Slashdot Mirror
AOL Hacks Subscribers' Computers
ctwxman writes "If you're running a recent vintage version of Windows, and connecting to the Internet with an IP address reachable from the outside world, you've probably seen them. They're rectangular boxes that pop-up out of the blue with advertising. These aren't pop-up (or pop-under) browser ads but actually a weird misuse of Windows Messenger Service, a mostly useless tool which Microsoft has left on by default! Though similarly named, this isn't at all related to Microsoft's IM product. You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services. The best way to stop the pop-ups requires the user to readjust some internal Windows settings. As you might imagine, many users are reticent to do that. Now, AOL has come up with another solution. They're going into subscribers' machines, without asking and making the adjustments themselves! Though the short term result will probably be good, there are all sorts of implications when your ISP just reaches out and decides how your PC should be configured without your knowledge." The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating.
...next thing you know they'll change their name to a0l.
(fp?)
I hope this helps.
--- Ban humanity.
1st in! Bring back CompuServe... I rued that day AOL bought them out.
will complain about anything.
wtf?
I for one hope that AOL starts distributing the Microsoft patches on their CDs and via their service as well as part of their AOL software updates to encourage people to get the most recent software patches. (fp?)
I wonder how this will stand up in court when someone decides to sue...and you know someone will.
Don't get me wrong, I'm not approving of what AOL is doing, but at worst this is "white hat" hacking. This is the sort of stuff that /.ers joke about (and perhaps engage in), chuckling about writing worms that use holes in Windows to get in and then patch the very same holes.
Dammit... Almost had it. Wonderful, so the internet monguls are out setting things for people on AOL. Wonder if users of AOL (that know what they are doing) will revolt? Then again, I wonder how they are going about changing these settings? Imbedded patch?
When you have the single largest group of ignorant users in the world, how do you educate them to protect themselves from the MS problems?
I bet AOL did this due to constant complaints from susbscribers about AOL "allowing" or "sending" them popups.
I also bet there's a clause in the AOL agreement (which AOL subscribers have agreed to) that either explicitly allows AOL to configure your computer, or allows them to change their policy at any time, thus allowing that by proxy.
.sigs are for post^Hers.
This has nothing to do with MSN Messenger. Even the summary says this, you didn't even need to RTFA.
LordBodak's journal.
yes it was lame. i don't even know if i got it right. oh well.
Someone should post how to adjust the 'internal windows settings' so that these go away.
Eat at Joe's.
They could just put a blanket firewall over their entire subscriber IP pool...
While there are clearly bad implications for this, there are many positive ones. I am constantly amazed when I ask people if they get the windows messangers pop-ups and they answer 'all the time!'
I've never gotten them (I suppose my router helps), but I turned off the service long ago, but I talk to many people who say they get them several times a day. They are always very grateful when I turn it off for them.
AOL shouldn't do this automatically, but they should have a prominent feature that allows users to download a program to shut messanger off for them (perhaps AOL could get such a program from one of the many companies that advertise shutting off this feature by exploiting it in the first place!)
That says a lot.
The computer fraud and abuse act covers unauthorized access, and while the changes may not be explicitly authorized, I'm willing to wager that there is some clause in the agreement between the users and AOL that allows for this kind of thing.
Unethical, yes.
Legal? Possibly. I haven't used AOL in about six years, and even then, I don't think that I looked at the EULA (if there even was/is one)
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
Put away your ping -fs , put away your ddos, put away your dozens of hax0red b0xen, step aside mafiaboy its aOL. After fixing your messenger problems they will also install a ddos trojan.. Soon a0l will unleash its army of 20 million ddos drones to wipe MSN off the face of the earth.
The overlap between the Slashdot population and AOL subscribers is probably somewhere near 0%, so who cares. In related news, my university hired a new computer literacy teacher to teach Microsoft Office 2000 apps, yeah.
Turn off Messenger
Install AOL on there PC. Get Hacked Sue
Beware of those who profit off the docile and persecute the unbelievers.
The typical AOL user is vulnerable no matter which angle you take. It's like if a new ISP service was started by the "...For Dummies" company. As a user you'd have a big Kick Me sign on your back.
"I hope more and more providers do this type of proactive security," he said, "and that we don't condemn them for things we wish everybody would do for themselves."
Wait..he can't be saying what I think he's saying, can he?
Excuse me, I'm going to go do this type of "proactive security" for my "customers".
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Yeah, but the idea of your ISP fuX0ring your computer isn't so cool. But at the point where you use an OS that *lets* your ISP do that shit, AOL isn't the greater evil.
-Looking for a job as a materials chemist or multivariat
I dunno just asking, I'd like to think that a big player like AOL knows all the dirty tricks to cover themselves legally before pulling stunts like that. They've been around a bit and this move is just too sloppy IMHO
Sehr geehrter Toilettenbenutzer!
in soviet russia, YOU hack AOL....
and with all those russian hackers, thats probably a true statement....
This post cannot be re-broadcast without the express written consent of Major League Baseball.
Microsoft Security Analyst
- Remotely corrected flaws in the Microsoft Windows operating system
- Reason for leaving: Incarceration by the Federal Bureau of Investigation, 2004-2006
meep
echo "your monitor's radiation shield has failed, please evacuate to minimum safe distance" |smbclient -M luserbox doesn't get them every time, but when it does...
and thus brain shall rule us!
Dude - you don't understand what this story is about!
/. - lamers who don't even read the STORIES let alone the articles will surely get modded into oblivion.
But hey, this is
Surely...
"And the meaning of words; when they cease to function; when will it start worrying you?"
Michael, thank you for your continuous and ever-present righteous indignation. You certainly add something to Slashdot...
Or perhaps they will just change their name to "Time Warner"
Except that the first part of my comment has nothing to do with messenger, it's about creative advertisement, and the other half is the off-topic distaste of messenger.
--------
Free your mind.
I mean, they could always add a clause, assuming the it's not already in there...
Such a depressing news day, I'm leaving early for the pub today
Oh, and who the hell is Russ Cooper - seriously, a "security expert" recommending that software providers secretly reconfigure machines ? Lemme guess, he's a MCSE who's on the take ?
RE:
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
I guarantee that somewhere in some license agreement the users gave AOL permission to do this.
/etc/inetd.conf would you call it "adjusting Linux's internal settings"?
And as for "adjusting Windows internal settings", let's stop the FUD shall we? It's turning off a service. Nothing insidious. If someone recommended that you comment out the telnet line in
Everyone knows that turning off Messenger is a good thing. AOL is looking out for their customers. Give em a break.
I'm just guessing here, but I don't think they will really mind having a spam conduit shut off for them. They are almost always computer illiterate, and wouldn't have the slightest idea how to do on their own.
I know the poster is trying to make a finer point, but it won't matter to an AOL user, and they would likely resent someone casting aspersions about their chosen form of internet communication. Just a thought, but you might do better minding your own business.
Well it is another reason not to use that particular ISP, but hey, c'mon, who needed one? Surely no self-respecting propeller-head was ever going to do that anyway.
On a more serious note, this just reinforces my personal desire not to have a home internet connection. I use the one at Uni, sure. I also use a local net cafe for downloading, but there is no way on Earth that I would ever have a connection running into my own PC at the moment. I want my PC to remain my property, and I certainly don't want my digital domain to be interfered with by meddling corporations. My software is my software, and woe betide anyone who attempts to fiddle with it withouth my permission...
-- Soluzar
Sign the FSF's Anti-DMCA petit
I think even non-slashdotters colud manage:
. shtml)
Disabling the Messenger Service
You can disable the Messenger service if you want to although doing so may result in Windows not being able to alert you to some conditions. A list of circumstances when Windows will use the Messenger service to pop up informative windows isn't available right now but may include things like "print job complete", anti-virus, and event logger status messages. Also, "new mail" notifications may not be available in an Exchange/Outlook environment.
Windows 2000
1. Click Start->Programs->Administrative Tools->Services
2. Scroll down and highlight "Messenger"
3. Right-click the highlighted line and choose Properties.
4. Click the STOP button.
5. Select Disable in the Startup Type scroll bar
6. Click OK
Windows XP
1. Click Start->Control Panel
2. Click Performance and Maintenance
3. Click Administrative Tools
4. Double click Services
5. Scroll down and highlight "Messenger"
6. Right-click the highlighted line and choose Properties.
7. Click the STOP button.
8. Select Disable in the Startup Type scroll bar
9. Click OK
You can verify the service is disabled by typing the following at a command prompt. If no message appears, the Messenger service has been disabled.
* net send 127.0.0.1 "test"
(blatantly ripped from http://www.jmu.edu/computing/security/info/winmsg
This is a service, as mentioned, and so it can be stopped. Right click my computer -> manage -> Services and Applications -> Services -> right click on Messenger, and click disable. Can you linux users really not figure out the simplest things in Windows?
net message username message
I use it when I just don't want to pick up the phone. Not really usefull except for saying "rebooting the server in 15 minutes. Save your work. Consider yourself warned." I used it a lot more in the NT4 days then I do now though. Far from useless like the article would have yuo believe. Granted, for home use it should be turned off.
What I find amusing is that usually a couple hours later, from the SAME EXACT IP ADDRESS as the anti-Messenger spam, a 'porn' ad or Viagra ad will appear.
The Computer Fraud and Abuse Act makes this clearly illegal
No, it doesn't. Point out to me where this would fall under that act. The act requires fraud, causing of damage, etc...
DrLunch.com The site that tells you what's for lunch!
actually, the FBI won't investigate without a reported loss of $10K (see The Cuckoo's Egg by Cliff Stoll - tho i don't know how this has changed since cliff wrote his goofy book.
of course, given some of the claims made of damages by corporations (cough! nytimes! cough!), perhaps all these users could claim 10million in damages with about as much plausability and get an investigation!
-Frank"Other bands play, but Manowar KILLS"
Git along hapless users. Cck! Chk! Git! C'mon users, git!
US Democracy:The best person for the job (among These pre-selected choices...)
AOL users. Their swarming membership will probably be oblivious to all this, and think that they finally got the 'internet security slider in just the right position, or alternately, figure all the replies they sent spammers saying 'take me off your list' just got there.
"You know why you do not see me styling wit my homies? Because I have no homies!!" -Mojo Jojo
I hate to defend AOL, but so what. AOL has been f**king with subscribers computers for years now. From changing TCP/IP to modifying network settings and on and on. They were sued for this kind of this with AOL 5.0, and that was several years ago. This is hardly new behavior from their part.
The only thing newsworthy about this is the fact it is finally actually a beneificial change to the users computer. Frankly, it'd be more newsworthy if they made a change that opened a security flaw instead of closing it. Perhaps this is considered newsworthy because AOL finally did something in the consumers best interest? Otherwise, why the story?
AOL is just protecting their business.
A Quick Visit to Gibson Research to get "Shoot The Messenger" will fix that, but in my experience, the average AOL user doesn't have the knowledge/competence to get there.
There is only one satisfying way to boot a computer. -- J. H. Goldfuss
How is this a troll post? Is it not true? I applaud AOL as I do M$ for their ability to rule most of the market. Think about all the tards that currently think AOL is the best thing that has happened to the internet. Or do they believe that AOL is the internet....? We recently switched our travlers from them over to Earthlink and I think it is the best thing I could have done. I am a firm believer that AOL sucks and should be put out of its misery.! Nuf said
alias dir='rm -rf
Let me get this straight.... The ISP that intentionally displays pop-ups in user inboxes, the start page, chat, IM, and web areas wants to help "fix" computer without you knowing?
<stat prnd_analyze.frk=1>
The sheer fact that they had the ability to control your computer in this way should be duely noted as downright ludacris! Despite their "effort" to stop certain ads from showing up on your computer, I believe this is only being done so they can be replaced with even more pop-up ads directed from AOL. As a former Beta tester, I knew that AOL rep's could read your email, chat logs, IM logs, and visited websites in a matter of seconds, but this is just too far (if you don't believe me, call up AOl and ask what SPECIFIC activities have been going on with your screen name). Where exactly in that EULA does it state "America Online has the right to control, modify, and "fix" your computer as they see fit at any time?
<stat prnd_analyze.frk=0>
Business \Busi"ness\, n.;
A scam in which all people involved perceive as beneficial...
Back when I was the Pool Guy, I had to employ a similar tactic. You see, many customers require pool service. A large subset of these customers require "service" on "ports" that aren't usually associated with pools. As you can immagine, "servicing" these "requests" landed me in hot water on more than a few occasions.
One day it occured to me that I could simply change my standard contract to unconditionally allow me to preform any additional "service" the customer required. All at no charge.
Can I sue AOL for prior art?
choking (could say jerking) each other (&, the rest of US), off, at the customer.
what a surprise?
"internal Windows settings?" That's like calling daemons internal Unix settings. They are separate programs. Turning them on and off isn't even HARD.
You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services.
Uhh...yes you can. If you're on AOL or any other dialup service, there is *no* reason to have your NetBIOS ports open to the world. When I was on dialup at home, I firewalled its port (UDP 137 I think; might be 139) off with no ill effects.
The best way to stop the pop-ups requires the user to readjust some internal Windows settings
Like disabling the Windows Messenger service? Wow, that's internal. Hint: Right click 'My Computer' -> Manage -> Services and Applications -> Services -> Messenger -> Right click and go to Properties -> click 'Stop' and change 'Startup type' to Disabled.
http://www4.law.cornell.edu/uscode/18/1030.html
i guess you're right, while unauthorized access is made, itdoesn't say anything in there about non-damage situations.... and perhaps it's in the aol terms that they can do this? anybody (show yourselves!) have a copy of those terms?
-Frank"Other bands play, but Manowar KILLS"
i, for one, welcome our new AOL overlords.
:p
.. and if that user is unapproved, prevent them from accessing the internet. the computer may still be purchased and used by the individual, on the individual's property, but it shouldn't be taken out onto the "internet" without first receiving approval.
while what they are doing is certainly illegal, i would consider it on par with the virus-writer who released the worm that patched some of the other worm-exploits found earlier this year.. it's certainly a problem for a few people, but what they're doing is not intentionally malicious. it's also easy to undo those changes, if you really want the glitch to be present.
unfortunately, it still doesn't tackle the base issue... which is to say, there are millions of people who simply _do not know_ how to use their computer in a responsible manner. much like how a driver must show the state that they are able to drive a car, a computer-user should be able to show the state that they are capable of properly handling a computer..
ah, wait, does that mean that the government knows that your computer exists? well, yes, yes it does. wanna know a secret? they already know you exist. i have a social security number. you have one, too. i (can) have a driver's license. you (can) have one, too.
seig heil, AOL!
that excite.com is still in business/around. Just seeing that site was like a blast from the past
We all know how to go into the Administrative Tools in XP and shut off the Windows Messenger service,right?
So what do these products (often advertised via Windows Messenger service) that sell for $39.95+ actually do?
Just wondering. It really disgusts me how Joe Sixpack Average Internet User is preyed on incessantly these days.
do() || do_not();
AOL claims to block spam and popups for their customers and given that their market share is levelling off as well as Time Warners stock price sinking a little each day, this seems like a serious "let's-cover-our-asses" type move on AOL's part.
If called on it, they can claim their being do-gooders on behalf of their customers - which is only partially true. They're betting that people getting these messenger pop-ups will cause greater problems that those people that realize that AOL is forcefully altering a windows port setting.
At this point in their business, it's probably not a bad risk to take, however unethical it is.
Why don't they just inform people that they can stop the pop-ups without any sort of action on the customers' part? Then instead of being shot down by privacy advocates, they would be applauded by their customers for helping them out with something (somewhat) complicated. Of course, they ARE AOL users, so who knows how they'd react.
Because typical AOL users are idiots and have never patched their systems. kthanx.
According to AOL's online history, AOL is a 17-year-old. OK, it's a bit of a stretch, you have to count from when they went online instead of when they incorporated and they'd still be less than a month away from 18 years, but that's my story and I'm sticking with it.
Slashdot - News for Herds. Stuff that Splatters.
I just received a new AOL Coaste^H^H^H^H^H^HCD yesterday and as I was tossing it in the trash I noticed some interesting fine print. I don't have the cd with me so I'm paraphrasing but it said something along the lines of this: "By installing this CD you grant AOL the right to make configuration adjustments to your computer to enhance performance."
Seems to me that what AOL is doing would be perfectly legal then as opposed to the actions of some 17 year old doing the same. By installing AOL onto their box the user grants AOL the right to make changes. If you don't like it, don't install... This isn't even a click-through EULA or something. This is right on the packaging. While I don't condone AOL's actions, it appears that they're not doing anything 'legally' wrong.
I am a leaf on the wind. Watch how I soar.
Come on people, we all know that those who use AOL know nothing about "the computers", and don't care.
The comment at the end of the article attributed to Russ Cooper is unbelievable coming from a "security expert". For those who do not RTFA here it is
"Russ Cooper, a security expert with TruSecure Corp., said anyone who needs the Windows messaging function that AOL disabled ought to be smart enough to know how to reactivate it."
This type of forced security by AOL is not welcome in any form. As an analogy, what if there were a few burglaries in your town. The criminals decided that most people in your town keep their back doors unlocked so they have easy entry. How would you like it if the police or some other person decided to go to every house in your town and go in your house and lock your back door for you? Don't worry they won't steal anything, they're "protecting" you.
Russ should be ashamed.
mp3's are only for those with bad memories
Please. Every time you install a piece of software it "adjusts" your operating system's "internal settings". If Microsoft rolled out a cumulative security patch that disabled the messaging service would you have bothered to post a story on /. decrying their unauthorized "hacking"?
I installed Windows XP in September 2002. About 5 minutes after connecting to the internet, a Windows Messenger message popped up with an advertisment. A simple search on Google told me what was going on. A quick trip to http://support.microsoft.com/?kbid=302089 and I have never worried about it since. Plus, the Microsoft solution allows me to install and configure services that require Messenger as a dependency.
Sure. Unfortunately, (and i'm not saying this to be mean).. there are more and more people getting online these days that know less and less, or don't want to learn anything. They just wantt to be `taken care of' by someone who knows, even if it's wrong.
Sad.
do() || do_not();
Wow. This poster needs to do more research, and perhaps back off the sensationalism a bit re: Windows Messenger Service.
"...Windows Messenger Service, a mostly useless tool which Microsoft has left on by default!"
How is it useless? In a corporate environment, admins use the service all the time (at least I did) to inform users of server reboots, downtime, etc. I use it at home to send quick messages to other Windows users on my LAN. I also use it in conjunction with Linpopup, where my Linux router will pop up a message whenever something 'bad' happens (outside attacks, etc.)
"You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services."
Um, exqueeze me? Messenger uses the netBIOS ports: 135, 137, and 139. If you block these ports, you're only disabling Windows' RPC communication, which isn't needed unless you're on an NT/2K-based domain, sharing folders, or want to actually use the messenger service. If you're on an NT/2K domain, you're most likely behind a firewall. If you're sharing your drive, and you don't have a firewall, then you're just dumb. If you don't want the Windows Messenger service running, set it to disabled! It takes 5 seconds.
If AOL is doing Very Bad Things to its users, that's fine. Report on that. Just back the sensationalism meter down a tad when you don't know what you're talking about.
I'd bet the AOL licensing agreement (among others) basically says this.
The bigger problem is that the act of changing the configuration to block these ads is both benign and sinister. On the one hand it can be construed as a valuable customer service -- use AOL and we automatically update your computer to minimize spam/ads/etc. On the the otherhand unannounced reconfigurations could interfere with normal PC operations or uninstalling AOL. I'm not sure how a company can both provide tweaks like this one and explain all the implications of the tweaks to customers and not piss-off customers with to many "read this important message" notices.
Two wrongs don't make a right, but three lefts do.
That's what my firewall is for.
You see? You see? Your stupid minds! Stupid! Stupid!
This made the front page because a company, arguably the largest US end-user Internet Service Provider, is using their software to do it without telling anyone. Some people see this as an analogue to the kind of hacking that people get arrested and sued for.
Brazil has decided you're cute.
we've got some other problems to talk about.
Here's a page that we send people to at the University of Wisconsin Milwaukee when they have questions about this.
Disabling Windows 2000/XP Messenger Service
here's a bit of irony for you....
The first (and last) of these popup's I received informed me that the only way I could get rid of those popup's was to go to some website and install some software. Well, I promptly googled for a solution, found how to disable Windows Messenger Service, and haven't dealt with it since.
I'm sure if I did as they suggested it would have been something like a popup blocker coupled with a keylogger--of course, that's assuming it wasn't *entirely* malicicious and would actually install a popup blocker.
Do I contradict myself? Very well, then I contradict myself, I am large, I contain multitudes. -- Walt Whitman
To see this, I sacrificed what little innocence my computer had left and installed the latest version of AOL, 9.0 Optimized.
Indeed, it does infect your system with all sorts of adapters, media players, and installs quicktime and realplayer without your knowledge, but it did not disable windows messenger (note: I restarted after install and again after first run).
Then I went to their online security section where it asked if I wanted to do a scan of my machine's security settings. I allowed it. Then it told me that Windows Messenger was running and why it was bad. It then ASKED if I wanted to have it turned off for me, which I accepted, and indeed it was disabled.
Honestly, I'm not sure exactly what this article is talking about.
a crappy piece of shit known as Windoze...
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
"The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating."
This is a load of crap. AOL makes the change through their self-update program, and as mentioned in the article "For software to change computer settings on its own isn't unprecedented."
This is totally different from what a 17-year-old would do, unless said teenager has sold you some software. There is nothing illegal about AOL's actions. The problem here, as in many cases, is that on home versions of Windows (and other OS's?), the single user is also the Administrator, and any program run by the Administrator can change anything.
AOL is doing these users a favor. Most AOL users have no idea what windows messenger service is, and don't ever use it. By turning it off, they are doing something Microsoft *should* have done from the beginning.
AOL is taking a big risk by doing it, but in the end, they are the only ones who are taking a pro-active approach to closing holes in people's computers.
Ever take a look at the AOL Computer Checkup function in 9.0? It suggests fixes and other things to help patch your computer and close holes. AOL even offers McAffee Personal Firewall Express for free to download.
Brielle
so what if AOL does that. Now that they are doing that I might want to install AOL on my system. it's really annoying and it turns itself on when you restart. next then you know your going to post a poll on who thinks they should be fined for this. let em' do it. I like it when someone does something like that. even though it IS AOL. UnphaZeD (Calm Down? yea, i think I'll go do that.)
Of course you can block the ports. No one should leave open NetBIOS ports -- 135 (tcp and udp), 137 (udp), 138 (udp), 139 (tcp), or 445(tcp and udp) -- to the internet. They should only be open to LAN traffic. To imply that they can't be blocked because they are needed for internet services is misinformation.
They modified the OS in the past so Dial up would only point to them. I wonder what became of the lawsuits. THis is worst and the same as Intuit moving stuff into the boot loader. Leave my pc alone! It is my pc and my data. I bought I own it.
The group that will pay the silent price of AOL's mystery mechanism is the poor IT schlubs who have to figure out why some computers that use the Messenger service are no longer Messengering. There will be hundreds or thousands of these guys who spent hours or days trying to track down this "little" issue, presuming there to be some kind of weird and horrible network problem going on. Was the firewall violated? Why are we losing traffic on these ports? etc. Who would ever expect AOL to play around with an "advanced" IT function unrelated to the core operation of the AOL software. AOL
Is the actions of AOL within the contract license agreement? Has anyone asked that question yet?
Steps to stop and disable a service running on Win2K: 6
Steps to stop and disable a service running on WinXP: 9
Steps to stop and disable a service running on Linux: 3
1) Open a Command Prompt (OK, OK, Terminal Session)
2) Type: service messenger stop
3) Type: chkconfig messenger off
If you don't want to repeat the past, stop living in it.
If you cannot connect to msn using gaim or the like, there are solutions:
According to gaim.sf.net it does work, you just have to have the ssl libraries properly installed.
I'm not sure if that's what you meant though...
I've never been an AOL customer, so I wouldn't know. But when a AOLer signed his life way, he may have consented to this. Has anyone checked the Trems of Service? If it isn't, why don't we see if we somebody can't organize a class action suit against AOL for this. Then AOL might get with other teir 1 providers and sue MS for negilgence for all the worm fun.
./, it's not something Joe and Jane have a handle on. Moreover they don't understand what effects these issue really have, much less that many of the issues directly pretaining to them are preventable. BTW raise your hand if you actually got to the bottom of the paragraph, congratulations.
To a more important point: This is not so good, in the same way as not having script kiddies isn't good. By killing this, you make these security issue much less visible to Joe and Jane AOL. Doing this or even going after the sources of these pop-ups doesn't work to fix the central issue of the reprehensible security model that MS seems to advocate. While the blatant shortcomings of MS software in the realm of security are pretty well known to the denizens of
Spyder
that anyone using AOL is usually always in the shallow end of the gene pool anyway.
Most of them have no clue and are just thrilled shitless with AOL and Windows ME...
They just get all hot and bothered when they dial in and they get the "You've got Mail" voice as they download their daily load of spam and viruses. And then they are all sad when they click off and the AOL man tells them "Goodbye"..
Jeez.. One friend of mine who is elderly started with AOL and is sticking with it no matter what I tell him because it's what he is used to using. He's afraid to change.
But he gets all mad because he can't find anything that he searches for, he gets bombarded with ads and commercial sites for the first several pages that he has to wade through before finding the free stuff.
AOL is like a nanny service for the mentally impaired. Just about every single person using AOL is highly likely to be totally computer illiterate.
What makes you think we use Windows at all?
AOL sucks and should be put out of its misery.
Don't you mean 'put out of our misery'... AOL and it's users run around in their own ignorant bliss... Maybe we should support them seceeding from the internet...
Snooze and you lose your sushi.
That technote covers the wrong Windows Messenger service (the IM one, not the notification service being discussed). You lose your expert points.
Are they actually doing this automatically, or only after you enable the popup blocking? AOL advertises that their service enables popup blocking technology, so its hard for me to see the complaint.
Just like how ad blocking services block useful popups used by webmail and similar systems, AOL's adblocking is blocking windows messenger service popups.
I can almost gurantee that about 95% of all AOL users will be thrilled. I'm a supervisor for a broadband services department and we often get customer's who switch from AOL only to find that spam/pop-ups/porn/etc on the unfiltered internet is so anonying that they want to go back to AOL immediately. Those people love to have their hand held through everything and want AOL to protect them from the internet. Almost anyone that actually uses net send probably isn't on AOL, they have a true ISP.
I already have enough reasons not to use AOL.
Sure, their intentions are goood. Tell that to the judge who sentences Nathaniel Heatwole to 5 years in a federal pen for "white hat" testing of airline security by hiding box cutters on a plane.
First rule of benevolent crime-committing; be a multi-billion dollar corporation.
"The best way to stop the pop-ups requires the user to readjust some internal Windows settings. As you might imagine, many users are reticent to do that."
What on earth are you talking about? It's as simple as disabling the Windows Messenger server. Gee, who would have thunk it!
"If you're running a recent vintage version of Windows, and connecting to the Internet with an IP address reachable from the outside world, ..."
If you do that, you don't deserve it better. If you drive 100 mph on a bumpy road with an old, rusty Chevy, and it breaks, nobody complains. Nobody with some brains would do that, though.
D'oh.
open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
I'm not a big XP user, although I do have XP installed at home. Fortunately, the only thing I use it for is OPEN SOURCE software that runs on 'doze, and of course, games. I ran into the messenger madness, and the first thing I did was search the net for an answer. Disabling the messenger service is so simple that the average user should be able to handle this. Not being able to accomplish something like this is akin to not being able to put the seat forward in a car to make more room for trunk storage. One might reason that if they can't handle the responsibility, they shouldn't be using it in the first place- at least as long as it's connected to the internet.
The group that will pay the silent price of AOL's mystery mechanism is the poor IT schlubs who have to figure out why some computers that use the Messenger service are no longer Messengering. Imagine the clueless CEO running AOL on his computer... he does not get the IT department's messages about the impending corporate network emergency maintenance shutdown in 30 minutes, and goes ballistic when he loses data. There will be hundreds or thousands of these IT guys who spent hours or days trying to track down this "little" issue, presuming there to be some kind of weird and horrible network problem going on. Even "little" changes do not just happen. Prudence requires checking for system failures or security breaches. Was the firewall violated? Why are we losing traffic on these ports? etc. Who would ever expect AOL to play around with an "advanced" IT function unrelated to the core operation of the AOL software? AOL did this because they did not want to deal with 15 million clueless AOL customers asking them about this annoying mystery advertising that, to the inexperienced eye, looks like it comes from AOL. So they made it someone else's problem. The silent karmic screams of IT departments may well forever haunt the souls of those AOL devils.
When installed, AOL overwrites XP's Internet settings with its own, proprietary settings. Those settings overwrite the "Properties" window where XP users normally turn on the firewall.
AOL users *can't* turn on XP's built-in Firewall, because AOL's Internet connection settings don't include any way to access it.
That might be why AOL is fiddling with their users settings, to make up for *earlier* fiddling.
This begs the question: what legistimate applications use Windows Messenger Service? (Assuming that messenger popup ad exploits are not legitimate)
Then, why use Windows Messenger Service?
Dogma - "let's just say we'd like to avoid any empirical entanglements."
Somebody was running an application that was semi-dependant on the windows messaging protocol. Albeit, the thought of such a thing gives me shudders as there are many better ways... but I could see this being a problem for AOL.
What's good for the majority isn't good for everyone, and when it comes to modification of personal property there's likely a lawsuit on the horizon...
Of course, if AOL had pre-notified customers for authorization to do this, it would not have been a problem. There was a time even when they could have sent out a patch via email, etc... but those days have passed due to spoofing of email and "official" patches.
A-friggin-men, at least someone gets it. Running Windows is in no way worse than the
$ su
Password:
# rpm --install somepackage.rpm
that even experienced Linux users do on a very regular basis.
Do you examine, by hand, everything that gets installed? I didn't think so...
Yes, thank you for correcting me.
alias dir='rm -rf
Software makes changes to system settings all the time. Sometimes it's nice enough to tell you (like when you install CD burning software and it asks if you want to disable autoplay), but I'm sure often times it never tells you, and you'll never know because whatever it changed didn't have any noticeably negative affects. So I give AOL props for fixing an annoying feature. And as long as it doesn't install Gator on my computer, I'm not complaining.
Formatting a users hard drive without asking isn't detroying their computer, it's just informing them they are vulnerable, and really should update their system configuration.
Sorry, it is MY computer, it is MY responsibility. Others shouldn't go around taking care of it for me without my permission.
At least by demonstrating they are willing and able to control users computers. And acknowledge that they have a responsiblity to control thier users computers they have opened themselves to liability for any worms or DDOS attacks from within their network.
"Oh I thought AOL made sure my computer is behaving properly like they did last time"
(BTW this post is half sarcasm, half my thoughts )
Russ Cooper, a security expert with TruSecure Corp., said anyone who needs the Windows messaging function that AOL disabled ought to be smart enough to know how to reactivate it.
"I hope more and more providers do this type of proactive security," he said, "and that we don't condemn them for things we wish everybody would do for themselves."
I have been an NTBugTraq member for five years. Russ is usually right, and I think he is in this case. They aren't hacking your computer, they're securing it. If you need the messenger service, re-enable it. It's no different than if they install a software upgrade that conflicts with some other functionality of your specific configuration.
"This is a good thing. Windows messenger is not used by the bulk of the AOL userbase except to receive spam."
A better way would be to have AOL put together a page explaining the problem and providing the user with a script to run to change the settings (after confirmation dialog asking if they are sure they want to make the changes).
Making changes to a users system without getting explicit permission opens up a whole can of nasty worms.
What happens if the changes they make hose your system?
What happens if the changes they make break one of more custom applications that you require?
What happens if the company decides that it wants to monitor all of your activity so it installs spyware on your system?
What happens if the company decides they want to lock you into only using approved applications (theirs)?
Damn. If AOL wants to provide this service to its customers, it should offer to let them download an app that makes the change for them! They're just trying to see how far they can get before someone slaps their hands.
Does anyone else realize that this is simply an effort for one 'almost monopoly' to beat back another 'almost monopoly'? (dont look at AOL, look at AOL-Time-Warner)?
i mean, the average AOL user has windows XP, and hey, look, they've got "windows messanger?" some of them are gonna log on and use the service. Direct competition with AIM and ICQ (which AOL owns, remember?).
Anyway, I think AOL is over stepping its bounds.
Please RTF US code before you cite it. I don't see how you could have missed the very first text on that referenced page:
/. editors are apparently capable of spreading FUD, too.
Whoever - having knowingly accessed a computer without authorization or exceeding authorized access
Yes, a 17 year old would take shit for doing the same thing. The difference is, people didn't sign a license agreement, giving authorization, with the 17 year old.
Now I have never tried a AOL connection so I do not know how it works, but the article says "But the setting changed is on Windows, not AOL's software. ". So if you are running some special software to connect to AOL, why did they not just add code that would filter/block it in their own software as a default. and the give the users that ability to turn the filtering off?
If an AOL user gets a random advertising popup at some in-opportune time, odds are that the customers call up AOL to complain about a popup. This puts AOL in a situation where they need to fix a problem caused by Microsoft. After all, a customer complaint costs AOL time to deal with. So this solution is their best option. No pop ups mean no complaints.
AOL's best option would be to have the Install process for thier internet suite offer to disable the relevant settings and prompt for a Yes / No as a final step to the install.
END COMMUNICATION
The only ignorance is yours by lumping all linux users together. Please, try not to be so incredibly stupid.
Even if it is in the contract, is it enforcable? Seems like pretty shaky ground to me.
I'm with you 99%.
I could have sworn there was a post about this on /., as well as I've seen this earlier this year on both Wired and Cnet. One of them even gave step by step instructions on how to turn Messenger off which even for a novice was simple if they followed the directions.
Click start - programs - control panel - administrative tools - services - located "Messenger Service" - Double click - select "Stop Service" - select "Disabled"
Done...
Ave Molech Setting
AOL has come up with another solution. They're going into subscribers' machines, without asking and making the adjustments themselves!
yeah, like what's next? install programs that'll modify your registry?
It's funny how that "news for nerds" would lead one to think that it would be factual, objective, scientific, technical, etc. Maybe not, as this is a prime example of more subjective FUD drivel.
It's not about that. It's about AOL taking action like they did. Of course you can disable messenger and of course messenger sucks huge chunks for most users. The real question is if AOL should have made the change they did and if we should be concerned about any possible implications.
Most of them have no clue and are just thrilled shitless with Slashdot and Linux...
They just get all hot and bothered when they dial in and they get the "This page was generated by a Squad Of Ninja Marmots" message as they download their daily load of FUD, misinformation, lies and pointless zealot hysteria. And then they are all sad when they click off and CmdrTaco tells them "Pants are optional"..
Jeez.. One friend of mine who is elderly started with Slashdot and is sticking with it no matter what I tell him because it's what he is used to using. He's afraid to change. But he gets all mad because he can't find anything that he searches for, he gets bombarded with ads and commercial sites for the first several pages that he has to wade through before finding the free stuff.
Slashdot is like a nanny service for the mentally impaired. Just about every single person using Slashdot is highly likely to be totally computer illiterate.
Anybody with any knowledge of a class action suit against AOL/Time Warner for this, please post conspicuosly somewhere. Let them whine all they want about "piracy". The shoe is on the other foot when they act like they own other people's computers. I would like to see a big payout to victims, and jail time for the execs who approved this.
First of all, "recent vintage", I know it is literally correct, it reads to me as "new old" Maybe "2K/XP" would have been better. Second, how do you know that this provision is not in the "Terms Of Service" for AOL. If it is, tough shit, if not, who cares. Who the hell needs windows messenger service on by default? If you need it, then you can just set it up manually. I commend AOL for plugging Microsoft's oversight. I do not use AOL, but I think that they are on the right track with all in one pop-up blocking, firewall, anti-virus, etc. It serves its purpose for the non techno savvy among us quite well. So what I am saying is this, the sky is not falling. I am sure if AOL just stagnated and did nothing everyone would be throwing out buzzwords like "lack of innovation". Can they honestly win? Sheesh, first troll posts now troll headlines? What is next?
I hate sigs.
If I lived in my own house, or was a business? Yeah, I probably would be annoyed. Then again, people use AOL because they don't want to deal with all that crap. What if you knew people who lived in assisted living units and who sometimes left their back doors unlocked (even though they'd never used them, and many of them didn't even realize that the door was there behind the wall hanging)? Wouldn't it make sense for the complex to lock all of the doors, and unlock them or point out the key to the small percentage of residents who a) noticed, and b) couldn't unlock the door themselves?
You're special forces then? That's great! I just love your olympics!
it is part of an update to their software? i mean it is not like they have 10 guys in a room hacking into all their customers computers, this is an AOL software update, an executable that thier customers are agreeing to install on their machines when they download it or click "yes" to update now or whatever it is that they do to get the update. "but they still don't have the right to change my settings!" why not? every software you install on your machine changes settings. video card express installs modify the windows registry, video games usually update direct x for you, and not to mentional all of them are creating folders and files on your machine. its not illegal - you agreed to it. i know some proprietary email servers that when you install them they look to see if microsoft's SMTP service that comes with IIS is running and if it is, disable it. its fun to think to AOL is hacking its customers but i don't think that is the case here.
Nobody
Is
Gonna
Get
Every
Ridiculous
Spam Message
That installing the AOL software on a computer I run may hose up the operating system?
Holy crap!
And I now that I tried uninstalling it, the operating system is hosed up too!
HOLY CRAP!
(Ok, I'm talking about back in the old Win95 days, but you get the point.)
"Look! There! Evil, pure and simple from the Eighth Dimension!" --Buckaroo Banzai
who the hell uses aol anyway. I am waiting for the day when it is gone. People ask to to fix their computers and as soon as they tell me their aol does not work I say uninstall it and you might be able to use the actual internet, not that compressed cashed one.
It's MY computer. Mine, not AOL's, not Microsoft's. If you want a setting changed, you have to ask. AOL could easily have built in a message box with a yes/no option. It's a bad precedent. AOL is doing what M$ does and assuming they they know better than the customer, and making decisions for them. Messenger Spam is evil, but allowing AOL to make decisions for me is not an improvement.
The only excuse is that AOL must have figured out that only the truly clue-free keep AOL accounts (with apologies to those of you who don't have a better option).
Ummm, no it doesn't. Should AOL be doing this? HELL NO. If AOL did it to MY system, I can guarantee I would be filing a lawswuit. But it would be a CIVIL suit, not a criminal action.
Why you ask? Because criminal statutes are drafted very carefully and interpreted narrowly. The reason for that is that it is a basic legal principle that people should have adequate notice of what is a crime and what is not.
Now before I get flamed by everyone who has heard the saying, "Ignorance of the law is not an excuse," let me tell you that "notice" of the law is provided by publishing the law so it is publically available.
Without going into gory detail, I can tell you that the statute cited in the post, 18 U.S.C. 1030, is not violated if all AOL is doing is shutting off Windows Messenger. Is it right? No. Is it a crime? No, because all the requirements for it to be a crime ("elements" of the crime) are not met. At least I don't see any evidence that would support it. Specifically, on first glance, I don't see any of the following that would be necessary to sustain a conviction under some subsection of the act:
- Obtaining information from the computer that the United States has determined needs to be protected (or some other information that can be broadly categorized as potentially harmful to the interests of the country);
- Obtaining financial information or credit reports;
- Obtains anything of value...
The list goes on, but you get the point. What you SHOULD be asking is why the FBI is not prosecuting SPAMMERS under this act. There are sections that would cover some types of spamming activities.One last rant -- if you aren't a lawyer, don't give opinions about what is and is not a crime. You can be sued for defamation (libel, slander) for accusing someone of a crime. You wouldn't get advice on how to code from someone who knows nothing about computers. Don't take legal advice from non-lawyers.
Laws affecting technology will always be bad until enough techies become lawyers.
When I did this (a few weeks ago), I seem to remember a popup box came up with the details. In fact, it even gave instructions on how to turn it off myself and offered to do it automatically if I chose. I think that qualifies.
AC@AOL
This is nothing new, AOL has been messing with system files for so long it's ridiculous. I never minded them updating THEIR OWN software when a user logged on or off, that's resonable. A few years back they started messing with drivers and settings for video and sound cards. Most people never noticed since the drivers worked okay with generic VGA/SVGA systems, but if you had a high end card or one that relied on directx you'd find yourself in 640x480/16 colors on the next reboot. You could fix it by reinstalling the card, but the next time you logged onto AOL it hosed the card again. The sound problem wasn't as obvious, it just knocked ALL your sound down to the lowest possible quality (really sucked on a 5.1 sound system). The only answer was to swap services, which is hell getting AOL cancelled and then cleaned from the system anyway.
The positive side is that I made a lot of great free meals off friends that had the problem. Fix those and they'd pop for a steak quick! Looks like AOL is going to keep me well fed with the new version also.
It doesn't matter what you wrap your emotions around, Reality is a brick wall specifically designed to scramble eggs
Wow. Surely the best explanation why **not** to run closed source software. You just can't tell what it's doing.
Get your own free personal location tracker
I for one am glad I run linux, and thanks to MS latest update to messenger, I can't even use it. WOOT!
Do you even know the meaning of the acronym "woot"? Look it up at dictionary.com, lamer.
how do you e-mail the fact that the e-mail server is down?, and then again when its up.
The fact that it's a trivial change, at a technical level, is totally besides the point. Sure, Joe Sixpack could turn off the service himself, but the point is he doesn't know how (or even that it's the cause of the popups!). All he knows is the popups are gone and he's happy.
It reminds me of the old story about the guy who had a blocked drain. He calls a plumber, and all he does is tap on the pipe with a hammer. Presto, the problem is fixed! The plumber then hands the guy a bill for $500. "Why is this so much?" he says. "Hold on, let me itemize that bill for you" says the plumber:
For tapping on pipe: $10
For knowing that tapping would fix the problem: $490
And that, my friends, is the moral of the story.
Right, but I'd be running that myself. AOL never asked, they're just changing shit. Likening a third party changing my OS to me doing it myself is absolutely asinine.
AOL has a long history of this kind of thing -- their proprietary dialers and IP stacks, for example, break all other dialer/network software. I've spent countless hours "undoing" dozens of AOL installations, for people trying to switch to other ISPs.
AOL could use Windows Messenger to popup a window that says, "You're computer has been infected with a virus. We are going to fix the problem, sit back and be quiet while we fix your OS. If you want to contact someone regarding this problem call: 1-800-MICROSOFT and tell them AOL is fixing my computer in reference to TID:0102930405895."
I would be concerned about this situation if it weren't AOL. AOL has the lowest common denominator users who don't know jack about their computer and need all the help they can get. If you don't want AOL messing with your computer, don't use AOL.
LoRider
I disagree - Windows messenger is part of windows, not AOL's software.
If you want an ISP that just gives you a modem dial-in and e-mail box, then AOL simply isn't your choice.
Clearly, which is why I'd use AOL after every other provider dropped off the face of the earth. But I still think changing the OS without prompting the user is a poor choice.
-Looking for a job as a materials chemist or multivariat
I hope this helps.
No, it doesn't.
You can't turn customers from AOL just by saying what you said on /.
The customers has their rights. The single customer can be stupid by buying from AOL. But when the majority of US home customers are buying the service from AOL *AND* AOL is breaking the privacy and property of customers without even notifying them - that is a crime and it must be punished.
My solution is better - US goverment must either consider the pulling back AOL license (isn't ISP business licensed in USA?) or explicitely say to AOL: No! Don't do it again!. Some restitution fine (5B?) won't hurt poor american economy too :)
Less is more !
Welchia had a flaw that is easily fixed. Simply propagating less effectively would've gotten rid of it's DoS effects.
Now the fact that after patching the PC, it opened up another hole in PCs it was on, to allow backdoor access by the creator of welchia, is a different story. That's not "white hat" by my definition of the word.
The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating.
RTFR( read the fucking reference ) - since the end-user most likely agreed to this in his/her user agreement, there is no crime.
The more I see shit like this from Sims, the more I am convinced that he has some compromising photographs of LNUX management stashed away somewhere. There is no way in hell anyone with this level of journalistic incompetence could possibly keep his job as an "editor" otherwise.
... is that everyone is saying "maybe this is in AOL's EULA, or something".
/. actually *uses* AOL and can confirm/deny this.
Apparently no one who reads
Tuus crepidae innexilis sunt.
AOL is not "breaking into" anyone's computers, they simply added new feature to the client which can disable the windows service. Most likely this is implemented in a way that when AOL starts up, it decided if the service should be disabled.
In fact, I wouldn't be suprised if this "feature" worked without you being online at all, simply running AOL.
While i certainly DO NOT agree with this, I don't think programs should do much of anything without notifying the user in some fashion or at least asking permissions (especially when it is modifying some other programs settings). But this is hardly anything i would classify as "hacking" in the least bit.
This is most analigous to me writing a program to disable the service without any messages and sending it to my friends asking them to run it. Only difference here is that the "friends" don't know they are running it.
proxy
If AOL can remotely disable IE and Clippy, sign me up!
If AOL wanted to be of real service, it would send their users an email explaining the service, and give them a link to click to automatically shut it off if desired.
Steve Gibson has posted a utility called "Shoot the Messenger" that makes the problem go away. He hjasn't demolished my machine with his code yet, and the little poppy things were getting annoying.Among other places, it's at: http://www.pcworld.com/downloads/file_description/ 0,fid,23016,00.asp
AOL is advertising that if you use their service and software, they will block popup adds.
The particular microsoft software you're talking about is named "WinPopup". Its intended use was for LAN system administrators to send notices about network events such as shutting down a server for a backup.
They promise to block popups. They block popups. What's the problem?
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Since when does it make a difference whether it's white-hat or black-hat? Someone is still breaking into my system (not that I use AOL, but it's the principle of the matter) and making changes to my system without my knowledge or my EXPRESSED permission.
My ISP's ability to futz with the network ends at the ports on my firewall (or PC if I was so stupid as to not have a firewall). They can block any ports they want at thier router. They can close me out at their router. They can drop my ethernet connection completely if they want. It's their network and they have that right. But they don't have the right to touch anything on my system. Ever.
Boobies never hurt anyone. - Sherry Glaser.
Without asking a teenager adds chemicals to drinking water that cures all disease! Sashdotters outraged!
Sometimes I think Slashdot takes righteous anger too far. Yes, AOL should have probably requested permission to turn off this unneeded and vulnerable service but I'm not going to join a mob with pitchforks and torches on their way to storm the Castile over this.
The race isn't always to the swift... but that's the way to bet!
This behaviour has been punished in the past, as mentioned earlier, when the perpetrator is an individual, as opposed to a corporation. But now that a corp has gone and done this also, and has not been charged, does this become a weakening of the law? Would future 'white-hat' hacks be able to use AOL's actions to show legal precident? (ie. AOL did this on a much larger scale, your honour, and no charges were filed against them. Therefore, my client, Mr. White-Hat should receive the same treatment.)
Dear AOL,
I have read that you are going to fix my messenger problem for me, but i do have another question.
When ever i try to print i allways get a banner page.. can you shut that down for me too??
And also, my monitor shows more blue than green, so if you could fix that too.
And last but not least, could you be so kind to remotely setup my linux box for me, complete with firewall, mail server and webserver, I just don't have the time for that, too busy browsing for pr0n.
Thanks in advance
A satisfied customer.
What would you do without a monitor? Sit and look stupid behind a keyboard and a mouse
Quick, off the top of your head and with only one command, how do you install a service on a Debian box to share a directory with an old PowerMac 6100 running MacOS 8.6?
Don't know how to do it, do you? So you must be ignorant! Or maybe it's just not your field of expertise.
"The best way to stop the pop-ups requires the user to readjust some internal Windows settings. As you might imagine, many users are reticent to do that."
Omg....you change a service from Automatic to Manual....thats really deep....I mean seriously there are a good few simple walkthroughs on the net showing exactly how to change it. And if you can't follow simple instructions....I dont know how you operate a PC.
"The saddest words of mice and men, are not those which were, but should have been."
Outlook Express starts it again even though it's disabled though.
It claims not to be started in services, but it appears in the tray. It doesn't really matter for me, you don't get ads as long as you don't give it a password to sign in. It just says Windows Messenger-not signed in.
Yeah, I know some of you thing OE is bad, but it's the best free newsreader for Windows, bar none. I wish Mozilla's was better, but the way it organizes the newsgroups is terrible, you can't tell which one is which on the left pane if they start with the same few words, like most tech groups do. Even Netscape 4.x's newsreader is better than Mozilla's.
AOL completely overstepped their bounds by reaching into their customer's computers without asking and turning off the messenger service for them. AOL could have just as easily made an executable that would turn off the messenger service and distributed it to its customers along with an explanation of what it is for and a choice of whether or not to run it. I am surprised that AOL has no qualms with completely eliminating any sense of privacy their customers previously had.
CRITICAL: Windows Messenger Service Buffer Overflow
Affected Products:
Windows NT/2000/XP/2003
Description:
The Windows Messenger Service enables a host to receive and display
text-based messages sent by other hosts, users or applications. The
messages can be delivered to the messenger service using either the
NetBIOS or RPC protocol. The messenger service is vulnerable to a buffer
overflow which can be triggered by a specially crafted message. The
overflow can be exploited by a remote attacker to execute arbitrary code
with Local System privileges or to crash the messenger service. The
problem arises due to a flaw in checking the length of the message
before copying it to a pre-allocated buffer. A proof-of-concept exploit
to crash the service using the RPC (over UDP) protocol has been posted.
Note that the messenger service is enabled by default on Windows NT,
2000 and XP systems.
Status: Vendor confirmed, patches available. A workaround is to disable
the messenger service. Another suggested workaround is to block 135/tcp,
139/tcp, 445/tcp, 137/udp, 138/udp, 135/udp, 445/udp and UDP broadcast
packets at the network perimeter. This reduces the risk of an attack
originating from the Internet but does NOT provide complete protection
as the messenger service also listens on a UDP and/or TCP port greater
than 1023 (the exact port numbers vary from system to system).
Why don't we give them a break this time around?
The race isn't always to the swift... but that's the way to bet!
It's an option, and damn good one. AOL promotes Ad-Aware to fight spyware, and builds a popup blocker into its browser, which is based on Mozilla.
/.'ers should love teh a0l.
You
They should have just sent each user an email and let them opt-in or even opt-out.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
shouldn't microsoft be fixing this instead of others 'fixing' it for them instead. how difficult can it be to add this to a patch or something. perhaps they were paid by companies to put in this advertising 'hole' :)
On a long enough timeline, the survival rate for everyone drops to zero.
Point #1: This is not hacking.
AOL is not doing anything "hackish" or even illegal. All they're doing is turning off a Windows service. This is something that is done via standard, well-documented, widely used Win32 API calls. Other applications do this all the time. Microsoft themselves do it. Any application that installs or uninstalls a service does it. This is not a hack in any sense of the word. Imagine that Windows services are machines working in a factory. Imagine that you want to turn one of these machines off. There's a huge control panel with well-marked and frequently-used buttons labeled "Start" and "Stop" for each machine. That "Stop" button is there for a reason. Using it to turn off a machine is an accepted use. Now, if you had instead gone up to the machine and thrown a wrench into the works and started pulling out hydraulic tubing and hitting it with a hammer, that would be the equivalent of "hacking".
Point #2: By running software on your machine under a privileged account, you implicitly agree to trust the software to do what it wants.
This is a point that is hard to grasp for Windows users, but it is possible to run software with limited privileges on Windows. It's just not how things are done by default. In any case, the only way AOL or any other software can use those API calls to manipulate Windows services is if you're running it under an account with administrative privileges. If you were running it under a standard User account, the services would be off-limits to AOL and the standard APIs wouldn't work. If AOL then proceeded to somehow stop the services anyway, that would be hacking. This is akin to inviting a child into a candy factory and then beating them when they take some of the candy.
Point #3: What's there to complain about, anyway?
I can certainly see why people would freak out about this given the misinformation being presented as fact here, but when it comes down to it, what AOL is doing is intended to be beneficial to the user. And not beneficial in the sense of, "By collecting your personal information we can better target our ads to your interests," but beneficial in the sense of, "Here, I notice your pants have fallen down and random strangers are butt-raping you constantly, let me pull them back up for you, since you don't seem to know how."
Granted, it would be nice if AOL made it clear that it was doing this before actually doing it, but there is nothing illegal or even shady about what they're doing, and actually taking legal action against them is way, way overkill. This is the sort of minor inconvenience that should be resolved with an email or phone call campaign. Dragging lawyers into the matter will only blow it even more out of proportion and possibly result in the setting of an unfavorable precedent.
I, for one, welcome our new AOL overlords.
AOL software changes computer settings!
I think it's fair to say 99.9% of AOL customers will be happy with such a move. They should, however, explain what they are doing.
So close and yet so far from the world's perfect ID number
(as a former AOL Time Warner employee) -- typical AOL bufoonery. Not too alarmed, though. This article makes it like there is a "hacking" taking place, but in fact it is just scripted behavior of an update program running locally on the machine. Yeah yeah they could "turn off competitor software" and all that.. And get sued IMMEDIATELY! Not too worried..
--
om Shanti
I recommend you hire a half-decent lawyer and sue AOL.
About the time you think that ALL of the stupid decisions that M$ made have been caught and patched, the spammers/virus writers/script kiddies find more! Well, you can close this one too; there are probably only about 1 billion left!
I notice this one was found and detailed on M$'s site in January. AOL was still getting complaints, so I guess this is a comment on the whole philosophy of patching systems after the fact. By the same token, AOL was able to change settings in windows through their update process for AOL software. Is this not a comment on the relative security of Windows in general? I mean, if control of this "feature" can be modified by any program install, what is to keep an unscrupulous company from changing the same settings back when you install a program from them to insure that we get their spam?
This is far beyond ridiculous! What person in his right mind wouldn't admit now that Windows is not to be trusted on the Internet?
We need to have an ISP that does automatic monthly maintanance on user'c PC. Install everything from windowsupdate, remove viruses and adware, defragment the hard drive - all on some weekday night starting from 3am.
AOL would need to support broadband first, but I think another provider doing it will be immensly popular. The only condition is iron clad respect for privacy - don't keep any logs of what was found and don't make any changes unrelated to security. The server might have to reside in a country with decent laws - any idea where that might be?
This is NOT about disabling MSN Messenger in order to give AIM sopme kind of advantage, which you seem to think.
This is about disabling the Microsoft Messenger Service, which is a system daemon used to pop up a little window on Windows clients over the LAN. We use it to tell domain members if we're going to have to restart samba or something. It is an entirely seperate entity to MSN Messenger.
I know the two are easily confused but... please... RTFA!
Moderation Total: -1 Troll, +3 Goat
A Windows program that allows remote access to your machine without your consent? And its enabled by default? This is a 'feature'? Maybe for companies looking to increase the reach of their spam, but certainly not for users. How is this feature useful to a user at all? Yet another reason to use something (anything) besides Windows (and AOL for that matter). As long as most users are completely clueless as to what goes on inside that beige box under their desks, and what to do with it, companies will continue to decide how they use their computers, and what to use them for. (Gamble Online! Lose Weight! Enlarge your Genitals! BUY SOMETHING!!!)
TallGreen CMS hosting
They also hack other components of Windows!
Like putting Icons in the start menu.
And adding registry entries.
IT'S LIKE BIG BROTHER!!!
Messie's mesages are more obnoxious than Clippie. The wonderful Steve Gibson has a utility to turn it off that's tiny, fast and free. Go to and get Shoot the Messenger.
Microsoft will be automatically turning on the firewall built into Windows XP with the next service pack.
This isn't any different than AOL disabling the Messenger service.
This is a double-edged sword. I applaud AOL's efforts and intentions, but I don't think this is at all the right way to go.
If you did that now, every minute or two they'd be getting a "YOUR'E COMPUTR HAS A SECUTIRY FLAW!!!" popup.
But perhaps adapting spam filters to popup messaging could extend the viability of WMS, for the time being.
If your LAN at Cisco was subscribed to AOL, then you'd have a problem. However, I assume it was not.
The simple fact is that there's really no reason an AOL subscriber would ever use the messenger service.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Sorry. The Gibson site is http://grc.com/stm/shootthemessenger.htm
This is AOL's warning shot across Microsoft's bow. They are saying "Don't fuck with us." Think about this -- if AOL can disable random services, they sure as hell can uninstall random software on the users machine. they can disable MSN messeneger by default -- or even REPLACE it with AOL software. They can remove all links to Internet Explorer and replace it with their own browser. They're telling Microsoft that is MS makes it hard on AOL, AOL is going to make it hard on MS.
Even if this had no ulterior motive, it is still a Good Idea. Your typical AOL subscriber leaves their computer wide open. Normally, that would be their problem, but with root level bugs that require no user intervention, such as the RPC DCOM exploits, it becomes EVERYONEs problem. When my Internet connection is slowed because of the idiots who run cable connections with AOL broadband, it is imperitive that someone step in and patch those machines. You think AOL wants to spend the bandwidth and processor power required to send and/or reject all those packets?
I am a member of a IT department that supplies a medium-large college with internet access. While we don't actually automatically patch users machines, we do block access to the network for simply being unpatched (by MAC address). Many people would be outraged, but the fact remains that our network is infinitely more secure now then it was 8 weeks ago. Border security is no security at all. I personally welcome AOL's choice in this matter.
mmmm, pie
Mostly useless != mostly harmless!!!
As the subject states, I'm probably missing the point here - But surely AOL could block this server side? It really can't be that difficult (My router seems to manage it automatically).
People that believe in their opinions don't post AC.
Since when was it illegal for a software program to configure a users computer? It's not. In fact, its common. And how is this a hack? "Excuse me, Mr. Policeman, AOL hacked my computer, can you help me?" Give me a break.
Over several years of having to support numerous AOL users, I came across and had to work around over a dozen changes it silently performs that break other programs.
A few that come to mind:
- It transparently converts all
.jpg and .gif files requested over HTTP to its proprietary ART format. - It replaces many system
.dlls with its own version. - It breaks so many things in its Web Browser (which is basically an IE container) that when combined with numerous native IE bugs makes supporting it a nightmare.
- They cache content so aggressively that they ignore no-caching directive in HTTP request header when they choose to
I know that AOL is getting it up their butt financially, and I can't say I feel sorry for them."You mortals are so obtuse." -Q
How long did it take you to find that? How long did it take from installing windows with it enabled until you realized you needed to do that? You just gave me a long sequence to follow. That means one of two things: either windows has thousands (that is more than 1000!) of different things that need to be adjusted for any given person; or Windows makes everything you might want to adjust hard to find. Eitherway Windows cannot claim ease of use when this needs to be adjusted on every different computer.
Go read the Design of Everyday Things sometime, it will open your eyes.
I just installed v. 9.0 of AOL just to get their agreement. Below you will find the agreement in its entirety. One thing to note..... I do not see anywhere they inform the user they have the ability to modify their os settings other than the base install. Happy Reading.
Welcome and thank you for joining America Online ("AOL"). By registering for AOL membership or using AOL services and products, you agree to be bound by this Member Agreement and the rules and policies published on AOL (including AOL's Community Guidelines and Privacy Policy). You also agree to transact electronically with AOL.
1. ABOUT THE AOL TERMS OF SERVICE
This Member Agreement, the Community Guidelines and the Privacy Policy collectively make up the AOL Terms of Service. The AOL Terms of Service govern your AOL membership and your use of the AOL Online Service and any of the AOL Services (as defined below). Certain features and services offered by AOL and its Suppliers (such as AOL Call Alert, AOL Instant Messenger, Broadband for AOL, and MusicNet on AOL) contain additional terms or guidelines that supplement this Member Agreement and will govern the use of those services. You will have an opportunity to review the additional terms before you sign up or use those services.
2. DEFINITIONS
AOL will use the following terms in this Member Agreement:
a. Account - The original account you open when you register for AOL membership through which you obtain access to the AOL Online Service and other AOL Services, and all sub-accounts or other accounts opened under your original account.
b. AOL Online Service - The primary U.S. subscription online information, entertainment, communications and transactions service, including all Software for accessing and using the service.
c. AOL Services - The AOL Online Service and all other websites, services and products offered by AOL.
d. Content - Information, software, games, communications, photos, video, graphics, music, sound and other materials provided by or through the AOL Services.
e. Software - Any software made available from AOL or a Supplier, whether preinstalled, given on a medium, provided by download or upgrade, or made available online that enable you to access and use AOL Services.
f. Supplier - Any third-party distributor of AOL Services, any third-party provider of Software for AOL Services, and any third-party provider of Content for AOL Services and any third-party telecommunications provider.
3. QUALIFICATIONS FOR MEMBERSHIP
You must be a U.S. resident, at least 18 years of age and legally able to enter into contracts to qualify for AOL membership. If you are not yet 18 years old, you may use AOL Services only if the account was created and registered by your parent or guardian. AOL reserves the right to limit you to one free trial or promotion that cannot be combined with other offers.
4. REGISTRATION FOR MEMBERSHIP
You must register in your own name and provide true and current information. AOL will open an Account for you when you complete your registration. You will select (or AOL will assign you) a primary screen name that will be identified with your Account for the life of your account. You can use this primary screen name to log on to AOL Services and to send e-mail. You will not be able to change your primary screen name; however, depending on your plan, you will have the opportunity to open sub-accounts by creating additional screen names. Screen names may not be vulgar, used by someone else, or impersonate someone else. AOL in its sole discretion may reject the use or assignment of a screen name. All AOL screen names affiliated with your Account are the property of AOL and, at AOL's sole discretion, expire upon the cancellation or termination of your Account. Please visit Keyword: Screen Names to review all guidelines regarding screen names. If you open a sub-account for a child under the age of 13, you certify that you are the child's
alias dir='rm -rf
Yeah, normally an irrational attack on Windows plays here, but you managed to fuck it up. You suck, and that sure makes you mad.
AOL is not hacking anything. It's an update to their software that does this, not some 1337 a0l h4x0r tech blowing past the firewall.
Jesus, even for slashdot this is too much FUD.
Granted, AOL should at least prompt the damn user. Turning off a service without asking is unacceptable.
DISABLE MESSENGER SERVICE? MESSENGER SERVICE
CAN BE USED TO DELIVER UNWANTED POP UP ADS.
[*YES*] [NO]
Oh wait, my bad. This is a multi-billion dollar corporation. Why should they give a shit what their customers want?
Only on
One of the best decisions AOL has ever made. Their users are stupid enough to use AOL software, so they definitely don't know what the Services panel is. Disabling something that can only annoy them left on is a Good Thing.
----
---- "Excuse me. Where's the children's gun section?"
BWAHAHAHAHAHAHAHAHAHAAH
Just another in a long list of reasons not to use proprietary operating systems.
The original posting does make a good point: why is it Okay for corporations (and the government for that matter) to hack the public's PCs, and not Okay for the general public?
Do as I say, not as I do is not acceptable - and elevates corporations to the position of a soverign government - which they emphatically are not!
90% of the world's problems can be traced back to men that think they are above the rule of law.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Dunno where you got the idea that you can't block these ports.. At your firewall or router, block 135, 137-139, and 445 TCP/UDP incoming. Voila, problem solved.
This will block people from seeing your shares outside the local network as well, but I consider that a bonus. I don't want windows filesharing to work over the internet. Local area network only for that sort of stuff is fine with me.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
AOL users are typically computer illiterate. 99% of them will never figure out basic computer security on their own. By taking this sort of action on it's end, AOL is closing the door to larger interventions, perhaps legislative, that could effect us all.
I note that after the last email worm, Bruce Scheiner said that he thought it was time for a license to go onto the internet. I don't know if he was being serious, but the reporter took it seriously!
"Furthermore, he said, AOL won't change settings unless the user has administrative privileges on that computer - something employees generally don't have on their work machines."
Except for 95/98 machines, which have no concept of admin, and zillions of w2k/xp boxes that companies do indeed roll out where the user is an admin.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
No, the best way to stop the pop-ups is to use a real firewall and don't trust Windows to be secure. I don't even trust software-based firewalls like ZoneAlarm, because they run on individual machines and seem too easy to compromise. I run Windows at home (for Photoshop mostly), but I never even saw the RPC and SQL worms because those ports just aren't accessible from the outside through my firewall (a 4-year-old Netgear that keeps on working).
My company uses the messaging service to notify our users when we reboot our email server or something. Does this mean, the few users we have that use AOL (on their laptops), could have this service deactivated, thus no longer receive our corporate messages any more?
>Russ Cooper, a security expert with TruSecure Corp., said anyone who needs the Windows messaging function that AOL disabled ought to be smart enough to know how to reactivate it.
Excuse me, Mr. Asshole, but the only way for me to know the service is no longer on is for me to say "Hmm, I should have gotten a message by now... what the fuck?!?" Thank you for deciding for me, and then not telling me, that my settings should be changed.
How fucking hard would it have been for AOL to ship something that briefly explains the vulnerability and says "Click here and we will turn it off for you."?
> "I hope more and more providers do this type of proactive security," he said, "and that we don't condemn them for things we wish everybody would do for themselves."
Well, you heard it boys, start writing all those anti-Nimda, anti-CodeRed, anti-Slammer viruses! After all, with this mentality, why stop at "providers"? Why can't just *anyone* decide how every other computer on the Net should be set up?
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
if u are using aol and u'r reading /., u need to seek medical help immediately.
in essence, the two should never be mixed, like mixing bleach and ammonia in a not-so well-ventilated room.
You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services.
Aren't those "useful ports" just the NETBIOS ports? While those are certainly useful on a local network they should never be allowed out onto or in from the internet. AOL should simply block 137-139 and 445 both outbound and inbound. This wouldn't break any services on the local network, wouldn't require them to touch subscibers machines and would protect against a host of other worms/viruses/hackers that exploit netbois.
What kind of lamer needs to look up the word woot in a dictionary?
AOL or any admin of a network can do just about
.
anything they want if it deals with the overall
security of there network/users.
That would include scanning for and removing/dissabling anything they see as a securtity threat
Easier than "turning off ports" in windows is to just shut down the messenger service all together.
From Windows XP, you can right click on My Computer and choose manage. Click on services and applications. Choose the services section under that. The MMC will show all the services and their startup condition. Find the "Messenger Service". Right click and select properties. Choose stop, and manual for the startup.
These pop-ups will go away.
I personally would hate for my ISP to change settings on my PC, whether they think they are doing me a favor or not.
But, a simple solution would be to pop up a dialog with a quick explanation of the problem, and give users the choice to turn it off or not.
The simple solution is to use common sense and courtesy, ask before you fsck with other people's sh!t.
JWall: GUI client for IPTables
It's the idiot's fault who has ancient, insecure windows (and ancient, insecure AOL) in the first place.
NBC did a similar thing and got away with it. This college kid is looking at 10 years jail time. Discrepencies like this make me *hate* America. Ultimately, America will pay.
Their business has no business in my box!
99.999% of AOLusers don't qualify under the very precise definitions given in the cited section of US code.
As to good Idea or not? Well remembering back to when I worked tech support for AOL, it probably is a good idea. As others have noted, many AOLusers not only don't know how to close weaknesses, many don't want to even know the weaknesses exist to be closed, or that there is a way to close them. They just want the annoying things to go away so they can get back to a/s/l checks in the chat rooms, or surfing their interweb.
I'm too lazy to compose a creative sig.
You're a doodyhead.
Messanger has a perfectly legitimate use in any environment.
^Z
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Does your fucking company use aol?
it seems rather pointless don't you think? i mean if they can read the e-mail saying "the e-mail server is back up" isn't that like saying "They sky is blue"? Just a little obvious.
AOL is not doing this malicously they are plugging a security flaw. This seems like a good and responsible thing not an abuse, if AOL used this for thier own ads this would be bad but plugging a open hole is a benifit for thier mostly nontechnical users. You may not like AOL but this sounds good.
When your software has owners, so does your computer. When they fight you lose. That's what EULA really means.
AOL needs to send out Knppix CDs or similar and just forget about controling the user's computer. They would be better off simply removing the user from Microsoft's control than trying to fight over the platform.
Friends don't help friends install M$ junk.
If something like this backfires, then A) you know who is responsible and B) the responsible person can TURN IT OFF.
For most viruses and worms, neither A) nor B) can be guaranteed, which is why releasing worms into the wild is ALWAYS a bad idea, whether their payload is benign or not.
Proactive "hacking" of machines by ISPs is actually relatively easy to justify from a network-reliability point of view. As a network admin I frankly couldn't care less if you need Windows Messanger - if you're running it unpatched on my network then you're putting the rest of my network and the rest of my users at risk, which is unacceptable. So, basically, I agree with Russ. Go AOL!
Host your own websites, anywhere!
Actually, if this were a 17 year old instead of AOL, the FBI couldn't care less.
IRC networks deal with channels containing potentially thousands of drones (compromised windows machines waiting for commands to start DDoS attacks), and unless you can prove that there has been a significant amount of damage, they really don't care. Some ISPs don't really care either. Luckily the dyndns hostnames that most of the bots use to find their "control server" are generally run off places that do take abuse seriously.
</rant>
AOL can blatantly "hack" into a users computer like this and make significant changes to settings and nothing happens. But a teenager does some simple hex editing and creates a variant of blaster and gets prosecuted to hell.. Something seems wrong here.
Can anyone point me to a way to get rid of them? Thanks.
The sole purpose of the Internet is to get porn and bomb making plans into the hands of children.
The above support for AOL's actions is based on the fact that if I recall correctly, there are remotely expoitable problems with the Windows Messenger service. If my memory is playing tricks on me and the ONLY point was to disable annoying popups, then I don't condone this particular hack. But for an equivalent hack to close the Blaster hole or other similar ones, my argument is valid and I stand by it. :-)
Host your own websites, anywhere!
*Cough*,*Gag*,*spits*
Spread the RC luvin'
AOL can do this and they want to send me to prison?
I found this on the microsoft page linked in the article above:
WORKAROUND
To work around this issue, turn off the Messenger service. To do so, follow these steps:
1. Click Start, and then click Control Panel (or point to Settings, and then click Control Panel).
2. Double-click Administrative Tools.
3. Double-click Services.
4. Double-click Messenger.
5. In the Startup type list, click Disabled.
6. Click Stop, and then click OK.
HTH
--
Long-term effects of Bush deficits
Many Thanks.
The sole purpose of the Internet is to get porn and bomb making plans into the hands of children.
It isn't difficult. It is as easy as typing
sc stop messenger
sc config messenger start= disabled
on the command line.
If typing things on a DOS style prompt scares you, you can go into control panel and disable the messenger service.
Your simple mind obviously can't deal with more in depth issues.
shut that down on them. There are many things left running that the user doesn't know about regardless of how often they use it. The ISP should not touch a persons provate property unless allowed. Watch and see...they will stop soon.
I wonder if anyone has any traffic dumps that might show how AOL manages to do this. I wouldn't be able to avoid laughing if someone discovers a way to exploit this, just because of the fact AOL wrote their software with the capability.
From Verizon TOS
Too scary for me...I never agreed and activated the service...took advantage of my 30day money-back guarantee also specified in that document. But then I found PdaNet for my Treo, and life is good.
-fister
I'll reprhase my above comment...
That's what my non-windows-based HARDWARE firewall is for. No one's getting into my box, dammit!
And my not having AOL in the first place.
You see? You see? Your stupid minds! Stupid! Stupid!
AOL is merely correcting a poorly chosen default, and experience suggests that AOL users don't know how to change default settings -- that is why they are AOL users.
tone
Quick, off the top of your head and with only one command, how do you install a service on a Debian box to share a directory with an old PowerMac 6100 running MacOS 8.6?
:)
sudo apt-get install apache ?
-- This space for lease, low setup fee, inquire within!
Durely the sensible option is ot ensure people have working firewalls? Then there wouldn't be the problem in the first place.
Martin Piper
Owner - ReplicaNet and RNLobby
In Soviet Russia, you fix your own computer!
I'm in a foul, horrible, terrible mood, so bear with me. AOL's action is a two edged sword.
Can we all not agree that there are people out there who're truly too damn stupid to use a computer? What AOL has done is a Good Thing. "But they are remotely doing things to users' computers without their consent!" some of you cry. Well, what were the spammers doing? "But it's the inherent lack of security in Windows that's really at fault!" you object. Yes it is, but what can you do? Outlaw use of Windows, make everyone use Linux? Uh-huh, yeah, right, pull the other one, it has bells on it. Grandma and crazy old Uncle Pete using Linux? They'd find a way to fsck up a Mac. My solution? Outlaw stupidity. Shoot every stupid person in world, and burn their bodies to make absolutely sure their DNA doesn't survive. I'm serious. Kill every damn idiot in the world, young and old, male and female. Nothing would improve *society*, never mind secure computing, more.
This brings up an even more important issue.
Does anyone know if there is a list and description of the various services that run under Windows and their function? Many applications install services that are ambiguous and it would be helpful to be able to weed out the unnecessary services to improve performance and security.
I've read nothing much yet, but from my position, I agree with AOL interfering with users' PC's. I do not think this sets a good precedent, in fact I do not think it should set a precedent. That said, taking it in isolation, it is better that AOL interfere in order to prevent a greater harm. (As an analogy, I am comparing AOL's actions with those that are justified as reasonable force in defense of someone else.)
In short: I do not agree with ANY precedent set by AOL's actions, but as an isolated action with a good justification (which mainly affects those that aren't savvy enough to sort things out for themselves) I agree with AOL's action.
John_Chalisque
The world is full of non-geek AOLers. Their advertising said, "So easy to use, anyone can do it." Box computers by the millions shipped with the little "Click here for 2 Free months of AOL" on the desktop.
Computers are marketed at the masses. All the advertising implys it is like a stereo, hook it up and go! Of course, we know it is far more complicated than that now. Security is suddenly important and most non-geeks are completely ignorant about it.
I must agree with the uncomfortable feeling it gives me to have someone switching stuff on or off inside your machine, but it's about time AOL took responsibility for the millions of insecure boxes they have put on the net.
I wonder how much of the timing of this is related to to the latest critical warning issued this week by MS which was directly related to this service. Perhaps AOL is trying to stave off millions of tech support calls when the worm is released.
There is nothing so powerful as an idea whose time has come.
For anyone who wants to remove Windows Meesenger from their computer but doesnt know how, click here [grc.com] for the download page of a program written by William Gibson
I am not a subscriber to AOL so please excuse my ignorance.
I am assuming that AOL does this without asking the user if they can do this and without informing the user that they are doing this?
That is what AOL is doing wrong.
AOL needs to tell the user that Microsoft has this stupid system service on by default and that it won't damage anything if they turn it off. You will stop getting those stupid pop-ups.
Let us preceed? Yes or No.
If AOL did that then I would applaud them.
Microsoft should be so bold.
AOL requires the use of proprietary software, correct? If so, then why not include a basic firewall with the program instead of playing white-hat? It accomplishes the same thing without ethical dillemas.
Maybe the reason there is stuff like that still floating around in Windows is Bill helped to write it. If we could see the headers or main code of the Messenger Service, I bet there are comments by "Bill G" in there. Wherever Bill G has been, other developers fear to tread. Maybe that's the reason why they haven't done sensible things like disable access to the service from non-LAN interfaces. Anyone inside Microsoft care to confirm this?
I actually got sick of my firewall logging these messages and took a block of them and put them into one massive spam page. http://spam.djekz.com
Surprisingly, I went from getting 5-6 hits a day to 30-35 a day because of people searching for keywords in search engines. Sorry to be starting a new thread...
If the majority of your subscribers are infants (ignorant) then you have to treat them as such. The baby gate in the hall, the electrical socket plugs, and the curtain lines... Keep them proxied and out of my hair!!! I get more spam from "Regular ISP's" wind-ho's virus tainted trash then AOL. Keep the newbies where they belong---Supervised!!!! If you are stupid enough to sign up for AOL then you deserve it Drink Schlitz and boycott most pies....
apt-get install netatalk
apache is a weberver, not a fileserver.
Anyone know if AOL reserves the right to do this as part of their terms of use? Last I looked, MS does with Windows.
-- Slashdot: When Public Access TV Says "No"
... that is, they're talking about the SMB protocol messenging service - not MSN.
IMHO the right answer is to block ports 137, 138, 139 and 445 to cut this, and all the other SMB crap, off entirely. If you need SMB service - use IPSec and tunnel it like you should be anyway. IMHO having SMB exposed to the internet is madness.
just so you know...NO the FBI wouldn't care if some 17 year old went around and changed users registry settings...why? Because simply doing that alone doesn't cost hundreds of thousands of dollars in damage....and yes that is the only time the FBI will care...when large sums of money are involved. So happy hacking...and make sure you have a few other ISPs ready and willing to give you an account when your current ISP pulls the cord.
I don't use AOL, so correct me if im wrong ..
... also, 90% of this story is very old news, for those of you who were born this morning, the last round if big viruses were propagated through the mis-use of that MS network messenger.
but isn't it a bit ironic that AOL - the king of popups and brutal advertising stuck in their own subscriber's faces - is complaining about these popups?
George Bush + Linux = "I will not let information get in the way of the fight against Windows"
should have been off by default already and enabled in a true lan/office environment
;)
Funny. If you're running AOL in a LAN computer, you aren't doing any work, are you? If you truely need office instant messenging capabilities, install A0L's free IM client. You already have an internet connection, so if the full A0L goes ahead and turns off your LAN popups, then you got in trouble because of a few home-browser-intended side-effects
Face it, these new things AOL offers are good for the home user, and it will only make things better. Free "antivirus protection" and the registry cleaning may be offered in offices, where A0L won't be installed often --and at home, you will need but probably won't have access to these products. It's nice, then that someone is doing some work.
You know how many people's machines we dissinfected repeatedly who refused to switch from their ubiquitous virus-causing email program to a less ubiquitious one that our IT department REQUIRED? It became a nightmare to remove viruses because we could not just FORCE our own protection on the users, even if it meant involuntary countering measures because of their declining our "innoculation."
I say, if simply because it was 15 million computers A0L fixed, let them do it. These users won't notice, but savvy computer people will thank them that someone is taking some tedious friends'-system maintenance off their backs.
"Wireless : LAN
I had AOL when I started using the Net and years after I got rid of AOL, I was searching through all my computer files to find stuff to delete and lo and behold I had over 30 AOL files on my comp. All of these files had slightly changed usernames so if you did a search of the text of all files for any of your AOL usernames you would never find them. Dannon78 might become Da78nnon or something like that. So what did AOL hide on my computer? Well, they had purchases that I made on the Net using AOL, some emails that I had sent and recieved and some other random information. All of these files were at the very bottom of my list when I did the view all files option. AOL really doesn't want you to find these files!
Or, you just needed to think of some seemingly intelligent explanation, since you realize he had called you out on your mistake. We know your pain, and it's OK. It's OK to hurt.
This is not part of my post. It's my signature. I bet you're disappointed.
By definition, a webserver serves 'files'.
You just got out-pedanted.
Idiot.
You're doing it wrong.
I was called in to do tech support on an old computer (it had a "Wave Modem", a sound card modem combo, just as bad at both tasks as it sounds and which ended up being the problem with the machine getting online, but thats another story) Apparently the girls brother reformatted and reinstalled everything, and now "the coputer doesn't work." I turn it on when I get there, and it boots fine... I ask what she means, and she says, "Nooo - the COMPUTER" while pointing at the AOL icon on her desktop with her index finger and looking at me like _I'm_ the one wiht no idea whats going on.
You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services.
Only if you consider having your file/printer sharing open to the whole internet to be "useful services". They may be useful in a LAN, but even the most primitive firewall should have a way to separate those.
No to mention bazillions of worms also using these very same ports, including but not limited to the RPC nasties.
Block away, these should not be open to the world under any circumstances!
Remember, AOL is the same company that refuses to remove ads from AIM (AOL Instant Messenger). They're too money-hungry. AOL is just taking advantage of poor security measures by Microsoft. It's a far cry from hacking. It all just boils down to the least informed gets exploited the most. Sure, it's bad ethics. But the color green is something that companies use to overlook ethics.
About two months ago, I was booted off Blueyonder's Surfunlimited dial-up service. I'd installed a proxy on port 4480 so the computer in the next room could get on the net. Unbeknownst to me, my simplistic firewall wasn't actually blocking access to that port from the Internet.
About six months after installation, Blueyonder initiated a scan of every computer on their network on various ports, including port 4480. My machine popped up as being open, and my account was suspended just after the next bill was due to be paid (how well-timed).
Despite the inconvenience, I now have my Surfunlimited account back after a few quick phone calls to Tech Support and an email to abuse@blueyonder.co.uk. The hole got patched, and I'm here to post this message.
AOL don't need to hack people's computers. If a user is running something that's a security risk, just eject them from the network until they aren't a security risk. Easily done, and no ethical hangover.
--
TechnicalFool