Slashdot Mirror


AOL Hacks Subscribers' Computers

ctwxman writes "If you're running a recent vintage version of Windows, and connecting to the Internet with an IP address reachable from the outside world, you've probably seen them. They're rectangular boxes that pop-up out of the blue with advertising. These aren't pop-up (or pop-under) browser ads but actually a weird misuse of Windows Messenger Service, a mostly useless tool which Microsoft has left on by default! Though similarly named, this isn't at all related to Microsoft's IM product. You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services. The best way to stop the pop-ups requires the user to readjust some internal Windows settings. As you might imagine, many users are reticent to do that. Now, AOL has come up with another solution. They're going into subscribers' machines, without asking and making the adjustments themselves! Though the short term result will probably be good, there are all sorts of implications when your ISP just reaches out and decides how your PC should be configured without your knowledge." The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating.

22 of 558 comments

  1. A0L is L337 by JonoPlop · · Score: 5, Funny

    ...next thing you know they'll change their name to a0l.

    (fp?)

  2. This is good for the average AOL user by jaredmauch · · Score: 5, Interesting
    This is a good thing. Windows messenger is not used by the bulk of the AOL userbase except to receive spam. Disabling something that should have been off by default already and enabled in a true lan/office environment will provide them a better user experience. It will also close one more possible way their possibly unpatched machines will become compromised.

    I for one hope that AOL starts distributing the Microsoft patches on their CDs and via their service as well as part of their AOL software updates to encourage people to get the most recent software patches. (fp?)

    1. Re:This is good for the average AOL user by Nidhogg · · Score: 4, Insightful

      One way of looking at this is that AOL is simply taking Microsoft's quality issues into their own hands.

      That may very well be the scariest thing I've read in years.

    2. Re:This is good for the average AOL user by DrEldarion · · Score: 5, Insightful

      The bad part isn't that they're doing it - that's excellent. The bad part is that they don't even ask permission.

      If a dialog box popped up that said, "AOL would like to disable the messenger service on your computer. This will help stop pop-up ads. Would you like to allow AOL to do this? [Allow][Do Not Allow]" then it would be fine. They shouldn't just ASSUME that the user has no use for it.

      -- Dr. Eldarion --

    3. Re:This is good for the average AOL user by AllUsernamesAreGone · · Score: 4, Insightful

      Theoretically, I agree. But put yourself in the place of AOL - they start asking people whether they want Messenger Service disabled and the first thing they'll see is a massive increase in the number of people phoning the technical support line asking why their computer is asking them this question, then they'll find (as another poster suggested) that many of them will get confused and refuse it and then they'll have yet more people on the phone complaining that something has gone wrong "because of that fix you did" (when it is likely to be just psychological, or something the user has done). Trust me, I've done tech support, the very LAST thing you want to do is ask the average, barely computer literate user, questions about technical issues on their machines.

      While the ethics are questionable, IMO AOL is aimed at people who are not and have no intention of becoming technically literate, and as such they are dangerous - to themselves and the net - when a known exploit exists on their machines. In exactly this situation, I have no problem with the action. Yes, I'd be annoyed if anyone tried it on my machines, but I'm with an ISP that expects some technical ability.

  3. Headline is an overreacting attention grabber by Anonymous Coward · · Score: 5, Insightful

    Don't get me wrong, I'm not approving of what AOL is doing, but at worst this is "white hat" hacking. This is the sort of stuff that /.ers joke about (and perhaps engage in), chuckling about writing worms that use holes in Windows to get in and then patch the very same holes.

    1. Re:Headline is an overreacting attention grabber by donutz · · Score: 4, Insightful

      Maybe you're new here, but "white hat" hacking is dangerous. Just look at the Welchia worm. Someone tried to fix computers infected with Blaster, but their "white hat" hacking worm only made things worse.

      Good intentions don't always mean you let it slide when someone breaks the law.

    2. Re:Headline is an overreacting attention grabber by arcanumas · · Score: 4, Insightful
      The fact that their intention is good means nothing.
      Think of this. I have a custom application that USES this service and when they disable it my company stops working... Do they have the right to do it now?

      --
      Slashdot Sig. version 0.1alpha. Use at your own risk.
  4. What Else Can AOL Do? by blunte · · Score: 5, Insightful

    When you have the single largest group of ignorant users in the world, how do you educate them to protect themselves from the MS problems?

    I bet AOL did this due to constant complaints from subscribers about AOL "allowing" or "sending" them popups.

    I also bet there's a clause in the AOL agreement (which AOL subscribers have agreed to) that either explicitly allows AOL to configure your computer, or allows them to change their policy at any time, thus allowing that by proxy.

    --
    .sigs are for post^Hers.
  5. EULA by Rosonowski · · Score: 4, Interesting
    EULA.

    That says a lot.
    The computer fraud and abuse act covers unauthorized access, and while the changes may not be explicitly authorized, I'm willing to wager that there is some clause in the agreement between the users and AOL that allows for this kind of thing.

    Unethical, yes.
    Legal? Possibly. I haven't used AOL in about six years, and even then, I don't think that I looked at the EULA (if there even was/is one)

    --
    01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
  6. Mandatory Subject Here by BlackBolt · · Score: 5, Informative
  7. Re:Some people by arivanov · · Score: 4, Interesting

    Yep. Because the reason for this is that this is what the next big worm will be. There is a remote exec hole in the messenger service.

    So for once I think AOL deserves an applause.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  8. Windows messenger is not useless by jericho34 · · Score: 5, Funny

    echo "your monitor's radiation shield has failed, please evacuate to minimum safe distance" |smbclient -M luserbox

    doesn't get them every time, but when it does...

    --
    and thus brain shall rule us!
  9. You Agreed by Ageless · · Score: 5, Insightful

    I guarantee that somewhere in some license agreement the users gave AOL permission to do this.

    And as for "adjusting Windows internal settings", let's stop the FUD shall we? It's turning off a service. Nothing insidious. If someone recommended that you comment out the telnet line in /etc/inetd.conf would you call it "adjusting Linux's internal settings"?

    Everyone knows that turning off Messenger is a good thing. AOL is looking out for their customers. Give em a break.

  10. not that hard to block. by cosyne · · Score: 4, Informative

    I think even non-slashdotters could manage:

    Disabling the Messenger Service

    You can disable the Messenger service if you want to although doing so may result in Windows not being able to alert you to some conditions. A list of circumstances when Windows will use the Messenger service to pop up informative windows isn't available right now but may include things like "print job complete", anti-virus, and event logger status messages. Also, "new mail" notifications may not be available in an Exchange/Outlook environment.

    Windows 2000

    1. Click Start->Programs->Administrative Tools->Services
    2. Scroll down and highlight "Messenger"
    3. Right-click the highlighted line and choose Properties.
    4. Click the STOP button.
    5. Select Disable in the Startup Type scroll bar
    6. Click OK

    Windows XP

    1. Click Start->Control Panel
    2. Click Performance and Maintenance
    3. Click Administrative Tools
    4. Double click Services
    5. Scroll down and highlight "Messenger"
    6. Right-click the highlighted line and choose Properties.
    7. Click the STOP button.
    8. Select Disable in the Startup Type scroll bar
    9. Click OK

    You can verify the service is disabled by typing the following at a command prompt. If no message appears, the Messenger service has been disabled.

    * net send 127.0.0.1 "test"

    (blatantly ripped from http://www.jmu.edu/computing/security/info/winmsg.shtml)
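
A command-line equivalent of the Services steps in the comment above, as an added example that is not part of the original post or the JMU page it quotes. It assumes an administrator command prompt on Windows 2000/XP, that `sc.exe` is available (it ships with Windows XP), and that the service's short name is `Messenger`.

```bat
@echo off
rem Added example: stop and disable the Messenger service, then verify.
rem Assumes an administrator prompt and that sc.exe is on the PATH.
setlocal

rem 1. Make sure the service can be queried before changing anything.
sc query Messenger >nul 2>&1
if errorlevel 1 (
    echo Messenger service not found or not queryable; nothing changed.
    exit /b 1
)

rem 2. Stop the service only if it is currently running
rem    (the STOP button in the Properties dialog).
sc query Messenger | find "RUNNING" >nul
if not errorlevel 1 (
    net stop Messenger
)

rem 3. Set Startup Type to Disabled so it stays off after a reboot.
rem    The space after "start=" is required by sc.
sc config Messenger start= disabled
if errorlevel 1 (
    echo Could not change the startup type; check administrator rights.
    exit /b 1
)

rem 4. Verify both halves: configured as disabled AND currently stopped.
rem    A service that is disabled but still running keeps accepting
rem    messages until it is stopped or the machine restarts.
sc qc Messenger | find "DISABLED" >nul
if errorlevel 1 (
    echo Startup type is not DISABLED.
    exit /b 1
)
sc query Messenger | find "STOPPED" >nul
if errorlevel 1 (
    echo Service is disabled but still running; stop it or reboot.
    exit /b 1
)

echo Messenger service is stopped and disabled.
exit /b 0
```

The script exits non-zero whenever the end state is not "stopped and disabled", so it can be run again later as a check as well as a fix.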

  11. Re:But the precedent isn't by jaredmauch · · Score: 5, Interesting

    You're not talking about your "Average" ISP. AOL software uses a VPN client to connect you into the private aol-exclusive content. If this was done by earthlink or some other provider that just provides you ppp and unfiltered bits to the world, then yes, it's a bit more fuzzy, but you need to have the AOL software, and this could be covered by their EULA. People may not like it, but if you don't, use a different provider or OS that doesn't have these issues. I for one defend AOL for taking a good security stance in disabling a service 99.9% of the people likely don't know is running on their system, and for which they could be compromised via.

  12. More to do with company image by mao+che+minh · · Score: 5, Insightful
    AOL probably realizes that the average customer is going to blame pop-ups on either AOL software, or blame AOL for being unable to prevent them. With competitors like Mindspring offering free software that does block the messenger flaw, people are leaving AOL.

    AOL is just protecting their business.

  13. This reminds me of a Great Hack! by appleLaserWriter · · Score: 4, Funny

    Back when I was the Pool Guy, I had to employ a similar tactic. You see, many customers require pool service. A large subset of these customers require "service" on "ports" that aren't usually associated with pools. As you can imagine, "servicing" these "requests" landed me in hot water on more than a few occasions.

    One day it occurred to me that I could simply change my standard contract to unconditionally allow me to perform any additional "service" the customer required. All at no charge.

    Can I sue AOL for prior art?

  14. AOL Users will love it by papasui · · Score: 4, Interesting

    I can almost guarantee that about 95% of all AOL users will be thrilled. I'm a supervisor for a broadband services department and we often get customers who switch from AOL only to find that spam/pop-ups/porn/etc on the unfiltered internet is so annoying that they want to go back to AOL immediately. Those people love to have their hand held through everything and want AOL to protect them from the internet. Almost anyone that actually uses net send probably isn't on AOL, they have a true ISP.

  15. Bad legal conclusions. by Compulawyer · · Score: 4, Informative
    The Computer Fraud and Abuse Act makes this clearly illegal . . . .

    Ummm, no it doesn't. Should AOL be doing this? HELL NO. If AOL did it to MY system, I can guarantee I would be filing a lawsuit. But it would be a CIVIL suit, not a criminal action.

    Why you ask? Because criminal statutes are drafted very carefully and interpreted narrowly. The reason for that is that it is a basic legal principle that people should have adequate notice of what is a crime and what is not.

    Now before I get flamed by everyone who has heard the saying, "Ignorance of the law is not an excuse," let me tell you that "notice" of the law is provided by publishing the law so it is publicly available.

    Without going into gory detail, I can tell you that the statute cited in the post, 18 U.S.C. 1030, is not violated if all AOL is doing is shutting off Windows Messenger. Is it right? No. Is it a crime? No, because all the requirements for it to be a crime ("elements" of the crime) are not met. At least I don't see any evidence that would support it. Specifically, on first glance, I don't see any of the following that would be necessary to sustain a conviction under some subsection of the act:

    • Obtaining information from the computer that the United States has determined needs to be protected (or some other information that can be broadly categorized as potentially harmful to the interests of the country);
    • Obtaining financial information or credit reports;
    • Obtains anything of value...
    The list goes on, but you get the point. What you SHOULD be asking is why the FBI is not prosecuting SPAMMERS under this act. There are sections that would cover some types of spamming activities.

    One last rant -- if you aren't a lawyer, don't give opinions about what is and is not a crime. You can be sued for defamation (libel, slander) for accusing someone of a crime. You wouldn't get advice on how to code from someone who knows nothing about computers. Don't take legal advice from non-lawyers.

    --

    Laws affecting technology will always be bad until enough techies become lawyers.

  16. Re:But the precedent isn't by fredz · · Score: 5, Insightful

    I think jaredmauch hits the nail on the head when he says "You're not talking about your 'Average' ISP." AOL is very paternalistic, giving its customers a nice, safe, easy environment that you or I might find infuriating but that some people really like. Those people who want 'somebody who knows computers' to manage their 'online experience' are the same people who want 'someone who knows computers' to manage their PC.

    I think AOL may be accidentally backing themselves into a good business model. You buy the PC and sign up for AOL, and they take care of all of the rest of the technical stuff for you. I won't be signing up anytime soon, but I bet a lot of people would love the service.

    Fred

  17. RTFA - Nothing is being hacked by mikeswi · · Score: 4, Interesting

    AOL is not hacking anything. It's an update to their software that does this, not some 1337 a0l h4x0r tech blowing past the firewall.

    Jesus, even for slashdot this is too much FUD.

    Granted, AOL should at least prompt the damn user. Turning off a service without asking is unacceptable.

    DISABLE MESSENGER SERVICE? MESSENGER SERVICE
    CAN BE USED TO DELIVER UNWANTED POP UP ADS.
    [*YES*] [NO]

    Oh wait, my bad. This is a multi-billion dollar corporation. Why should they give a shit what their customers want?