Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL Hacks Subscribers' Computers

Posted by michael on from the he-who-has-the-gold-makes-the-rules dept.

ctwxman writes "If you're running a recent vintage version of Windows, and connecting to the Internet with an IP address reachable from the outside world, you've probably seen them. They're rectangular boxes that pop-up out of the blue with advertising. These aren't pop-up (or pop-under) browser ads but actually a weird misuse of Windows Messenger Service, a mostly useless tool which Microsoft has left on by default! Though similarly named, this isn't at all related to Microsoft's IM product. You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services. The best way to stop the pop-ups requires the user to readjust some internal Windows settings. As you might imagine, many users are reticent to do that. Now, AOL has come up with another solution. They're going into subscribers' machines, without asking and making the adjustments themselves! Though the short term result will probably be good, there are all sorts of implications when your ISP just reaches out and decides how your PC should be configured without your knowledge." The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating.

3 of 558 comments (clear)

  1. Mandatory Subject Here by BlackBolt · · Score: 5, Informative

    Turn off Messenger

  2. not that hard to block. by cosyne · · Score: 4, Informative

    I think even non-slashdotters colud manage:

    Disabling the Messenger Service

    You can disable the Messenger service if you want to although doing so may result in Windows not being able to alert you to some conditions. A list of circumstances when Windows will use the Messenger service to pop up informative windows isn't available right now but may include things like "print job complete", anti-virus, and event logger status messages. Also, "new mail" notifications may not be available in an Exchange/Outlook environment.

    Windows 2000

    1. Click Start->Programs->Administrative Tools->Services
    2. Scroll down and highlight "Messenger"
    3. Right-click the highlighted line and choose Properties.
    4. Click the STOP button.
    5. Select Disable in the Startup Type scroll bar
    6. Click OK

    Windows XP

    1. Click Start->Control Panel
    2. Click Performance and Maintenance
    3. Click Administrative Tools
    4. Double click Services
    5. Scroll down and highlight "Messenger"
    6. Right-click the highlighted line and choose Properties.
    7. Click the STOP button.
    8. Select Disable in the Startup Type scroll bar
    9. Click OK

    You can verify the service is disabled by typing the following at a command prompt. If no message appears, the Messenger service has been disabled.

    * net send 127.0.0.1 "test"

    (blatantly ripped from http://www.jmu.edu/computing/security/info/winmsg. shtml)

  3. Bad legal conclusions. by Compulawyer · · Score: 4, Informative
    The Computer Fraud and Abuse Act makes this clearly illegal . . . .

    Ummm, no it doesn't. Should AOL be doing this? HELL NO. If AOL did it to MY system, I can guarantee I would be filing a lawswuit. But it would be a CIVIL suit, not a criminal action.

    Why you ask? Because criminal statutes are drafted very carefully and interpreted narrowly. The reason for that is that it is a basic legal principle that people should have adequate notice of what is a crime and what is not.

    Now before I get flamed by everyone who has heard the saying, "Ignorance of the law is not an excuse," let me tell you that "notice" of the law is provided by publishing the law so it is publically available.

    Without going into gory detail, I can tell you that the statute cited in the post, 18 U.S.C. 1030, is not violated if all AOL is doing is shutting off Windows Messenger. Is it right? No. Is it a crime? No, because all the requirements for it to be a crime ("elements" of the crime) are not met. At least I don't see any evidence that would support it. Specifically, on first glance, I don't see any of the following that would be necessary to sustain a conviction under some subsection of the act:

    • Obtaining information from the computer that the United States has determined needs to be protected (or some other information that can be broadly categorized as potentially harmful to the interests of the country);
    • Obtaining financial information or credit reports;
    • Obtains anything of value...
    The list goes on, but you get the point. What you SHOULD be asking is why the FBI is not prosecuting SPAMMERS under this act. There are sections that would cover some types of spamming activities.

    One last rant -- if you aren't a lawyer, don't give opinions about what is and is not a crime. You can be sued for defamation (libel, slander) for accusing someone of a crime. You wouldn't get advice on how to code from someone who knows nothing about computers. Don't take legal advice from non-lawyers.

    --

    Laws affecting technology will always be bad until enough techies become lawyers.