From: Spiritsevp@aol.com
Subject: [illusions] Fwd: AOL 6.0 security questioned
Date: 9 Dec 2000 11:25:43 -0500
To: illusions@beyond-the-illusion.com, InTheShadows@egroups.com,
visited@smartgroups.com
-=> Illusions Mailing List
Return-Path:
Received: from rly-xd01.mx.aol.com (rly-xd01.mail.aol.com [172.20.105.166]) by air-xd05.mail.aol.com (v77.14) with ESMTP; Fri, 08 Dec 2000 20:45:03 -0500
Received: from coollink.net (coollink.net [169.132.8.9]) by rly-xd01.mx.aol.com (v77.27) with ESMTP; Fri, 08 Dec 2000 20:44:31 -0500
Received: from spiker.coollink.net (ip230.denver25.co.pub-ip.psi.net [38.31.7.230])
by coollink.net (8.9.3/8.9.3) with ESMTP id TAA02850;
Fri, 8 Dec 2000 19:16:21 -0500
Message-Id: <4.3.2.7.2.20001208171157.022733e0@pop3.coollink.net>
X-Sender: spiker@pop3.coollink.net
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 08 Dec 2000 17:18:16 -0700
To: (Recipient list suppressed)
From: spiker
Subject: AOL 6.0 security questioned
Source:
The Register
http://www.theregister.co.uk/
AOL 6.0 security questioned
http://www.theregister.co.uk/content/6/15306.html
By: Thomas C Greene in Washington
Posted: 07/12/2000 at 15:39 GMT
The annoyingly buggy AOL 6.0, carefully engineered to redeem its hopelessly
buggy 5.0 predecessor, brings up a few spyware-esque security issues,
according to WinMag.com columnist Fred Langa who actually went so far as to
install it (talk about journalistic sacrifice).

"About a year ago, I tried AOL 5.0 when it was new. But I ended up
reformatting my hard drive after the AOL software made myriad clumsy,
undesirable and irrevocable changes to my system," Langa reports in a
recent column.

AOL's latest newbie trap seems to offer better, if not actually good,
stability, but installs something like eleven superfluous networking
protocols, among them what Langa characterises as a "dangerous"
Virtual Private Networking (VPN) set-up.

"Dial-Up Adapter #2 also gets TCP/IP but in that case 'file and print
sharing' is enabled - a potentially huge security hole. Worse, AOL binds
IPX to that adapter, creating a potentially dangerous cross-link between
the normally internal LAN protocols and the normally external Internet
protocols," he says.

This is no understatement. Unless a user knows what he's doing - and AOL
clients rarely fall into that category - file and print sharing is the
easiest of all security holes for malicious third parties to exploit.
Indeed, there's little we can think of that could make one's box less
secure on the Net.

So what's up with that? Does AOL want access to users' files for some
diabolical purpose?

Langa doesn't think so. Grotesque technical incompetence, not malevolence,
strikes him as the chief operator here. "I was able to get AOL to run after
modifying the VPN components to improve their security," he reports.

"For example, I unbound IPX from the second Dial-Up Adapter; and likewise
disabled print and file sharing for that adapter. AOL6 ran without
complaint, which suggests that AOL's default VPN settings are probably
incorrect."

Unfortunately, 6.0 wouldn't run with the VPN set-up disabled, so we can
assume that AOL definitely wants it there, whether the user does or
not. The problem is that the company attracts precisely the sort of newbie
user who's unlikely to know that file and print sharing is a suicidal
option and to have less than a clue as to how to muck about successfully
with network settings.

AOL, we're disappointed to report, was unable or unwilling to return our
call by press time and explain the rationale behind this apparent security
faux pas. We'll be delighted to update the story if and when they do.