matter anyway by dankjones · · Score: 1
    It may be a stupidity exploit, such as causing a window to pop up and say

    um... we kind of forgot your billing information, username and password.
    Could you tell us what it is again?

    stupidity exploits work rather well on AOL users.

  69. Oxy-moron? by sheetsda · · Score: 5
    The article mentions an "AOL hacker". Does this seem like an oxy-moron to anyone else?

    "// this is the most hacked, evil, bastardized thing I've ever seen. kjb"

  70. AIM Buffer Overflows by lkaos · · Score: 1
    Every well-informed geek knows there are about a billion potential buffer overflows in AIM. The funny thing is, not only did AOL deny this fact, but they actually exploited these buffer overflows to weed out non-AOL clients that didn't have these buffer overflows.

    Yet another reason why I don't use Windows or AOL.

    --
    int func(int a);
    func((b += 3, b));
  71. Re:ass by medicthree · · Score: 2

    are you from britain or something? "first reply"?

  72. $50 by The-Bus · · Score: 1

    If all that was stolen was credit card numbers, then that's not necessarily a big deal. By Federal law you're only responsible for the first $50 of any fraud committed against you, and most banks cover that responsibility for you. Yes, it's still AOL's fault, but a stolen credit card number isn't a big hassle if you deal with the fraud as soon as you see it happen and you act accordingly.

    --

    Small potatoes make the steak look bigger.

  73. Oh, hi timothy. by kcarnold · · Score: 1

    Yes, I'll fess up, I'm the one who gave him the suggestion... but I'll qualify that by saying that I'm flatly refusing to run any AOL software on my computer, and encouraged Tim to do the same. And remember, you don't even give AOL a credit card number when you sign up for an AIM account -- only an AOL account.

  74. Why would anyone leave IRC for proprietary? by Anonymous Coward · · Score: 1
    Why would anyone want to leave an open decentralized interactive chat service like IRC for one that is:

    proprietary,
    invades your privacy by collecting data covertly,
    rolls over when anyone wants to examine logs of what you did,
    actually keeps those logs,
    forces you to upgrade your client (and OS if needed) every time and again,
    only supports one or two OSes,
    changes their protocols to deliberately foil free implementations,
    tells you what you can and cannot say,
    reserves the power to cancel your account for any reason,
    spams you with ads and calls it the "price" for your using the SW free,
    ...

    Gee, I guess IRC really does suck. The big corps know what's best for me and I should grow dependent on them.

    Not.

    1. Re:Why would anyone leave IRC for proprietary? by RESPAWN · · Score: 1
      Why would anyone want to leave an open decentralized interactive chat service like IRC

      Who said we even used IRC in the first place?

      proprietary

      *shrugs* what's that matter if all my friends also use the proprietary software?

      forces you to upgrade your client (and OS if needed) every time and again,

      When has this happened? It seems to me that all older versions of AIM are always backwards compatible with the newer ones. As for ICQ, I don't use it much, but I believe it is the same case here.

      only supports one or two OSes

      Yeah, ok. You do have a point here. But, in all fairness to all us *nix users, Windoze and MAC OS are slightly more mainstream.

      changes their protocols to deliberately foil free implementations
      spams you with ads and calls it the "price" for your using the SW free

      I don't really see the problem here. It costs money to maintain those servers that AIM and ICQ use. That's why they put ads in the AIM client: to try and make money off this thing. After all, they didn't have to make it in the first place. And all those free versions out there just use the resources of AOL's servers without providing anything in return. They're in it to make money, and I don't think they ever claimed otherwise. Besides, it's not hard to ignore an ad. I don't think I could tell you any of the last ten ads I saw on AIM.

      tells you what you can and cannot say

      Again, I'm not sure where you got this, but even if it is so, I don't think I've ever heard a story where AOL has chosen to enforce this policy.

      reserves the power to cancel your account for any reason

      In AIM and ICQ, AOL is providing a service free of charge. Furthermore, we agree to a licensing agreement in order to use this free service. Seeing as we have not paid any money to use this service, we should not be able to complain if they wish to cancel our free account. That's not to say that I wouldn't be miffed if my account were canceled, but since I have no monetary stake in this service, I see no real reason that I should maintain control over my membership.

      Now, that's not to say that IRC sucks either. It is a very nice service. However, it also lacks the UI of AIM and ICQ, which, although their features are represented in IRC, provide them in a more user-friendly environment, one that I have found very convenient.


      --

      If Murphy's Law can go wrong, it will.

  75. Re:Hmmmm by jemfinch · · Score: 1

    Please, read the article. AOL accounts aren't vulnerable from AIM; it's exactly the opposite. And, as noted in a previous post, AIM and AOL screenname passwords are not kept in sync.

    Jeremy

  76. A few points missed by A+Phantasm · · Score: 1

    A few points were missed on the exploit and its details.

    It doesn't matter which version of AIM you use for the service; what matters is if you have an AIM account. The AOL service comes into play due to using AOL to steal the name.

    The way its done, and a walk-through on the hole was provided by Observers.net and can still be found there by the link at http://www.observers.net or http://www.observers.net/indent.html

    Basically ANYONE that had an AIM account could have been vulnerable to getting the name stolen. It didn't matter if AIM, GAIM, Everybuddy, or anything else out there was used.

    Whoever posted it first is not known to me, I know I assisted in the observers.net article a while back.

    ~Phantasm
    observers.net

  77. Wanking - the NEW Chinese home of the GPL by Anonymous Coward · · Score: 1

    Since you so desperately need it, Mr "Bash RMS because it's cool to"

    Since 1984, RMS has been working on writing software for, and promoting the GNU project. A project to provide software which is not only royalty free (free like beer), but that allows the user to modify, pass on and generally screw up said software (free like speech).

    The GNU project has always had the aim of replacing UNIX with a workalike system (it could be argued that this is the aim of emacs alone). By the early 1990s GNU was providing a complete set of development and user tools to run on top of many commercial operating systems. The only part missing was the kernel.

    GNU have been working on their own UNIX like kernel. Built on top of the Mach Microkernel, HURD aims to compete with the most advanced and modern operating system kernels to date. However, development (which of course had to be done using entirely GNU tools) has been slow and even now HURD is not ready for any sort of production system.

    In the early 1990s Linus Torvalds appeared from nowhere with a working rewrite of the Minix kernel written under the GPL, Linux. The Linux kernel is heavily based on tried and tested designs, old technology. However, it works, is fast and incredibly reliable. This was the spark on the arms dump that was GNU. Suddenly there was available a completely free operating system with all source code and a range of user and development tools.

    In media terms it appeared overnight. One minute there is a bunch of obscure hackers writing compilers for UNIX, an OS that had not even been heard of by most computer users. The next, there are a few distributions of "Linux", providing the kernel alongside sets of GNU tools.

    Linux took off. Picked up by many students wanting to get their hands dirty with something that they could work on and learn about, it was propelled into teaching institutions, ISPs and the hands of even more hackers. By 1998, Linux was being touted as "the last best hope" against Microsoft, just as the Apple Macintosh had been before they went into their long dark period of flaming Powerbooks and buggy Finders.

    Linus Torvalds will not be remembered in history as an innovator; he will be remembered as an implementor. As his discussions on Minix with Andy Tanenbaum show, Linus wasn't concerned with new technology, taking advantage of powerful hardware or dealing with the problems of tomorrow. He seized the opportunity to apply textbook principles and build an OS kernel using 60s concepts. Linus should not be hailed as a great hero who boldly coded where no man had done before. The reason that Linux is now

    Next came the ugly bits. Industry wasn't interested in an operating system written by "hackers" thrown together from whatever was available. They refused to provide device drivers for Linux, mainly because they were concerned that they might give away trade secrets by providing free source code under the GPL. Throughout the 2.0, 2.1 and 2.2 kernels, Linux changed constantly. Providing binary only drivers for it became impossible (was this on purpose). Companies had no choice but to provide code t

    Source code was released under a variety of licenses. There was GPL code, BSD code, XFree86 code, Apache code, Artistically licensed code and all sorts of other weird things. The only common factor was that each provided source code and allowed users to at least distribute untampered versions of source code and binaries.

    So, in an effort to tidy up the situation, the "Open Source Movement" began. Fronted by ESR and Bruce Perens it brought together all code fitting a common denominator of source code availability and freedom of copying under the banner, "Open Source". Initially, opensource.org claimed to, and did, act as a marketing campaign for the GNU project. It generated amazing amounts of publicity.

    However, when opensource.org started to class software such as QT under the same banner as GCC and other GNU software, RMS took issue. He denounced open source as not being purely free software and distanced himself from the movement.

    Open source is the power hungry brat child of GNU. Concerned with short term publicity and gain, they abandoned the principles that have given GNU such a strong foundation. After RMS split from opensource, there were various other internal squabblings, most visibly over the use of the trademark "Open Source". Next came the talks at Microsoft from ESR and the killing he made by being on the board of VA Linux. In the space of a few months he managed to suddenly move from the editor of the Hacker's

    In a sense, ESR not only distanced himself from the hacker ideal, but showed software developers and marketeers just what potential for cash-in existed in open source software. Since then, it seems, open source has been the latest and greatest buzzword. Everyone (even Microsoft) has either released open source software or talked about it. Suddenly, there is a vast amount of code available to normal users.

    RMS argues that it is wrong to call the "Linux distributions" "Linux". Instead he favours GNU/Linux, to show that the system is comprised of both GNU tools and the Linux kernel. This will probably never happen as the term "Linux" is so well established in the media now (when HURD comes along, things may be very different though). A much better name for most of today's Linux distributions would be opensource/Linux. For example, Mandrake comprises binary only versions of software such as netscape w

    Recently there was a Slashdot interview with RMS where questions were submitted by users. The story carried a health warning. RMS is accused by many of being a zealot who wants to see all programmers starve. He is not.

    RMS provides a much needed figurehead for the FSF, a group devoted to providing and fighting for free software. Much like Marx, Machiavelli or Nietzsche, everything he says should be taken with a pinch of salt for life in the real world. But without these people, without the purist ideals they promote, we would be stuck in a realistic world of pragmatists ready to sell out at the first opportunity, hardly role models.

  78. About the Credit Card Fraud by TankDawg7 · · Score: 1

    In order to steal an AIM account not only do you need an AOL Registration Number and Registration Password, but you need a valid (not one generated by a Credit-Card Generator; AOL checks to see if the credit card is not only valid, but existing) Credit-Card Number. Now obtaining an AOL Registration Number and Registration Password is fairly easy. Just go somewhere that is distributing those damned AOL CDs. The Registration Number and Password are listed with every CD. I also remember seeing generator programs for them a while back. So, that's not the hard part. The hard part is getting the valid credit card number. In my mind I see more people going ahead stealing credit cards from other people just for the sole purpose of stealing someone's AIM account. I mean, AOL users aren't vulnerable to this; if you read the article you would know this. Only AIM users are at risk, if you consider losing an AOL service as being "at risk", LOL. There is no credit card information kept on AIM users, so I don't see how they could obtain a credit card from that person unless they pretended they were the person whose account they stole to get a credit card number out of a friend or relative, which is still highly unlikely. In the whole article about people stealing credit card numbers...I think they meant more that this will slightly increase credit card fraud, because the person wanting to steal someone's AIM account will need to obtain a valid existing credit card number. Because you obviously aren't going to want to use your own credit card number. So you would need to steal someone else's, in trade for stealing an AIM account. Now the risk involved in this I'm not sure about, but it depends on how much you are willing to risk just to steal someone's AIM account and mess around with them for a bit. To me it doesn't seem worth it. If you are going to play a practical joke on someone don't waste your time, just infect them with SubSeven to mess around with them a bit.
    I really don't see what someone could get out of stealing someone's AIM account...financial stuff, NO...possibly through social engineering, but highly unlikely. To me stealing someone's free AOL service doesn't seem worth the time or possible risk. And everyone should know how anal AOL is about stuff. Peace, TankDawg7

    --

    ...The greatest crime you can commit in America is first degree curiosity...

  79. Poor Timothy by alexburke · · Score: 1

    This is just the kind of news I could do without, having recently been persuaded to register with AIM and give GAIM a try.

    Sorry, what did you say your screen name was again?

    --
    "Give him head?"

  80. ok by xpenguin+dude · · Score: 1

    simple solution:

    don't use AOL.

    --

    Visit my website xpenguin.com -- A linux penguin website

  81. Doesn't matter anyway by atrowe · · Score: 2

    Anyone who already has AOL is too damn stupid to figure out how to steal an account and everyone else wouldn't want an AOL account, even if it is free.

    --

    -atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.

  82. Not everyone who uses AIM is vulnerable... by D'Arque+Bishop · · Score: 3
    Well, true, AIM users who are NOT AOL subscribers are possibly vulnerable, but there were a couple of exceptions to this vulnerability, according to a SecurityFocus article:

    Once an AOL account exists under an AIM screen name it cannot be hijacked again--although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.

    Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, minus the first two letters, are already taken are also immune: i.e., if Hn Doe has an AIM account, then John Doe's is safe.

    Makes me glad I already have an AOL account as a backup dialup...

  83. So use Jabber by yerricde · · Score: 2

    Jabber is a Free instant messaging system with a Free server and several Free clients. No AOL needed; however, there are gateways to Yahoo!, MSN, AIM, and ICQ if you have an account on those services.

    --
    Will I retire or break 10K?