Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
America Online

AOL Still Working On AIM Security Hole 118

TeacherReviews.com writes: "According to this article at Newsbytes, AOL has been aware that users' screen names and credit cards can be stolen from not only AIM 4.3, but earlier versions of the instant messenger as well. This problem, which allegedly can happen to any AIM user, was first made public by Inside-AOL.com months ago, but AOL decided not to respond until this Thursday under increased pressure from Inside-AOL.com and other media." This is just the kind of news I could do without, having recently been persuaded to register with AIM and give GAIM a try.
This discussion has been archived. No new comments can be posted.

AOL Still Working On AIM Security Hole

Comments Filter:
  • by bhalvors ( 236837 ) on Saturday December 02, 2000 @04:54PM (#586132)
    This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulson, or Adrian Lamo describing a WEAKNESS that then allows the company to make a BETTER product? I think that companies that get cracked should prosecute FULLY and VIGOROUSLY, but companies that get hacked should say, "wow, that kinda sucks, thanks for letting us know and not being a thief!" Anyway, just a thought.
  • Just from what I've seen being a long time user of ICQ, and having used AIM, I think the best IM/Chat program on the 'net now has to be Jabber [jabbercentral.com]. It works similiarly to the other programs, plus it allows you to chat with people on ICQ, AIM, Yahoo!, MSN Messenger. But, you have to have UserNames/Passwords for all those services.
  • ICQ wouldn't be the best choice, no matter who they're owned by. First of all the newest version of ICQ's installation file is 5 megs, uncompressed it takes about 7-8 megs of disk space (just for a messenger program). That and it isn't the most secure IM application either. I found this link [securityfocus.com] on www.securityfocus.com [securityfocus.com] which lets other people access your account. It only affects the user locally, but look at how many college computer labs have ICQ installed on them........
  • AOL's argument against other companies 'connecting' or in their words 'breaking into' their database (of users) has always been "Security".

    Ah, but security for AOL's users or for the other companies'?
  • This problem, which allegedly can happen to any AIM user, was first made public by Inside-AOL.com months ago, but AOL decided not to respond until this Thursday under increased pressure from Inside-AOL.com and other media."

    This sort of thing astounds me. Not only is it unbelievably bad business, but it's blood in the water for the litigation sharks circling out there. A big juicy target like AOL would be ripe for a class action suit as we've seen targeted against so many other businesses in the past.

  • by GMontag451 ( 230904 ) on Saturday December 02, 2000 @05:57PM (#586137) Homepage
    How can you get credit cards, AIM doesn't use credit cards

    The reason everyone is talking about this hole allowing people to get credit cards is not because you can somehow find out the credit card number used to open an AOL account. In fact, if there is an AOL account with the same name as an AIM account, it won't work. People are talking about credit card fraud because with someone's AIM password and buddy list, it is a hell of a lot easier to do some social engineering, and that is exactly what some people are doing.

    The way this hole works is by changing a couple variables during runtime in AOL while creating a new screen name. Apparently, there is a variable corresponding to the screen name you want to create, and also a variable that contains two characters which are later prepended to the first variable. The hole is that if you put the first two characters of the name you want to steal in the second variable, and the rest of the name in the first variable, AOLs server will only check the first variable against its user name database.

    A much more detailed explanation here

  • ya but there's lots of red-tape in applying for that fraud liability. And usually from internet scams by the time you know you're credit card is in the hands of a 3l33t h4x0r he's charged possibly thousands of dollars to the card. By the time this all goes through it can have already ruined your credit rating. Once you're in the "bad credit" section of any banks or credit companies it's extremely hard to get out.
  • If you claim that the company doesn't know what went on, then it is implied that there isn't any evidence that the hacker did something "bad." What happened to "innocent until proven guilty"?

    Nothing. The individual involved committed a crime; that he did no damage and had no malicious intent is an argument for a lenient sentence, not a defence.

  • If someone takes the password to your screenname then it doesn't matter HOW you connect to the service -- whether over AIM, Gaim, or Jabber -- the screenname's password has been compromised and you no longer have it.

    ---
    Rob Flynn
  • YET, here we have AOL knowing about a problem for MONTHS and not fixing it?

    If I remembrer correctly, Microsoft, Before They got out of the AIM Network to concentrate on their own IM Userbase, Mentioned that there was a huge security hole in AIM and AOL Blew it off as MS FUD. Maybe they knew about it all along and kept it a secret figuring that someone would find it eventually.

    Personally, I use MSN Messanger. I used to use ICQ then AOL Got hold of it and turned it into the ultimate example of bloatware. How many people can remember when it was a 1.4 meg download? I think it's up to 6 Megs now, has all kind of stupid things like web servers and greeting cards that are almost never used, and they made the E-mail notification into a full featured POS E-mail program that never would read E-mail because it would always screw up the Downloading of headers. and I never used AIM for obvious reasons (It's From AOL)

    The only IM Clients I would Even touch right now is Yahoo Messanger and MSN Messanger. and since MSN Messanger currently has exactly what ICQ had before it became a bloat monster, Thats the one I Use

    --
  • About 4 or 5 months ago my favorite AIM name was stolen out from under my nose and it was used to create an actual AOL account. I immediately brought this to the attention of AOL, but their stance on my situation was "You must have given your password to someone, and now that it belongs to a paying customer we're not going to do a damn thing".

    Now that the problem has been made public, is there anything I can do to get it back?

    ~Panic~
  • ...will be LAIM.

    hehe.

    ;)
  • That might be the case, but it'd still be inaccurate to say 'ICQ caught on even though it had a different protocol'. They developed at least concurrently, and from my experiance ICQ's userbase grew much faster than AIM's (aside from AOL users, of course) initially. MSN or Yahoo messenger might be a valid case, but they still don't have the userbase of AIM. Basically, I'm willing to submit to the evil AOL empire for the sake of being able to contact people easily - almost everyone I know uses AIM, even if they have another messenging service, for the same reason - everyone they know uses AIM. It's hard to take a userbase like that and convert it, because most people don't want to change from what they're used to. For instance, I didn't go on AIM until ICQ started to really suck.

    Just my thoughts - I don't see any new IMs catching on as quickly as AIM and ICQ did, because they were the first (or first mainstream) ones availiable.
  • Um, Slashdot != America. You're seeing a trend on Slashdot. Most people in the US don't mind companies like Sony, Microsoft, and AOL.
  • Well, i think thats nonsense. The only reason i got ICQ was b/c a friend say 'hey check this out, its pretty cool.' Last time i checked, the Yahoo! and MSN IM systems were gaining a userbase fairly quickly. I'd say within a few years, just about 'everyone you know' will have one of these as well. When it comes to these chat programs, i don't think people are as loyal as you would think, and many have at least 2. Especially if they all work pretty much the same (which from what i am told, the MSN equiv. looks alot like AIM).

    I agree that ICQ for windows has begun to suck; i hate that they are using it to advertise, and its way more bloated then it should be. Although the same can be said for AIM, which is why i'm still using one of the 1.x releases. At any rate the linux clones seem to be coming along nicely, so i may switch to that.
  • This would explain the reason why one of the companies I work for, The Williams Companies, force us now to use this really crappy version of ICQ Groupware that I don't even think is being developed anymore.

    This is a multi-billion dollar company that is forcing it's tech support (we support 30,000+ users and three different call centers) to use this communications method that show's us "away" half the time.

    This article, along with a few others, was shown to our managment saying "ack look what they can do to our system intergrity!" when the people pointing out the problem didn't even really know what they are talking about in the first place...

  • AIM? Uhhh. Look at the article. Ask yourself: Do I feel lucky?

    ICQ? Hmmm. Nope. Used to be good, until AOL bought it. Now I wonder whether UINs are going to be vulnerable . . .

    Yahoo! Messenger? Ah, a prima donna company that tries to take ownership of its users' pages. [internetnews.com] I think I'd be better off with AOL . . .

    MSN Messenger? Ah, a "reliable," "free*" product, brought to you by the kind folks at Micro$oft.

    PowWow? Honestly, how many people do you know that have even heard of it, let alone have bothered to create an account?




    * Subject to terms decided by Microsoft. By signing up for MSN Messenger service, you hereby agree to give Microsoft Corporation (hereafter referred to as "We Own Your Soul") sole ownership and possession of any and all inventions, ideas, etc. produced by you (hereafter referred to as "Putty-brain"), including any electrochemical developments and all genetic by-products. These terms are subject to change at our discretion.
  • Nah, he's probably a proper moron.
  • ALEXANDRIA, Va. (AP) - An anonymous AOL employee has leaked news that AOL is still working on creating the AIM security hole that will be the main new feature of AIM 4.5. This new hole will reportedly allow spammers every Friday night to identify and spam AIM users who refuse to have their profiles included in the publicly searchable AIM Member Directory. Spammers are expected to have to pay AOL $1000 to be directed to this new hole. Spammers will be asked to handover to AOL any credit card numbers they are given in subsequent transactions. Any credit cards with no AOL account will mysteriously get one without the user's knowledge.
  • by AviN ( 9933 )
    Welcome to the wonderful world of bloatware.
  • How can they steal my credit card information? I never gave said information to AOL in the first place. Nor does it reside anywhere on my hard drive, so far as i can figure. Is this some sort of "psychic" hack where they can read my mind or something? :)

    If the hole's limited to AIM, and AIM users don't need to provide anything but an email address to access the service, i can't figure how anyone could steal anything more than that.

    In the end they should enforce upon users a permissions based system. Each account gets a master account and 6 user accounts. They should explain the master account as being a sort of "root" account, only use it when you need to change your billing info or your screen names. And then disable "remote" access to it - ei AIM. That'd their worries right there, but at this point it'd cost them millions in order to notify everyone of the change and what to do about it.
  • According to the copyright on my very old version of AIM, it came about in 1996. Thats also when i discovered icq, which wasn't out that long at all at the time. And according to the copyright in my fairly recent version of icq, it also came about in 1996.

    Get your facts straight...
  • As far as the "When you set your away message, the hostiles IM you, and your away message gets sent to them, allowing them to warn you" goes: there's an option to turn off the auto-response and just set the away message in your personal profile.
  • This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation?

    The answer to this question is actually quite simple:

    Corporations, and even the government are finally learning that the net is the great equalizer, and they nave no control over it. In the beginning both the gov't and the corps thought they could control and manipulate things, but over time they learned that they had zero control.

    This is a frightening thing to learn for a person or organization who thought they had utlimate power. So in order to gain back some of the power they lost by entering the internet community they will prosecute to the hilt in an attempt to set examples, because there probably are one or two people who won't hack or crack after they read those Time and Newsweek cover stories about the 14 year old kids who lost their computers and went to jail after hacking the KFC website looking for their secret-sauce recipe.

    The same thing goes for the gov't as well. They ALWAYS over-react... and it's policy. Look at history. Recent examples being Ruby Ridge, Waco, and removing Elian Gonzales from that house in Miami. They go in full force to set examples in the hope that citizens will toe the line and be good little citizens and not do anything except sit around, watch Jerry Springer, and gain weight.

    Rich...

  • How about, "It's their own network, so let them do whatever they want with it"? AIM's protocol was never fully open; the "Open your protocol back up" is just typical open-source drivel. They have an acessible protocol, TOC, which is implemented in their Java-applet clients and most open-source clients. Their binary protocol, OSCAR, is their own property. Some hacked implementations exist for other platforms, but they're not quite perfect.

    AIM is not life-or-death. The only thing they put at risk here is their Good Name (cough). You don't like it? Start your own IM network, and make it "standards-compliant." I'll be too busy chatting with all of my AIM and ICQ buddies to care.
  • by yerricde ( 125198 ) on Saturday December 02, 2000 @04:58PM (#586158) Homepage Journal
    The AIM 4.x license agreement states, in effect, `By installing this software, you agree to the terms. ... You may not use client software not approved by AOL Inc. on AOL's AIM servers.' This is why I use AIM 2.1 [aol.com] (the fastest Win32 AIM client that AOL ever made) on my Windows 98 partition, alongside Everybuddy [everybuddy.com]. I know there's Jabber [jabbercentral.com], but I found its AIM gateway to be a bit unreliable.
  • Actually, ICQ is even better than AIM in these regards. I don't know about the newer version because I hadn't upgraded, but the older ones do not show you ads at all. That goes to another point, that you don't have to upgrade the client all the time. I am running ICQ99b right now and will not upgrade. I tried the 2000 version and I didn't like it, so I went back to the old one. Another advantage is that it doesn't pop up windows while you are working. I hate when I am typing something and then someone sends a message on AIM (I am forced to use it at work) and I end up sending them a message of some code or something. Also, the ICQ protocol is not kept as secret as AIM. There are plenty of clones out there, and I believe ICQ does have a unix version that they made, as well as a palmOS version, mac, and CE in addition to the rest. Also for AIM, there is a java applet that is not too big and you can run to connect to the AIM service. I use it at work on my Sparcstation and have no problems with performance or any lack of features.
  • by atrowe ( 209484 ) on Saturday December 02, 2000 @04:59PM (#586160)
    AOL members, by default, have the same AOL usernames and AIM screennames. By stealing the AIM account of an AOL subscriber, you will be able to change the password and gain access to all other AOL features by using the same screenname/password as that user's AIM screenname/password.
  • Of course, by now you must know that ICQ is owned by none other than AOL,...

    ICQ is a decent product in my opinion, and the opinions of many. Just because it is owned by AOL doesn't mean it is a horrible product. I am pretty sure you are using either Netscape or Internet Explorer. Both of these companies are hated and bashed a lot for their problems and the way they do business. However, that doesn't mean that they don't do something right once in a while.

    ...and that the company is planning on merging the services. (Don't believe me? Download AIM 4.3, and log in using your UIN and password.)

    Well, that is their choice, however, for the year or two that they've owned ICQ, I've never had to stop using the older versions. At this point I have no need to "upgrade" to AIM 4.3 so this doesn't really affect us yet. If they do merge the two and force everyone to upgrade, I see the potential for people finding something else similar to ICQ because it has a lot better features than AIM. In fact, it could be possible for a rogue ICQ network running ICQ groupware servers. I've done that before, and even though that only runs on NT, I believe there is a unix or linux clone that someone made.

    Furthermore, ICQ's security is pathetic. Messages are sent person-to-person directly, opening up unnecessary ports on your system. Your password is sent in plaintext (as opposed to AIM's brilliant method of XOR'ing it with "TicToc") so anyone with a sniffer could find it.

    Excluding the peer-to-peer part, the exact same could be said for pop/sendmail based email systems. However, we all know how widely used it is. Email, and to a greater extent instant messaging, should not be your main form of communication. I use ICQ to keep in touch with friends and family, not to send credit card orders or discuss top secret plans. I don't want people to read my instant messages, but if they do it will not actually hurt me. It is basically just a toy, like talking on walkie talkies or sending a postcard. If you want some form of encryption, you can encode your messages with pgp quite easily, and I believe there may be an ICQ plugin for doing that as well. Also, as far as security, you mentioned another thing...that the messages from ICQ are peer to peer and do not go through the server. That is one advantage over AIM. If my messages go directly to the person I want to send them to, how can AOL log them?

  • by generic-man ( 33649 ) on Saturday December 02, 2000 @05:01PM (#586162) Homepage Journal
    (2) It only applys to AOL accounts, and not AIM

    No. Is it so hard to read [upside.com] the damn article first?
    Indeed, Graham emphasized in an interview that the attacks were "limited to the AIM system. No one on the AOL platform has had their security compromised."

  • by sjames ( 1099 ) on Sunday December 03, 2000 @08:50AM (#586163) Homepage Journal

    This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulson, or Adrian Lamo describing a WEAKNESS

    There are a variety of reasons. For example, you arrive at home and find a note on your fridge:

    'You really need to get a better lock on your front door. Also, you forgot to carry the two when you balanced last month's bank statement, your milk expired yesterday and you're paying way too much for car insurance. P.S. Purple underwear? What were you thinking? Signed, Mr. 1337'

    Now, as a regular reader of urban myths, the question you have to ask yourself is: 'Did that guy stick my toothbrush up his butt?' or 'Will that embarrasing home video in my underwear drawer end up on a porn site?'

    On the other hand, if all Mr. 1337 did was get into your back yard and have a swim in the pool, it's probably not a big deal.

  • Congratulations. You took the exact same thing that spammers on AOL do with AOL chat rooms and l33t VB pr0ggi3z, and did it with Perl. I'm proud of you.

    Maybe soon someone will figure out a way to gather e-mail addresses by spidering web pages. Could nebby101@hotmail.com fall into the hands of spammers? Could all e-mail addresses be gathered this way? Judging by some mail that I get, "100 MILLION EMAIL ADDRESSES FOR $49.95" is a good place to start checking.
  • by djocyko ( 214429 )
    AOL has been aware that users screen names and credit cards can be stolen...

    where do credit cards come into the picture for AIM? this makes 0 sense to me.

  • "I had a whole plan of this myself, but of course that's WAY against their terms of use."

    hrm. the act of obtaining them or posession of them? might be illegal to run a bot in such a manner, but owning a list of valid im names? someone would just have to harvest them and sell the list. i'm stunned that nobody has done this yet.

    but talk about intrusive! forget a phonecall during dinner, imagine the phone throwing the handset at your head!

    My .02,

  • by cd_Csc ( 151701 ) on Saturday December 02, 2000 @06:03PM (#586167) Homepage
  • From www.inside-aol.com [inside-aol.com]:

    "12/1/00: Better late than never - despite missing their stated deadline for a solution, America Online has managed to put a stop to the theft of Instant Messenger subscriber screen names, according to information received by Inside-AOL.com. We hope that their fix will prove to be a lasting one, and find it greatly satisfying to see that even the largest of companies cannot ignore public pressure indefinitely."

    so, AOL is not completly negligent.

  • by Trepidity ( 597 ) <`delirium-slashdot' `at' `hackish.org'> on Saturday December 02, 2000 @06:53PM (#586169)
    The slashdot blurb says this could lead to credit card numbers being stolen. The articles linked to did not mention this. Furthermore, since registering for an AIM name does not involve giving a credit card number, I fail to see how this is even plausible. Is slashdot just making up news or is there a factual basis behind this allegation?
  • The only IM Clients I would Even touch right now is Yahoo Messanger and MSN Messanger. and since MSN Messanger currently has exactly what ICQ had before it became a bloat monster, Thats the one I Use

    Use TiK [sourceforge.net]. It's l33t.

  • . . . but it doesn't change the fact that he shouldn't have been mucking around on someone else's network to begin with.
    Ahh, you bring up the question that I have on my mind. Really, why shouldn't he have been mucking around? Because you're not "supposed" to? Seriously, what's a good reason for him not to? I think it really comes down to why he was mucking around. If he was doing it because he was trying to see how secure his own private information was, I think he has a right to check that. If someone tells me that my information is being kept private, I'd like to know what measures are being taken and be able to test if it really is secure. Now, I suppose if he was mucking around trying to take other people's private information, then he should be persecuted. Things get really sticky when you try to factor intent into the situation. (and yes, either way, it probably violates a TOS, but then again, I'm not concerned about legal, I'm concerned about fairness)

  • 1. When signing up for aim all they ask is for a username/pw and email, I usually use a fake email anyway, so why does it matter if they get this info?

    and 2. How can you get credit cards, AIM doesn't use credit cards (unless its from the new AIM Phone that aim for windows comes with now, i think thats a pay service)

    ---
    Oh my god, I've been bitch slapped by Slashdot, You Bastard!
  • Makes me thankful that i got off aol itself 6 months after i got onto the net and signed up with a free isp under a name in ohio (yet i am a proud new yorker). sometimes being paranoid pays off.
  • sounds like they pulled a microsoft.

    How long did it take them to "fix" vb script holes in outlook again? :-)
  • Maybe not. You can have different AIM and AOL passwords. Most people will probably pick the same password, but in theory there's no reason why this is necessarily the case.
  • If you read the article linked to up there, it says that they could get AOL members credit card numbers, and AIM members screen names and passwords.
  • You are an idiot. Back in the days of 2 gig Hard drives, a 8 meg install might be considered huge.. now-a-days though, we've got 20 and 40 gig hard drives, and nothing to fill em up with but mp3s. Why not write larger and more feature-rich programs if we've got the processor speed to handle it? If you've got an older computer, then stick with the old version you have, it'll still work.
  • Just so you know, I, and several other people, have had lots of problems with GAIM. It crashes a lot basically. I don't really know quite where the issue is, but thankfully there's plenty of good UNIXen AIM clients out there. I myself use Tik (an emacs-lisp version :-) for those times when I need to get on, which is not too much...

    But just so you know, if you run into problems, try something else.
    -----
  • If I worked at AOL I would want this fixed right away, it has to make you wonder, if they knew about it then way would they let there own accounts remain at danger? It would make me want to fix this problem fast, if even just for my own good.


    ________

  • by iamsure ( 66666 ) on Saturday December 02, 2000 @04:35PM (#586180) Homepage
    AOL's argument against other companies 'connecting' or in their words 'breaking into' their database (of users) has always been "Security".

    They never elaborate, nor specify exactly what criteria have to be met, so others can meet it and get use of their network.

    The FTC was considering possibly forcing them to open up instant messaging, but seemed to back down when AOL said they refused due to security of their customers.

    YET, here we have AOL knowing about a problem for MONTHS and not fixing it?

    Smells like time for a few senators and congressmen to say a few words to AOL about "equal standards".

    Open your protocol back up, AOL.
  • by Anonymous Coward
    Some one should check facts, the artical is a lil bit wrong.
    (1) The exploit was first posted on observers.net
    (2) It only applys to AOL accounts, and not AIM
    (3) It was patched about a month ago.
    -Eternal
  • by RESPAWN ( 153636 )
    Looks like it's time to use ICQ again. Oh wait, that's owned by AOL, too.


    --------------------------------------

  • by jesser ( 77961 ) on Saturday December 02, 2000 @09:21PM (#586183) Homepage Journal
    I just registered [aol.com] sseRud (my screen name minus the first two letters) so nobody can do this to my main screen name. I also registered jsserud and tried to register esserud because the securityfocus [securityfocus.com] and upsidetoday [upsidetoday.com] articles didn't convince me that I didn't need to register them as well. Esserud turned out to already be registered, which surprised me, but it's not important that I own those userids, just that the buggy registration thingie knows they're not available.

    (Note: I'm not trying to imply that it's ok for there to be such a huge security hole by posting these instructions to slashdot. I just want to point out that it's possible to protect your account without going through too much trouble.)

    Moderators: I'm above the karma cap, but I'm still a karma whore, so do whatever you want to this post.

    --

  • I'm by no means a hacker (or cracker), but I can recognize their importance. If well-intentioned hackers are afraid to help the companies out, then a foreign crackpot will inevitably find the flaw out and exploit it before anyone realizes it. So, I would hope that AOL found some reasonable evidence of fair wrongdoing before blindly prosecuting. The courts are becoming an evil tool of people with more money. Justice will never be served as long as money can buy it.
  • If you read the article linked to up there, you'll see this quote:
    Indeed, Graham emphasized in an interview that the attacks were "limited to the AIM system. No one on the AOL platform has had their security compromised."
    In other words, they could NOT get AOL members' card numbers. This is just a hack that could let people pretend to be me when talking to my buddies.
  • Actually, I truthfully prefer ICQ. I used ICQ99b for quite a while until my most recent format. I do absolutely love the way it doesn't pop up when you get a message. Combine that with the offline messaging feature and it makes ICQ great for trying to coordinate an online game of Counter Strike with friends around the nation. The only problem I had with it was that the vast majority of my friends don't use it. And the ones that do also use AIM, so I never bothered to reinstall it after my format. My roommate however, uses 2000 and it doesn't have any ads as well. And as for squelching the pop-ups in AIM, I usually just keep an away message up with the "disable windows" checkbox checked. I believe that you can still hear when somebody IMs you, but you can answer it at your own leisure.

    As for the alternate versions of ICQ, I believe that I used a version in the past for linux entitled Licq, and had no complaints with it's operation. And AIM Express (the java applet) is also a pretty nice little utility, especially when combined with the latest version of AIM that stores your buddy list on their servers, as well as locally. AIMe's great when you're at some public terminal or a non-windoze box to be able to instant message a friend with a question. Not to mention that keeping your buddylist stored on their server makes it much easier for me to keep my list coordinated between all three of my machines.


    --------------------------------------

  • Well, I guess we know why you don't work for AOL then.
  • by RTMFD ( 69819 )
    Two things:

    1) Just because he's sentenced to 19 years, doesn't mean he'll do 19 years.

    2) Breaking into a computer is viewed by many corporations in the same way as if you broke into their company headquarters, poked around in their file cabinets (if there are any), and then left a note with your name, address and home phone explaining who you were, what you had done, and that you "didn't see anything confidential, steal stuff, or otherwise molest important items."

    I'm sorry to have to say it, but this kid was a friggin' idiot.

  • by dirk ( 87083 ) <dirk@one.net> on Saturday December 02, 2000 @05:12PM (#586190) Homepage
    This may be seen as O-T but, why do companies insist on prosecuting the "illegal entrant" who just plays around on the system, and does no damage other than, possibly, to a company's reputation? In fact, most of the hackers would just explore what they could do, and then send a post to people like Kevin Poulson, or Adrian Lamo describing a WEAKNESS that then allows the company to make a BETTER product? I think that companies that get cracked should prosecute FULLY and VIGOROUSLY, but companies that get hacked should say, "wow, that kinda sucks, thanks for letting us know and not being a thief!" Anyway, just a thought.


    The answer is simply because you can't let anyone get away with it (in general). If someone hacks your system, doesn't seem to break anything, and simply sends you an anonymous message saying so, you REALLY don't know what went on. He may have taken data that you didn't notice, put a trojan or something else you didn't notice, opened up other security holes, etc. Just because someone says that they didn't do anything doesn't mean that they didn't. I think AOL went a bit far in prosecuting this guy if he actually did help them patch the hole, but it doesn't change the fact that he shouldn't have been mucking around on someone else's network to begin with.

  • by SkyIce ( 184974 ) on Saturday December 02, 2000 @05:12PM (#586191)
    from inside aol [inside-aol.com]:
    Update @ 12/1/00: Better late than never - despite missing their stated deadline for a solution, America Online has managed to put a stop to the theft of Instant Messenger subscriber screen names, according to information received by Inside-AOL.com. We hope that their fix will prove to be a lasting one, and find it greatly satisfying to see that even the largest of companies cannot ignore public pressure indefinitely.
  • by mwalker ( 66677 ) on Saturday December 02, 2000 @05:13PM (#586192) Homepage
    Jay Satiro, 19, pleaded guilty Tuesday in Westchester County Court to first-degree computer tampering. He faces up to 15 years in prison.

    The average prison time served after conviction for homicide, willful murder, is 5 years, 11 months. [house.gov]

    First degree computer tampering? A 19 year old with obvious talent belongs in federal prison. You bet.

    The greatest crime you can commit in America is first degree curiousity. [2600.com]
  • Ahh, you bring up the question that I have on my mind. Really, why shouldn't he have been mucking around? Because you're not "supposed" to? Seriously, what's a good reason for him not to? I think it really comes down to why he was mucking around. If he was doing it because he was trying to see how secure his own private information was, I think he has a right to check that.


    In theory this is true, but try it in real life. I have my money in the bank down the street. I still can't try to break in "just to see if my money is secure". To me, computer systems aren't really any different than property for this type of thing. You aren't allowed to muck around in either of them if they aren't yours, simply because we can't factor intent into it. If you get caught before you have done anything wrong, does that mean you weren't going to do anything? Or you just didn't get the chance to? It doesn't matter, because you shouldn't have been there in the first place.

  • by aozilla ( 133143 ) on Sunday December 03, 2000 @11:41AM (#586194) Homepage
    I've seen this happen at companies that I've worked for over and over and over again. You make a client, and a server, talking to each other over a proprietary protocol, and you forget that the client is inherently untrusted. Security through obscurity breeds in these proprietary environments. I've had heated arguments with programmers who insisted that the server was secure because the client was unable to perform certain actions. I've had managers ask me to prove that these problems were security holes by exploiting them, but without modifying the client source code because "the public doesn't have the client source code, so if you need the source code, it can't be exploited". The fact is, if you have any plans of being as big as AOL, your protocol will be reverse engineered, alternate clients will be created, and your security holes will be found.
  • Well, spammers have found interesting ways to try to get these completed user lists. A standard spammer trick is take any address they get at all, and make variants of it for the big ISPs. After all, if there's a barbsmith@someisp.net, there's probably a barbsmith@aol.com. Given the negligable cost of sending spam, it doesn't matter if it only hits one in ten times.

    AT&T gets something in the neighborhood of a million or two bounces from this type of spam, per day.

    --
    "Don't trolls get tired?"
  • My work forced me to get an AIM name. Then they tried to be angry that I put my work email address in instead of my personal one. I'm sure lots of people's jobs require them to use IM, and AOLs is popular.
  • > This is just the kind of news I could do
    > without, having recently been persuaded to
    > register with AIM and give GAIM a try.

    We've already had to deal with Taco this week and his anti-Java stance. Do you think the Slashdot guys could get any more elitist about things?

    -Chris
    ...More Powerful than Otto Preminger...
  • True enough. So, why can't people who love doing this sort of thing be registered, have to physically show up somewhere with several pieces of ID, and a 1M$ Bond, and get a Registered Systems Hacker ID#. Then they could play around and leave their ID#'s as proof of their white-hattedness?
  • Your not describing anything new. People have harvested email addresses for a while. Just describe how to harvest email addresses and then s/email address/screen name/g and bam your post.

    AOL is not as evil as most people like think. With their AIM serivce they provide all the tools to have none/some/all privacy and still chat. People just don't used them and then get their panties in a wad.

    What I disagree with is the warning system which I think is an agressive action and not defensive like they claim. Blocking a user is defensive. Warning actually effect the other screen name's abiliy to use the service which I think is wrong even if I don't agree on how they are useing or taking advantage of it.

    Sorry it turned into a rant.

    Leknor

  • the name-hijack exploit most CERTAINLY applies to users of the standalone AIM... and who's not checking facts? here they can be found: http://Inside-AOL.com the exploit can be SIMPLY thwarted, just register again for AIM and use your current username MINUS the first TWO letters in your username... DOH.
  • oops - typo there... should be "ON SecurityFocus." This article explains how the credit card numbers are comprimised along with some other interesting techincal stuff that seems to have been left out elsewhere.
  • Both harvesting screen names and sending unsolicited communications is against their terms.
  • Well, not all e-mail addresses (most, I'm betting) are AOL screen names.

    Also, the trick is finding "active" screen names. The ones coming in and out of chat rooms are the best cases for that, afaik. Ones that have big buddy lists probably are too.

    There'd have to be a way to automate the process of "hacking" an account, getting the buddy list, and then doing the same on all of those, rinse, repeat.

    I think you need to use that AOL tool though, so it's probably an impossibility to automate such a process.
  • heh.. maybe if you just ask the AOLuser they will give you their credit card number. "How would I know your screen name if I wasn't from AOL?"
  • Actually, we've applied the patches, and are still getting hit by lovebug variants...
  • I have both AOL and AIM, and I registered my AIM screenname (same as my AOL screenname) after I had the AOL account. Despite the fact that they are the same screenname, when I change my AOL password, my AIM password doesn't change, and I have to subsequently change it. Therefore, it seems that there are two different password databases...
  • Open your protocol back up, AOL.

    Ugh, you know what, who the fuck cares what protocol they use. Its so incredibly simple to design another one, why waste time trying to get aol to open something that is reproduced virtually without effort. Look how fast icq caught on...and it has a whole other protocol. Don't give me that everyone has AIM crap...icq is proof that any protocol will do.
  • wait.. has the hole been fixed? it's not clear from the articles.

    --

  • wrong wrong wrong sir. the exploit is only for AIM and, eventho AOL has "FIXED" it, is still exploitable. satanklawz root@inside-aol.com
  • by Technodummy ( 204943 ) on Saturday December 02, 2000 @04:45PM (#586210)
    ".... Earlier this year, a hacker discovered that he had gained access to AOL's internal network. He contacted them and told them about it, then helped them fix it. After it was fixed, AOL turned around and had him prosecuted."

    if you bite the hand that helps you... will it reach again?

  • by generic-man ( 33649 ) on Saturday December 02, 2000 @04:47PM (#586211) Homepage Journal
    Ah yes, the typical "AIM sucks, use ICQ" response to an article like this. Of course, by now you must know that ICQ is owned by none other than AOL, and that the company is planning on merging the services. (Don't believe me? Download AIM 4.3, and log in using your UIN and password.)

    Furthermore, ICQ's security is pathetic. Messages are sent person-to-person directly, opening up unnecessary ports on your system. Your password is sent in plaintext (as opposed to AIM's brilliant method of XOR'ing it with "TicToc") so anyone with a sniffer could find it.

    ICQ and AIM are supported in Everybuddy [everybuddy.com] for Linux. Good app, with no ad banners or ugly "skins" or "wings" like Odigo.
  • read the article at inside-aol.com

    you create an aol account that over gens the AIM account which inturn you need a CC inorder for billing to be authenticated.

    satanklawz
    root@inside-aol.com
  • by nebby ( 11637 ) on Saturday December 02, 2000 @04:47PM (#586213) Homepage
    A while back I was playing with the idea of getting lists of AIM user screen names to use for sending random stuff to at my will. The only way that I knew of to get screen names of AIM users was to either do a search in the directory or look in chat rooms. I also tried generating them, but that didn't work well.

    Of course, the system had to be automated, so I decided to go the route of chat rooms. I wrote a AIM TOC client in Java (and some bot stuff too, but that's another story), hooked it up to some scripts, and before I knew it I had a list of like 500k or so screen names (acquired over a period of like 2 weeks of sitting and harvesting)

    It was fully automated, grabbing the latest open chat rooms from the web at AOL's site and parsing them out via perl script. It was pretty scary, actually. Once or twice I IM'ed a few random ones just to see if I really was getting screen names of real people, and sure enough they were always like "Who the hell is this?" .. it was freaky :)

    I did some more research and realized that was I was doing was against AOLs terms of use, so before it got out of control, I stopped. The names I had gotten, anyway, were just stupid AOL people who were usually less than 14 years old and probably asked "a/s/l" several times an hour.

    This little hole though makes me wonder if there's a way to get a list of ALL the screen names.. the college kids, the working adults, not just the AOL geeks who use the "AIM chat rooms".

    You shouldn't do it because of the legal implications, but I'm betting someone would pay a hefty sum for a list of several million active screen names for IMing advertisements to. I had a whole plan of this myself, but of course that's WAY against their terms of use.

    Or you could just OSS the whole list :)
  • How about this part of the article?
    America Online [NYSE: AOL] said today that it is in the process of closing a security loophole that allowed hackers to steal AOL Instant Messenger (AIM) screen names and, in some cases, access AOL members' credit cards.
  • by pen ( 7191 )
    This is the case now, but for the longest time, AOL displayed this information to anyone who got the password for the master screen name. Furthermore, AOL still has services which allow you to charge stuff to the account's credit card.

    --

  • I don't understand! They told me, "At AOL, your privacy and security are always respected." Mr. Graham has some explaining to do...
  • It may be a stupidity exploit, such as causing a window to pop up and say

    um... we kind of forgot your billing information, username and password.
    Could you tel us what it is again?

    stupidity exploits work rather well on AOL users.

  • by sheetsda ( 230887 ) <doug.sheets@gma[ ]com ['il.' in gap]> on Saturday December 02, 2000 @04:51PM (#586218)
    The article mentions an "AOL hacker". Does this seem like an oxy-moron to anyone else?

    "// this is the most hacked, evil, bastardized thing I've ever seen. kjb"

  • Start your own IM network, and make it "standards-compliant."

    We already did. It's called Jabber [jabber.com].

    I'll be too busy chatting with all of my AIM and ICQ buddies to care.

    There are already Jabber-to-TOC and Jabber-to-ICQ gateways that let Jabber users chat with users on other servers, and they're getting ready to install MSN and Yahoo! gateways.

  • Every well informed geek knows theres about a billion potential buffer overflows in AIM. The funny thing is, not only did AOL deny this fact, but they actually exploited these buffer overflows the weed out non-Aol clients that didn't have these buffer overflows.

    Yet another reason why I don't use Windows or AOL.

  • are you from britain or something? "first reply"?
  • otoh, the site could guarentee that all logs will be publically avaailable after 7 days, so anyone can check whether users are being malicious.

    --

  • Hey, you use AIM 2.1? IM me; I'll make your system crash. :-)

    --

  • Well, to brute force it would take a lot of work.

    The first method is to generate every possible screen name (x characters) and do those. This is too much and too slow, impossible.

    The alternative method is to generate words off a dictionary (pseudo words) using syllables and stuff, since alot of screen names are not real words. This actually worked pretty well in guessing actual names, but again these screen names were usually not active for ages.
  • True enough. So, why can't people who love doing this sort of thing be registered, have to physically show up somewhere with several pieces of ID, and a 1M$ Bond, and get a Registered Systems Hacker ID#. Then they could play around and leave their ID#'s as proof of their white-hattedness?

    How about a creating a (free) system like zeroknowledge where you're anonymous unless the maintainers of the system agree that you've done something bad? Wait, I already see a few problems with that idea:

    - I'm not sure I would want to go through even that little bit of trouble after thinking of some random possible security hole. I just want to see if it's there and if it is, tell the people who own the system.

    - Malicious crackers would probably take a hint and decide to use zeroknowledge (but at least they would become aware of the idea of the idea of white-hat hacking, and they'd still have to pay for zk (I think)).

    - Setting up that kind of service might legitimize the idea that "hacking other people's computers is bad".

    - There's a huge incentive to crack one of the routers for this system: you get to watch people crack other systems, and then you can either "make" them do bad things on the systems they've cracked (and get them in trouble) or crack the systems yourself.

    --

  • When someone breaks into a computer, they can at most delete files or use your DSL for a DoS.

    Or steal banking records, customer lists, credit card numbers, personal email etc. Businesses can easily be seen to live in their computers. That's where all of their information resides. The question was actually why do businesses see a need to prosecute, I just used a home analogy since many people can relate to that better.

    Besides, this person didn't even damage anything. Manslaughter has a much lower sentance.

    I do disagree with the harshness of the penelty. It certainly shouldn't exceed manslaughter or rape.

    So get decent security and don't fret when someone breaks in to your computer. Besides, merely exploring a network (a la nmap etc) is interesting and educational.

    Nmap is more like driving through a neighborhood seeing how many people have decent locks and alarms and who doesn't. At most it is like trying a door knob w/o opening the door (note that in the real world, even that can get you in trouble, especially if you have a record). To me, it isn't cracking until an exploit is tried.

  • by maquina ( 229173 ) on Saturday December 02, 2000 @07:24PM (#586236) Homepage
    The credit card numbers that are mentioned in the article are the ones being traded to acquire more desirable screen names.

    From the Article in Security Focus:
    Credit Cards Abused
    Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.
    Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."
    For full story visit link:
    http://www.securityfocus.com/news/119 [securityfocus.com]

    --------
    Maquina
    http://director.chessmasters.com/maquina [chessmasters.com]
  • What's the big deal? Why are they trying to keep the names secret anyway?

    Surely it would be better to give each user a name (which is public) and a password (which is private). Then if users don't want to receive messages from people they don't know, a simple option in the AIM client would do it.
  • Anyone who already has AOL is too damn stupid to figure out how to steal an account and everyone else wouldn't want an AOL account, even if it is free.
  • by D'Arque Bishop ( 84624 ) on Saturday December 02, 2000 @04:52PM (#586247) Homepage
    Well, true, AIM users who are NOT AOL subscribers are possibly vulnerable, but there were a couple of exceptions to this vulnerability, according to a SecurityFocus article [securityfocus.com]:

    Once an AOL account exists under an AIM screen name it cannot be hijacked again--although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.

    Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, minus the first two letters, are already taken are also immune: i.e., if Hn Doe has an AIM account, then John Doe's is safe.

    Makes me glad I already have an AOL account as a backup dialup...

  • Jabber [jabbercentral.com] is a Free instant messaging system with a Free server and several Free clients. No AOL needed; however, there are gateways to Yahoo!, MSN, AIM, and ICQ if you have an account on those services.

We cannot command nature except by obeying her. -- Sir Francis Bacon

Working...