David Cassel (destiny@crl.com)
Thu, 9 Jan 1997 01:32:39 -0800 (PST)
T h e H a p p y H a c k e r
~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~
In 1995 a hacker named Happy Hardcore wrote a program that granted
unlimited free access to AOL. Yesterday AOL issued a press release
applauding his conviction in a court in Virginia.
(http://www.prnewswire.com/pdata/19970108-DCW022.html)
According to press accounts, Nicholas Ryan -- who studies computer science
at Yale university -- was found guilty of a felony offense under the
Computer Fraud and Abuse Act: he illegally accessed AOL "and violated
AOL's terms of service".
But AOL's press release doesn't tell the whole story. The Washington Post
reported that in fact, AOL dropped over 370,000 subscribers between March
and June of 1996 "for credit card fraud, hacking, etc." [9/16/96] Up
until September of 1995, AOL didn't even verify the authenticity of credit
card information submitted for free-trial accounts. (And as of last year,
they'd distributed over 100 million of them.) Monday AOL shut local phone
access to the entire nation of Russia because it couldn't collect enough
accurate information to cover their expenses.
Ryan was targeted because he created a program used by other hackers--and
because he publicly taunted AOL in the program's documentation. He
included internal AOL e-mail (stolen by other hackers) discussing the
company's plans to thwart his program. Ryan wasn't charged with creating
the program, but for accessing the system illegally--a crime he shared
with nearly half a million others.
For six months of access, he faces a maximum of five years in prison and
$250,000 in fines. Under AOL's new value plan, the stolen time would have
a cash value of $60.
AOL's public statements indicate they want to appear tough on hackers --
especially now that they're seeking revenue from on-line transactions. A
press release announcing the appointment of a vice president to AOL's
optimistically-named "Integrity Assurance" division stressed her previous
employment at the CIA--saying Tatiana Gau wants to "improve the world's
most secure online environment". (The phrase "most secure" appeared
three times.) Yesterday's announcement even asserted AOL had achieved "the
first successful computer fraud prosecution involving an Internet online
network." (One technology correspondent quipped, "Maybe it means that
Kevin Mitnick is just a figment of Tsutomu Shimomoura's imagination.")
AOL's announcement went so far as to claim that AOL is safer than the
internet because AOL uses a private network.
But safety still depends on how a network is administered. In 1995, a
beta of AOL's telnet client put users directly behind their firewalls--and
earlier that year, AOL's mail server was accessible via telnet, allowing
forged mail from any AOL address. Hackers even took the stage during a
1995 celebrity appearance on AOL--then taunted the scheduled guest and the
event sponsors. (http://www.aolsucks.org/security/recondite.html). "I am
sure Corporate Communications will be getting some questions about it,"
read an internal e-mail titled "Hacker Attack In the Rotunda Last Night".
Ironically, that message later ended up on the AOL Security Page--"What
AOL Does Not Tell You." http://www.netvirtual.com/blank/aol)
The next month AOL's CEO Steve Case wrote a letter to all users about
hacker problems, arguing that "it happens everywhere", and adding that
"when we discover hackers", AOL "aggressively take measures to head them
off". But within days of that announcement, hackers were posting internal
mail that they'd stolen to the internet. They continued undaunted, posting
internal memos, and even Case's home address. In probably the most
embarrassing development, in-house mail ABOUT the hackers was being
circulated BY The hackers (ftp://ftp.crl.com/users/de/destiny/aol/hacker1)
At the time, AOL spokeswoman Pam McGraw told me, "We've encountered these
problems in the past, and we make changes to the service as appropriate--
and as we can".
The hackers had reverse-engineered AOL's "Rainman" software, which had
been mistakenly stored in AOL file libraries accessible by their hundreds
of remote staffers. The company fumbled for an explanation--Pam McGraw
told the press AOL believed the heist was effected with the Visual Basic
macro program AOHell. (Some later attributed her remarks to a deliberate
disinformation campaign--especially when, to suppress the program's
distribution, AOL later told Boardwatch magazine AOHell contained built-in
child pornography. ftp://ftp.boardwatch.com/aohell.txt)
But AOL's attempts to cover-up security breaches left their members even
more vulnerable. "I went to a bunch of new member chat rooms, used AOHell
to fish for passwords, and got 25 of them," one Usenet poster gloated.
"Doesn't AOL tell its users to not do that?" There were worse abuses.
When AOL realized hackers could "sniff" passwords during TCP/IP
connections, staffers say they were warned--but not the customers. "I
hope that AOL alerts the General Membership to this problem in a timely
manner," one staffer complained, "and not, as in the previous situation,
wait until they are forced to by negative news coverage." Sources had
told the Wall Street Journal that the 1995 security breach included
hackers distributing customer credit card numbers in AOL hacker chat
rooms, and AOL had warned staffers about the breach--but didn't tell their
users (until the story broke in nationwide news reports.)
The staffers complained AOL's hush-hush policy was aimed more at
protecting their image than protecting their customers. In a memo warning
staffers not to speak to the press, Steve Case countered that "We need
everyone's support...to protect AOL's interest". That even applied AOL's
content providers. Shortly before hackers took the stage at his live
event, the producer of AOL's MacWorld area asked AOL about earlier
problems. He told me AOL had attributed them to "some security holes that
AOL promised were closed."
It was when hackers took the stage that he found they were not.
Even AOL's latest statements are suspect. The press release claims that
AOL "immediately upgraded its security measures to prevent AOL4FREE or any
similar software from working". But Nicholas Ryan told a different story.
"AOL found a way to detect users of AOL4Free," began the program's
documentation. "However, with only a few lines of additional code
AOL4Free is again undetectable!"
Tatiana Gau's claims that AOL has a "zero tolerance" policy for hackers is
patently implausible. Macromedia's software piracy suit fingered 67
screen names in 1995. And over 70 came into play for the "Hacker Riot"
that November--a coordinated attack on the New Member Lounges
(http://www.getnet.com/~onion/work/planetmag/current/features/aolside.html)
lasting several hours and affecting hundreds of users. This August AOL's
Chief Financial Officer even pointed to the fake accounts as a possible
culprit for the high figures on their subscriber churn rate. And just six
weeks ago hackers doctored text at AOL keyword: legal.
(http://www.news.com/News/Item/0,4,5712,00.html). Even yesterday,
aolsucks.org received the comment, "AOL SUX!!!!! Thats why I make fake
accounts with them!!!"
Ironically, the documentation for AOL4Free ends with the classic hacker
manifesto "The Conscience of a Hacker." The 1986 document ends, "I am a
criminal. My crime is that of curiosity..."
And most technology pundits agree. AOL's MacWorld area was mailbombed for
a week and a half, with dozens of junk posts to its bulletin boards. "We
hate that," their producer told me. "Does that mean the FBI needs to be
brought in? Probably not." Chris Flores of Microsoft's Developer
Division agreed. "If a Visual Basic program can automate hitting this key
and hitting that key, the blame should be on AOL for allowing a certain
keystroke to be hit... They should think of AOHell as a blessing. Since
they know about it, they know that they have a fault in their system."
MacWorld's producer added, "You've got to admire the hacker ethic in a
certain way, because it's how things get done...how holes get patched."
Indeed, as a result of the hacker presence, AOL began accompanying all
e-mail and instant messages with a warning in red letters--that AOL staff
will never ask you for your password. One Florida resident with a degree
in criminology pointed out on Usenet that this alone wouldn't be
sufficient--because password-fishers were incorporating the warnings into
their scams! ("Enter your password to confirm that you understand the
warning below." "Enter your password now to turn on pass-block, which
offers protection beyond the simple password warning given below.")
Now AOL's 3.0 software requires users to download small software changes
before they can access the system. Unfortunately, there's no way to opt
out--which creates a major security hole waiting to backfire.
In any case, the hacker presence belies AOL's claims of the "highest level
of security". In fact, Wired News reported that "Gau is confident, but
she knows she has her work cut out for her. She's already spotted a link
on the Web announcing her arrival. It was titled 'Hackers are laughing.'".
It was my page.
THE LAST LAUGH
Within days of its creations, AOL threatened the AOL Security page with
charges of copyright infringement.
Unfortunately, the tactic inspired three other sites to mirror the
documents--which are still there to this day.
David Cassel
More Information - http://www.wco.com/~destiny/time.htm
~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~
Please forward with subscription information and headers in-tact.
To subscribe to this moderated list, send a message to MAJORDOMO@CLOUD9.NET
containing the phrase SUBSCRIBE AOL-LIST in the message body. To unsubscribe
send a message saying UNSUBSCRIBE AOL-LIST to MAJORDOMO@CLOUD9.NET
~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~