Forgot your password?
typodupeerror
America Online

AOL's AIM Exploits Buffer Overflow On Purpose 121

Posted by Roblimo
from the it's-not-a-bug-it's-a-feature dept.
Scott Hutton writes "CNN is carrying a story that states that AOL is exploiting a buffer overflow in their own client in order to detect and lock out Microsoft AIM clients. That's the first time I've seen someone use a buffer overflow to 'enhance' security."
This discussion has been archived. No new comments can be posted.

AOL's AIM Exploits Buffer Overflow On Purpose

Comments Filter:
  • by Uart (29577)
    AOL has a computer setup to detect non AIM users, and then it sends them a long IM (from user AOLINSTANTMESSENGER) twlling them why they arebeing disconnected, and then 10 seconds later you are logged off. Thats the latest trick anyway, before this, AOL just gave all MSN users an automatic "evil" level of 1782% which automattically logs them off.
  • There is no buffer overflow in AIM that AOL exploits as client verification. If there was, the Free OSCAR clients would not work. This does not include gaim, which uses TOC; TOC is an "open" wrapper to OSCAR, not a native AIM client per se. The Free OSCAR clients include cLAIM, gtkFAIM, and naim. I know that at least naim works, and mfaim (in development) works. None of these have the buffer overflow, yet they continue to work. Therefore, it is very unlikely that AOL is screening people out through a buffer overflow.

    For future reference, could we please make a distinction between OSCAR and TOC? They are two totally different protocols. TOC stores all your settings on an AOL server, and the client just interfaces with that "proxying server," for lack of a better term. OSCAR stores all your settings locally and interfaces with the Real AIM Servers. AOL loves it when we use TOC, because it keeps all the power in their hands. Which is why i spend my time working on an OSCAR client ;^)

    For more info on naim, check out http://naim.n.ml.org [ml.org], and http://www.auk.cx/faim/protocol/ [www.auk.cx] has good (and very incomplete) info on the AIM protocol. And, as a side note, there are preliminary steps for gaim to use OSCAR as well, but that's still in progress.

    This is the first time i've seen the Community listen to blatant M$ hype, and quite frankly, i'm disappointed.

    /jbm
  • I had to re-read the article several times to figure out what they were trying to report. Even now, I'm not sure I understand what the issue is.

    As I interpret the article, the AOL *client* is sending 256 bytes (the expected amount) followed by 24 bytes. This is somehow supposed to overflow the buffer on the AOL *server*. The AOL server detects the extra bytes and knows that it is an AOL client.

    Extra data not in the spec is NOT the same thing as a buffer overflow exploit. If the server wants to see those 24 bytes it is NOT a buffer overflow. It's simply an omission from the specification.

    If this is how things work, the "buffer overflow bug" is on the server side, not the client side.

    In this case, suggesting that the AOL client has a "buffer overflow bug" is misleading. Implying that the bug somehow compromises security for users of the AOL client is malicious deception. The client is *sending* extra data, not receiving it.

    I don't want to suggest that anyone is trying to create hysteria by misusing the term "buffer overflow". We all know that the phrase "buffer overflow" is a sure way to get the attention of security folks.

    As I read the article, though, it's just 24 extra bytes being sent to the server. If the server expects it and handles it, it's hardly a security issue. Are those 24 bytes actually writing into executable memory with a jump instruction? I find that hard to believe.

    Or maybe I just missed something in the article....
  • Not at all. The previous flap wasn't over whether AOL was secure or not, but rather over the fact that Micorsoft got caught astroturfing again.

    And the hilarious thing, the poetic justice if you will, is that while Microsoft was clumsily trying to call the kettle black without anyone knowing who the pot was, the pot itself was found to be dirty [news.com] with respect to messaging software security. (As if MS's security problems are actually news anymore.)

  • Finally! I've been reading all these posts just waiting for someone to point this out. What AOL has been doing has been kind of childish, but then again, it's the computer industry! It's been childing since infancy! But what MS has been doing is even worse. Basically they are stealing AOL's proprietary protocol. And this whole thing about buffer overflow being a security hole... MS should worry about it's own flaws before going off on someone elses... And besides, AIM has always been about 200 times more reliable and secure that ICQ for me... I've never lost a message for been spoofed on AIM like on ICQ... so what if I can't send e-mail w/ it? that's what all the other email clients I have are for!
  • Well, AOL would get that server shut down promptly. MS could keep putting up more servers "without their knowledge," but they'd have to keep releasing new versions of their client to connect to the new proxies (or their users would have to keep reconfiguring the clients to use different proxies). For the long term, it'd be unworkable.
  • The AOL client simply sends a longer message that is recognized specially. A buffer overflow is not needed in order to do this, and that's probably not how it's done. I doubt that someone would purposely, not to mention needlessly, introduce a horrible defect into their software. So the whole bit about AOL compromising security is just Microsoft FUD against AOL. I don't think that the ``security'' company in question have any clue how big the actual receive buffer size is that is declared in the software but are just hypothesizing. AOL is using Microsoft tactics against Microsoft, and it's pissing Microsoft off. :)
  • Actually, for a while AOL was encouraging people to use its servers, in an attempt to gain market share. They published all the specs for the protocol and even released some source code. If you want people to stay off your server, publishing specs to your protocols and inviting people to use your server is not the way to go about doing it.

    "Besider loser in case you've forgotten," while AOL is of course not using this overflow maliciously, the point is that it is one. The other point is that AOL seems to be trying to limit access to its servers to only the clients that it likes. They'll let the Linux client in, but not Yahoo and Microsoft. The point is that if you have a server which you make available to software other than your own, without requiring prior licenses, then you have to make it available to all clients. This is why Microsoft is not "tresspassing" on AOL's property - and believe me, if MS was doing anything illegal, lawsuits would be flying within seconds.
  • Ok, why do some people feel the need to type in all caps? Caps are more difficult to read, and they don't make you right or more important. They just make you look like a twit. Also, please re-read your posts for grammar(sp) and punctuation. They are both our friends and help others understand the ideas in your head.
  • Hm. How about, then, the 'blessed binary' method with public-key authentication? For all you non-[ex-]Netrek players, Netrek servers generally bar non-blessed clients with a crypto challenge, so that modified ('borg') clients get bounced.

    I believe that it has been worked around with a proxy and some cleverness, but it complicates the matter and does *not* require that the client have a known buffer overflow problem.

    Network clients do not have any business accepting more data than they can handle.
  • The way I read the article was that the *client* sends back more information than the server expects, to receive. So the "buffer overflow" is actually on the server, which I'm certain AOL has fixed (if it ever was a security issue to begin with). Also, IRC servers will ban based on clients too. Does anyone remember IPhone? The client would connect to an IRC server and from there connect to other clients. Now the people who made IPhone had their own servers, which were modified with a very poor method of locking out irc clients. It wasn't long before IPhone users started using standard IRC servers, and then not long before patches were available to IRC servers to block IPhone users.

    The way I see this whole situation is that AOL owns the servers, they can dictate whatever rules they want for accessing the servers. If they want to say, "You MUST use our software if you are going to access our servers using the OSCAR protocol!" that's fine. I'd say the same thing if the situation were reversed.
  • AOL released the specs to TOC, a text-based slimmed down version of their binary OSCAR protocol. Microsoft is using OSCAR, not TOC. This probally is illegal, if EULAs are enforcable, since I'm guessing the aim EULA comes with the standard no-reverse-engineering clause, and I strongly doubt Microsoft pulled the specs for the protocol out of it's proverbial ass.
  • William Gibson must be having a field day if he's reading anything about this. Corperate Computer Warefare at it's best. hehe Im sure it's only going to get worse before it gets better, but will we be seeing a new book from Gibson based on the scenario? Could be a good one.

    IceBerg
    "When all other possibilities have been eliminated, whatever is left, no matter how unlikely, must be the answer" -- Sherlock Holmes
  • The point is that AOL did NOT keep their protocol proprietary. They released specs to it. (Well, to a slightly simpler ascii version, but that makes little difference.)

    It makes all the difference in the world. Regardless of whether you side with AOL or Microsoft or whoever on this one, you should be able to see the line here... AOL released specs to the open TOC protocol (albeit with a clause stating that it could change without warning at any time; kudos to them for not doing that to us!) in order to allow people to write unsupported clients. They did *not* release specs to the Oscar protocol.

    I don't know exactly what their line of reasoning is to do this, but it seems to me that since they have an established method for unapproved clients to connect, their argument that the Oscar protocol was to remain closed is, if anything, stronger.

    My $0.02...

  • There is an UnOfficial OSCAR implementation. It is used by a few clients. Again, naim [ml.org] is the most common OSCAR client that i know of, thought cLAIM (link not handy) has been around for awhile. naim uses libfaim, which is a tolerable implementation of the OSCAR protocol.

    Also, gaim has been released as an oscar client. I need to read the freshmeat newsletters more often ;^)

    oh the joys of being OT
    /jbm
  • As much as as the libertarian in me is disgusted by the lengths that AOL has gone to keep AIM proprietary, my overwhelming reaction to this story is: Man, the guys who came up with this are gods! If this buffer overflow really works as described, and is intentional, this is the coolest hack I've seen in a long time.
  • You'll note that instead of, as another poster suggested, MSN would insert this bug into their software, they are now responding to the packet, without coding a overflow in their software.
    They're responding to "the packet"? What packet are they getting? Or, do you mean that they're responding [differently] to the original packet send to the MS IM client from the server, so that the server will think their AOL IM? I didn't quite get that, because my initial thought was that you meant that MS was responding differently to the "buffer overflow" [packet], which I didn't understand because I was thinking: "MS isn't getting the packet! The server is!"

    Stupid me..

    Clarification would be helpful, though, because I'm curious as to what exactly MS is doing to make their IM client 'work.'
  • How are they stripping people of choice? It's their product, if they don't want MS hacking into their messaging system, let them build up their own defenses... stupid defenses but defenses nonetheless.
  • The buffer overflow is only run on WIN32 clients.

    The clients tell the server what version they are long before the server sends the buffer overflow packet. Microsoft chooses to emulate the WIN32 client because it has a lot more features than other clients.

    To verify, take a sniffer and capture a trace file of the connection sequence. Only when connecting with the v2 Win32 client will you see this particular packet contents being sent.

    Read the technical analysis at http://www.robertgraham.com/pubs/aol-e xploit [robertgraham.com]
  • What an interesting mechanism to get the truth out, eh? I think politicians call these "deniable leaks".
  • The point is that AOL did NOT keep their protocol proprietary. They released specs to it. (Well, to a slightly simpler ascii version, but that makes little difference.) Now apparently they want to retract the ability to use their protocol - this is very obviously to the disadvantage of users. In response, Microsoft is simply emulating their client, which to the best of my knowledge is not illegal.
  • I *thought* that the original article didn't make much sense.

    Moderators, I know you can determine the quality of posts without my help. If I had the power, though, I'd be bumpin' this one up a few notches. :)
  • ...expecting accuracy and facts and stuff. Another poster put up an article [robertgraham.com] with some analysis.


    Now I'm going to spend all night reading flames from people who were smart enough to skip the article. :)
  • The specs I've seen for a few different IM's all seemed to be rather crappy and ill thought out. Does anyone know if any of the IM protocols or proposed protocols are actually flexible, secure, and peer-peer? IMO w/out those three simple things the protocol is doomed as time passes regardless of who has the most users now. IPX seems to have lost to TCP/IP even though it had the majority of the market up to a few years ago. Remember all the IPX enabled multiplayer games? I have not followed it closely but I liked the protocol being used by Jabber which is based on XML and seems to be fairly flexible. Flexibilty is the key in a protocol such as this I think, even if it is unsecure and client-server at conception if it is flexible enough it can easily adapt as time goes on w/out breaking backwards compatibility. [jabber.org]

    Also I love the idea of having multiple IM's work under one client. AOL, ICQ, Yahoo, MSN, whatever all workable as plugin's to the client program so I only have to know one interface and can communicate to everyone under a single user list. Third, I'd love to be able to store my contact list, history, etc on a server of my choice rather than having to ftp the whole thing from machine to machine every time I need it. Just please spare me the quota idea. This is one reason I continue using ICQ the most, because Yahoo and some others limit the number of people in your contact list. How stupid is that, I am not allowed to know so many people. Well excuuuuuse meee! Arghh but please don't crypt local db files either such as ICQ does, this is causing me huge problems because I need to merge several lists under the same UIN but from different computers into a single list and it is fairly impossible. It's the OS's job to keep unauth'd people from reading my files, if Windows doesn't let Windows users upgrade to Linux as I'll do as soon as I can merge and export my ICQ db's. :P
  • The specs I've seen for a few different IM's all seemed to be rather crappy and ill thought out. Does anyone know if any of the IM protocols or proposed protocols are actually flexible, secure, and peer-peer? IMO w/out those three simple things the protocol is doomed as time passes regardless of who has the most users now. IPX seems to have lost to TCP/IP even though it had the majority of the market up to a few years ago. Remember all the IPX enabled multiplayer games? I have not followed it closely but I liked the protocol being used by Jabber [jabber.org] which is based on XML and seems to be fairly flexible. Flexibilty is the key in a protocol such as this I think, even if it is unsecure and client-server at conception if it is flexible enough it can easily adapt as time goes on w/out breaking backwards compatibility.

    Also I love the idea of having multiple IM's work under one client. AOL, ICQ, Yahoo, MSN, whatever all workable as plugin's to the client program so I only have to know one interface and can communicate to everyone under a single user list. Third, I'd love to be able to store my contact list, history, etc on a server of my choice rather than having to ftp the whole thing from machine to machine every time I need it. Just please spare me the quota idea. This is one reason I continue using ICQ the most, because Yahoo and some others limit the number of people in your contact list. How stupid is that, I am not allowed to know so many people. Well excuuuuuse meee! Arghh but please don't crypt local db files either such as ICQ does, this is causing me huge problems because I need to merge several lists under the same UIN but from different computers into a single list and it is fairly impossible. It's the OS's job to keep unauth'd people from reading my files, if Windows doesn't let Windows users upgrade to Linux as I'll do as soon as I can merge and export my ICQ db's. :P
  • Who cares if there are no ads in it now, I do aggree that the MS Messager is stealing from what AOL built up, they are using some of the ad revenue to pay for the service, while MS is screwing aol out of $$$
  • This was spread by the Microsoft employee who was posing as a consultant to discredit AOL. The trick of it is, after Microsoft denied having anything to do with the "consultant" emails, they said that the allegations were correct and that AOL was exploiting a buffer overflow to keep MS out of their AIM network. After some posturing about what a failure of security it was to exploit such a bug, they conceded it was possible that what they were looking at may not be a bug after all, but a feature of some sort. In other words, they're miffed and guessing at what's giving them trouble, and the pop media is picking up on it and taking Microsoft's word for it.
  • I don't think you can sue someone for using your trademark if it is functional. For example, many BIOS's used to have an IBM Copyright string in a special place so that DOS would run properly. This isn't considered a copyright or trademark violation.

    Copyrights and trademarks are generally for non-functional protection, while patents are for functional protection.

    (I am not a lawyer -- thank god)

    >>
    I'm surprised AOL hasn't implemented a fairly easy method of stopping non-authorized clients. They could merely take a small (15x15 pixels or something) BMP of a trademarked logo (such as the AOL logo), and use it as a "key" to access the servers. Official AIM clients would transmit this logo to the servers for authentication, but Microsoft could not implement that in its client without being sued for trademark infringement.
  • So you're condoning the use and abuse of known bugs, instead of fixing them?

    We don't know that it's a bug yet. We don't know how much MS paid this company to say it's a bug. Mindcraft anyone? As others have mentioned here, all we know is that AOL is sending a longer string then was technically published. Is this a problem? We don't know, it most likely isn't.

    No. That would mean I would be receiving for free, what everyone else has to pay for. As soon as AIM, and GAIM, and TiK (if it still works) cost me a monthly fee, then a company who was allowing me access to that for free (while everyone else paid) would be in the wrong.

    AIM is not free. It does cost money to run the service you know. However, instead of charging you, they use advertising to offset the expenses. When the MSN client provides access to the service, AOL loses it's ability to pay for the service.

    I didn't say Microsoft. This *isn't* about Microsoft (and I'm curious why everyone thinks it is.. who of you bashed Gaim?), its about a company trying to do for free, what others can do for free (unless the people who developed Gaim are partnered with AOL..?)

    Any company has the right to work with anyone they want. If AOL wants to give certain groups the ability to use their service and not give other companies the same ability, that is their choice and right. Local companies in this area do it all the time. For instance, a bakery might provide free products to the local soup kitchen, but not the local resteraunt. It is about Microsoft trying to steal something from AOL, that AOL doesn't choose to give.

    More about MS and AOL [twistedpair.net]

    -Brent
  • I'm a little confused. The article that suggests my posting get bumped, itself gets bump to 2, but mine (which I think is very helpful bit of signal in the noise) remains at 1. Not that I really want to get bumped; I'm just a little curious as to how /. works.
  • The owners of IRC servers ban abusive people, not programs - they will not ban you because of the IRC client you use.

    That's not actually completely true; does anyone remember when Microsoft Comic Chat came out? It dumped all kinds of crap data in band (for the character emotions and so forth), such that it was extremely obnoxious to be in a channel with people using it. Having to put up with "(#WEIFEOU#@5*UR)" or some crap at the beginning of every send phrase got very annoying, very fast. You got 5 or so people in a channel using the client, and it basically killed the conversation for everyone else.

    Even worse, in the first few versions, the CTCP implementation was severely broken -- it sent PRIVMSGs instead of NOTICEs for replies, which could have resulted in infinite loops between the two clients trying to respond to each other. (although it generally didn't, as that version of Comic Chat provided no way for a user to send CTCP messages ... thankfully)

    However, a lot of people still thought MS CC was really cute. Once they were using the client, they didn't really give a damn if they were dumping crap in channels -- they couldn't see it themselves, so why should they care? It finally got so bad that channel operators began to ban CC users on sight. Things continued to spiral downwards, though, and some IRC networks were compelled to politely (or often not so politely) ask people to stop using the Comic Chat client, "or else".

    Today, although the functionality has, I believe, now been folded into the current Microsoft chat product, you won't see it used on normal IRC networks, nor is it a default. We won, but barely. It took a concerted effort on the part of the channel and server adminsitrators to preserve the networks for the rest of us.

    I'm not really sure how or if this relates to the AOL/MS IM war, but I just felt like this little bit of history might be relevent somehow.


    ---
  • AOL absolutely has the right to keep their protocol proprietary, and in fact I think that MS's use of AOL's servers via OSCAR is tantamount to theft of services.

    I agree that AOL has a right to keep its protocol proprietary. I also have a right not to use it. This is exactly why I don't use AOL IM.
  • Have you ever tried to wonder around microsoft.com with a non-MS browser?

    Even better than this is trying to access any MS page with the Internet Explorer bundled with NT 4.0 (IE version 2.0 build 1381)? It can't load the page at all, instead giving bogus error messages like:

    Directory Listing Denied

    This Virtual Directory does not allow contents to be listed.


    Netscape, OTOH displays the pages quite reasonably.
    --
  • If UCITA becomes tha law of the land (And I hope that it does NOT) all AOL has to do is tinker with the protocol a little again to break MS' client and if MS compensates they've broken the reverse engineering provision of UCITA.

    Though I despise both parties in this dispute I have to side with AOL. AOL's servers handle all of the IM traffic and it's not right for M$ to be able to use AOL's servers for free and make money by selling advertising on their client. This is like me getting a copy of Win9X and duplicating the CD and distributing my copies with a copy of a CD-Key generator.

    AOL has every right to break M$' client. It's their protocol, they're their servers. M$ is once again acting like a bull in a china store. AOL is the only company with the muscle to fight them off. Imagine AOL office, platform independant office suite that you get as a part of your internet connection fee.

    In today's world David can not fight Goliath. You need another philistine to do the deed.

    LK
  • I read this somewhere last week. Can't remember where. Why so slow? :-)

    Paul
  • Then you haven't been paying very close attention. I chalk this one up to MS getting a taste of its own. My quandary is, I can't decide who's the more despicable in this case, so I'll just kick back and watch with glee as two of my least favorite companies make better the case for my favorite OS.
  • Yes, it is a buffer-overflow exploit. The article had a factual error in it. The server sends more data than the client expects; a field 0x0100 bytes long is sent 0x0118 bytes of data. To read the original technical analysis, go to http://www.robertgraham.com/pubs/aol-e xploit [robertgraham.com].
  • basicaly, if the client doesnt send the 24bytes of overflow back to the server, then the server determines that its not the AOL client, but the MS client. the MS client will NOT send the 24extra bytes.
  • An earlier story on Slashdot, MS Dirty Pool Against AOL [slashdot.org], referenced a sv.com article which claimed that this buffer exploit was a rumor floated by an MS employee. It would appear that either the CNN or sv.com article or the is factually incorrect and that some people have some apologizing to do.
    --
  • I am consistently surprised that gaim still works with all these client-blocking things that AOL keeps putting on their servers.
  • From the article, and another related, it seems that this is not really a buffer overflow exploit, but instead just a bug in the client software that sends more information than is requested by the server.

    An exploit would be a discovered bug in the server code that allowed an engineered packet masquerading as the client to obtain privleges or information from the server, or possibly crash or disable it. This, instead was handled by the server in a graceful manner, but now is actively being checked for in order to allow AOL to shut out MS.

    As they talk of an 'intercepting user' or some such, that is something that any IM could be vulerable to, bug or not..


    This goes along with a pet peeve of mine at work. I must hear 'buffer overflow' twice a day. In fact, in addition to the Y2K verification forms I have to sign for in-house software put in production, on some servers I have to sign 'no buffer overflow vulnerabilities' certs as well..

    Many VP's and high level managers think that this is the only type of security hole that can exist. They also seem to think that it always exists. Ahh, well.. they also say the network was 'hacked' when a virus shows up from some user with a screen saver from home.
  • Yea, and TiK still works too(but that was made by aol). I guess you can't d/l it from aol's site anymore though.
  • The CNN story states that someone from Network ICE [networkice.com] reported the exploit and that Network ICE's BlackICE intrusion-detection application has been updated to allow for the AOL exploit, but to monitor for alterations to the original code, but the Database of Intrusions detected by BlackICE [networkice.com] mentions nothing of an AIM buffer overflow. It's possible that this is another phony email from an MS employee or some other AOL-hater.
  • I submitted this to /. right after the Bugtraq posting came out (last Tuesday). One wonders why /. rejects the technical details but accepts the mainstream press, especially since nerds typical hate the mainstream press for being either devoid of technical details, or getting them wrong.
  • My BeAim works fine also, apparently the only client that's affected is the MS Client.. =) quite frankly I could care less. Aol stated that they are refusing the MS client due to security issues, it's their software and their choice.
  • Actually, ICQ is _not_ client-server... by default it tries to do peer to peer... if that doesn't work then it will fall back onto client-server.

    Since it's usually peer-to-peer, it makes sense that the software would have to know what the IP address is... They have an option to "hide IP" from other people, but only the official client actually does, and even that is easily broken.

    You don't really think all those files you transmit through ICQ actually go through the ICQ servers do you? Where would they get THAT much bandwith?
  • Why exactly shouldn't they keep it proprietary? Who pays for the server? Who pays for the bandwidth? Not Microsoft. AOL gets money from ads, so why should they let Microsoft come along and make people use their client instead of AOL's so Microsoft can get revenue when they don't have to maintain the servers? kcin
  • by ljavelin (41345)
    Heh, I'm surprised MSNBC didn't report it first. Or maybe MSNBC wanted CNN to report it first.

    To continue with the conspiricy theories ... I wonder how many former AOL employees now work for Microsoft? Betcha it's at least one more than zero...
  • Attitudes such as yours have convinced me that Ken Thompson was right about Linux.

    Forgive my ignorance, but what did Ken Thompson say about Linux?

    At any rate, from a technical perspective, Linux still lags considerably behind commercial UNIXes, and even NT. UNIX and NT aren't standing still either.

    I'll ignore the NT comment (that holy war isn't worth the time) and simply remind you that Linux is a variety of Unix. There's no such thing as the single Unix anymore.

  • as of a couple weeks ago you could d/l it from aol's website.. it's just that the main page was missing. the .tar.gz file was still there, though, and linked to from freshmeat. i think all they did is take down the main page, not the download..
  • More or less Linux is a hybred of Minux and Herd.
    It's more Herd than Minux however.

    Linux won't crush Windows alone.
    Linux makes a very good hacker os and an ok server and in those areas Linux dose a better job that 9x and NT. This strikes a blow at the Windows image of an os for "everyone".
    Linux just gets the ball rolling.
    Solarus, SCO Unix and BSD can attack on the high end server area where as MacOs and BeOs attacks on the multimedia and user friendly area.
    OS/2 and SGI can take on Windows in the workstation department.
    This leaves Windows with the gamers.
    Windows is a decent game os and other oses don't compeate in that area.
    But when an os is reduced to just playing games it's life is over.
  • Not meaning to piss anyone off.. but this probably isn't the best thread (Blizzard being blocked) to be calling for censorship, reguardless if they "love Microsoft" or not. The caps, yes, the opinion, no.

  • "We reserve the right to refuse service to anyone."

    I agree...but I sure hope that you are against the prosecution of MS with this attitude -- otherwise you're a hypocrite.


    Have you ever tried to wonder around microsoft.com [microsoft.com] with a non-MS browser? It's not very pleasant. But while we may bitch about it, and not think it a very bright move, no one has tried to force them to allow Netscape users access.
  • I'm curious about an aspect of this.

    Is there a limit on what format the image has to be in? Does it have to be well distributed or documented? Or is there an additional filed trademark on the sequence of bits in the image? If not, anyone could make up a format on the fly that reads some specific data and turns it into a trademarked logo. It seems if there are no limitations, this would be a field day for nuisance lawsuits.

    Secondly, it seems if someone were to find out the string of bits with no knowledge that they were a bitmapped image, and prove it (IE: hack at the Gameboy code and figure out what string of bits makes it run games), Nintendo would have a hard time filing a suit that wouldn't get thrown out.

    It also seems interesting in that it implies a trademark on a particular chunk of data. Heck, randomly searching the net, after a while, would probably turn up something--a binary, a JPEG, whatever--that contains a 15x15 bitmapped representation of AOL's logo. Does this mean that, if some AOL wonk was feeling nasty, they could file an infringement suit on some poor shmuck or demand he take down some image because of this? Or, God forbid, another annoyance tactic in the Scientologist's lawyer attacks?

    I am in no way familiar with trademark laws, so I am genuinely curious about this...

  • Check out DonkPunch's user info page [slashdot.org]. See all those 2's and 3's? He's been moderated up so much that Slash recognizes him and bumps him up automatically. No moderator sat down and decided his post was more worthy than yours.

    You can tell automatic moderation because there'll usually (always?) be no tag on it. "(Score:2)" rather than "(Score:2, Informative)" or whatever.
  • Yes I know that ICQ is from AOL too, but at least it's not directly involved with this mess.

    To me we should create a instant messaging protocol that would be secure (If I didn't gave permission to someone then someone can't have acess to my status), distribuited (why have only one server?), open source, multi-plataform (this shold be usable for mac, windows and all other OSes users too).

    I think that it's rather easy to create it using existent protocols, HTTP for files and messages and irc for chat.

    Is there something like this being developed?
    --
    "take the red pill and you stay in wonderland and I'll show you how deep the rabitt hole goes"

  • realy, i totaly agree with hepkat. aol has given a
    • FREE
    product to everyone to use for
    • FREE
    . now that ive mentioned that its
    • FREE
    , i can ramble on about how it is childish to want free email as well.
    i can not see for any reason why people want aol to give out all of its services for free, and why ms is having a hissy fit about tiny little glitches, while ms has many of its own glitches.
    in adendum, i say aim is a good
    • FREE
    source of chatting.
    finale
    fini
    peace out.
  • I take issue with your assertion that C and C++ are "lame." Sure, you have to be diligent to ensure that your code does not allow for overflow exploits. But the added freedom lets you make your code tighter and faster. I'll certainly take C/C++ over Java any day.
  • The update is currently in beta and will probably be released next week. In any case, the intrusion is now listed [networkice.com].
  • >that some people have some apologizing to do.

    Not really because the mircosoft guy was and still is wrong. This isn't the typical buffer overflow exploit at all. It seems like AOL is using those extra 24 or so bits as a kind of checksum or key to their servers. In other words if you don't have the key to the door (like mircosoft doesn't), you don't get in. This really doesn't fit the description of the typical buffer overflow exploit does it?

    Besides loser in case you've forgotten, Microsoft and the users of the Mircosoft software are tresspassing on AOL property (The AOL servers). AOL has told Microsoft to get lost. Therefore AOL has every right to ban the use of the Mircosoft software on *AOL*'s servers, just like the owners of the IRC servers can and have banned people from acessing their networks. You idoitic microsoft supporters had better realize the the fact that you don't have a damned right to acess *ANYTHING* that doesn't belong to you. In other words grow the fucking hell up.
  • _slightly_ offtopic (dammit dont moderate me down), but is aim protocol client server or peer to peer? also msn protocol ... i dont know what ietf is doing but doesnt peer to peer make infinitely more sense in the case of messsaging?
  • The full geeky explanation is at http://www.robertgraham.com/pubs/aol-e xploit [robertgraham.com]. Basically, in one of the login packets, AOL sends more data than the client expects, causing the buffer overflow, which then changes some of the values in response packet.
  • Just to be fair, I guess I'll put on my politician's hat and answer this:

    AOL absolutely has the right to keep their protocol proprietary, and in fact I think that MS's use of AOL's servers via OSCAR is tantamount to theft of services.

    However, at a time when Bill Gates is called the antichrist just because he wants to keep some of his IP to himself, we need to apply the same standards of morality to everyone. AOL could have kept their email system proprietary, too, (way back in, what, 1991?), but to do so would have been a disservice to their customers as well as the rest of the Internet. If there was ever a situation calling for a little good will on the part of AOL, this is it.

    But coming from a guy who always rooted for the Empire just because their Star Destroyers were so cool, I still think this buffer overflow gimmick is genius. :-)
  • Intrusion discussed in press on tuesday, supposedly confirmed on monday.

    Posted to web site on Sunday, after posting to /.

  • AOL provides the free service not as a nicety, but as a way to produce cash. AOL gets profits from AIM in the form of advertising. MS's users use the servers w/o any compensation to AOL at all.

    Remember, companies rarely to anything to be nice, but rather to make money.

    And AOL has the right to do anything they want with their servers... They own them! It's like the signs in restaurants: "We reserve the right to refuse service to anyone."
  • FWIW, AOL opened the TOC protocol (which every free client uses) not OSCAR (which has a few more features and which MS is using).
    --
  • "No. That would mean I would be recieving for free, what everyone else has to pay for. As soon as AIM, and GAIM, and TiK (if it still works) cost me
    a monthly fee, then a company who was allowing me access to that for free (while everyone else paid) would be in the wrong.

    I didn't say Microsoft. This *isn't* about Microsoft (and I'm curious why everyone thinks it is.. who of you bashed Gaim?)"

    Actually this IS about Microsoft. The difference is that GAIM, TiK etc are all based on an open protoc released by AOL for public use called TOC, along with special TOC servers that make the connection to the actuall AIM servers. Think of the TOC servers as a firewall router setup to protect the AIM servers by allowing only limited but functional access.

    Microsoft isn't using the TOC protocol or servers in their client. Instead they reversed engineered the OSCAR protocol which was never published and reserved strictly for AOL Instant Messenger. By doing this MS is bypassing the TOC server/firewall setup and accessing the AIM servers directly as if they are AIM clients.

    In this regard MS is illegally cracking into the AIM servers against AOL's wishes and bypassing their security. btw the TOC servers and protocols do not require you to have an AOL account as they are open to anyone.
  • The previous article was about how the rumor was initiated by a microsoft employee who was (very naively) pretending to be a third party. He lied about who he was, but he what he said about the code is confirmed by the current piece. Here's the relevant sentence from the previous article:

    In his message, he asserted that America Online is using a programming error that has created a security flaw -- one not found in Microsoft's clone program -- to detect the Microsoft Messenger program.

  • I'm surprised AOL hasn't implemented a fairly easy method of stopping non-authorized clients. They could merely take a small (15x15 pixels or something) BMP of a trademarked logo (such as the AOL logo), and use it as a "key" to access the servers. Official AIM clients would transmit this logo to the servers for authentication, but Microsoft could not implement that in its client without being sued for trademark infringement. AOL could then authorize gaim and the other non-Windows AIM clients to use the logo free of charge, so they wouldn't be inconvenienced, and AOL would retain its control of the Windows clients, keeping Microsoft out.

    This method works, and has legally been tested, as this is the method Gameboy uses to keep non-licensed developers from writing Gameboy games. If a game doesn't have the gameboy trademarked logo at the beginning of its ROM, the Gameboy refuses to play it.
  • Most messenging protocols are peer-to-peer and client-server. 90% of a messenger protocol has to deal with issues other than sending messages, for which peer-to-peer would make sense. This includes the ability for you to find your buddies in the first place. If I travel to Europe and dialin with my notebook, how are you going to find me except through a common server?

    Even peer-to-peer messenges have problems. One of which is that this remove anonimity; what happens with lots of protocols like IRC is that cr/hackers nuke/flood other people's IP address. Not to mention the problem of when both sides are behind firewalls/proxies, and thus cannot create a direct connection between each other.
  • Sorry, someone had to say it.
    might as well have been me.
  • BUGTRAQ? They covered this a while ago....
  • TiK uses the TOC (Talk to Oscar) protocol, an ascii protocol that AOL has given free. MS however uses oscar... And aol isn't to happy about that...
  • To my knowledge, all of the AIM alternatives (other than Microsoft's) use the TOC protocol, which is a simplified, open (at least, it used to be open), and slightly crippled version of the OSCAR protocol that AIM and Microsoft use. It's actually lots of fun to play with, writing little Tcl scripts to automate IMing and stuff...

    But Tik and GAIM users should be thankful that Micrsoft went to the trouble of reverse-engineering OSCAR instead of just using TOC, because if they had, I'm sure TOC would be gone by now.

Advertising is a valuable economic factor because it is the cheapest way of selling goods, particularly if the goods are worthless. -- Sinclair Lewis

Working...