David Auerbach Explains the Inside Baseball of MSN Messenger vs. AIM

← Back to Stories (view on slashdot.org)

David Auerbach Explains the Inside Baseball of MSN Messenger vs. AIM

Posted by timothy on Tuesday April 22, 2014 @03:33AM from the doesn't-seem-that-long-ago dept.

In N+1 magazine, David Auerbach explains what it was like in the "Chat Wars" of the late '90s, when he was the youngest person on the team developing Microsoft's brand-new messaging app, in the face of America Online's AIM, the 900-pound gorilla in the room. Auerbach explains how he used a network analyzer to fake out AOL's servers into letting Microsoft's client connect to AIM as well. "AOL could only block Messenger if they could figure out that the user was using Messenger and not AIM. As long as Messenger sent exactly the same protocol messages to the AOL servers, AOL wouldn’t be able to detect that Messenger was an impostor. So I took the AIM client and checked for differences in what it was sending, then changed our client to mimic it once again. They’d switch it up again; they knew their client, and they knew what it was coded to do and what obscure messages it would respond to in what ways. Every day it’d be something new. At one point they threw in a new protocol wrinkle but cleverly excepted users logging on from Microsoft headquarters, so that while all other Messenger users were getting an error message, we were sitting at Microsoft and not getting it. After an hour or two of scratching our heads, we figured it out." Eventually, though, AOL introduced x86 assembly code into the login protocol, and that not only stymied the MSM team, but led to some interesting warfare of its own. Auerbach's story sheds a lot of light on both good and bad aspects of corporate culture at the start of the 21st century, at Microsoft as well as other companies.

86 comments

Min score:

Reason:

Sort:

Imagine all this brainpower by 50000BTU_barbecue · 2014-04-22 03:35 · Score: 3, Interesting

if it were applied to actually useful things? We'd have the green leisure society figured out for the entire planet.

--
Mostly random stuff.
1. Re:Imagine all this brainpower by Anonymous Coward · 2014-04-22 03:41 · Score: 1
  
  Yeah; all that effort, on both their parts, and where did it get them?
  
  It got them XMPP and Facebook eating their lunch while they squabbled amongst themselves.
  
  You'd hope a company as big as Microsoft might have learnt something from that, but apparently the message got lost.
2. Re:Imagine all this brainpower by Anonymous Coward · 2014-04-22 03:41 · Score: 0
  
  if it were applied to actually useful things? We'd have the green leisure society figured out for the entire planet.
  Uh, some of this was applied to make it useful. It's called FOSS.
  And the Trillian client has been around for quite some time. While I can appreciate the efforts of a hacker armed with a network analyzer, all of his efforts seem rather pointless when you look at the universal nature of clients that pretty much work with anything today. Basically he reverse-engineered the network stream and protocols involved. Not exactly a secret-handshake level strategy..
3. Re:Imagine all this brainpower by Richard_at_work · 2014-04-22 03:44 · Score: 4, Informative
  
  This all sounds very very similar to the whole BitKeeper fiasco, where Andrew Tridgell watched the traffic between a real BitKeeper client and the server in order to determine the procotol used, with an eye to creating an open source client.
  BitKeeper found out and withdrew the free client licences, which was a problem since the Linux kernel project used BitKeeper at the time - due to Trudgells involvement, BitKeeper refused to supply gratis licenses to anyone working for OSDL, which included Linus Torvalds...
  The shitstorm that ensued resulted in Linus starting the Git project.
4. Re:Imagine all this brainpower by 50000BTU_barbecue · 2014-04-22 03:45 · Score: 1
  
  Uh, fine, you can still contribute to FOSS by working on less futile things.
  
  --
  Mostly random stuff.
5. Re:Imagine all this brainpower by rasmusbr · 2014-04-22 03:51 · Score: 1
  
  if it were applied to actually useful things? We'd have the green leisure society figured out for the entire planet.
  First you need to define the concept of "actually useful things" in a way that will evaluate the same for all people. Good luck with that.
6. Re:Imagine all this brainpower by Anonymous Coward · 2014-04-22 03:53 · Score: 4, Insightful
  
  And the world is better off for it.
7. Re:Imagine all this brainpower by Anonymous Coward · 2014-04-22 04:03 · Score: 0
  
  Uh, fine, you can still contribute to FOSS by working on less futile things.
  Less futile things?
  The free game Flappy Bird was generating over $50,000 every day in advertising revenue.
  At what point would you like me to assume those masses actually want something useful and "less futile"..
8. Re:Imagine all this brainpower by jythie · 2014-04-22 04:07 · Score: 1
  
  Well, since we are a society that places a high value on monetary gain, since both of these products resulted in profits (ok, that is debatable) for both of their companies then by many standards they were quite useful.
9. Re:Imagine all this brainpower by Sarten-X · 2014-04-22 04:53 · Score: 1
  
  Pretty much.
  Thanks to the Browser Wars and the other various corporate battles of the 90's, and the ensuing minor triumphs of open-source (especially BSD-licensed) compatibility projects, compatibility is a growing expectation among consumers, whether they realize it or not.
  Websites are now peppered with "log in with Facebook" buttons and "Tweet this" links. Consumer devices tout how they integrate with everything people already use. Customers expect that interoperability will be a standard feature, rather than just an add-on that might be nice. I suspect it's partly due to having widespread access to the Internet's vast supply of media: People understand that the world of caccessible resources is far larger than any single company will provide.
  There are a few holdouts in this area (Microsoft, specifically, and anyone who thinks DRM is a good idea), but overall I think we're doing much better than we were in the bad old days of the 90's... Does anyone else remember having to install proprietary networking stacks?
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
10. Re:Imagine all this brainpower by whoever57 · 2014-04-22 05:31 · Score: 1
  
  This all sounds very very similar to the whole BitKeeper fiasco, where Andrew Tridgell watched the traffic between a real BitKeeper client and the server in order to determine the procotol used
  Not really, according to this article, Tridg connected to the Bitkeeper server using telnet, then typed "help" and got most of the information required.
  
  --
  The real "Libtards" are the Libertarians!
11. Re:Imagine all this brainpower by digitalhermit · 2014-04-22 08:55 · Score: 1
  
  Hell, sounds like the best way to get cool software is to piss of Linus.. :D
  I'm seeing subsurface show up in the weirdest, non-techy places now.. Apparently it's quite an improvement over other products.
12. Re:Imagine all this brainpower by Stuarticus · 2014-04-23 00:02 · Score: 0
  
  Useful: Not MSN.
  
  --
  If you think someone isn't free to have a different definition of "freedom" you may be a tyrant.
13. Re:Imagine all this brainpower by Rakarra · 2014-04-23 13:24 · Score: 1
  
  Thanks to the Browser Wars and the other various corporate battles of the 90's, and the ensuing minor triumphs of open-source (especially BSD-licensed) compatibility projects, compatibility is a growing expectation among consumers, whether they realize it or not.
  I really wish this was the case, but I've been seeing more and more lately attempts to lock down protocols and clients. Back when, anyone could connect to any IRC server with any IRC client. Pidgin could connect to AOL's AIM network (and still can). But recently, Steam Chat -- you can't do anything on it outside of the incredibly shitty Steam client. There's at least a third party plugin for pidgin to connect to skype, but it requires Skype to be to be running and all communications go through that.
  I just like having all my IM networks and contacts in one chat client that I control.
14. Re:Imagine all this brainpower by kriston · 2014-04-24 09:14 · Score: 1
  
  And now I try to imagine all the brainpower wasted on getting a handle on how git sees things rather than using the best tool for the job at hand.
  
  --
  Kriston
ICQ? by Anonymous Coward · 2014-04-22 03:36 · Score: 0

Wasn't ICQ the biggest player back then?
1. Re:ICQ? by Barsteward · 2014-04-22 03:44 · Score: 1
  
  it seemed to be outside the US.
  
  --
  "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
2. Re:ICQ? by Anonymous Coward · 2014-04-22 05:42 · Score: 0
  
  Oddly...
  http://www.wired.co.uk/news/archive/2010-05/03/why-icq-is-so-important-to-russia
So if I did this ... by gstoddart · 2014-04-22 03:44 · Score: 4, Interesting

If I did this, I would likely be facing criminal charges ... how is it that corporations can do this kind of stuff with impunity?
There seems to be a huge double standard in the way 'people' who are people are prosecuted under the law, versus how 'people' who are corporations are.
And once again, I will take the opportunity to say the problem is the notion that you have 'people' who are corporations.

--
Lost at C:>. Found at C.
1. Re:So if I did this ... by Anonymous Coward · 2014-04-22 03:56 · Score: 2, Informative
  
  If implementing a protocol was illegal, Samba would be shut down because it implements the SMB file sharing protocol.
  This is about AOL failing to stop other from implementing their protocol. While you could argue (somehow) that the behavior was malicious, it was legal. Just as those multi-messenger programs with support for AIM, ICQ, and a couple other chat protocols were perfectly legal as well.
2. Re:So if I did this ... by jythie · 2014-04-22 04:09 · Score: 1
  
  Keep in mind this was pre-DMCA, so it was much harder to go after someone for reverse engineering a protocol. Today on the other hand companies sue each other all the time over reverse engineering, and did in the past too using conventional copyright, patent, or trade secrets laws. So in general, corporations can not 'do this stuff with impunity', they can get their asses sued off.
3. Re:So if I did this ... by gstoddart · 2014-04-22 04:10 · Score: 1
  
  If implementing a protocol was illegal, Samba would be shut down because it implements the SMB file sharing protocol.
  Implementing a protocol may not be illegal, but if I
  
  used a network analyzer to fake out AOL's servers into letting Microsoft's client connect to AIM as well
  you can bet your ass I'd be facing criminal charges.
  This is about more than making something work with a protocol, it's about explicitly spoofing what you're doing to the servers in question.
  Something about unauthorized access to a server and all that.
  
  --
  Lost at C:>. Found at C.
4. Re:So if I did this ... by Anonymous Coward · 2014-04-22 04:25 · Score: 0
  
  IIRC, in the ol' days Samba did the same thing to Windows file and print sharing and, wasn't there an anecdote about MS also constantly changing their SMB protocol to block out Samba? Seems fair is fair.
  I believe at one point MS even swapped their new security protocol for an (much) earlier version that was proven to be far less secure, just to create incompatibility with Samba. I'm talking pre-AD days here, I think they're playing nicer nowadays, but haven't checked for a couple of years
5. Re:So if I did this ... by immaterial · 2014-04-22 04:26 · Score: 2
  
  It's not mimicking the protocol that seems (to me) like it should be illegal, but rather using AOL's chat servers when you explicitly do not have permission to do so. AOL pays to run and maintain those for the benefit of their customers, not for the benefit of Microsoft. To me is feels something like a crappy restaurant handing its customers a plate of food and a red suit jacket and then telling them, "our dining room kind of sucks. Go down the street, third door on your right is a restaurant with a better view and awesome service. If you wear this jacket they'll think you're part of tonight's wedding reception and you're set."
6. Re:So if I did this ... by UnknowingFool · 2014-04-22 04:37 · Score: 1
  Reverse engineering isn't illegal as long as it is done right. The start of the PC started when Compaq reverse engineered the BIOS on IBM PCs. Stealing information outright is illegal. Breaking encryption is illegal. There are many grey lines.
  For example the battle between Palm and Apple on iTunes syncing with Palm Pre devices. Now it wasn't illegal for Palm to have their Pre devices pretend to be iPods so that they could use iTunes to sync up media. But it did cross a line as Palm basically was piggy-backing on Apple's work on their iTunes software without permission or some sort of an agreement. It seemed to me that Palm was taking a short cut at Apple's expense.
  The original intent of Palm was to allow Pre to sync up with the media on a computer. Now Palm had a number of ways of doing this.
  
  Write their own rival to iTunes which included player, syncing, store, etc.
  This may have taken a lot of resources and time which Palm did not have.
  Get an agreement with Apple so that iTunes would sync up Palm devices as well.
  Apple probably would say no but they certainly did not want to do so after Palm did it without permission.
  Be less ambitious and write a smaller syncing software program that read Apple's iTunes XML files.
  The XML files are plain text and unencrypted and can be read. In fact many 3rd party utilities that "clean up iTunes" do this.
  Get the Palm Pre to pretend it is an iPod so that it can be synced.
  This is what Palm chose and in the end the USB Compliance Organization called out Palm for violating their rules on USB IDs.
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
7. Re:So if I did this ... by Anonymous Coward · 2014-04-22 04:48 · Score: 0
  
  It is one thing to analize the SMB protocol on a server that you are running yourself.
  Or what Microsoft did with trying to connect to an AIM server that was running at AOL.
  But this was in the 90s there were no real laws against hacking yet.
8. Re:So if I did this ... by gstoddart · 2014-04-22 05:00 · Score: 4, Informative
  
  IIRC, in the ol' days Samba did the same thing to Windows file and print sharing and, wasn't there an anecdote about MS also constantly changing their SMB protocol to block out Samba? Seems fair is fair.
  Well, that was MS being their usual selves ... but that was being dickheads and arbitrarily changing the protocol. This was MS being dickheads and spoofing connections to a server.
  I believe you can't stop me from reverse engineering a protocol between two servers that I control. But when you start messing about with servers someone else controls, nowadays that would be a criminal act.
  I remember implementing something in 1993/1994 which read/wrote files on a FAT file system, straight out of a Microsoft published book in terms of how it was structured, completely from scratch in terms of the raw IO. When several years later they started suing people for using the FAT filesystem I remember thinking "but you've completely documented it, and it's pretty easy".
  I don't have a problem with reverse engineering protocols, but manipulating specific servers is getting a little sketchy.
  
  --
  Lost at C:>. Found at C.
9. Re:So if I did this ... by Richy_T · 2014-04-23 02:53 · Score: 1
  
  FAT was a patent. Patents are supposed to be documented.
So the take away is... by 140Mandak262Jamuna · 2014-04-22 03:44 · Score: 4, Insightful

The AOL coders did not try to incorporate a challenge and response system based on public/private keys. Or use some sort of digital signature in their clients to authenticate themselves as the "true build" from AOL. Not surprised. After all they wrote AOL.

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
1. Re:So the take away is... by Anonymous Coward · 2014-04-22 03:57 · Score: 0
  
  For the server to authenticate the client, there needs to be some sort of private key in the client. What prevents somebody from getting this key off the client’s executable file ?
2. Re:So the take away is... by Anonymous Coward · 2014-04-22 03:58 · Score: 0
  
  Also learned here: MS violated the DMCA.
3. Re:So the take away is... by gstoddart · 2014-04-22 03:59 · Score: 3, Insightful
  
  Not surprised. After all they wrote AOL.
  Well, there was a time when someone believed AOL was worth enough to buy Time Warner with just stock.
  Good times ... an era with some of the most graphic examples of the stock market losing track of how money and value actually works.
  That more or less convinced me right then and there it was all a fairy tale, and the ABCP-caused meltdown of '08 has only reinforced that.
  Let's face it, the stock market is a big Ponzi scheme which is often completely detached from reality.
  Convince enough people that it makes sense for a company to be trading at a value equal to 100 years worth of income, or that junk debt is AAA rated ... and you can scoop up lots of money too.
  
  --
  Lost at C:>. Found at C.
4. Re:So the take away is... by Anonymous Coward · 2014-04-22 04:06 · Score: 0
  
  Doesn't matter - if you have the code that generates the response, you can still pull apart the code and generate the same response. It would've been harder certainly, but not impossible.
5. Re:So the take away is... by Anonymous Coward · 2014-04-22 04:08 · Score: 0
  
  The AOL coders did not try to incorporate a challenge and response system based on public/private keys.
  This would require one of the keys to be known to the client, which makes it only a matter of time before it's exposed.
  What they did instead was rather clever: they used the client binary itself as the secret, thus bringing the force of copyright law into play to prevent the distribution of the "secret"... allowing the secret to be provided in the clear without risk that it would wind up in Microsoft's client.
  I personally think that's a rather clever hack, and much better than any DRM system could have been pre-DMCA.
6. Re:So the take away is... by Anonymous Coward · 2014-04-22 04:08 · Score: 0
  
  Embed it in a proprietary runtime blob (like Flash), and use a secure key enchange mechanism from within there, so you can only see encrypted traffic in and out of the blob. Given enough optimization and obfuscation, it would be very tricky to get the key out again. And when you do, you can just push out a "security update" to rejig everything and start again.
7. Re:So the take away is... by SuricouRaven · 2014-04-22 04:08 · Score: 1
  
  In 1998? The ban on exporting >40bit encryption from the US was only relaxed in 1996, and it took until 2000 for the executive order to be fully implemented. The AOL legal department probably cautioned against it. Besides, it still wouldn't be entirely secure: One side of the key would have to be embedded in the client, where it could be extracted. Plus it would make intercepting messages in transit very difficult, something which would likely earn the ire of the government - the NSA was not so famous as it is today, but it still existed, and would likely have sent men of deniable identity around to warn any company deploying a large scale secure communications platform.
8. Re:So the take away is... by MozeeToby · 2014-04-22 04:14 · Score: 1
  
  The DMCA that didn't exist at the time...
9. Re:So the take away is... by Anonymous Coward · 2014-04-22 04:21 · Score: 0
  
  Find a way to copyright the key, and go after anyone who just copies it... might not work well at stopping open source code involving an "unofficial" patch, but would stop big companies from using the key.
10. Re:So the take away is... by Sarten-X · 2014-04-22 04:37 · Score: 2
  
  Convince enough people that it makes sense for a company to be trading at a value equal to 100 years worth of income
  Buy a stock at 100x income, hold on to it for five years, then sell it for 100x income. Assuming "income" scales with inflation, the net result is that you gained 5 years' worth of dividends. If the company does well, the sale price may be significantly higher than its purchase price.
  Note that the actual numeric value of "income" is irrelevant to the net profit. Change matters and dividends matter, but the price of "one share" is largely immaterial. That's why people who actually understand the stock market will look at other metrics (usually change-related) rather than just the price.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
11. Re:So the take away is... by bigpat · 2014-04-22 04:42 · Score: 1
  
  Let's face it, the stock market is a big Ponzi scheme which is often completely detached from reality..
  That implies that the money comes from the bottom up and feeds into a pyramid. Actually it is in very large part the opposite with the Federal Reserve creating new money, feeding it into the banks and Federal Government and all that new money trickling down through Wall Street and Federal contractors then eventually a little bit eventually gets through to the real production oriented economy where food gets grown and transportation and energy get produced. At each level very unproductive people are spinning their wheels and calling that work and taking a bigger and bigger cut just because they can.
  The problem isn't that it is a ponzi scheme, for the most part the problem is that the capital isn't flowing up from individuals but rather the capital is trickling down from the top with the top being determined in a false meritocracy which is thinly veiling a more insidious form of entrenched elitism.
  And it isn't a huge problem that people are getting paid to spin their wheels like this, with a lack of truly necessary jobs for people to do suck wheel spinning is a good way to keep people occupied doing something challenging yet meaningless, the problem is when the system becomes so overtly corrupt that the real producers get fed up with producing something of necessity and being rewarded with worthless trinkets while unworthy people are living lavishly wasteful lives while others go without necessities. It really is undermining freedom and democracy to be perpetuating this system of economics where capital is trickling down and concentrated in fewer and fewer hands at the top.
12. Re:So the take away is... by Anonymous Coward · 2014-04-22 04:53 · Score: 0
  
  Sadly more and more companies, like microsoft in those days, didn't pay dividend.
  So people were just gambling that the stock price would go up.
  However if a company will never pay out dividends then the stock is intrinsically worthless. Since eventually the company will become bankrupt without ever paying dividends.
13. Re:So the take away is... by 140Mandak262Jamuna · 2014-04-22 04:59 · Score: 1
  
  You don't have to encrypt the whole message. Just create a 4 byte digest of the message, salt it, encrypt it and append it to the message. The server can just verify the digest has been encrypted using a known signature. The encryption need not be strong. Much less than 40 bits would do. In fact even symmetric key encryption (where anyone dredging through the binary can find the keys) would be sufficient. The aim is not to make it uncrackable. The aim is to force Microsoft to "sign" as AOL. The moment AOL calls it AOL signature, if Microsoft ever uses it, it would be committing forgery. The lawyers will stop it.
  
  --
  sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
14. Re:So the take away is... by Sarten-X · 2014-04-22 05:26 · Score: 1
  
  It will indeed be "worthless", unless the company has a non-dividend profit-sharing plan, or produces a product the investor wants to see happen, or if the investor wants control over the company's management, or if any other reason holds true.
  There are many reasons to invest, that some would consider to be quite valuable.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
15. Re:So the take away is... by gstoddart · 2014-04-22 05:52 · Score: 1
  
  So people were just gambling that the stock price would go up.
  And this has changed how exactly?
  Does Facebook give dividends?
  I'm sorry, but there's still a lot of evidence that people buy stocks on the assumption it's going to keep going up indefinitely, and not because of any sound fundamentals about the stock.
  Which is why an IPO is usually a joke ... the big investors just buy it and flip it to make a killing, then after the first few days the guys left holding the bag are wondering how they're going to get their profits.
  Pretty much exactly like when Red Hat and a bunch of others were going IPO.
  
  --
  Lost at C:>. Found at C.
16. Re:So the take away is... by cusco · 2014-04-22 05:52 · Score: 1
  
  And most companies require you to invest your money in the Ponzi scheme if you want them to help fund your retirement in any way at all. My statistics professor, whose day job was an actuary for the insurance industry, said, "Insurance is a big casino, and the companies have made sure everyone is required to play. And the house will always win." I'd have to say the same about the stock market.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
17. Re:So the take away is... by Anonymous Coward · 2014-04-22 06:03 · Score: 0
  
  We already know how well it works releasing a binary with the "true build" signature embedded in it. Like what happened for DVD or Bluetooth... Please, think harder next time, there is no way you can give a binary to somebody and trust it afterwards.
18. Re:So the take away is... by Desler · 2014-04-22 06:18 · Score: 1
  
  Sure it did.
  
  On July 22, 1999, Microsoft entered the chat markets with MSN Messenger Service. Our AOL “interop” was in it.
  DMCA became law effective October 28, 1998.
19. Re:So the take away is... by Anonymous Coward · 2014-04-22 06:25 · Score: 0
  
  From TFA:
  
  On July 22, 1999, Microsoft entered the chat markets with MSN Messenger Service. Our AOL “interop” was in it.
  From wiki:
  
  signed into law by President Bill Clinton on October 28, 1998
20. Re:So the take away is... by Anonymous Coward · 2014-04-22 06:39 · Score: 0
  
  Stock market could be irrational for a long time, but over long term (5-10 years) the price is right.
  Also if you you think that a stock is overpriced; don't buy it and find another one that is underpriced.
21. Re:So the take away is... by Anonymous Coward · 2014-04-22 17:53 · Score: 0
  
  Yet you have OTC markets where you can sell your bags to anyone with a clue.. But the only people who get involved are the pump and dumpers. Such a shame when the ones with ridiculous amounts of money are the ones controlling the puppets within the market
And then they both died. by Anonymous Coward · 2014-04-22 03:47 · Score: 0

The End.
Why didn't AOL add encryption? by Anonymous Coward · 2014-04-22 03:49 · Score: 0

I realize it would've required users upgrading, but at the time this was going on, most of the people using AIM were pretty comfortable with that process.
It was a smart move by Microsoft though. Why use the AIM client which can only talk to AIM users when you can use MS to talk to AIM and MS users?
900-pound gorilla? by Anonymous Coward · 2014-04-22 03:54 · Score: 0

I guess even our sayings are getting fatter, because I've always heard it as "800-pound gorilla" :P
1. Re:900-pound gorilla? by StarFace · 2014-04-22 04:33 · Score: 1
  
  It is a mixed metaphor too, as it includes the elephant in "the room". This person sprays idiomatic English like a Hollywood scriptwriter describing the process of hacking.
  
  --
  V
Hello, Security. Nice to meet you. by Minwee · 2014-04-22 03:58 · Score: 5, Insightful

But AOL’s client had a security bug in it, called a buffer overflow. [...] AOL knew about this bug in their program and now they were exploiting it! That was what all those double zeros were for—they were just filling up space in the program’s buffer until they hit the end of the AOL client’s buffer and started overwriting executable code with the remainder of the protocol message. AOL was causing the client to look up a particular address in memory and send it back to the server.
There's something that you could always count on AOL for -- Respect for the users. Most companies, when faced with a trivially exploitable buffer overflow that could cause their chat client to execute arbitrary code would classify it as a bug and feel compelled to fix it, but that's not the AOL way. Instead they changed it from a bug to a feature which enhanced security by verifying the client's identity.
And if somewhere along the way someone else used it to own an army of AOL-zombie PCs, then that's just the price you pay. You can't make an omelette without breaking a few arms.
This is how it's supposed to work by DeTech · 2014-04-22 04:18 · Score: 1

Big Slow Giants squabbling over long rotten carcasses leave room for small flexible innovators with disruptive tech. Although, It's a shame them roped creative people into participating in their access control war...
Another reason not to use nonstandard software by Kludge · 2014-04-22 04:22 · Score: 0

People need to learn not to use non-standard software controlled by corporations for their communications. For me, no Skype, no Facebook, no stupid crap.
1. Re:Another reason not to use nonstandard software by gstoddart · 2014-04-22 04:24 · Score: 3, Interesting
  
  Which leaves you working with technologies nobody you know has any idea about, and no interest in getting.
  Though, judging by your UID, you might still be using usenet. :-P
  
  --
  Lost at C:>. Found at C.
2. Re:Another reason not to use nonstandard software by bigpat · 2014-04-22 04:54 · Score: 1
  
  I still use email after 30 years, but I'll be damned if I remember any of my AOL screen names. Facebook is a trend on the down slope in a long line of trendy online communities and not a distinct communications platform. AOL is a lesson for Facebook in that if a company tries too hard to keep control of a proprietary communications system then it will loose out to another company that will be less controlling.
3. Re:Another reason not to use nonstandard software by dunezone · 2014-04-22 06:47 · Score: 1
  
  Do you use a phone? Do you browse the Internet? Do you drive an automobile? Did you file your taxes?
  
  No matter what you do unless you live in the middle of the woods you will always be exposed to software that you have no control over. Even if you're using open sourced software to communicate with people the messages are still transmitted over corporate owned hardware which means they can easily copy your message even if its encrypted.
Read it wrong and made it better by Anonymous Coward · 2014-04-22 04:27 · Score: 0

Read it as David Attenborough and was much more excited. Then read what it actually said, now I'm not so excited
post-DMCA by Mariner28 · 2014-04-22 04:36 · Score: 3, Informative

Technically, it was post-DMCA. It was signed into law in 1998 - same year Auerbach graduated. But the lawsuits didn't really begin until Napster hit it big and was sued by Metallica in 2000. AOL wasn't as smart as a bunch of metal-heads, I guess.

--
"A little misunderstanding? Galileo and the Pope had a little misunderstanding."
Re:Hello, Security. Nice to meet you. by Anonymous Coward · 2014-04-22 04:44 · Score: 0

I was struggling with "Insightful" and "Funny" as a moderation for this...
Good story, but a little long by derideri · 2014-04-22 04:45 · Score: 1

I really enjoyed reading about the little war between Microsoft and AOL during the chat heyday. However the author went into asides that were 3x longer than the actual story he was trying to tell, going through the entire history of Microsoft and Apple.
1. Re:Good story, but a little long by idontgno · 2014-04-22 08:34 · Score: 1
  
  I dunno. I kinda liked the bit about going down to Morganville with an onion tied to his belt.
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
2. Re:Good story, but a little long by gmhowell · 2014-04-22 19:10 · Score: 2
  
  I dunno. I kinda liked the bit about going down to Morganville with an onion tied to his belt.
  Well, you're new around here, and probably a kid (judging by your UID), but I can assure you, that was the fashion at the time.
  
  --
  Jesus was all right but his disciples were thick and ordinary. -John Lennon
3. Re:Good story, but a little long by Anonymous Coward · 2014-05-02 00:15 · Score: 0
  
  You're just a 1 line fart posting troll gmhowell. Nothing more.
Re:Hello, Security. Nice to meet you. by ThatsDrDangerToYou · 2014-04-22 04:51 · Score: 2

But AOL’s client had a security bug in it, called a buffer overflow. [...] AOL knew about this bug in their program and now they were exploiting it! That was what all those double zeros were for—they were just filling up space in the program’s buffer until they hit the end of the AOL client’s buffer and started overwriting executable code with the remainder of the protocol message. AOL was causing the client to look up a particular address in memory and send it back to the server.
There's something that you could always count on AOL for -- Respect for the users. Most companies, when faced with a trivially exploitable buffer overflow that could cause their chat client to execute arbitrary code would classify it as a bug and feel compelled to fix it, but that's not the AOL way. Instead they changed it from a bug to a feature which enhanced security by verifying the client's identity.
And if somewhere along the way someone else used it to own an army of AOL-zombie PCs, then that's just the price you pay. You can't make an omelette without breaking a few arms.
'Round here we calls 'em armlettes.
as if we care by Anonymous Coward · 2014-04-22 04:52 · Score: 0

As if either of these platforms are actually relevant.
History repeats itself by ptaff · 2014-04-22 04:53 · Score: 5, Insightful

Yeah, those long forgotten chat-silo days when you needed an ICQ account, an AIM account, a MSN account, a Yahoo account to reach all your friends... fortunately XMPP/Jabber would solve all of this, and even Google would embrace the open standard with their new GTalk.
Oh! wait... it was a bait and switch.
Don't be evil does not mean be good.
1. Re:History repeats itself by Animats · 2014-04-22 05:13 · Score: 1
  
  Yeah, those long forgotten chat-silo days when you needed an ICQ account, an AIM account, a MSN account,
  Now you need a Twitter app, a Google app, etc.
  Take a look at the mechanism Twitter uses to lock out non-Twitter clients they don't like. There's a cryptographic authentication system in Twitter using OAuth to do that. Twitter routinely yanks the credentials of developers who do things they don't like, such as filter out ads.
2. Re:History repeats itself by RyuuzakiTetsuya · 2014-04-22 05:22 · Score: 1
  
  Yes, because gutting a service's revenue stream should always be seen as a sign of goodwill on the part of a developer right?
  
  --
  Non impediti ratione cogitationus.
3. Re:History repeats itself by Anonymous Coward · 2014-04-22 17:58 · Score: 0
  
  There's a cryptographic authentication system in Twitter using OAuth to do that.
  That was the fucking idea behind OAuth. Too many times, a bad client would join a network and wreck havoc on those that innocently participated. OAuth was designed to allow anyone externally to connect while still allowing the operator to control who can and cannot connect. In the late 90s and early 2000s, this did not exist and you could not share authentication between servie providers. Now that it is allowed today, we cry foul when the operator executes actions the very protocol was designed to allow.
  I would like to see what you kids can create to replace OAuth that isn't subject to the inherent flaws that exists prior to OAuth.
And from the other side... by RyuuzakiTetsuya · 2014-04-22 05:30 · Score: 1

History of AIM.
can't wait, in ten years, everyone can talk about the fights and struggles to get Facebook, iOS, Android, et al. out the door.
Gotta be some epic stories in there somewhere.

--
Non impediti ratione cogitationus.
Exactly, what if AIM implemented DRM... by jopsen · 2014-04-22 05:37 · Score: 1

If I did this, I would likely be facing criminal charges...
In the US, yes....
Just imagine if AIM had encrypted the communication with a key hardcoded into their client... Then accessing the server with a third party client could be unauthorized access of computer system in violation of the computer fraud act, or at least violation of DMCA, by breaking DRM.
1. Re:Exactly, what if AIM implemented DRM... by jimbolauski · 2014-04-22 06:51 · Score: 2
  
  They couldn't use the DMCA, Lexmark put an authentication chip on their toner cartridges and sued SCC for reverse engineering their chip for cheaper cartridges. The supreme court sided with SCC in 2004 and then sided with them in 2014 when SCC asked for damages from Lexmark for the false copyright claims. Essintally you can't claim copyright infringement because you are granting access with your protocol so accessing with a copy of your protocol is no different.
  
  --
  Knowledge = Power
  P= W/t
  t=Money
  Money = Work/Knowledge so the less you know the more you make
2. Re:Exactly, what if AIM implemented DRM... by jopsen · 2014-04-22 11:25 · Score: 1
  
  They couldn't use the DMCA, Lexmark put an authentication chip on their toner cartridges and sued SCC for reverse engineering their chip for cheaper cartridges. The supreme court sided with SCC in 2004 and then sided with them in 2014 when SCC asked for damages from Lexmark for the false copyright claims. Essintally you can't claim copyright infringement because you are granting access with your protocol so accessing with a copy of your protocol is no different.
  Interesting... But in the case of a messenger service, AIM could probably modify their EULA and claim copyright on all messages exchanged over the network.
  In which case DMCA would apply.
3. Re:Exactly, what if AIM implemented DRM... by jimbolauski · 2014-04-23 03:45 · Score: 1
  
  If they were planning on actually copyrighting their customers messages they would have to pay $35 a message. There is also the issue of one of their customers sending copyrighted material which AOL would then claim as their own.
  
  --
  Knowledge = Power
  P= W/t
  t=Money
  Money = Work/Knowledge so the less you know the more you make
Trust by Anonymous Coward · 2014-04-22 06:02 · Score: 0

This is exactly why you can't trust corporations. [short version] Corporations are full of humans..
[long version] searching for an angle, hiding behind the protection of incorporation, and doing everything they can to get rich quick.. On the surface, they only attempt to look on the up and up, but everyone knows better. Just below the surface, there is a feverishly frantic feeding frenzy.
[epilogue] *Trust is just another word in their bag of tricks for the greediest of corporations to shape public policies for enacting laws designed to fill their coffers so they can build their underground cities and steal our rock and roll icons for their live elevator music.
What's good for the goose.... by Dcnjoe60 · 2014-04-22 06:37 · Score: 1, Insightful

Well, when MS was presented with a closed, proprietary format, their solution was to reverse engineer it and admitting what a burden that was and how it hindered interoperability. Maybe they should re-evaluate their position on the Microsoft Office formats.
1. Re:What's good for the goose.... by David_W · 2014-04-22 06:58 · Score: 4, Informative
  
  Maybe they should re-evaluate their position on the Microsoft Office formats.
  But, but... the Microsoft Office formats are open and documented!
2. Re:What's good for the goose.... by Anonymous Coward · 2014-04-22 10:21 · Score: 0
  
  SPECIAL DEAL ON ALUMINUM SIDING.
  Works great on bridges, dog houses, green houses*.
  * Only for nocturnal plants.
3. Re:What's good for the goose.... by Anonymous Coward · 2014-04-23 07:45 · Score: 0
  
  Why is PP modded Informative? I'm 99.9% sure he was trying to be funny. (If you don't think so, take a look at any of the ECMA descriptors for the Microsoft Office formats at the link he's referenced.)
There's nothing new in the article by Anonymous Coward · 2014-04-23 01:17 · Score: 0

I just read the article and was thinking ‘haven't I read this before?’
Turns out I have. There is nothing new in this article. And this has been on Slashdot multiple times already, the first time in 1999.