Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL Hacks Subscribers' Computers

Posted by michael on from the he-who-has-the-gold-makes-the-rules dept.

ctwxman writes "If you're running a recent vintage version of Windows, and connecting to the Internet with an IP address reachable from the outside world, you've probably seen them. They're rectangular boxes that pop-up out of the blue with advertising. These aren't pop-up (or pop-under) browser ads but actually a weird misuse of Windows Messenger Service, a mostly useless tool which Microsoft has left on by default! Though similarly named, this isn't at all related to Microsoft's IM product. You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services. The best way to stop the pop-ups requires the user to readjust some internal Windows settings. As you might imagine, many users are reticent to do that. Now, AOL has come up with another solution. They're going into subscribers' machines, without asking and making the adjustments themselves! Though the short term result will probably be good, there are all sorts of implications when your ISP just reaches out and decides how your PC should be configured without your knowledge." The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating.

32 of 558 comments (clear)

  1. A0L is L337 by JonoPlop · · Score: 5, Funny

    ...next thing you know they'll change their name to a0l.

    (fp?)

  2. This is good for the average AOL user by jaredmauch · · Score: 5, Interesting
    This is a good thing. Windows messenger is not used by the bulk of the AOL userbase except to receive spam. Disabling something that should have been off by default already and enabled in a true lan/office environment will provide them a better user experience. It will also close one more possible way their possibly unpatched machines will become compromised.

    I for one hope that AOL starts distributing the Microsoft patches on their CDs and via their service as well as part of their AOL software updates to encourage people to get the most recent software patches. (fp?)

    1. Re:This is good for the average AOL user by TopShelf · · Score: 3, Interesting

      One way of looking at this is that AOL is simply taking Microsoft's quality issues into their own hands. As for crossing into the uncharted waters of adjusting Windows settings from within the AOL application, don't they do that already during setup to arrange dialup settings, etc.? Really, the only thing I'd see wrong with this is the lack of notification by AOL to their users. Sure, it would take some effort to craft a statement that explains what they're doing while not confusing or scaring the users, but it would have covered their corporate butts at least.

      --
      Stop by my site where I write about ERP systems & more
    2. Re:This is good for the average AOL user by Bazzargh · · Score: 3, Informative

      Why *doesn't* AOL start putting MS patches on their CD's?

      Because Microsoft told everybody not to, I guess (I know this is about cover-mounted CDs, but thats typically how people get infected with AOL).

    3. Re:This is good for the average AOL user by Nidhogg · · Score: 4, Insightful

      One way of looking at this is that AOL is simply taking Microsoft's quality issues into their own hands.

      That may very well be the scariest thing I've read in years.

    4. Re:This is good for the average AOL user by DrEldarion · · Score: 5, Insightful

      The bad part isn't that they're doing it - that's excellent. The bad part is that they don't even ask permission.

      If a dialog box popped up that said, "AOL would like to disable the messenger service on your computer. This will help stop pop-up ads. Would you like to allow AOL to do this? [Allow][Do Not Allow]" then it would be fine. They shouldn't just ASSUME that the user has no use for it.

      -- Dr. Eldarion --

    5. Re:This is good for the average AOL user by mobets · · Score: 3, Insightful

      the problem with that is that a good number of people would think it was talking about Windows Messenger AKA MSN Messenger. They would then say no and not have this setting turned off like it should be.

      --

      It was me, I did it, I moved your cheese
    6. Re:This is good for the average AOL user by AllUsernamesAreGone · · Score: 4, Insightful

      Theoretically, I agree. But put yourself in the place of AOL - they start asking people whether they want Messenger Service disabled and the first thign they'll see is a massive increase in the number of people phoning the technical support line asking why their computer is asking them this question, then they'll find (as anothe rposter suggested) that many of them will get confused and refuse it and then they'll have yet more people on the phone complaining that something has gone wrong "because fo that fix you did" (when it is likely to be just psychological, or somethign the user has done). Trust me, I've done tech support, the very LAST thing you want to do is ask the average, bearly computer literate user, questions about technical issues on their machines.

      While the ethics are questionable, IMO AOL is aimed at people who are not and have no intention of becoming technically literate, and as such they are dangerous - to themselves and the net - when a known exploit exists on their machines. In exactly this situation, I have no problem with the action. Ys, I'd be annoyed if anyone tried it on my machines, but I'm with an ISP that expects some technical ability.

  3. Headline is an overreacting attention grabber by Anonymous Coward · · Score: 5, Insightful

    Don't get me wrong, I'm not approving of what AOL is doing, but at worst this is "white hat" hacking. This is the sort of stuff that /.ers joke about (and perhaps engage in), chuckling about writing worms that use holes in Windows to get in and then patch the very same holes.

    1. Re:Headline is an overreacting attention grabber by donutz · · Score: 4, Insightful

      Maybe you're new here, but "white hat" hacking is dangerous. Just look at the Welchia worm. Someone tried to fix computers infected with Blaster, but their "white hat" hacking worm only made things worse.

      Good intentions doesn't always mean you let it slide when someone breaks the law.

    2. Re:Headline is an overreacting attention grabber by arcanumas · · Score: 4, Insightful
      The fact that their intention is good means nothing.
      Think of this. I have a custom application that USES this service and when they disable it my company stops working... Do they have the right to do it now?

      --
      Slashdot Sig. version 0.1alpha. Use at your own risk.
  4. What Else Can AOL Do? by blunte · · Score: 5, Insightful

    When you have the single largest group of ignorant users in the world, how do you educate them to protect themselves from the MS problems?

    I bet AOL did this due to constant complaints from susbscribers about AOL "allowing" or "sending" them popups.

    I also bet there's a clause in the AOL agreement (which AOL subscribers have agreed to) that either explicitly allows AOL to configure your computer, or allows them to change their policy at any time, thus allowing that by proxy.

    --
    .sigs are for post^Hers.
  5. EULA by Rosonowski · · Score: 4, Interesting
    EULA.

    That says a lot.
    The computer fraud and abuse act covers unauthorized access, and while the changes may not be explicitly authorized, I'm willing to wager that there is some clause in the agreement between the users and AOL that allows for this kind of thing.

    Unethical, yes.
    Legal? Possibly. I haven't used AOL in about six years, and even then, I don't think that I looked at the EULA (if there even was/is one)

    --
    01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
  6. Mandatory Subject Here by BlackBolt · · Score: 5, Informative

    Turn off Messenger

  7. Re:Some people by arivanov · · Score: 4, Interesting

    Yep. Because the reason for this is that this is what the next big worm will be. There is a remote exec hole in the messenger service.

    So for once I think AOL deserves an applause.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  8. Windows messenger is not useless by jericho34 · · Score: 5, Funny

    echo "your monitor's radiation shield has failed, please evacuate to minimum safe distance" |smbclient -M luserbox doesn't get them every time, but when it does...

    --
    and thus brain shall rule us!
  9. Re:Someone will sue by jaredmauch · · Score: 3, Insightful

    I don't know about the AOL software EULA, it could permit such patching/changing of registry settings. They could also say that it was done in order to preserve the security of their network (ie: having millions of compromised machines via the latest messenger exploit). I don't see anything clearly illegal here.

  10. You Agreed by Ageless · · Score: 5, Insightful

    I guarantee that somewhere in some license agreement the users gave AOL permission to do this.

    And as for "adjusting Windows internal settings", let's stop the FUD shall we? It's turning off a service. Nothing insidious. If someone recommended that you comment out the telnet line in /etc/inetd.conf would you call it "adjusting Linux's internal settings"?

    Everyone knows that turning off Messenger is a good thing. AOL is looking out for their customers. Give em a break.

    1. Re:You Agreed by ComputerSlicer23 · · Score: 3, Interesting
      I'll point out that, recommending you comment out the telnet line, is completely different then when you install pppd it went into your /etc/inetd.conf and turned fiddled with it to turn it off for you.

      I'd be pissed if pppd did that if it wasn't documented clearly (for a variety of reasons, upto and including the fact that I forgot to turn off telnet on a machine I ran). Mostly because the people who wrote pppd shouldn't be fiddling with my inetd.conf settings.

      I didn't get the impression from the Slashdot story that they are doing it in software. However, that makes me think you are correct, it's FUD. Goodness, is it a crime to install software which enables IIS for you, because enabling IIS has security flaws? I'm pretty sure various pieces of software enable IIM for you when you install them. No 17 year old kid convinces you to install highly useful software, and pay them for a subscription service, and also happens to install BackOrifice on your computer. If it was documented to install BackOrifice, I don't think they'd even have a complaint until somebody actually logged into BackOrifice.

      If they wanted to be on the up and up about it, they'd refuse to install AOL until the messagner service was turned off and give you instructions about how to do it. Possible have a dialog box that was set up for you to click okay to approve it, or uncheck this box to leave the service running.

      Kirby

  11. not that hard to block. by cosyne · · Score: 4, Informative

    I think even non-slashdotters colud manage:

    Disabling the Messenger Service

    You can disable the Messenger service if you want to although doing so may result in Windows not being able to alert you to some conditions. A list of circumstances when Windows will use the Messenger service to pop up informative windows isn't available right now but may include things like "print job complete", anti-virus, and event logger status messages. Also, "new mail" notifications may not be available in an Exchange/Outlook environment.

    Windows 2000

    1. Click Start->Programs->Administrative Tools->Services
    2. Scroll down and highlight "Messenger"
    3. Right-click the highlighted line and choose Properties.
    4. Click the STOP button.
    5. Select Disable in the Startup Type scroll bar
    6. Click OK

    Windows XP

    1. Click Start->Control Panel
    2. Click Performance and Maintenance
    3. Click Administrative Tools
    4. Double click Services
    5. Scroll down and highlight "Messenger"
    6. Right-click the highlighted line and choose Properties.
    7. Click the STOP button.
    8. Select Disable in the Startup Type scroll bar
    9. Click OK

    You can verify the service is disabled by typing the following at a command prompt. If no message appears, the Messenger service has been disabled.

    * net send 127.0.0.1 "test"

    (blatantly ripped from http://www.jmu.edu/computing/security/info/winmsg. shtml)

  12. Re:But the precedent isn't by jaredmauch · · Score: 5, Interesting

    You're not talking about your "Average" ISP. AOL software uses a VPN client to connect you into the private aol-exclusive content. If this was done by earthlink or some other provider that just provides you ppp and unfiltered bits to the world, then yes, it's a bit more fuzzy, but you need to have the AOL software, and this could be covered by their EULA. People may not like it, but if you don't, use a different provider or OS that doesn't have these issues. I for one defend AOL for taking a good security stance in disabling a service 99.9% of the people likely don't know is running on their system, and for which they could be compromised via.

  13. More to do with company image by mao+che+minh · · Score: 5, Insightful
    AOL probably realizes that the average customer is going to blame pop-ups on either AOL software, or blame AOL for being unable to prevent them. With competitors like Mindspring offering free software that does block the messenger flaw, people are leaving AOL.

    AOL is just protecting their business.

  14. This reminds me of a Great Hack! by appleLaserWriter · · Score: 4, Funny

    Back when I was the Pool Guy, I had to employ a similar tactic. You see, many customers require pool service. A large subset of these customers require "service" on "ports" that aren't usually associated with pools. As you can immagine, "servicing" these "requests" landed me in hot water on more than a few occasions.

    One day it occured to me that I could simply change my standard contract to unconditionally allow me to preform any additional "service" the customer required. All at no charge.

    Can I sue AOL for prior art?

  15. When did services become... by Godstalk · · Score: 3, Interesting

    "internal Windows settings?" That's like calling daemons internal Unix settings. They are separate programs. Turning them on and off isn't even HARD.

  16. Heh by Salamander · · Score: 3, Funny
    if this were a 17-year-old instead of AOL, the FBI would be investigating.

    According to AOL's online history, AOL is a 17-year-old. OK, it's a bit of a stretch, you have to count from when they went online instead of when they incorporated and they'd still be less than a month away from 18 years, but that's my story and I'm sticking with it.

    --
    Slashdot - News for Herds. Stuff that Splatters.
  17. AOL Users will love it by papasui · · Score: 4, Interesting

    I can almost gurantee that about 95% of all AOL users will be thrilled. I'm a supervisor for a broadband services department and we often get customer's who switch from AOL only to find that spam/pop-ups/porn/etc on the unfiltered internet is so anonying that they want to go back to AOL immediately. Those people love to have their hand held through everything and want AOL to protect them from the internet. Almost anyone that actually uses net send probably isn't on AOL, they have a true ISP.

  18. Re:But the precedent isn't by jaredmauch · · Score: 3, Informative
    AOL did provide it as a choice for users, they were uneducated enough to do it themselves yet were still complaining. You can find such references in the article. Please read it.

    Saying AOL is breaking into their system is just trolling. They are already AOL customers, receiveid an AOL software update for which they're paying a fee for the AOL service (and the required software for the AOL service, remember AOL isn't just internet access. Those of us that remember prodigy, compuserve, etc.. know this quite clearly).

    If you're an AOL customer, complain. If you're not, tell your friends and family to stop using them and why you think that's the case and let them make that choice themselves. This is clearly something you purport to support in your statements.

  19. Bad legal conclusions. by Compulawyer · · Score: 4, Informative
    The Computer Fraud and Abuse Act makes this clearly illegal . . . .

    Ummm, no it doesn't. Should AOL be doing this? HELL NO. If AOL did it to MY system, I can guarantee I would be filing a lawswuit. But it would be a CIVIL suit, not a criminal action.

    Why you ask? Because criminal statutes are drafted very carefully and interpreted narrowly. The reason for that is that it is a basic legal principle that people should have adequate notice of what is a crime and what is not.

    Now before I get flamed by everyone who has heard the saying, "Ignorance of the law is not an excuse," let me tell you that "notice" of the law is provided by publishing the law so it is publically available.

    Without going into gory detail, I can tell you that the statute cited in the post, 18 U.S.C. 1030, is not violated if all AOL is doing is shutting off Windows Messenger. Is it right? No. Is it a crime? No, because all the requirements for it to be a crime ("elements" of the crime) are not met. At least I don't see any evidence that would support it. Specifically, on first glance, I don't see any of the following that would be necessary to sustain a conviction under some subsection of the act:

    • Obtaining information from the computer that the United States has determined needs to be protected (or some other information that can be broadly categorized as potentially harmful to the interests of the country);
    • Obtaining financial information or credit reports;
    • Obtains anything of value...
    The list goes on, but you get the point. What you SHOULD be asking is why the FBI is not prosecuting SPAMMERS under this act. There are sections that would cover some types of spamming activities.

    One last rant -- if you aren't a lawyer, don't give opinions about what is and is not a crime. You can be sued for defamation (libel, slander) for accusing someone of a crime. You wouldn't get advice on how to code from someone who knows nothing about computers. Don't take legal advice from non-lawyers.

    --

    Laws affecting technology will always be bad until enough techies become lawyers.

  20. Re:What application? by HughsOnFirst · · Score: 3, Interesting

    When I worked at Cisco, I wrote an app they sell that uses Windows Messenger Service to warn of servers having problems.
    All the uninterruptable power supplies used Windows Messenger Service to send notices that they were switching to or from batteries. The Samba printers used Windows Messenger Service to tell users that their print job had printed or that the paper had jammed.
    I wrote a couple scripts to send messages to any computer that I happened to be logged into if a particular string showed up in my email.

    Using "net send" to send messages to coworkers during conference calls was pretty fun

    The UPS and printer messages are pretty mainstream though.

  21. Re:But the precedent isn't by fredz · · Score: 5, Insightful

    I think jaredmauch hits the nail on the head when he says "You're not talking about your 'Average' ISP." AOL is very paternalistic, giving its customers a nice, safe, easy environment that you or I might find infuriating but that some people really like. Those people who want 'somebody who knows computers' to manage their 'online experience' are the same people who want 'someone who knows computers' to manage their PC.

    I think AOL may be accidentally backing themselves into a good business model. You buy the PC and sign up for AOL, and they take care of all of the rest of the technical stuff for you. I won't be signing up anytime soon, but I bet a lot of people would love the service.

    Fred

  22. Everyone is missing the point by ionpro · · Score: 3, Insightful

    This is AOL's warning shot across Microsoft's bow. They are saying "Don't fuck with us." Think about this -- if AOL can disable random services, they sure as hell can uninstall random software on the users machine. they can disable MSN messeneger by default -- or even REPLACE it with AOL software. They can remove all links to Internet Explorer and replace it with their own browser. They're telling Microsoft that is MS makes it hard on AOL, AOL is going to make it hard on MS.

    Even if this had no ulterior motive, it is still a Good Idea. Your typical AOL subscriber leaves their computer wide open. Normally, that would be their problem, but with root level bugs that require no user intervention, such as the RPC DCOM exploits, it becomes EVERYONEs problem. When my Internet connection is slowed because of the idiots who run cable connections with AOL broadband, it is imperitive that someone step in and patch those machines. You think AOL wants to spend the bandwidth and processor power required to send and/or reject all those packets?

    I am a member of a IT department that supplies a medium-large college with internet access. While we don't actually automatically patch users machines, we do block access to the network for simply being unpatched (by MAC address). Many people would be outraged, but the fact remains that our network is infinitely more secure now then it was 8 weeks ago. Border security is no security at all. I personally welcome AOL's choice in this matter.

  23. RTFA - Nothing is being hacked by mikeswi · · Score: 4, Interesting

    AOL is not hacking anything. It's an update to their software that does this, not some 1337 a0l h4x0r tech blowing past the firewall.

    Jesus, even for slashdot this is too much FUD.

    Granted, AOL should at least prompt the damn user. Turning off a service without asking is unacceptable.

    DISABLE MESSENGER SERVICE? MESSENGER SERVICE
    CAN BE USED TO DELIVER UNWANTED POP UP ADS.
    [*YES*] [NO]

    Oh wait, my bad. This is a multi-billion dollar corporation. Why should they give a shit what their customers want?

    --
    Only on /.