Slashdot Mirror


AOL Hacks Subscribers' Computers

ctwxman writes "If you're running a recent vintage version of Windows, and connecting to the Internet with an IP address reachable from the outside world, you've probably seen them. They're rectangular boxes that pop-up out of the blue with advertising. These aren't pop-up (or pop-under) browser ads but actually a weird misuse of Windows Messenger Service, a mostly useless tool which Microsoft has left on by default! Though similarly named, this isn't at all related to Microsoft's IM product. You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services. The best way to stop the pop-ups requires the user to readjust some internal Windows settings. As you might imagine, many users are reticent to do that. Now, AOL has come up with another solution. They're going into subscribers' machines, without asking and making the adjustments themselves! Though the short term result will probably be good, there are all sorts of implications when your ISP just reaches out and decides how your PC should be configured without your knowledge." The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating.

68 of 558 comments

  1. A0L is L337 by JonoPlop · · Score: 5, Funny

    ...next thing you know they'll change their name to a0l.

    (fp?)

  2. Solution by HarveyBirdman · · Score: 2, Informative
    Solution: Do not use AOL.

    I hope this helps.

    --
    --- Ban humanity.
  3. This is good for the average AOL user by jaredmauch · · Score: 5, Interesting
    This is a good thing. Windows messenger is not used by the bulk of the AOL userbase except to receive spam. Disabling something that should have been off by default already and enabled in a true lan/office environment will provide them a better user experience. It will also close one more possible way their possibly unpatched machines will become compromised.

    I for one hope that AOL starts distributing the Microsoft patches on their CDs and via their service as well as part of their AOL software updates to encourage people to get the most recent software patches. (fp?)

    1. Re:This is good for the average AOL user by TopShelf · · Score: 3, Interesting

      One way of looking at this is that AOL is simply taking Microsoft's quality issues into their own hands. As for crossing into the uncharted waters of adjusting Windows settings from within the AOL application, don't they do that already during setup to arrange dialup settings, etc.? Really, the only thing I'd see wrong with this is the lack of notification by AOL to their users. Sure, it would take some effort to craft a statement that explains what they're doing while not confusing or scaring the users, but it would have covered their corporate butts at least.

      --
      Stop by my site where I write about ERP systems & more
    2. Re:This is good for the average AOL user by Bazzargh · · Score: 3, Informative

      Why *doesn't* AOL start putting MS patches on their CD's?

      Because Microsoft told everybody not to, I guess (I know this is about cover-mounted CDs, but that's typically how people get infected with AOL).

    3. Re:This is good for the average AOL user by Nidhogg · · Score: 4, Insightful

      One way of looking at this is that AOL is simply taking Microsoft's quality issues into their own hands.

      That may very well be the scariest thing I've read in years.

    4. Re:This is good for the average AOL user by DrEldarion · · Score: 5, Insightful

      The bad part isn't that they're doing it - that's excellent. The bad part is that they don't even ask permission.

      If a dialog box popped up that said, "AOL would like to disable the messenger service on your computer. This will help stop pop-up ads. Would you like to allow AOL to do this? [Allow][Do Not Allow]" then it would be fine. They shouldn't just ASSUME that the user has no use for it.

      -- Dr. Eldarion --

    5. Re:This is good for the average AOL user by mobets · · Score: 3, Insightful

      the problem with that is that a good number of people would think it was talking about Windows Messenger AKA MSN Messenger. They would then say no and not have this setting turned off like it should be.

      --

      It was me, I did it, I moved your cheese
    6. Re:This is good for the average AOL user by AllUsernamesAreGone · · Score: 4, Insightful

      Theoretically, I agree. But put yourself in the place of AOL - they start asking people whether they want Messenger Service disabled and the first thign they'll see is a massive increase in the number of people phoning the technical support line asking why their computer is asking them this question, then they'll find (as anothe rposter suggested) that many of them will get confused and refuse it and then they'll have yet more people on the phone complaining that something has gone wrong "because fo that fix you did" (when it is likely to be just psychological, or somethign the user has done). Trust me, I've done tech support, the very LAST thing you want to do is ask the average, bearly computer literate user, questions about technical issues on their machines.

      While the ethics are questionable, IMO AOL is aimed at people who are not and have no intention of becoming technically literate, and as such they are dangerous - to themselves and the net - when a known exploit exists on their machines. In exactly this situation, I have no problem with the action. Ys, I'd be annoyed if anyone tried it on my machines, but I'm with an ISP that expects some technical ability.

    7. Re:This is good for the average AOL user by AllUsernamesAreGone · · Score: 2, Funny

      If not ncessarily spelling ability...

  4. Someone will sue by Rai · · Score: 2, Interesting

    I wonder how this will stand up in court when someone decides to sue...and you know someone will.

    1. Re:Someone will sue by jaredmauch · · Score: 3, Insightful

      I don't know about the AOL software EULA, it could permit such patching/changing of registry settings. They could also say that it was done in order to preserve the security of their network (ie: having millions of compromised machines via the latest messenger exploit). I don't see anything clearly illegal here.

    2. Re:Someone will sue by frodo+from+middle+ea · · Score: 2, Funny
      Yes as Newton's third law clearly states..

      For every corporate action, there is an equal and opposite class action suit.

      --
      for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
    3. Re:Someone will sue by Vargasan · · Score: 2, Insightful

      "Presumably their EULA allows them to do this sort of stuff."

      Isn't it Federal law?

      How can a contract go against federal law?

      Maybe the US is more screwed than previously thought.

      --
      Putting the romance back into necromancer.
  5. Headline is an overreacting attention grabber by Anonymous Coward · · Score: 5, Insightful

    Don't get me wrong, I'm not approving of what AOL is doing, but at worst this is "white hat" hacking. This is the sort of stuff that /.ers joke about (and perhaps engage in), chuckling about writing worms that use holes in Windows to get in and then patch the very same holes.

    1. Re:Headline is an overreacting attention grabber by donutz · · Score: 4, Insightful

      Maybe you're new here, but "white hat" hacking is dangerous. Just look at the Welchia worm. Someone tried to fix computers infected with Blaster, but their "white hat" hacking worm only made things worse.

      Good intentions don't always mean you let it slide when someone breaks the law.

    2. Re:Headline is an overreacting attention grabber by arcanumas · · Score: 4, Insightful
      The fact that their intention is good means nothing.
      Think of this. I have a custom application that USES this service and when they disable it my company stops working... Do they have the right to do it now?

      --
      Slashdot Sig. version 0.1alpha. Use at your own risk.
    3. Re:Headline is an overreacting attention grabber by 31415926535897 · · Score: 2, Funny

      I have a custom application that USES this service and when they disable it my company stops working...

      I've been trying to get ahold of you. I DO want my diploma, and your program sounds really easy. How much does it cost?

  6. What Else Can AOL Do? by blunte · · Score: 5, Insightful

    When you have the single largest group of ignorant users in the world, how do you educate them to protect themselves from the MS problems?

    I bet AOL did this due to constant complaints from subscribers about AOL "allowing" or "sending" them popups.

    I also bet there's a clause in the AOL agreement (which AOL subscribers have agreed to) that either explicitly allows AOL to configure your computer, or allows them to change their policy at any time, thus allowing that by proxy.

    --
    .sigs are for post^Hers.
  7. Re:It was only a matter of time.. by LordBodak · · Score: 2, Funny

    This has nothing to do with MSN Messenger. Even the summary says this, you didn't even need to RTFA.

    --
    LordBodak's journal.
  8. EULA by Rosonowski · · Score: 4, Interesting
    EULA.

    That says a lot.
    The computer fraud and abuse act covers unauthorized access, and while the changes may not be explicitly authorized, I'm willing to wager that there is some clause in the agreement between the users and AOL that allows for this kind of thing.

    Unethical, yes.
    Legal? Possibly. I haven't used AOL in about six years, and even then, I don't think that I looked at the EULA (if there even was/is one)

    --
    01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
  9. Mandatory Subject Here by BlackBolt · · Score: 5, Informative
  10. If someone is daring enough.... by xclr8r · · Score: 2, Funny

    Install AOL on their PC. Get Hacked. Sue.

    --
    Beware of those who profit off the docile and persecute the unbelievers.
  11. AOL Users by gregarican · · Score: 2, Insightful
    When I see people sign up for AOL I feel the way I do when I see fat people line up outside the Dairy Queen pickup window. Why, people, why? You don't need to add to your own miseries.

    The typical AOL user is vulnerable no matter which angle you take. It's like if a new ISP service was started by the "...For Dummies" company. As a user you'd have a big Kick Me sign on your back.

  12. Re:Some people by arivanov · · Score: 4, Interesting

    Yep. Because the reason for this is that this is what the next big worm will be. There is a remote exec hole in the messenger service.

    So for once I think AOL deserves an applause.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  13. But the precedent isn't by siskbc · · Score: 2, Informative
    This is a good thing. Windows messenger is not used by the bulk of the AOL userbase except to receive spam. Disabling something that should have been off by default already and enabled in a true lan/office environment will provide them a better user experience. It will also close one more possible way their possibly unpatched machines will become compromised.

    Yeah, but the idea of your ISP fuX0ring your computer isn't so cool. But at the point where you use an OS that *lets* your ISP do that shit, AOL isn't the greater evil.

    --

    -Looking for a job as a materials chemist or multivariat

    1. Re:But the precedent isn't by jaredmauch · · Score: 5, Interesting

      You're not talking about your "Average" ISP. AOL software uses a VPN client to connect you into the private aol-exclusive content. If this was done by earthlink or some other provider that just provides you ppp and unfiltered bits to the world, then yes, it's a bit more fuzzy, but you need to have the AOL software, and this could be covered by their EULA. People may not like it, but if you don't, use a different provider or OS that doesn't have these issues. I for one defend AOL for taking a good security stance in disabling a service 99.9% of the people likely don't know is running on their system, and for which they could be compromised via.

    2. Re:But the precedent isn't by Planesdragon · · Score: 2, Informative

      Yeah, but the idea of your ISP fuX0ring your computer isn't so cool.

      Why not? Especially if it's a network service.

      This isn't AOL looking for passwords--this is the rough equivalent of them updating the AOL software.

      If you want an ISP that just gives you a modem dial-in and e-mail box, then AOL simply isn't your choice.

    3. Re:But the precedent isn't by MstrFool · · Score: 2, Informative

      Being an adult, I personally don't care for someone else deciding what is good for me and forcing it on me. That sort of mentality quickly becomes self-serving and can never be trusted. It's made worse by the fact that AOL could have offered it as a service to its users, who then could have clicked a link to allow AOL to disable this. Had they put out word and offered a way to fix it I would have found myself in the uncomfortable position of having to praise AOL. However, as they chose to force their will on others rather than offering, I find myself in the more typical position of condemning them. They broke the law, perhaps with the best of intent, but they still chose to crack their own users' systems and make changes without the users' permission. They should face charges for this. Don't like it, don't use it? Good thought, but it still doesn't justify breaking into someone's system.

      --
      Question reality.
    4. Re:But the precedent isn't by jaredmauch · · Score: 3, Informative
      AOL did provide it as a choice for users, they were uneducated enough to do it themselves yet were still complaining. You can find such references in the article. Please read it.

      Saying AOL is breaking into their system is just trolling. They are already AOL customers, received an AOL software update for which they're paying a fee for the AOL service (and the required software for the AOL service, remember AOL isn't just internet access. Those of us that remember prodigy, compuserve, etc.. know this quite clearly).

      If you're an AOL customer, complain. If you're not, tell your friends and family to stop using them and why you think that's the case and let them make that choice themselves. This is clearly something you purport to support in your statements.

    5. Re:But the precedent isn't by fredz · · Score: 5, Insightful

      I think jaredmauch hits the nail on the head when he says "You're not talking about your 'Average' ISP." AOL is very paternalistic, giving its customers a nice, safe, easy environment that you or I might find infuriating but that some people really like. Those people who want 'somebody who knows computers' to manage their 'online experience' are the same people who want 'someone who knows computers' to manage their PC.

      I think AOL may be accidentally backing themselves into a good business model. You buy the PC and sign up for AOL, and they take care of all of the rest of the technical stuff for you. I won't be signing up anytime soon, but I bet a lot of people would love the service.

      Fred

    6. Re:But the precedent isn't by dekemoose · · Score: 2, Insightful

      Note that AOL actually offered their users a simple one click tool to disable Windows Messenger and almost no one used it. At that point they went to this tactic. I have some queasy feelings about this as well, but overall I am in favor of it. Quite frankly, AOL is doing a service to the Internet as a whole by closing one of the many gaping holes in Windows on several million hosts.

    7. Re:But the precedent isn't by werfele · · Score: 2, Insightful
      I agree. My father has cable modem service, but nevertheless keeps paying AOL. One of the reasons he's using AOL for Broadband is he's not only unfamiliar with configuring his PC, he'd like to stay that way. He doesn't just want to not have to know how to disable the messenger server, he wants to not have to know that it had to be done.

      If that's a service he'd like to pay for, I don't see anything wrong with that. I figure AOL users are pretty much self selected to fall into the same camp, so I don't understand the outrage (particularly since it's probably covered in their agreement with their users).

    8. Re:But the precedent isn't by ls+-lR · · Score: 2, Insightful

      I don't understand how this is really all that new. I mean, I understand the "slippery slope" argument about third parties modifying one's configuration, but this is HARDLY the first example of it. For instance, when you do one of those "Self-guided installs" for cable or DSL, it usually involves running some program from a CD provided by the cable company or ISP. It checks all your settings, installs the TCP/IP protocol if it wasn't there before, creates and enables the Ethernet connection, turns on DHCP, etc. They also typically add crap to the registry that "brands" Internet Explorer, so that it now says "Internet Explorer - Powered by GiantCableCo" on the title bar, and the animated IE activity logo is replaced by the corporation's logo. This is common even for generic PPP dialup services. They just hand you a program that says "Here, run this self installer." It creates the connection for you, enters the settings in Outlook Express for the email servers, and probably brands your IE.

      I view all of those things as equally or more intrusive than simply disabling a service. In fact I think it's worse, as I'm sure many people are bothered by the fact that their IE home page is changed to comcast.net, and that their computer now says "Powered by Time Warner Roadrunner" or whatever. Disabling a service is both useful to the end user and not intrusive, which you can't say of these install programs that brand your browser, change your homepage and email settings, and mess with your TCP/IP stack.

      This is just another case of special attention because it's AOL and we happen to dislike them. Everybody's been doing the crap for a long time now, in much more intrusive ways and no one has complained about them "hacking people's computers."

  14. Cool line the resume by mao+che+minh · · Score: 2, Funny
    2003-2004 America Online Inc.
    Microsoft Security Analyst

    - Remotely corrected flaws in the Microsoft Windows operating system
    - Reason for leaving: Incarceration by the Federal Bureau of Investigation, 2004-2006

  15. Windows messenger is not useless by jericho34 · · Score: 5, Funny

    echo "your monitor's radiation shield has failed, please evacuate to minimum safe distance" |smbclient -M luserbox doesn't get them every time, but when it does...

    --
    and thus brain shall rule us!
  16. You Agreed by Ageless · · Score: 5, Insightful

    I guarantee that somewhere in some license agreement the users gave AOL permission to do this.

    And as for "adjusting Windows internal settings", let's stop the FUD shall we? It's turning off a service. Nothing insidious. If someone recommended that you comment out the telnet line in /etc/inetd.conf would you call it "adjusting Linux's internal settings"?

    Everyone knows that turning off Messenger is a good thing. AOL is looking out for their customers. Give em a break.

    1. Re:You Agreed by frankie · · Score: 2, Insightful
      somewhere in some license agreement the users gave AOL permission

      This is almost certainly true.

      If someone recommended that you comment out the telnet line in /etc/inetd.conf

      If your ISP got root on your linux box, killed telnetd, and commented that line out, without telling you, then you might have an analogy worth discussing.

    2. Re:You Agreed by ComputerSlicer23 · · Score: 3, Interesting
      I'll point out that recommending you comment out the telnet line is completely different than when you install pppd and it goes into your /etc/inetd.conf and fiddles with it to turn it off for you.

      I'd be pissed if pppd did that if it wasn't documented clearly (for a variety of reasons, up to and including the fact that I forgot to turn off telnet on a machine I ran). Mostly because the people who wrote pppd shouldn't be fiddling with my inetd.conf settings.

      I didn't get the impression from the Slashdot story that they are doing it in software. However, that makes me think you are correct, it's FUD. Goodness, is it a crime to install software which enables IIS for you, because enabling IIS has security flaws? I'm pretty sure various pieces of software enable IIM for you when you install them. No 17 year old kid convinces you to install highly useful software, and pay them for a subscription service, and also happens to install BackOrifice on your computer. If it was documented to install BackOrifice, I don't think they'd even have a complaint until somebody actually logged into BackOrifice.

      If they wanted to be on the up and up about it, they'd refuse to install AOL until the Messenger service was turned off and give you instructions about how to do it. Possibly have a dialog box that was set up for you to click okay to approve it, or uncheck this box to leave the service running.

      Kirby

  17. not that hard to block. by cosyne · · Score: 4, Informative

    I think even non-slashdotters could manage:

    Disabling the Messenger Service

    You can disable the Messenger service if you want to although doing so may result in Windows not being able to alert you to some conditions. A list of circumstances when Windows will use the Messenger service to pop up informative windows isn't available right now but may include things like "print job complete", anti-virus, and event logger status messages. Also, "new mail" notifications may not be available in an Exchange/Outlook environment.

    Windows 2000

    1. Click Start->Programs->Administrative Tools->Services
    2. Scroll down and highlight "Messenger"
    3. Right-click the highlighted line and choose Properties.
    4. Click the STOP button.
    5. Select Disable in the Startup Type scroll bar
    6. Click OK

    Windows XP

    1. Click Start->Control Panel
    2. Click Performance and Maintenance
    3. Click Administrative Tools
    4. Double click Services
    5. Scroll down and highlight "Messenger"
    6. Right-click the highlighted line and choose Properties.
    7. Click the STOP button.
    8. Select Disable in the Startup Type scroll bar
    9. Click OK

    You can verify the service is disabled by typing the following at a command prompt. If no message appears, the Messenger service has been disabled.

    * net send 127.0.0.1 "test"

    (blatantly ripped from http://www.jmu.edu/computing/security/info/winmsg.shtml)
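
The GUI steps and the `net send` check quoted in the comment above can also be scripted and verified from an administrator command prompt. This batch file is an added example, not part of the original post or of the JMU page it quotes; it assumes `sc.exe` is available (it ships with Windows XP; on Windows 2000 it is assumed to have been installed separately) and that the service's short name is `Messenger`.

```batch
@echo off
rem Added example: command-line equivalent of the Services GUI steps above.
rem Assumptions: run as an administrator; sc.exe is on the PATH;
rem the service short name is "Messenger".
set SVC=Messenger

rem 1. Does the service exist at all? sc returns non-zero if it does not.
sc query %SVC% >nul 2>&1
if errorlevel 1 (
    echo %SVC% service not found, nothing to do.
    exit /b 0
)

rem 2. Stop it only if it is currently running (the "STOP button" step).
sc query %SVC% | find "RUNNING" >nul
if not errorlevel 1 net stop %SVC%

rem 3. Set Startup Type to Disabled so it stays off after a reboot.
rem    The space after "start=" is required by sc's argument syntax.
sc config %SVC% start= disabled >nul
if errorlevel 1 (
    echo Could not change the startup type. Check administrator rights.
    exit /b 1
)

rem 4. Verify both halves: the configured start type and the live state.
sc qc %SVC% | find "DISABLED" >nul
if errorlevel 1 (
    echo FAIL: %SVC% startup type is not Disabled.
    exit /b 1
)
sc query %SVC% | find "STOPPED" >nul
if errorlevel 1 (
    echo FAIL: %SVC% is disabled for next boot but still running.
    exit /b 1
)

echo OK: %SVC% is stopped and disabled.
exit /b 0
```

Checking the start type as well as the running state matters because stopping the service alone does not survive a reboot.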

  18. Linux users prove themselves ignorant once again by richardpenner · · Score: 2, Funny

    This is a service, as mentioned, and so it can be stopped. Right click my computer -> manage -> Services and Applications -> Services -> right click on Messenger, and click disable. Can you linux users really not figure out the simplest things in Windows?

  19. michael's comment by frankmanowar · · Score: 2, Insightful
    "The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating. "

    actually, the FBI won't investigate without a reported loss of $10K (see The Cuckoo's Egg by Cliff Stoll - tho i don't know how this has changed since cliff wrote his goofy book).

    of course, given some of the claims made of damages by corporations (cough! nytimes! cough!), perhaps all these users could claim 10million in damages with about as much plausibility and get an investigation!

    -Frank
    --

    "Other bands play, but Manowar KILLS"
  20. Commercial is apt... by BrynM · · Score: 2, Funny
    To quote their oh so action packed commercial...
    "Sanitized for your protection"
    God, I cringe every time I hear that. I didn't think their ideas to sanitize the internet would come down to hacking their users machines. If only AOL would tell their customers exactly how invasive they can be. Oh well, I'll go back to herding the user cattle now.

    Git along hapless users. Cck! Chk! Git! C'mon users, git!

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  21. Hate to defend AOL, but so what? by onyxruby · · Score: 2, Interesting

    I hate to defend AOL, but so what. AOL has been f**king with subscribers' computers for years now. From changing TCP/IP to modifying network settings and on and on. They were sued for this kind of thing with AOL 5.0, and that was several years ago. This is hardly new behavior from their part.

    The only thing newsworthy about this is the fact it is finally actually a beneficial change to the user's computer. Frankly, it'd be more newsworthy if they made a change that opened a security flaw instead of closing it. Perhaps this is considered newsworthy because AOL finally did something in the consumer's best interest? Otherwise, why the story?

  22. More to do with company image by mao+che+minh · · Score: 5, Insightful
    AOL probably realizes that the average customer is going to blame pop-ups on either AOL software, or blame AOL for being unable to prevent them. With competitors like Mindspring offering free software that does block the messenger flaw, people are leaving AOL.

    AOL is just protecting their business.

  23. Re:bs by johndoesovich · · Score: 2, Interesting

    How is this a troll post? Is it not true? I applaud AOL as I do M$ for their ability to rule most of the market. Think about all the tards that currently think AOL is the best thing that has happened to the internet. Or do they believe that AOL is the internet....? We recently switched our travelers from them over to Earthlink and I think it is the best thing I could have done. I am a firm believer that AOL sucks and should be put out of its misery.! Nuf said

    --
    alias dir='rm -rf /'
  24. This reminds me of a Great Hack! by appleLaserWriter · · Score: 4, Funny

    Back when I was the Pool Guy, I had to employ a similar tactic. You see, many customers require pool service. A large subset of these customers require "service" on "ports" that aren't usually associated with pools. As you can imagine, "servicing" these "requests" landed me in hot water on more than a few occasions.

    One day it occurred to me that I could simply change my standard contract to unconditionally allow me to perform any additional "service" the customer required. All at no charge.

    Can I sue AOL for prior art?

  25. When did services become... by Godstalk · · Score: 3, Interesting

    "internal Windows settings?" That's like calling daemons internal Unix settings. They are separate programs. Turning them on and off isn't even HARD.

    1. Re:When did services become... by Suppafly · · Score: 2, Informative

      "internal Windows settings?" That's like calling daemons internal Unix settings. They are separate programs. Turning them on and off isn't even HARD.

      Exactly. Changing from disabled to manual or automatic for the startup type is very easy. Easier than starting and stopping unix daemons. Just because the author wasn't immediately familiar with the process doesn't mean it's hard.

      Uninstalling software is hard for people that don't know how to use their computers.

  26. Heh by Salamander · · Score: 3, Funny
    if this were a 17-year-old instead of AOL, the FBI would be investigating.

    According to AOL's online history, AOL is a 17-year-old. OK, it's a bit of a stretch, you have to count from when they went online instead of when they incorporated and they'd still be less than a month away from 18 years, but that's my story and I'm sticking with it.

    --
    Slashdot - News for Herds. Stuff that Splatters.
  27. Re:bs by micq · · Score: 2, Insightful

    AOL sucks and should be put out of its misery.

    Don't you mean 'put out of our misery'... AOL and its users run around in their own ignorant bliss... Maybe we should support them seceding from the internet...

  28. AOL Users will love it by papasui · · Score: 4, Interesting

    I can almost guarantee that about 95% of all AOL users will be thrilled. I'm a supervisor for a broadband services department and we often get customers who switch from AOL only to find that spam/pop-ups/porn/etc on the unfiltered internet is so annoying that they want to go back to AOL immediately. Those people love to have their hand held through everything and want AOL to protect them from the internet. Almost anyone that actually uses net send probably isn't on AOL, they have a true ISP.

  29. Bad legal conclusions. by Compulawyer · · Score: 4, Informative
    The Computer Fraud and Abuse Act makes this clearly illegal . . . .

    Ummm, no it doesn't. Should AOL be doing this? HELL NO. If AOL did it to MY system, I can guarantee I would be filing a lawsuit. But it would be a CIVIL suit, not a criminal action.

    Why you ask? Because criminal statutes are drafted very carefully and interpreted narrowly. The reason for that is that it is a basic legal principle that people should have adequate notice of what is a crime and what is not.

    Now before I get flamed by everyone who has heard the saying, "Ignorance of the law is not an excuse," let me tell you that "notice" of the law is provided by publishing the law so it is publicly available.

    Without going into gory detail, I can tell you that the statute cited in the post, 18 U.S.C. 1030, is not violated if all AOL is doing is shutting off Windows Messenger. Is it right? No. Is it a crime? No, because all the requirements for it to be a crime ("elements" of the crime) are not met. At least I don't see any evidence that would support it. Specifically, on first glance, I don't see any of the following that would be necessary to sustain a conviction under some subsection of the act:

    • Obtaining information from the computer that the United States has determined needs to be protected (or some other information that can be broadly categorized as potentially harmful to the interests of the country);
    • Obtaining financial information or credit reports;
    • Obtains anything of value...
    The list goes on, but you get the point. What you SHOULD be asking is why the FBI is not prosecuting SPAMMERS under this act. There are sections that would cover some types of spamming activities.

    One last rant -- if you aren't a lawyer, don't give opinions about what is and is not a crime. You can be sued for defamation (libel, slander) for accusing someone of a crime. You wouldn't get advice on how to code from someone who knows nothing about computers. Don't take legal advice from non-lawyers.

    --

    Laws affecting technology will always be bad until enough techies become lawyers.

  30. Re:Some people by zenobr · · Score: 2, Informative

    There's a few subtle differences here... a: Microsoft's auto updates automatically update MICROSOFT Products, not go in and turn off a service that is not their own, and (while most say it is worthless and just a big security hole) actually may be in use by some people. 2: Microsoft Auto Updates while enabled by default still CAN be disabled, before they even do anything, as the default setting is set to prompt you before it even downloads. While I have no sympathy for any sap using AOL and getting their computer fussed with by their ISP run by shaved apes, I also disagree strongly with said shaved apes thinking it's ok to just go in and fix things their way. I also agree that the Messenger service SHOULD be disabled... but not by an ISP.

    --
    If you can't beat your computer at chess, try kick-boxing.
  31. Re:What application? by HughsOnFirst · · Score: 3, Interesting

    When I worked at Cisco, I wrote an app they sell that uses Windows Messenger Service to warn of servers having problems.
    All the uninterruptible power supplies used Windows Messenger Service to send notices that they were switching to or from batteries. The Samba printers used Windows Messenger Service to tell users that their print job had printed or that the paper had jammed.
    I wrote a couple scripts to send messages to any computer that I happened to be logged into if a particular string showed up in my email.

    Using "net send" to send messages to coworkers during conference calls was pretty fun

    The UPS and printer messages are pretty mainstream though.

  32. Welchia != White Hat by Tyranny12 · · Score: 2, Insightful

    Welchia had a flaw that is easily fixed. Simply propagating less effectively would've gotten rid of its DoS effects.

    Now the fact that after patching the PC, it opened up another hole in PCs it was on, to allow backdoor access by the creator of welchia, is a different story. That's not "white hat" by my definition of the word.

  33. Everyone is missing the point by ionpro · · Score: 3, Insightful

    This is AOL's warning shot across Microsoft's bow. They are saying "Don't fuck with us." Think about this -- if AOL can disable random services, they sure as hell can uninstall random software on the user's machine. They can disable MSN Messenger by default -- or even REPLACE it with AOL software. They can remove all links to Internet Explorer and replace it with their own browser. They're telling Microsoft that if MS makes it hard on AOL, AOL is going to make it hard on MS.

    Even if this had no ulterior motive, it is still a Good Idea. Your typical AOL subscriber leaves their computer wide open. Normally, that would be their problem, but with root level bugs that require no user intervention, such as the RPC DCOM exploits, it becomes EVERYONE's problem. When my Internet connection is slowed because of the idiots who run cable connections with AOL broadband, it is imperative that someone step in and patch those machines. You think AOL wants to spend the bandwidth and processor power required to send and/or reject all those packets?

    I am a member of an IT department that supplies a medium-large college with internet access. While we don't actually automatically patch users' machines, we do block access to the network for simply being unpatched (by MAC address). Many people would be outraged, but the fact remains that our network is infinitely more secure now than it was 8 weeks ago. Border security is no security at all. I personally welcome AOL's choice in this matter.

  34. AOL's Agreement by johndoesovich · · Score: 2, Informative

    I just installed v. 9.0 of AOL just to get their agreement. Below you will find the agreement in its entirety. One thing to note..... I do not see anywhere they inform the user they have the ability to modify their os settings other than the base install. Happy Reading.

    Welcome and thank you for joining America Online ("AOL"). By registering for AOL membership or using AOL services and products, you agree to be bound by this Member Agreement and the rules and policies published on AOL (including AOL's Community Guidelines and Privacy Policy). You also agree to transact electronically with AOL.

    1. ABOUT THE AOL TERMS OF SERVICE

    This Member Agreement, the Community Guidelines and the Privacy Policy collectively make up the AOL Terms of Service. The AOL Terms of Service govern your AOL membership and your use of the AOL Online Service and any of the AOL Services (as defined below). Certain features and services offered by AOL and its Suppliers (such as AOL Call Alert, AOL Instant Messenger, Broadband for AOL, and MusicNet on AOL) contain additional terms or guidelines that supplement this Member Agreement and will govern the use of those services. You will have an opportunity to review the additional terms before you sign up or use those services.

    2. DEFINITIONS

    AOL will use the following terms in this Member Agreement:

    a. Account - The original account you open when you register for AOL membership through which you obtain access to the AOL Online Service and other AOL Services, and all sub-accounts or other accounts opened under your original account.

    b. AOL Online Service - The primary U.S. subscription online information, entertainment, communications and transactions service, including all Software for accessing and using the service.

    c. AOL Services - The AOL Online Service and all other websites, services and products offered by AOL.

    d. Content - Information, software, games, communications, photos, video, graphics, music, sound and other materials provided by or through the AOL Services.

    e. Software - Any software made available from AOL or a Supplier, whether preinstalled, given on a medium, provided by download or upgrade, or made available online that enable you to access and use AOL Services.

    f. Supplier - Any third-party distributor of AOL Services, any third-party provider of Software for AOL Services, and any third-party provider of Content for AOL Services and any third-party telecommunications provider.

    3. QUALIFICATIONS FOR MEMBERSHIP

    You must be a U.S. resident, at least 18 years of age and legally able to enter into contracts to qualify for AOL membership. If you are not yet 18 years old, you may use AOL Services only if the account was created and registered by your parent or guardian. AOL reserves the right to limit you to one free trial or promotion that cannot be combined with other offers.

    4. REGISTRATION FOR MEMBERSHIP

    You must register in your own name and provide true and current information. AOL will open an Account for you when you complete your registration. You will select (or AOL will assign you) a primary screen name that will be identified with your Account for the life of your account. You can use this primary screen name to log on to AOL Services and to send e-mail. You will not be able to change your primary screen name; however, depending on your plan, you will have the opportunity to open sub-accounts by creating additional screen names. Screen names may not be vulgar, used by someone else, or impersonate someone else. AOL in its sole discretion may reject the use or assignment of a screen name. All AOL screen names affiliated with your Account are the property of AOL and, at AOL's sole discretion, expire upon the cancellation or termination of your Account. Please visit Keyword: Screen Names to review all guidelines regarding screen names. If you open a sub-account for a child under the age of 13, you certify that you are the child's

    --
    alias dir='rm -rf /'
  35. RTFA - Nothing is being hacked by mikeswi · · Score: 4, Interesting

    AOL is not hacking anything. It's an update to their software that does this, not some 1337 a0l h4x0r tech blowing past the firewall.

    Jesus, even for slashdot this is too much FUD.

    Granted, AOL should at least prompt the damn user. Turning off a service without asking is unacceptable.

    DISABLE MESSENGER SERVICE? MESSENGER SERVICE
    CAN BE USED TO DELIVER UNWANTED POP UP ADS.
    [*YES*] [NO]

    Oh wait, my bad. This is a multi-billion dollar corporation. Why should they give a shit what their customers want?

  36. hm by panic911 · · Score: 2, Interesting

    My company uses the messaging service to notify our users when we reboot our email server or something. Does this mean, the few users we have that use AOL (on their laptops), could have this service deactivated, thus no longer receive our corporate messages any more?

  37. more BS by sootman · · Score: 2, Insightful

    >Russ Cooper, a security expert with TruSecure Corp., said anyone who needs the Windows messaging function that AOL disabled ought to be smart enough to know how to reactivate it.

    Excuse me, Mr. Asshole, but the only way for me to know the service is no longer on is for me to say "Hmm, I should have gotten a message by now... what the fuck?!?" Thank you for deciding for me, and then not telling me, that my settings should be changed.

    How fucking hard would it have been for AOL to ship something that briefly explains the vulnerability and says "Click here and we will turn it off for you."?

    > "I hope more and more providers do this type of proactive security," he said, "and that we don't condemn them for things we wish everybody would do for themselves."

    Well, you heard it boys, start writing all those anti-Nimda, anti-CodeRed, anti-Slammer viruses! After all, with this mentality, why stop at "providers"? Why can't just *anyone* decide how every other computer on the Net should be set up?

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  38. Re:How ya figure? by Planesdragon · · Score: 2, Insightful

    Windows messenger is part of windows, not AOL's software.

    So is the Start Menu, dial-up networking, the modem driver, etc.

  39. This is NOT like releasing a worm or virus! by Juggler · · Score: 2, Insightful
    Although I understand your general sentiment, I would like to point out that a controlled "hack" like this run from a trusted location by a qualified technician is radically different from a worm or virus.

    If something like this backfires, then A) you know who is responsible and B) the responsible person can TURN IT OFF.

    For most viruses and worms, neither A) nor B) can be guaranteed, which is why releasing worms into the wild is ALWAYS a bad idea, whether their payload is benign or not.

    Proactive "hacking" of machines by ISPs is actually relatively easy to justify from a network-reliability point of view. As a network admin I frankly couldn't care less if you need Windows Messenger - if you're running it unpatched on my network then you're putting the rest of my network and the rest of my users at risk, which is unacceptable. So, basically, I agree with Russ. Go AOL!

  40. One minor qualification... by Juggler · · Score: 2, Insightful

    The above support for AOL's actions is based on the fact that if I recall correctly, there are remotely exploitable problems with the Windows Messenger service. If my memory is playing tricks on me and the ONLY point was to disable annoying popups, then I don't condone this particular hack. But for an equivalent hack to close the Blaster hole or other similar ones, my argument is valid and I stand by it. :-)

  41. Re:These Pop Ups are Driving My Parents Batshit Cr by waxmop · · Score: 2, Informative

    I found this on the microsoft page linked in the article above:

    WORKAROUND
    To work around this issue, turn off the Messenger service. To do so, follow these steps:

    1. Click Start, and then click Control Panel (or point to Settings, and then click Control Panel).
    2. Double-click Administrative Tools.
    3. Double-click Services.
    4. Double-click Messenger.
    5. In the Startup type list, click Disabled.
    6. Click Stop, and then click OK.

    HTH

  42. Shutting down messenger service by jonbryce · · Score: 2, Informative

    It isn't difficult. It is as easy as typing

    sc stop messenger
    sc config messenger start= disabled

    on the command line.

    If typing things on a DOS style prompt scares you, you can go into control panel and disable the messenger service.
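
Added example, not part of the comment above or any poster's code: a PowerShell script that performs the same stop-and-disable as the two `sc` commands, but reports the service's current state first and asks for confirmation before changing anything, which is the prompt several commenters say was missing. It assumes PowerShell 2.0 or later and an administrator account; the script is hypothetical.

```powershell
# Added example (hypothetical script, not from the thread).
# Audits the Windows Messenger service and disables it only after the
# user confirms. Run from an elevated PowerShell 2.0+ session.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param()

# Win32_Service exposes both the run state and the configured start mode.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'"
if (-not $svc) {
    Write-Output 'Messenger service is not installed on this machine.'
    return
}

Write-Output ("Messenger: State={0}, StartMode={1}" -f $svc.State, $svc.StartMode)

if ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled') {
    Write-Output 'Already stopped and disabled; nothing to change.'
    return
}

# ConfirmImpact = 'High' makes ShouldProcess prompt by default, so the
# change is never made silently. Pass -WhatIf for a dry run.
if ($PSCmdlet.ShouldProcess('Messenger service', 'Stop and set startup type to Disabled')) {
    if ($svc.State -ne 'Stopped') {
        $result = $svc.StopService()
        if ($result.ReturnValue -ne 0) {
            Write-Warning ("StopService failed with code {0}" -f $result.ReturnValue)
        }
    }

    $result = $svc.ChangeStartMode('Disabled')
    if ($result.ReturnValue -ne 0) {
        Write-Warning ("ChangeStartMode failed with code {0}" -f $result.ReturnValue)
    }

    # Re-query so the report reflects what actually happened.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'"
    Write-Output ("Messenger now: State={0}, StartMode={1}" -f $svc.State, $svc.StartMode)
}
else {
    Write-Output 'No changes made.'
}
```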

  43. How to remove Windows Messenger by ArunAdvani · · Score: 2, Informative

    For anyone who wants to remove Windows Messenger from their computer but doesn't know how, click here [grc.com] for the download page of a program written by William Gibson

  44. Silly Question by Guppy06 · · Score: 2

    AOL requires the use of proprietary software, correct? If so, then why not include a basic firewall with the program instead of playing white-hat? It accomplishes the same thing without ethical dilemmas.