Slashdot Mirror


David Auerbach Explains the Inside Baseball of MSN Messenger vs. AIM

In N+1 magazine, David Auerbach explains what it was like in the "Chat Wars" of the late '90s, when he was the youngest person on the team developing Microsoft's brand-new messaging app, in the face of America Online's AIM, the 900-pound gorilla in the room. Auerbach explains how he used a network analyzer to fake out AOL's servers into letting Microsoft's client connect to AIM as well. "AOL could only block Messenger if they could figure out that the user was using Messenger and not AIM. As long as Messenger sent exactly the same protocol messages to the AOL servers, AOL wouldn’t be able to detect that Messenger was an impostor. So I took the AIM client and checked for differences in what it was sending, then changed our client to mimic it once again. They’d switch it up again; they knew their client, and they knew what it was coded to do and what obscure messages it would respond to in what ways. Every day it’d be something new. At one point they threw in a new protocol wrinkle but cleverly excepted users logging on from Microsoft headquarters, so that while all other Messenger users were getting an error message, we were sitting at Microsoft and not getting it. After an hour or two of scratching our heads, we figured it out." Eventually, though, AOL introduced x86 assembly code into the login protocol, and that not only stymied the MSN team, but led to some interesting warfare of its own. Auerbach's story sheds a lot of light on both good and bad aspects of corporate culture at the start of the 21st century, at Microsoft as well as other companies.

18 of 86 comments

  1. Imagine all this brainpower by 50000BTU_barbecue · · Score: 3, Interesting

    if it were applied to actually useful things? We'd have the green leisure society figured out for the entire planet.

    --
    Mostly random stuff.
    1. Re:Imagine all this brainpower by Richard_at_work · · Score: 4, Informative

      This all sounds very very similar to the whole BitKeeper fiasco, where Andrew Tridgell watched the traffic between a real BitKeeper client and the server in order to determine the protocol used, with an eye to creating an open source client.

      BitKeeper found out and withdrew the free client licences, which was a problem since the Linux kernel project used BitKeeper at the time - due to Tridgell's involvement, BitKeeper refused to supply gratis licenses to anyone working for OSDL, which included Linus Torvalds...

      The shitstorm that ensued resulted in Linus starting the Git project.

    2. Re:Imagine all this brainpower by Anonymous Coward · · Score: 4, Insightful

      And the world is better off for it.

  2. So if I did this ... by gstoddart · · Score: 4, Interesting

    If I did this, I would likely be facing criminal charges ... how is it that corporations can do this kind of stuff with impunity?

    There seems to be a huge double standard in the way 'people' who are people are prosecuted under the law, versus how 'people' who are corporations are.

    And once again, I will take the opportunity to say the problem is the notion that you have 'people' who are corporations.

    --
    Lost at C:>. Found at C.
    1. Re:So if I did this ... by Anonymous Coward · · Score: 2, Informative

      If implementing a protocol was illegal, Samba would be shut down because it implements the SMB file sharing protocol.

      This is about AOL failing to stop others from implementing their protocol. While you could argue (somehow) that the behavior was malicious, it was legal. Just as those multi-messenger programs with support for AIM, ICQ, and a couple other chat protocols were perfectly legal as well.

    2. Re:So if I did this ... by immaterial · · Score: 2

      It's not mimicking the protocol that seems (to me) like it should be illegal, but rather using AOL's chat servers when you explicitly do not have permission to do so. AOL pays to run and maintain those for the benefit of their customers, not for the benefit of Microsoft. To me it feels something like a crappy restaurant handing its customers a plate of food and a red suit jacket and then telling them, "our dining room kind of sucks. Go down the street, third door on your right is a restaurant with a better view and awesome service. If you wear this jacket they'll think you're part of tonight's wedding reception and you're set."

    3. Re:So if I did this ... by gstoddart · · Score: 4, Informative

      IIRC, in the ol' days Samba did the same thing to Windows file and print sharing and, wasn't there an anecdote about MS also constantly changing their SMB protocol to block out Samba? Seems fair is fair.

      Well, that was MS being their usual selves ... but that was being dickheads and arbitrarily changing the protocol. This was MS being dickheads and spoofing connections to a server.

      I believe you can't stop me from reverse engineering a protocol between two servers that I control. But when you start messing about with servers someone else controls, nowadays that would be a criminal act.

      I remember implementing something in 1993/1994 which read/wrote files on a FAT file system, straight out of a Microsoft published book in terms of how it was structured, completely from scratch in terms of the raw IO. When several years later they started suing people for using the FAT filesystem I remember thinking "but you've completely documented it, and it's pretty easy".

      I don't have a problem with reverse engineering protocols, but manipulating specific servers is getting a little sketchy.

      --
      Lost at C:>. Found at C.
  3. So the take away is... by 140Mandak262Jamuna · · Score: 4, Insightful

    The AOL coders did not try to incorporate a challenge and response system based on public/private keys. Or use some sort of digital signature in their clients to authenticate themselves as the "true build" from AOL. Not surprised. After all they wrote AOL.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
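The challenge-and-response idea raised in the comment above, sketched as an added example (not code from AOL, Microsoft, or the article). `Server`, `Respond` and `Demo` are hypothetical names, and the scheme assumes the official build ships with an Ed25519 private key. It shows what such a check does and does not establish: a replayed capture fails, but a signature only proves possession of the key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server (hypothetical) knows the public key of the official client build
// and keeps at most one outstanding login challenge.
type Server struct {
	pub       ed25519.PublicKey
	challenge []byte
}

// NewChallenge issues a fresh 32-byte random nonce for one login attempt.
func (s *Server) NewChallenge() []byte {
	s.challenge = make([]byte, 32)
	if _, err := rand.Read(s.challenge); err != nil {
		panic(err)
	}
	return s.challenge
}

// Verify checks the signature over the outstanding nonce, then discards the
// nonce so each challenge can be answered only once.
func (s *Server) Verify(resp []byte) bool {
	c := s.challenge
	s.challenge = nil
	return c != nil && ed25519.Verify(s.pub, c, resp)
}

// Respond is the client side: sign the server's nonce with the embedded key.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Demo reports three logins: genuine client, replay of a captured response,
// and a different program holding a copy of the key (constructed scenario).
func Demo() (genuine, replayed, copiedKey bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	srv := &Server{pub: pub}
	captured := Respond(priv, srv.NewChallenge())
	genuine = srv.Verify(captured)
	srv.NewChallenge()
	replayed = srv.Verify(captured) // same bytes as before, new nonce: rejected
	// The key lives in the shipped binary, so any program that holds a copy
	// of it answers a fresh challenge exactly as the official build does.
	copied := append(ed25519.PrivateKey(nil), priv...)
	copiedKey = srv.Verify(Respond(copied, srv.NewChallenge()))
	return
}

func main() { fmt.Println(Demo()) }
```

The third result is the design limit: the server authenticates a key, not a build, so binding the check to a specific program needs the key held somewhere the software around it cannot read.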
    1. Re:So the take away is... by gstoddart · · Score: 3, Insightful

      Not surprised. After all they wrote AOL.

      Well, there was a time when someone believed AOL was worth enough to buy Time Warner with just stock.

      Good times ... an era with some of the most graphic examples of the stock market losing track of how money and value actually works.

      That more or less convinced me right then and there it was all a fairy tale, and the ABCP-caused meltdown of '08 has only reinforced that.

      Let's face it, the stock market is a big Ponzi scheme which is often completely detached from reality.

      Convince enough people that it makes sense for a company to be trading at a value equal to 100 years worth of income, or that junk debt is AAA rated ... and you can scoop up lots of money too.

      --
      Lost at C:>. Found at C.
    2. Re:So the take away is... by Sarten-X · · Score: 2

      Convince enough people that it makes sense for a company to be trading at a value equal to 100 years worth of income

      Buy a stock at 100x income, hold on to it for five years, then sell it for 100x income. Assuming "income" scales with inflation, the net result is that you gained 5 years' worth of dividends. If the company does well, the sale price may be significantly higher than its purchase price.

      Note that the actual numeric value of "income" is irrelevant to the net profit. Change matters and dividends matter, but the price of "one share" is largely immaterial. That's why people who actually understand the stock market will look at other metrics (usually change-related) rather than just the price.

      --
      You do not have a moral or legal right to do absolutely anything you want.
  4. Hello, Security. Nice to meet you. by Minwee · · Score: 5, Insightful

    But AOL’s client had a security bug in it, called a buffer overflow. [...] AOL knew about this bug in their program and now they were exploiting it! That was what all those double zeros were for—they were just filling up space in the program’s buffer until they hit the end of the AOL client’s buffer and started overwriting executable code with the remainder of the protocol message. AOL was causing the client to look up a particular address in memory and send it back to the server.

    There's something that you could always count on AOL for -- Respect for the users. Most companies, when faced with a trivially exploitable buffer overflow that could cause their chat client to execute arbitrary code would classify it as a bug and feel compelled to fix it, but that's not the AOL way. Instead they changed it from a bug to a feature which enhanced security by verifying the client's identity.

    And if somewhere along the way someone else used it to own an army of AOL-zombie PCs, then that's just the price you pay. You can't make an omelette without breaking a few arms.

  5. Re:Another reason not to use nonstandard software by gstoddart · · Score: 3, Interesting

    Which leaves you working with technologies nobody you know has any idea about, and no interest in getting.

    Though, judging by your UID, you might still be using usenet. :-P

    --
    Lost at C:>. Found at C.
  6. post-DMCA by Mariner28 · · Score: 3, Informative

    Technically, it was post-DMCA. It was signed into law in 1998 - same year Auerbach graduated. But the lawsuits didn't really begin until Napster hit it big and was sued by Metallica in 2000. AOL wasn't as smart as a bunch of metal-heads, I guess.

    --
    "A little misunderstanding? Galileo and the Pope had a little misunderstanding."
  7. Re:Hello, Security. Nice to meet you. by ThatsDrDangerToYou · · Score: 2

    But AOL’s client had a security bug in it, called a buffer overflow. [...] AOL knew about this bug in their program and now they were exploiting it! That was what all those double zeros were for—they were just filling up space in the program’s buffer until they hit the end of the AOL client’s buffer and started overwriting executable code with the remainder of the protocol message. AOL was causing the client to look up a particular address in memory and send it back to the server.

    There's something that you could always count on AOL for -- Respect for the users. Most companies, when faced with a trivially exploitable buffer overflow that could cause their chat client to execute arbitrary code would classify it as a bug and feel compelled to fix it, but that's not the AOL way. Instead they changed it from a bug to a feature which enhanced security by verifying the client's identity.

    And if somewhere along the way someone else used it to own an army of AOL-zombie PCs, then that's just the price you pay. You can't make an omelette without breaking a few arms.

    'Round here we calls 'em armlettes.

  8. History repeats itself by ptaff · · Score: 5, Insightful

    Yeah, those long forgotten chat-silo days when you needed an ICQ account, an AIM account, a MSN account, a Yahoo account to reach all your friends... fortunately XMPP/Jabber would solve all of this, and even Google would embrace the open standard with their new GTalk.

    Oh! wait... it was a bait and switch.

    Don't be evil does not mean be good.

  9. Re:Exactly, what if AIM implemented DRM... by jimbolauski · · Score: 2

    They couldn't use the DMCA, Lexmark put an authentication chip on their toner cartridges and sued SCC for reverse engineering their chip for cheaper cartridges. The supreme court sided with SCC in 2004 and then sided with them in 2014 when SCC asked for damages from Lexmark for the false copyright claims. Essentially you can't claim copyright infringement because you are granting access with your protocol so accessing with a copy of your protocol is no different.

    --
    Knowledge = Power
    P= W/t
    t=Money
    Money = Work/Knowledge so the less you know the more you make
  10. Re:What's good for the goose.... by David_W · · Score: 4, Informative

    Maybe they should re-evaluate their position on the Microsoft Office formats.

    But, but... the Microsoft Office formats are open and documented!

  11. Re:Good story, but a little long by gmhowell · · Score: 2

    I dunno. I kinda liked the bit about going down to Morganville with an onion tied to his belt.

    Well, you're new around here, and probably a kid (judging by your UID), but I can assure you, that was the fashion at the time.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon