AOL Hacks Subscribers' Computers

ctwxman writes "If you're running a recent vintage version of Windows, and connecting to the Internet with an IP address reachable from the outside world, you've probably seen them. They're rectangular boxes that pop-up out of the blue with advertising. These aren't pop-up (or pop-under) browser ads but actually a weird misuse of Windows Messenger Service, a mostly useless tool which Microsoft has left on by default! Though similarly named, this isn't at all related to Microsoft's IM product. You can't block these pop-ups by shutting down ports, because Windows Messenger Service shares some ports with other useful services. The best way to stop the pop-ups requires the user to readjust some internal Windows settings. As you might imagine, many users are reticent to do that. Now, AOL has come up with another solution. They're going into subscribers' machines, without asking and making the adjustments themselves! Though the short term result will probably be good, there are all sorts of implications when your ISP just reaches out and decides how your PC should be configured without your knowledge." The Computer Fraud and Abuse Act makes this clearly illegal; if this were a 17-year-old instead of AOL, the FBI would be investigating.

A0L is L337

[JonoPlop]

...next thing you know they'll change their name to a0l.

(fp?)

This is good for the average AOL user

[jaredmauch]

This is a good thing. Windows messenger is not used by the bulk of the AOL userbase except to receive spam. Disabling something that should have been off by default already and enabled in a true lan/office environment will provide them a better user experience. It will also close one more possible way their possibly unpatched machines will become compromised.

I for one hope that AOL starts distributing the Microsoft patches on their CDs and via their service as well as part of their AOL software updates to encourage people to get the most recent software patches. (fp?)

Re:This is good for the average AOL user

[DrEldarion]

The bad part isn't that they're doing it - that's excellent. The bad part is that they don't even ask permission.

If a dialog box popped up that said, "AOL would like to disable the messenger service on your computer. This will help stop pop-up ads. Would you like to allow AOL to do this? [Allow][Do Not Allow]" then it would be fine. They shouldn't just ASSUME that the user has no use for it.

-- Dr. Eldarion --

Headline is an overreacting attention grabber

Don't get me wrong, I'm not approving of what AOL is doing, but at worst this is "white hat" hacking. This is the sort of stuff that /.ers joke about (and perhaps engage in), chuckling about writing worms that use holes in Windows to get in and then patch the very same holes.

What Else Can AOL Do?

[blunte]

When you have the single largest group of ignorant users in the world, how do you educate them to protect themselves from the MS problems?

I bet AOL did this due to constant complaints from susbscribers about AOL "allowing" or "sending" them popups.

I also bet there's a clause in the AOL agreement (which AOL subscribers have agreed to) that either explicitly allows AOL to configure your computer, or allows them to change their policy at any time, thus allowing that by proxy.

Mandatory Subject Here

[BlackBolt]

Turn off Messenger

Windows messenger is not useless

[jericho34]

echo "your monitor's radiation shield has failed, please evacuate to minimum safe distance" |smbclient -M luserbox doesn't get them every time, but when it does...

You Agreed

[Ageless]

I guarantee that somewhere in some license agreement the users gave AOL permission to do this.

And as for "adjusting Windows internal settings", let's stop the FUD shall we? It's turning off a service. Nothing insidious. If someone recommended that you comment out the telnet line in /etc/inetd.conf would you call it "adjusting Linux's internal settings"?

Everyone knows that turning off Messenger is a good thing. AOL is looking out for their customers. Give em a break.

Re:But the precedent isn't

[jaredmauch]

You're not talking about your "Average" ISP. AOL software uses a VPN client to connect you into the private aol-exclusive content. If this was done by earthlink or some other provider that just provides you ppp and unfiltered bits to the world, then yes, it's a bit more fuzzy, but you need to have the AOL software, and this could be covered by their EULA. People may not like it, but if you don't, use a different provider or OS that doesn't have these issues. I for one defend AOL for taking a good security stance in disabling a service 99.9% of the people likely don't know is running on their system, and for which they could be compromised via.

More to do with company image

[mao+che+minh]

AOL probably realizes that the average customer is going to blame pop-ups on either AOL software, or blame AOL for being unable to prevent them. With competitors like Mindspring offering free software that does block the messenger flaw, people are leaving AOL.

AOL is just protecting their business.

Re:But the precedent isn't

[fredz]

I think jaredmauch hits the nail on the head when he says "You're not talking about your 'Average' ISP." AOL is very paternalistic, giving its customers a nice, safe, easy environment that you or I might find infuriating but that some people really like. Those people who want 'somebody who knows computers' to manage their 'online experience' are the same people who want 'someone who knows computers' to manage their PC.

I think AOL may be accidentally backing themselves into a good business model. You buy the PC and sign up for AOL, and they take care of all of the rest of the technical stuff for you. I won't be signing up anytime soon, but I bet a lot of people would love the service.

Fred