Return to CLS Bibliography Page
Date: Fri Jan 10, 1997 10:06 am CST
From: David J. Loundy
EMS: INTERNET / MCI ID: 376-5414
MBX: David@loundy.com
TO: * Nicholas Johnson / MCI ID: 103-5393
Subject: LACC: AOL: The Happy Hacker
>Date: Thu, 09 Jan 1997 01:32:39 -0800 (PST)
>From: David Cassel <destiny@crl.com>
>Subject: The AOL List: The Happy Hacker
>Sender: owner-aol-list@cloud9.net
>To: The AOL List <aol-list@cloud9.net>
>
> T h e H a p p y H a c k e r
>
>~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~
>
>In 1995 a hacker named Happy Hardcore wrote a program that granted
>unlimited free access to AOL. Yesterday AOL issued a press release
>applauding his conviction in a court in Virginia.
>(http://www.prnewswire.com/pdata/19970108-DCW022.html)
>
>According to press accounts, Nicholas Ryan -- who studies computer science
>at Yale university -- was found guilty of a felony offense under the
>Computer Fraud and Abuse Act: he illegally accessed AOL "and violated
>AOL's terms of service".
>
>But AOL's press release doesn't tell the whole story. The Washington Post
>reported that in fact, AOL dropped over 370,000 subscribers between March
>and June of 1996 "for credit card fraud, hacking, etc." [9/16/96] Up
>until September of 1995, AOL didn't even verify the authenticity of credit
>card information submitted for free-trial accounts. (And as of last year,
>they'd distributed over 100 million of them.) Monday AOL shut local phone
>access to the entire nation of Russia because it couldn't collect enough
>accurate information to cover their expenses.
>
>Ryan was targeted because he created a program used by other hackers--and
>because he publicly taunted AOL in the program's documentation. He
>included internal AOL e-mail (stolen by other hackers) discussing the
>company's plans to thwart his program. Ryan wasn't charged with creating
>the program, but for accessing the system illegally--a crime he shared
>with nearly half a million others.
>
>For six months of access, he faces a maximum of five years in prison and
>$250,000 in fines. Under AOL's new value plan, the stolen time would have
>a cash value of $60.
>
>AOL's public statements indicate they want to appear tough on hackers --
>especially now that they're seeking revenue from on-line transactions. A
>press release announcing the appointment of a vice president to AOL's
>optimistically-named "Integrity Assurance" division stressed her previous
>employment at the CIA--saying Tatiana Gau wants to "improve the world's
>most secure online environment". (The phrase "most secure" appeared
>three times.) Yesterday's announcement even asserted AOL had achieved "the
>first successful computer fraud prosecution involving an Internet online
>network." (One technology correspondent quipped, "Maybe it means that
>Kevin Mitnick is just a figment of Tsutomu Shimomoura's imagination.")
>AOL's announcement went so far as to claim that AOL is safer than the
>internet because AOL uses a private network.
>
>But safety still depends on how a network is administered. In 1995, a
>beta of AOL's telnet client put users directly behind their firewalls--and
>earlier that year, AOL's mail server was accessible via telnet, allowing
>forged mail from any AOL address. Hackers even took the stage during a
>1995 celebrity appearance on AOL--then taunted the scheduled guest and the
>event sponsors. (http://www.aolsucks.org/security/recondite.html). "I am
>sure Corporate Communications will be getting some questions about it,"
>read an internal e-mail titled "Hacker Attack In the Rotunda Last Night".
>Ironically, that message later ended up on the AOL Security Page--"What
>AOL Does Not Tell You." http://www.netvirtual.com/blank/aol)
>
>The next month AOL's CEO Steve Case wrote a letter to all users about
>hacker problems, arguing that "it happens everywhere", and adding that
>"when we discover hackers", AOL "aggressively take measures to head them
>off". But within days of that announcement, hackers were posting internal
>mail that they'd stolen to the internet. They continued undaunted, posting
>internal memos, and even Case's home address. In probably the most
>embarrassing development, in-house mail ABOUT the hackers was being
>circulated BY The hackers (ftp://ftp.crl.com/users/de/destiny/aol/hacker1)
>At the time, AOL spokeswoman Pam McGraw told me, "We've encountered these
>problems in the past, and we make changes to the service as appropriate--
>and as we can".
>
>The hackers had reverse-engineered AOL's "Rainman" software, which had
>been mistakenly stored in AOL file libraries accessible by their hundreds
>of remote staffers. The company fumbled for an explanation--Pam McGraw
>told the press AOL believed the heist was effected with the Visual Basic
>macro program AOHell. (Some later attributed her remarks to a deliberate
>disinformation campaign--especially when, to suppress the program's
>distribution, AOL later told Boardwatch magazine AOHell contained built-in
>child pornography. ftp://ftp.boardwatch.com/aohell.txt)
>
>But AOL's attempts to cover-up security breaches left their members even
>more vulnerable. "I went to a bunch of new member chat rooms, used AOHell
>to fish for passwords, and got 25 of them," one Usenet poster gloated.
>"Doesn't AOL tell its users to not do that?" There were worse abuses.
>When AOL realized hackers could "sniff" passwords during TCP/IP
>connections, staffers say they were warned--but not the customers. "I
>hope that AOL alerts the General Membership to this problem in a timely
>manner," one staffer complained, "and not, as in the previous situation,
>wait until they are forced to by negative news coverage." Sources had
>told the Wall Street Journal that the 1995 security breach included
>hackers distributing customer credit card numbers in AOL hacker chat
>rooms, and AOL had warned staffers about the breach--but didn't tell their
>users (until the story broke in nationwide news reports.)
>
>The staffers complained AOL's hush-hush policy was aimed more at
>protecting their image than protecting their customers. In a memo warning
>staffers not to speak to the press, Steve Case countered that "We need
>everyone's support...to protect AOL's interest". That even applied AOL's
>content providers. Shortly before hackers took the stage at his live
>event, the producer of AOL's MacWorld area asked AOL about earlier
>problems. He told me AOL had attributed them to "some security holes that
>AOL promised were closed."
>
>It was when hackers took the stage that he found they were not.
>
>Even AOL's latest statements are suspect. The press release claims that
>AOL "immediately upgraded its security measures to prevent AOL4FREE or any
>similar software from working". But Nicholas Ryan told a different story.
>"AOL found a way to detect users of AOL4Free," began the program's
>documentation. "However, with only a few lines of additional code
>AOL4Free is again undetectable!"
>
>Tatiana Gau's claims that AOL has a "zero tolerance" policy for hackers is
>patently implausible. Macromedia's software piracy suit fingered 67
>screen names in 1995. And over 70 came into play for the "Hacker Riot"
>that November--a coordinated attack on the New Member Lounges
>(http://www.getnet.com/~onion/work/planetmag/current/features/aolside.html)
>lasting several hours and affecting hundreds of users. This August AOL's
>Chief Financial Officer even pointed to the fake accounts as a possible
>culprit for the high figures on their subscriber churn rate. And just six
>weeks ago hackers doctored text at AOL keyword: legal.
>(http://www.news.com/News/Item/0,4,5712,00.html). Even yesterday,
>aolsucks.org received the comment, "AOL SUX!!!!! Thats why I make fake
>accounts with them!!!"
>
>Ironically, the documentation for AOL4Free ends with the classic hacker
>manifesto "The Conscience of a Hacker." The 1986 document ends, "I am a
>criminal. My crime is that of curiosity..."
>
>And most technology pundits agree. AOL's MacWorld area was mailbombed for
>a week and a half, with dozens of junk posts to its bulletin boards. "We
>hate that," their producer told me. "Does that mean the FBI needs to be
>brought in? Probably not." Chris Flores of Microsoft's Developer
>Division agreed. "If a Visual Basic program can automate hitting this key
>and hitting that key, the blame should be on AOL for allowing a certain
>keystroke to be hit... They should think of AOHell as a blessing. Since
>they know about it, they know that they have a fault in their system."
>MacWorld's producer added, "You've got to admire the hacker ethic in a
>certain way, because it's how things get done...how holes get patched."
>
>Indeed, as a result of the hacker presence, AOL began accompanying all
>e-mail and instant messages with a warning in red letters--that AOL staff
>will never ask you for your password. One Florida resident with a degree
>in criminology pointed out on Usenet that this alone wouldn't be
>sufficient--because password-fishers were incorporating the warnings into
>their scams! ("Enter your password to confirm that you understand the
>warning below." "Enter your password now to turn on pass-block, which
>offers protection beyond the simple password warning given below.")
>
>Now AOL's 3.0 software requires users to download small software changes
>before they can access the system. Unfortunately, there's no way to opt
>out--which creates a major security hole waiting to backfire.
>
>In any case, the hacker presence belies AOL's claims of the "highest level
>of security". In fact, Wired News reported that "Gau is confident, but
>she knows she has her work cut out for her. She's already spotted a link
>on the Web announcing her arrival. It was titled 'Hackers are laughing.'".
>
>
>It was my page.
>
>
>
>THE LAST LAUGH
>
>Within days of its creations, AOL threatened the AOL Security page with
>charges of copyright infringement.
>
>Unfortunately, the tactic inspired three other sites to mirror the
>documents--which are still there to this day.
>
>
> David Cassel
> More Information - http://www.wco.com/~destiny/time.htm
>
>
>~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~
> Please forward with subscription information and headers in-tact.
>
> To subscribe to this moderated list, send a message to MAJORDOMO@CLOUD9.NET
> containing the phrase SUBSCRIBE AOL-LIST in the message body. To unsubscribe
> send a message saying UNSUBSCRIBE AOL-LIST to MAJORDOMO@CLOUD9.NET
>~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~>
Return to CLS Bibliography Page