Slashdot Mirror


AOL Hacks Subscribers' Computers

ctwxman writes "If you're running a recent vintage version of Windows, and connecting to the Internet with an IP address reachable from the outside world, you've probably seen them. They're rectangular boxes that pop up out of the blue with advertising. These aren't pop-up (or pop-under) browser ads but actually a weird misuse of Windows Messenger Service, a mostly useless tool which Microsoft has left on by default! Though similarly named, this isn't at all related to Microsoft's IM product. You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services. The best way to stop the pop-ups requires the user to readjust some internal Windows settings. As you might imagine, many users are reticent to do that. Now, AOL has come up with another solution. They're going into subscribers' machines, without asking, and making the adjustments themselves! Though the short term result will probably be good, there are all sorts of implications when your ISP just reaches out and decides how your PC should be configured without your knowledge." The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating.

27 of 558 comments

  1. Headline is an overreacting attention grabber by Anonymous Coward · · Score: 5, Insightful

    Don't get me wrong, I'm not approving of what AOL is doing, but at worst this is "white hat" hacking. This is the sort of stuff that /.ers joke about (and perhaps engage in), chuckling about writing worms that use holes in Windows to get in and then patch the very same holes.

    1. Re:Headline is an overreacting attention grabber by donutz · · Score: 4, Insightful

      Maybe you're new here, but "white hat" hacking is dangerous. Just look at the Welchia worm. Someone tried to fix computers infected with Blaster, but their "white hat" hacking worm only made things worse.

      Good intentions don't always mean you let it slide when someone breaks the law.

    2. Re:Headline is an overreacting attention grabber by arcanumas · · Score: 4, Insightful
      The fact that their intention is good means nothing.
      Think of this. I have a custom application that USES this service and when they disable it my company stops working... Do they have the right to do it now?

      --
      Slashdot Sig. version 0.1alpha. Use at your own risk.
  2. What Else Can AOL Do? by blunte · · Score: 5, Insightful

    When you have the single largest group of ignorant users in the world, how do you educate them to protect themselves from the MS problems?

    I bet AOL did this due to constant complaints from subscribers about AOL "allowing" or "sending" them popups.

    I also bet there's a clause in the AOL agreement (which AOL subscribers have agreed to) that either explicitly allows AOL to configure your computer, or allows them to change their policy at any time, thus allowing that by proxy.

    --
    .sigs are for post^Hers.
  3. AOL Users by gregarican · · Score: 2, Insightful
    When I see people sign up for AOL I feel the way I do when I see fat people line up outside the Dairy Queen pickup window. Why, people, why? You don't need to add to your own miseries.

    The typical AOL user is vulnerable no matter which angle you take. It's like if a new ISP service was started by the "...For Dummies" company. As a user you'd have a big Kick Me sign on your back.

  4. Re:Someone will sue by jaredmauch · · Score: 3, Insightful

    I don't know about the AOL software EULA, it could permit such patching/changing of registry settings. They could also say that it was done in order to preserve the security of their network (ie: having millions of compromised machines via the latest messenger exploit). I don't see anything clearly illegal here.

  5. You Agreed by Ageless · · Score: 5, Insightful

    I guarantee that somewhere in some license agreement the users gave AOL permission to do this.

    And as for "adjusting Windows internal settings", let's stop the FUD shall we? It's turning off a service. Nothing insidious. If someone recommended that you comment out the telnet line in /etc/inetd.conf would you call it "adjusting Linux's internal settings"?

    Everyone knows that turning off Messenger is a good thing. AOL is looking out for their customers. Give em a break.

    1. Re:You Agreed by frankie · · Score: 2, Insightful
      somewhere in some license agreement the users gave AOL permission

      This is almost certainly true.

      If someone recommended that you comment out the telnet line in /etc/inetd.conf

      If your ISP got root on your linux box, killed telnetd, and commented that line out, without telling you, then you might have an analogy worth discussing.

  6. michael's comment by frankmanowar · · Score: 2, Insightful
    "The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating. "

    actually, the FBI won't investigate without a reported loss of $10K (see The Cuckoo's Egg by Cliff Stoll - tho i don't know how this has changed since cliff wrote his goofy book).

    of course, given some of the claims made of damages by corporations (cough! nytimes! cough!), perhaps all these users could claim 10million in damages with about as much plausibility and get an investigation!

    -Frank
    --

    "Other bands play, but Manowar KILLS"
  7. More to do with company image by mao+che+minh · · Score: 5, Insightful
    AOL probably realizes that the average customer is going to blame pop-ups on either AOL software, or blame AOL for being unable to prevent them. With competitors like Mindspring offering free software that does block the messenger flaw, people are leaving AOL.

    AOL is just protecting their business.

  8. Re:bs by micq · · Score: 2, Insightful

    AOL sucks and should be put out of its misery.

    Don't you mean 'put out of our misery'... AOL and its users run around in their own ignorant bliss... Maybe we should support them seceding from the internet...

  9. Re:This is good for the average AOL user by Nidhogg · · Score: 4, Insightful

    One way of looking at this is that AOL is simply taking Microsoft's quality issues into their own hands.

    That may very well be the scariest thing I've read in years.

  10. Re:Someone will sue by Vargasan · · Score: 2, Insightful

    "Presumably their EULA allows them to do this sort of stuff."

    Isn't it Federal law?

    How can a contract go against federal law?

    Maybe the US is more screwed than previously thought.

    --
    Putting the romance back into necromancer.
  11. Re:This is good for the average AOL user by DrEldarion · · Score: 5, Insightful

    The bad part isn't that they're doing it - that's excellent. The bad part is that they don't even ask permission.

    If a dialog box popped up that said, "AOL would like to disable the messenger service on your computer. This will help stop pop-up ads. Would you like to allow AOL to do this? [Allow][Do Not Allow]" then it would be fine. They shouldn't just ASSUME that the user has no use for it.

    -- Dr. Eldarion --

  12. Re:But the precedent isn't by fredz · · Score: 5, Insightful

    I think jaredmauch hits the nail on the head when he says "You're not talking about your 'Average' ISP." AOL is very paternalistic, giving its customers a nice, safe, easy environment that you or I might find infuriating but that some people really like. Those people who want 'somebody who knows computers' to manage their 'online experience' are the same people who want 'someone who knows computers' to manage their PC.

    I think AOL may be accidentally backing themselves into a good business model. You buy the PC and sign up for AOL, and they take care of all of the rest of the technical stuff for you. I won't be signing up anytime soon, but I bet a lot of people would love the service.

    Fred

  13. Re:But the precedent isn't by dekemoose · · Score: 2, Insightful

    Note that AOL actually offered their users a simple one click tool to disable Windows Messenger and almost no one used it. At that point they went to this tactic. I have some queasy feelings about this as well, but overall I am in favor of it. Quite frankly, AOL is doing a service to the Internet as a whole by closing one of the many gaping holes in Windows on several million hosts.

  14. a better solution by axxackall · · Score: 1, Insightful
    Solution: Do not use AOL.
    I hope this helps.

    No, it doesn't.

    You can't turn customers from AOL just by saying what you said on /.

    The customers have their rights. The single customer can be stupid by buying from AOL. But when the majority of US home customers are buying the service from AOL *AND* AOL is breaking the privacy and property of customers without even notifying them - that is a crime and it must be punished.

    My solution is better - US government must either consider pulling back the AOL license (isn't ISP business licensed in USA?) or explicitly say to AOL: No! Don't do it again!. Some restitution fine (5B?) won't hurt poor american economy too :)

    --

    Less is more !
  15. Welchia != White Hat by Tyranny12 · · Score: 2, Insightful

    Welchia had a flaw that is easily fixed. Simply propagating less effectively would've gotten rid of its DoS effects.

    Now the fact that after patching the PC, it opened up another hole in PCs it was on, to allow backdoor access by the creator of Welchia, is a different story. That's not "white hat" by my definition of the word.

  16. Re:But the precedent isn't by werfele · · Score: 2, Insightful
    I agree. My father has cable modem service, but nevertheless keeps paying AOL. One of the reasons he's using AOL for Broadband is he's not only unfamiliar with configuring his PC, he'd like to stay that way. He doesn't just want to not have to know how to disable the messenger server, he wants to not have to know that it had to be done.

    If that's a service he'd like to pay for, I don't see anything wrong with that. I figure AOL users are pretty much self selected to fall into the same camp, so I don't understand the outrage (particularly since it's probably covered in their agreement with their users).

  17. Everyone is missing the point by ionpro · · Score: 3, Insightful

    This is AOL's warning shot across Microsoft's bow. They are saying "Don't fuck with us." Think about this -- if AOL can disable random services, they sure as hell can uninstall random software on the user's machine. They can disable MSN Messenger by default -- or even REPLACE it with AOL software. They can remove all links to Internet Explorer and replace it with their own browser. They're telling Microsoft that if MS makes it hard on AOL, AOL is going to make it hard on MS.

    Even if this had no ulterior motive, it is still a Good Idea. Your typical AOL subscriber leaves their computer wide open. Normally, that would be their problem, but with root level bugs that require no user intervention, such as the RPC DCOM exploits, it becomes EVERYONE's problem. When my Internet connection is slowed because of the idiots who run cable connections with AOL broadband, it is imperative that someone step in and patch those machines. You think AOL wants to spend the bandwidth and processor power required to send and/or reject all those packets?

    I am a member of an IT department that supplies a medium-large college with internet access. While we don't actually automatically patch users' machines, we do block access to the network for simply being unpatched (by MAC address). Many people would be outraged, but the fact remains that our network is infinitely more secure now than it was 8 weeks ago. Border security is no security at all. I personally welcome AOL's choice in this matter.

  18. Re:This is good for the average AOL user by mobets · · Score: 3, Insightful

    the problem with that is that a good number of people would think it was talking about Windows Messenger AKA MSN Messenger. They would then say no and not have this setting turned off like it should be.

    --

    It was me, I did it, I moved your cheese
  19. more BS by sootman · · Score: 2, Insightful

    >Russ Cooper, a security expert with TruSecure Corp., said anyone who needs the Windows messaging function that AOL disabled ought to be smart enough to know how to reactivate it.

    Excuse me, Mr. Asshole, but the only way for me to know the service is no longer on is for me to say "Hmm, I should have gotten a message by now... what the fuck?!?" Thank you for deciding for me, and then not telling me, that my settings should be changed.

    How fucking hard would it have been for AOL to ship something that briefly explains the vulnerability and says "Click here and we will turn it off for you."?

    > "I hope more and more providers do this type of proactive security," he said, "and that we don't condemn them for things we wish everybody would do for themselves."

    Well, you heard it boys, start writing all those anti-Nimda, anti-CodeRed, anti-Slammer viruses! After all, with this mentality, why stop at "providers"? Why can't just *anyone* decide how every other computer on the Net should be set up?

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  20. Re:How ya figure? by Planesdragon · · Score: 2, Insightful

    Windows messenger is part of windows, not AOL's software.

    So is the Start Menu, dial-up networking, the modem driver, etc.

  21. Re:This is good for the average AOL user by AllUsernamesAreGone · · Score: 4, Insightful

    Theoretically, I agree. But put yourself in the place of AOL - they start asking people whether they want Messenger Service disabled and the first thing they'll see is a massive increase in the number of people phoning the technical support line asking why their computer is asking them this question, then they'll find (as another poster suggested) that many of them will get confused and refuse it and then they'll have yet more people on the phone complaining that something has gone wrong "because of that fix you did" (when it is likely to be just psychological, or something the user has done). Trust me, I've done tech support, the very LAST thing you want to do is ask the average, barely computer literate user, questions about technical issues on their machines.

    While the ethics are questionable, IMO AOL is aimed at people who are not and have no intention of becoming technically literate, and as such they are dangerous - to themselves and the net - when a known exploit exists on their machines. In exactly this situation, I have no problem with the action. Yes, I'd be annoyed if anyone tried it on my machines, but I'm with an ISP that expects some technical ability.

  22. This is NOT like releasing a worm or virus! by Juggler · · Score: 2, Insightful
    Although I understand your general sentiment, I would like to point out that a controlled "hack" like this run from a trusted location by a qualified technician is radically different from a worm or virus.

    If something like this backfires, then A) you know who is responsible and B) the responsible person can TURN IT OFF.

    For most viruses and worms, neither A) nor B) can be guaranteed, which is why releasing worms into the wild is ALWAYS a bad idea, whether their payload is benign or not.

    Proactive "hacking" of machines by ISPs is actually relatively easy to justify from a network-reliability point of view. As a network admin I frankly couldn't care less if you need Windows Messenger - if you're running it unpatched on my network then you're putting the rest of my network and the rest of my users at risk, which is unacceptable. So, basically, I agree with Russ. Go AOL!

  23. One minor qualification... by Juggler · · Score: 2, Insightful

    The above support for AOL's actions is based on the fact that if I recall correctly, there are remotely exploitable problems with the Windows Messenger service. If my memory is playing tricks on me and the ONLY point was to disable annoying popups, then I don't condone this particular hack. But for an equivalent hack to close the Blaster hole or other similar ones, my argument is valid and I stand by it. :-)

  24. Re:But the precedent isn't by ls+-lR · · Score: 2, Insightful

    I don't understand how this is really all that new. I mean, I understand the "slippery slope" argument about third parties modifying one's configuration, but this is HARDLY the first example of it. For instance, when you do one of those "Self-guided installs" for cable or DSL, it usually involves running some program from a CD provided by the cable company or ISP. It checks all your settings, installs the TCP/IP protocol if it wasn't there before, creates and enables the Ethernet connection, turns on DHCP, etc. They also typically add crap to the registry that "brands" Internet Explorer, so that it now says "Internet Explorer - Powered by GiantCableCo" on the title bar, and the animated IE activity logo is replaced by the corporation's logo. This is common even for generic PPP dialup services. They just hand you a program that says "Here, run this self installer." It creates the connection for you, enters the settings in Outlook Express for the email servers, and probably brands your IE.

    I view all of those things as equally or more intrusive than simply disabling a service. In fact I think it's worse, as I'm sure many people are bothered by the fact that their IE home page is changed to comcast.net, and that their computer now says "Powered by Time Warner Roadrunner" or whatever. Disabling a service is both useful to the end user and not intrusive, which you can't say of these install programs that brand your browser, change your homepage and email settings, and mess with your TCP/IP stack.

    This is just another case of special attention because it's AOL and we happen to dislike them. Everybody's been doing the crap for a long time now, in much more intrusive ways and no one has complained about them "hacking people's computers."