David Cassel (destiny@wco.com)
Sat, 29 Mar 1997 04:11:57 -0800 (PST)
H a p p y   H a r d c o r e   G o e s   H o m e
~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~

No jail time for Happy Hardcore.

Saying he wrote "a naughty program that allowed AOL access for free," Tatiana Gau, AOL's security chief, pointed to the hacker's conviction in an interview with the "AOL Insider" column February 10 as evidence that AOL had a "zero-tolerance policy" against "bad guys." "Happy Hardcore could be fined up to $250,000 and sent to jail for five years," Gau gloated.

Happy's fine was $50, according to C|Net's Paul Festa. ( http://www.news.com/News/Item/0,4,9221,00.html )

The Yale University student was sentenced to two years probation, six months of home confinement "and a fine", AOL announced in a press release. (http://biz.yahoo.com/bin/jump?/prnews/97/03/28/aol_x0001_1.html+aol+97+03) They noted the hacker would also pay $62,000 in restitution--less than the tuition for four years at Yale.

Gau's claim of a "zero-tolerance" policy also seems overstated. A January Reuters story ( http://micro1.mscc.huji.ac.il/~msweasel/pr2.html ) cited prosecutors' statements that the hacker's program had been used over 2,000 times a day. Friday AOL's Assistant General Counsel John Ryan conceded that this was the first time an online service had ever successfully convicted a hacker on federal felony charges.

"I have visions of all AOL4FREE hackers getting simultaneously whacked," an AOL UNIX programmer e-mailed a colleague in 1995. But instead, that message--which began "Heh heh heh"--was stolen by hackers, and delivered to Happy Hardcore so he could upgrade his program (according to the program's documentation). Later versions of the program would "let you log on as any account on the system," the hacker wrote--adding "Oops, I guess someone already did that..."

It seems Happy Hardcore wasn't AOL's biggest threat.

"Somewhere, somehow, someone came across an old tool that only guides were supposed to have," says a web page written by "Weasel". Now in his third year at UCLA, he remembers how hackers used the tool. "One could call up the sign on page, insert a name, but bypass the password field entirely. This allowed you to sign on to anyone's AOL account without verification!" (http://micro1.mscc.huji.ac.il/~msweasel/)

Dialogue boxes in the Guide tool revealed a startling discovery: each "page" on the AOL system was identified by a record and library number. "If you know the right number, you have access to that page, even if there is no way to get to it through the layman's viewer." ("It's part of AOL's Rainman system," a former customer service staffer confirmed. "Rainman depends on assigning a numeric ID to a different segment of the system.")

"With this method," Weasel writes, "they found their way into the insider AOL Resource Center, Guide chat rooms, insider files, back doors into chat arenas, Tech Live areas, and other strange and wonderful goodies."

The hackers had hit the jackpot, and they began cataloging numbers and the AOL areas they corresponded to. Soon, they had learned how to use the software's features. "Tools for moderating large chat arenas and back doors into them allowed users to break on-stage during major AOL events," the page observes. "One rowdy user named Puss managed to break into the Tech Live area and began shouting to all of the people in 20 or so technical support rooms that Macs rule, AOL and PCs bite, and Steve Case must die."

Power had slipped into hacker hands. "An ordinary AOL user with this information now had the power to find the passwords, personal information, and credit card information of millions of subscribers to AOL as well as the power to kick or terminate anyone on the system."
The page describes their antics--one hacker "played around with this new trick by sitting in the warez rooms and entertaining everyone as he was signed on as TOSadvisor, the highest ranking security official on AOL..."

Why did they do it? "Information should be free... This is one of the primary reasons that the internet was created," Weasel writes--"to broadcast and share information."

Happy Hardcore shared that philosophy. "All too often these days, hackers tend to be like packrats," he wrote in the documentation for AOL4Free. "Obsessed with status, they'll hoard every bit of information they find, useless or not, in an effort to impress their peers with how little they choose to reveal of how much they claim to know."

To the young computer science student, it seemed unfair. "They dispense their knowledge drop by drop, and enjoy forcing newcomers to beg and grovel in front of dozens in exchange for almost no effort on their part...I will make no secret of the techniques I used to create AOL4Free."

And then he divulged them all. "A huge percentage of the actual work done in presenting the AOL experience is done not by the 'host' computer, the ones in Vienna, Virginia, but by the client AOL application you're running on your home Mac/PC," his document continued. "There's nothing you can do about the host, but you can, with enough skill, make the client do whatever you want." In the case of AOL4Free, the software was told to stop the billing.

"Enjoy the party while it lasts!" Happy concluded--ending his document with the 1986 text "Conscience of a Hacker." ( http://www.joltcola.com/hackermanifesto.html ) One line gives a hacker rationale. "We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons...."

Calling his program "a patch", Happy included the manifesto in its entirety.
It also says their targets "cheat, and lie to us and try to make us believe it's for our own good," then notes the final irony: "yet we're the criminals." Then it reaches its conclusion. "My crime is that of outsmarting you, something that you will never forgive me for."

THE LAST LAUGH

Users logging onto AOL Friday saw an ad for an unusual product. It offered a CD-ROM of the Bible which allows you to "Connect to AOL's Religion & Beliefs Club for daily verses, discussions and web sites!" If you're not satisfied with your Bible, "you can return it within 30 days for a Full Refund."

David Cassel

More Information -
http://www.wco.com/~destiny/time.htm
http://micro1.mscc.huji.ac.il/~msweasel

~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~
Please forward with subscription information and headers intact.

To subscribe to this moderated list, send a message to MAJORDOMO@CLOUD9.NET containing the phrase SUBSCRIBE AOL-LIST in the message body. To unsubscribe send a message saying UNSUBSCRIBE AOL-LIST to MAJORDOMO@CLOUD9.NET
~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~