The AOL List: Back Doors

David Cassel (
Sun, 29 Jun 1997 19:12:40 -0700 (PDT)

			    B a c k   D o o r s


"Have you ever noticed how dull this file library was?" 

That message appeared in the Fantasy Library of AOL's "Fictional Realm" 
area.  "Today's fantasy is titled 'AOL is a secure world'," it continued. 
Every file in the library had been replaced with a screen-shot of a hacked
AOL content area.

The 13 images included a screen-shot of AOL's in-house customer records
tool, Online Cris, displaying the home phone number, address, and five
screen names for a staffer in AOL's "Virtual Leaders Academy."  
( )  After "Staff FTP Places"
and "How we hacked it", the final file offered an in-house tool for
modifying AOL content called Master AOL 2.5 -- "a tool meant for the
programmers, and Rainman script writers to edit/debug/etc. the areas they
make on AOL," a hacker page boasted in February.
( )

Four days after the June 23 attack, the National Computer Security
Association warned AOL users of the "significant prevalence" of programs
which surreptitiously steal AOL users' passwords when downloaded and
executed -- citing "hacker activity directed primarily at AOL users."  
( )  AOL's "Vice President of
Integrity Assurance" added to the press release that AOL was taking
appropriate measures to keep their members informed. 

But were they?  A January memo titled "Trojan Horse Update" advised
customer service staffers that "From a Corporate Communications
perspective, the access issue is predominant...  That message must be
focused, and material about virus safety will likely draw negative media
attention...  For now, the best PR approach seems to be low key." 
( , ) 

By March, it was affecting users.  One subscriber described her experience
to the AOL List after her 12-year-old son's password was stolen by a
Trojan Horse. 

March 31 	- 	Spoke to on-line support staff.

"He told me that a 'specially trained' technician would have to call to
help me find and remove program.  Earliest call would be two days later."

April 2 	- 	No phone call.  Returned to on-line support staff.

"We set all of Thursday morning as a window for a phone call (which, of
course, never came)."

April 2 	- 	On-line support staff advises her to phone AOL 
			and change password by phone.  

"After two calls and a 20 minute wait, I got through to an AOL employee
who said passwords can't be changed off-line."

"She said to please e-mail her the next day if not called..."

   April 4 	- 	Mail sent
   April 5 	- 	Nothing
   April 6 	- 	Nothing
   April 7 	- 	Nothing
   April 8 	- 	Nothing
   April 9 	- 	Mail is read.

"I ended up talking to a friend of an on-line friend...  He found the
problem and helped me remove it in a matter of minutes." 

April 10 [Ten days later]

"I get a call from AOL on my answering machine saying 'in the course of
regular maintenance, unrelated to your account, we have discovered that
your password may have been compromised.'"

The subscriber contacted the AOL List after reading a quote the AOL List
had gotten from Tatiana Gau the week before -- "We keep our ear to the
ground and monitor closely and respond very quickly when we are alerted to
a situation."  The affected subscriber wrote that the quote "about sent me
into hysterics..." 

The Vice President of Integrity Assurance had been responding to a
security hole in which hackers accessed AOL subscriber credit card numbers
once their passwords were obtained.  Gau previously claimed this was not
possible -- but was proven wrong. 

AOL's latest warnings came a full two weeks after similar warnings were
issued to content providers.  A June 13 in-house memo blamed a rash of
nine earlier hacker incidents on AOL content providers falling for the
Trojan Horse programs. ( )  Yet
Friday ( ) 
Gau told Wired News that there was no evidence hackers used
passwords to break into accounts.  In fact, the Newsbytes News Network
( )
reported that Trojan Horse programs were being used on AOL overhead
accounts as far back as November. 

Even the NCSA's co-founder, David Stang is skeptical.  Now President of
Seven Lock software, he told PC World radio that security precautions AOL
touted against the programs would be meaningless.  "[D]espite the vendor's
claims, probably fewer than 1% of the world's Trojan's, maybe a thousandth
of 1%, would be caught by an anti-virus product..."  He warns that Trojan
Horse programs might actually be distributed through AOL's own file
libraries.  "Good for them for scanning. Not good enough.  Yes there are
likely Trojans there, and yes, this is likely to become a craze among
youngsters..."  His conclusion? "It could be the downfall of AOL."

Two days later, hackers had hit another AOL content area.  Steve Case's
September community update said back-to-school activities would find
families "exploring our academic assistance areas."  Sunday they'd find a
pointer to the "Kick ass Lithium Node Website"  ( 
-- still displaying a photograph of Tatiana Gau, along with her phone
number and screen name.

The menu offered a link to an AOL area apparently created by the hackers
with links to in-house AOL content, plus a message leaving greetings for
49 other hackers.  "Mute & Bmbr provide some schooling of their own" read
the area's caption ( ).  It also
offered a boast that "Just because they have the money and hardware,
doesn't mean we should follow their rules."

AOL's rules have always been controversial.  Two days earlier -- as
password-fishers worked AOL's chat rooms -- AOL issued a letter to members
praising the Supreme Court's recent declaration that the Communications
Decency Act was unconstitutional.  But when the legislation was originally
passed, the Electronic Freedom Foundation's Mike Godwin read an excerpt
from a James Joyce novel at a rally in San Francisco -- then told the
crowd, "That's the sound of indecency for you. And it's a measure of the
climate of fear created by Congress that America Online might have banned
that very language from my user profile if I'd included it there."  
( ) 

Godwin reminded the crowd of a recent incident, when "a couple of weeks
ago AOL felt impelled to delete all user profiles that include the word
'breast' -- much to the dismay of countless breast cancer survivors." 
Godwin concluded that Congress's "crazy actions have created a world in
which the word 'breast' is something to fear."  On the same spot, 16
months later, Godwin cheered the act's overturning -- and issued a
warning.  "Every time someone says they don't believe in freedom of
speech, a little justice and progress dies somewhere." 

In fact, when AOL signed on as a co-plaintiff to the lawsuit, The American
Library Association Journal published a letter from a member "appalled,"
who wrote that "I have been told by AOL workers that AOL cancels hundreds
of customer's accounts each week for transmitting print or nonprint
transmission through them that they subjectively deem to be 'indecent'... 
Until AOL stops censoring information, I do not think that the American
Library Association should have any relationship with AOL and its
censorious ilk, much less accept them as 'friends' and associates..." 
( ) 

Even posters on an AOL board about Barry Manilow are upset about AOL's
censorship threats.  One regular told the AOL List they were warned
Wednesday "If things get so out of hand this board has to be taken down a
second time it will *not* be coming back anytime soon."  Hackers have
already indicated in the past that one reason AOL is targeted 
( ) is the restrictions AOL
places on speech.  And many see AOL's stance as hypocritical. Steve Case's
letter concedes that 75% of AOL households with young children don't use
the Parental Controls -- yet Case, overlooking AOL's risque content, wrote
that "There is a lot of material on the Internet that we, too, believe
kids shouldn't have access to."  Recently AOL President Ted Leonsis
quipped that, in fact, he knew the content of 99% of the Instant Messages.
"Hi, male or female?"

And that perception is wide-spread.  When chiding AOL's advertising-based
model, HotWired's Ned Brainard opined that while advertisers can reach CNN
viewers in a single location, "AOL's 'viewers' are fractured into
thousands of tiny groups of 10 or fewer, with most of them propositioning
each other." ( ) 
AOL may hope to earn $2.00 an hour off that population.  When users enter
AOL's on-line backgammon, their icons appear fully clothed.  But when the
game begins, the icons appear in their undershirts.  (With chat windows
below them...) 

Ignoring protests over gaming fees, Case called new pricing plans "a
balanced approach" -- but publicity over security problems have already
frightened potential game users.  "I'm wondering if I have an 'in the
wild' virus here," one subscriber posted to an AOL virus board. "Every
time I sign on here lately this annoying screen pops up...  Is this a
password sniffer or what?"  The subject line announced they'd caught the
"Worldplay Games" Trojan. 

In fact, the yellow splash screen appearing again and again was created by
AOL, to point users to their pay-to-play games area.  But even more
troubling are the mandatory downloads of an upgrade to AOL's web browser.
"You have no option to accept, decline, or abort the whopping 24 minute
download," one user complained.  "It takes 50 minutes to download with a
14.4 modem," wrote another.  The download reportedly targets all users of
AOL's Windows 95 software -- and subjects them to a procedure long
considered a security risk: remote modification of files on the user's own

Case's Community update failed to warn users about the downloads -- or
acknowledge ongoing mail problems ( )
which, as of Friday, had lingered for over two weeks.  
(,4,12012,00.html )  "Is the Postmaster a
volunteer job or something," one user complained in AOL's "Postmaster"
area.  "[S]urely they don't pay them to just ignore us..." 

Case's optimism is drawing skepticism.  One industry observer wrote, "I
can hear the AOL subscribers muttering under their breath...  'Progress? 
Christ, what about all those damn busy signals?' " 
( )  AOL's callousness over
customer relations even drew negative attention from the Boston Globe
Friday ( ),
which used the word "fiasco" to describe the pricing controversy and
comparing it to ongoing problems with AOL's congested network.  But the
busy signals were deliberate, according to AOL's Senior Vice President of
Marketing.  "I think it would have been a wholly incorrect strategy at
that point to prudently try to grow the company slowly," Jan Brandt told 
Direct magazine.  "Unfortunately, we sacrificed some customer goodwill at
the time. But there's no question we needed to participate in that land
grab.  I mean, look at who's breathing down our necks."

The forced optimism may not be enough.  The value of AOL's stock has
dropped in each of the last seven sessions -- losing over 10% of its
value.  AOL's Stockwatch area mysteriously deleted the listings for June
20 and June 24 -- two days when the stock price fell -- in, ironically,
AOL's "Full Disclosure" area.  And the historical quotes that are provided
don't match those presented by AOL in their on-line stock portfolios.  AOL
may be encountering the same glitches reported over three months ago ( ) -- when one software company's
stock lost more than half its value after AOL incorrectly reported its
price.  Even the stock advice provided by AOL content providers are
suspect. "Investors who replicated the much-ballyhooed 'Fool Portfolio' a
year ago, when its popularity was at its peak, have seen their holdings
decline 27% because of some less-than-propitious stock picks," Business
Week noted ( )

When accurate, web-based stock quotes are obtained,
(  one thing becomes
clear:  AOL is underperforming the NASDAQ composite. 


"America Online Wins PC World's World Class Award for Best Online Service; 
Second Consecutive Year," read the AOL press release.  
( ) "The editors,
readers, and an expert panel of PC World magazine have spoken..." 

"America Online earned our judges' ire--and the Loser of the Year
Award -- by delivering nothing but busy signals to it's 8 million
members last winter," the magazine writes 
( ) 
"Talk about a love/hate relationship," they concede.  After citing AOL's
interface and content, they wrote "Now if only you could log on." 
( )

     David Cassel
     More Information -


  Please forward with subscription information and headers.   To subscribe
  to this list, type your correct e-mail address in the form at the bottom
  of the page at -- or send e-mail to MAJORDOMO@CLOUD9.NET
  containing the phrase SUBSCRIBE AOL-LIST in the the message body.  

  To unsubscribe from the list, send a message to MAJORDOMO@CLOUD9.NET
  containing the phrase UNSUBSCRIBE AOL-LIST.