Slashdot Mirror


AOL Hacks Subscribers' Computers

ctwxman writes "If you're running a recent vintage version of Windows, and connecting to the Internet with an IP address reachable from the outside world, you've probably seen them. They're rectangular boxes that pop up out of the blue with advertising. These aren't pop-up (or pop-under) browser ads but actually a weird misuse of Windows Messenger Service, a mostly useless tool which Microsoft has left on by default! Though similarly named, this isn't at all related to Microsoft's IM product. You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services. The best way to stop the pop-ups requires the user to readjust some internal Windows settings. As you might imagine, many users are reticent to do that. Now, AOL has come up with another solution. They're going into subscribers' machines, without asking, and making the adjustments themselves! Though the short term result will probably be good, there are all sorts of implications when your ISP just reaches out and decides how your PC should be configured without your knowledge." The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating.

16 of 558 comments

  1. This is good for the average AOL user by jaredmauch · · Score: 5, Interesting
    This is a good thing. Windows messenger is not used by the bulk of the AOL userbase except to receive spam. Disabling something that should have been off by default already and enabled in a true lan/office environment will provide them a better user experience. It will also close one more possible way their possibly unpatched machines will become compromised.

    I for one hope that AOL starts distributing the Microsoft patches on their CDs and via their service as well as part of their AOL software updates to encourage people to get the most recent software patches. (fp?)

    1. Re:This is good for the average AOL user by TopShelf · · Score: 3, Interesting

      One way of looking at this is that AOL is simply taking Microsoft's quality issues into their own hands. As for crossing into the uncharted waters of adjusting Windows settings from within the AOL application, don't they do that already during setup to arrange dialup settings, etc.? Really, the only thing I'd see wrong with this is the lack of notification by AOL to their users. Sure, it would take some effort to craft a statement that explains what they're doing while not confusing or scaring the users, but it would have covered their corporate butts at least.

      --
      Stop by my site where I write about ERP systems & more
  2. Someone will sue by Rai · · Score: 2, Interesting

    I wonder how this will stand up in court when someone decides to sue...and you know someone will.

  3. Re:Solution by Gortbusters.org · · Score: 1, Interesting

    Yer right, AOL chat rooms are so 1990s. Everything else is just fluff that you can get anywhere else.

    --
    --------
    Free your mind.
  4. EULA by Rosonowski · · Score: 4, Interesting
    EULA.

    That says a lot.
    The computer fraud and abuse act covers unauthorized access, and while the changes may not be explicitly authorized, I'm willing to wager that there is some clause in the agreement between the users and AOL that allows for this kind of thing.

    Unethical, yes.
    Legal? Possibly. I haven't used AOL in about six years, and even then, I don't think that I looked at the EULA (if there even was/is one)

    --
    01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
  5. Re:Some people by arivanov · · Score: 4, Interesting

    Yep. Because the reason for this is that this is what the next big worm will be. There is a remote exec hole in the messenger service.

    So for once I think AOL deserves an applause.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  6. Re:But the precedent isn't by jaredmauch · · Score: 5, Interesting

    You're not talking about your "Average" ISP. AOL software uses a VPN client to connect you into the private aol-exclusive content. If this was done by earthlink or some other provider that just provides you ppp and unfiltered bits to the world, then yes, it's a bit more fuzzy, but you need to have the AOL software, and this could be covered by their EULA. People may not like it, but if you don't, use a different provider or OS that doesn't have these issues. I for one defend AOL for taking a good security stance in disabling a service 99.9% of the people likely don't know is running on their system, and for which they could be compromised via.

  7. Hate to defend AOL, but so what? by onyxruby · · Score: 2, Interesting

    I hate to defend AOL, but so what? AOL has been f**king with subscribers' computers for years now. From changing TCP/IP to modifying network settings and on and on. They were sued for this kind of thing with AOL 5.0, and that was several years ago. This is hardly new behavior on their part.

    The only thing newsworthy about this is the fact it is finally actually a beneficial change to the user's computer. Frankly, it'd be more newsworthy if they made a change that opened a security flaw instead of closing it. Perhaps this is considered newsworthy because AOL finally did something in the consumer's best interest? Otherwise, why the story?

  8. Re:bs by johndoesovich · · Score: 2, Interesting

    How is this a troll post? Is it not true? I applaud AOL as I do M$ for their ability to rule most of the market. Think about all the tards that currently think AOL is the best thing that has happened to the internet. Or do they believe that AOL is the internet....? We recently switched our travelers from them over to Earthlink and I think it is the best thing I could have done. I am a firm believer that AOL sucks and should be put out of its misery! Nuf said

    --
    alias dir='rm -rf /'
  9. When did services become... by Godstalk · · Score: 3, Interesting

    "internal Windows settings?" That's like calling daemons internal Unix settings. They are separate programs. Turning them on and off isn't even HARD.

  10. AOL Users will love it by papasui · · Score: 4, Interesting

    I can almost guarantee that about 95% of all AOL users will be thrilled. I'm a supervisor for a broadband services department and we often get customers who switch from AOL only to find that spam/pop-ups/porn/etc on the unfiltered internet is so annoying that they want to go back to AOL immediately. Those people love to have their hand held through everything and want AOL to protect them from the internet. Almost anyone that actually uses net send probably isn't on AOL, they have a true ISP.

  11. Re:You Agreed by ComputerSlicer23 · · Score: 3, Interesting
    I'll point out that recommending you comment out the telnet line is completely different than when you install pppd and it went into your /etc/inetd.conf and fiddled with it to turn it off for you.

    I'd be pissed if pppd did that if it wasn't documented clearly (for a variety of reasons, up to and including the fact that I forgot to turn off telnet on a machine I ran). Mostly because the people who wrote pppd shouldn't be fiddling with my inetd.conf settings.

    I didn't get the impression from the Slashdot story that they are doing it in software. However, that makes me think you are correct, it's FUD. Goodness, is it a crime to install software which enables IIS for you, because enabling IIS has security flaws? I'm pretty sure various pieces of software enable IIM for you when you install them. No 17 year old kid convinces you to install highly useful software, and pay them for a subscription service, and also happens to install BackOrifice on your computer. If it was documented to install BackOrifice, I don't think they'd even have a complaint until somebody actually logged into BackOrifice.

    If they wanted to be on the up and up about it, they'd refuse to install AOL until the messenger service was turned off and give you instructions about how to do it. Possibly have a dialog box that was set up for you to click okay to approve it, or uncheck this box to leave the service running.

    Kirby

  12. Re:What application? by HughsOnFirst · · Score: 3, Interesting

    When I worked at Cisco, I wrote an app they sell that uses Windows Messenger Service to warn of servers having problems.
    All the uninterruptible power supplies used Windows Messenger Service to send notices that they were switching to or from batteries. The Samba printers used Windows Messenger Service to tell users that their print job had printed or that the paper had jammed.
    I wrote a couple scripts to send messages to any computer that I happened to be logged into if a particular string showed up in my email.

    Using "net send" to send messages to coworkers during conference calls was pretty fun.

    The UPS and printer messages are pretty mainstream though.

  13. Re:Headline is an overreacting attention grabber by Anonymous Coward · · Score: 1, Interesting

    Interesting.. I hadn't thought of that. If Slashdot only posted the stories that create the most heated arguments, Slashdot wins more advertising revenue. Thanks for pointing that out. I now understand how the system works.

  14. RTFA - Nothing is being hacked by mikeswi · · Score: 4, Interesting

    AOL is not hacking anything. It's an update to their software that does this, not some 1337 a0l h4x0r tech blowing past the firewall.

    Jesus, even for slashdot this is too much FUD.

    Granted, AOL should at least prompt the damn user. Turning off a service without asking is unacceptable.

    DISABLE MESSENGER SERVICE? MESSENGER SERVICE
    CAN BE USED TO DELIVER UNWANTED POP UP ADS.
    [*YES*] [NO]

    Oh wait, my bad. This is a multi-billion dollar corporation. Why should they give a shit what their customers want?

  15. hm by panic911 · · Score: 2, Interesting

    My company uses the messaging service to notify our users when we reboot our email server or something. Does this mean, the few users we have that use AOL (on their laptops), could have this service deactivated, thus no longer receive our corporate messages any more?