David Cassel (destiny@crl.com)
Thu, 9 Jan 1997 01:32:39 -0800 (PST)
The Happy Hacker

~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~

In 1995 a hacker named Happy Hardcore wrote a program that granted unlimited free access to AOL. Yesterday AOL issued a press release applauding his conviction in a court in Virginia. (http://www.prnewswire.com/pdata/19970108-DCW022.html)

According to press accounts, Nicholas Ryan -- who studies computer science at Yale University -- was found guilty of a felony offense under the Computer Fraud and Abuse Act: he illegally accessed AOL "and violated AOL's terms of service".

But AOL's press release doesn't tell the whole story. The Washington Post reported that in fact, AOL dropped over 370,000 subscribers between March and June of 1996 "for credit card fraud, hacking, etc." [9/16/96] Up until September of 1995, AOL didn't even verify the authenticity of credit card information submitted for free-trial accounts. (And as of last year, they'd distributed over 100 million of them.) Monday AOL shut local phone access to the entire nation of Russia because it couldn't collect enough accurate information to cover their expenses.

Ryan was targeted because he created a program used by other hackers--and because he publicly taunted AOL in the program's documentation. He included internal AOL e-mail (stolen by other hackers) discussing the company's plans to thwart his program. Ryan wasn't charged with creating the program, but for accessing the system illegally--a crime he shared with nearly half a million others. For six months of access, he faces a maximum of five years in prison and $250,000 in fines. Under AOL's new value plan, the stolen time would have a cash value of $60.

AOL's public statements indicate they want to appear tough on hackers -- especially now that they're seeking revenue from on-line transactions.
A press release announcing the appointment of a vice president to AOL's optimistically-named "Integrity Assurance" division stressed her previous employment at the CIA--saying Tatiana Gau wants to "improve the world's most secure online environment". (The phrase "most secure" appeared three times.) Yesterday's announcement even asserted AOL had achieved "the first successful computer fraud prosecution involving an Internet online network." (One technology correspondent quipped, "Maybe it means that Kevin Mitnick is just a figment of Tsutomu Shimomura's imagination.")

AOL's announcement went so far as to claim that AOL is safer than the internet because AOL uses a private network. But safety still depends on how a network is administered. In 1995, a beta of AOL's telnet client put users directly behind their firewalls--and earlier that year, AOL's mail server was accessible via telnet, allowing forged mail from any AOL address.

Hackers even took the stage during a 1995 celebrity appearance on AOL--then taunted the scheduled guest and the event sponsors. (http://www.aolsucks.org/security/recondite.html). "I am sure Corporate Communications will be getting some questions about it," read an internal e-mail titled "Hacker Attack In the Rotunda Last Night". Ironically, that message later ended up on the AOL Security Page--"What AOL Does Not Tell You." (http://www.netvirtual.com/blank/aol)

The next month AOL's CEO Steve Case wrote a letter to all users about hacker problems, arguing that "it happens everywhere", and adding that "when we discover hackers", AOL "aggressively take measures to head them off". But within days of that announcement, hackers were posting internal mail that they'd stolen to the internet. They continued undaunted, posting internal memos, and even Case's home address.
In probably the most embarrassing development, in-house mail ABOUT the hackers was being circulated BY the hackers (ftp://ftp.crl.com/users/de/destiny/aol/hacker1)

At the time, AOL spokeswoman Pam McGraw told me, "We've encountered these problems in the past, and we make changes to the service as appropriate-- and as we can". The hackers had reverse-engineered AOL's "Rainman" software, which had been mistakenly stored in AOL file libraries accessible by their hundreds of remote staffers. The company fumbled for an explanation--Pam McGraw told the press AOL believed the heist was effected with the Visual Basic macro program AOHell. (Some later attributed her remarks to a deliberate disinformation campaign--especially when, to suppress the program's distribution, AOL later told Boardwatch magazine AOHell contained built-in child pornography. ftp://ftp.boardwatch.com/aohell.txt)

But AOL's attempts to cover up security breaches left their members even more vulnerable. "I went to a bunch of new member chat rooms, used AOHell to fish for passwords, and got 25 of them," one Usenet poster gloated. "Doesn't AOL tell its users to not do that?"

There were worse abuses. When AOL realized hackers could "sniff" passwords during TCP/IP connections, staffers say they were warned--but not the customers. "I hope that AOL alerts the General Membership to this problem in a timely manner," one staffer complained, "and not, as in the previous situation, wait until they are forced to by negative news coverage."

Sources had told the Wall Street Journal that the 1995 security breach included hackers distributing customer credit card numbers in AOL hacker chat rooms, and AOL had warned staffers about the breach--but didn't tell their users (until the story broke in nationwide news reports.) The staffers complained AOL's hush-hush policy was aimed more at protecting their image than protecting their customers.
In a memo warning staffers not to speak to the press, Steve Case countered that "We need everyone's support...to protect AOL's interest".

That even applied to AOL's content providers. Shortly before hackers took the stage at his live event, the producer of AOL's MacWorld area asked AOL about earlier problems. He told me AOL had attributed them to "some security holes that AOL promised were closed." It was when hackers took the stage that he found they were not.

Even AOL's latest statements are suspect. The press release claims that AOL "immediately upgraded its security measures to prevent AOL4FREE or any similar software from working". But Nicholas Ryan told a different story. "AOL found a way to detect users of AOL4Free," began the program's documentation. "However, with only a few lines of additional code AOL4Free is again undetectable!"

Tatiana Gau's claim that AOL has a "zero tolerance" policy for hackers is patently implausible. Macromedia's software piracy suit fingered 67 screen names in 1995. And over 70 came into play for the "Hacker Riot" that November--a coordinated attack on the New Member Lounges (http://www.getnet.com/~onion/work/planetmag/current/features/aolside.html) lasting several hours and affecting hundreds of users. This August AOL's Chief Financial Officer even pointed to the fake accounts as a possible culprit for the high figures on their subscriber churn rate. And just six weeks ago hackers doctored text at AOL keyword: legal. (http://www.news.com/News/Item/0,4,5712,00.html). Even yesterday, aolsucks.org received the comment, "AOL SUX!!!!! Thats why I make fake accounts with them!!!"

Ironically, the documentation for AOL4Free ends with the classic hacker manifesto "The Conscience of a Hacker." The 1986 document ends, "I am a criminal. My crime is that of curiosity..."

And most technology pundits agree. AOL's MacWorld area was mailbombed for a week and a half, with dozens of junk posts to its bulletin boards. "We hate that," their producer told me. "Does that mean the FBI needs to be brought in? Probably not." Chris Flores of Microsoft's Developer Division agreed. "If a Visual Basic program can automate hitting this key and hitting that key, the blame should be on AOL for allowing a certain keystroke to be hit... They should think of AOHell as a blessing. Since they know about it, they know that they have a fault in their system." MacWorld's producer added, "You've got to admire the hacker ethic in a certain way, because it's how things get done...how holes get patched."

Indeed, as a result of the hacker presence, AOL began accompanying all e-mail and instant messages with a warning in red letters--that AOL staff will never ask you for your password. One Florida resident with a degree in criminology pointed out on Usenet that this alone wouldn't be sufficient--because password-fishers were incorporating the warnings into their scams! ("Enter your password to confirm that you understand the warning below." "Enter your password now to turn on pass-block, which offers protection beyond the simple password warning given below.")

Now AOL's 3.0 software requires users to download small software changes before they can access the system. Unfortunately, there's no way to opt out--which creates a major security hole waiting to backfire.

In any case, the hacker presence belies AOL's claims of the "highest level of security". In fact, Wired News reported that "Gau is confident, but she knows she has her work cut out for her. She's already spotted a link on the Web announcing her arrival. It was titled 'Hackers are laughing.'".

It was my page.

THE LAST LAUGH

Within days of its creation, AOL threatened the AOL Security page with charges of copyright infringement. Unfortunately, the tactic inspired three other sites to mirror the documents--which are still there to this day.
David Cassel
More Information - http://www.wco.com/~destiny/time.htm

~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~

Please forward with subscription information and headers intact. To subscribe to this moderated list, send a message to MAJORDOMO@CLOUD9.NET containing the phrase SUBSCRIBE AOL-LIST in the message body. To unsubscribe send a message saying UNSUBSCRIBE AOL-LIST to MAJORDOMO@CLOUD9.NET

~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~