AOL fixing Microsoft default settings
Without notice AOL has been modifying the operating system settings of users with AOL software installed on Windows computers. Although complaints about Windows' Messenger pop-up spam continue to grow, few users bother to turn off the Windows' Messenger service. Starting two weeks ago AOL used the self-updating mechanism in AOL's software to turn off the Windows' Messenger service. AOL has turned it off on 15 million users' computers so far.

http://www.securityfocus.com/news/7278

How many other ISPs intend to follow AOL's practice and use their connection support software to fix the defaults on their customers' Windows computers?
On Fri, Oct 24, 2003 at 12:13:59AM -0400, Sean Donelan wrote:
http://www.securityfocus.com/news/7278
How many other ISPs intend to follow AOL's practice and use their connection support software to fix the defaults on their customer's Windows computers?
Sounds good to me. The potential for these users to be less-than-educated enough about the existence of this "feature" means that the potential for this to increase the overall network security is a good thing.

Hopefully they will enable automatic checking and downloading of critical software updates as well.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
How many other ISPs intend to follow AOL's practice and use their connection support software to fix the defaults on their customer's Windows computers?
Sounds good to me. The potential for these users to be less-than-educated enough about the existence of this "feature" means that the potential for this to increase the overall network security is a good thing.
Hopefully they will enable automatic checking and downloading of critical software updates as well.
The "without notice" part is perhaps somewhat unsettling. I can appreciate that attempting to explain this type of change to the AOL user base would be challenging, but I'd submit that third-party software making OS changes like this without the user's knowledge could be "thin ice" territory. Where is the line drawn once this path is chosen?

-Terry
On Fri, 24 Oct 2003, Terry Baranski wrote:

:The "without notice" part is perhaps somewhat unsettling. I can
:appreciate that attempting to explain this type of change to the AOL
:user base would be challenging, but I'd submit that third-party software
:making OS changes like this without the user's knowledge could be "thin
:ice" territory. Where is the line drawn once this path is chosen?

Seems this would be suitable for inclusion in the license agreement to which most check "I agree" without reading. If it hasn't been, it could certainly fall into the "thin ice" category, given the multitude of legal eaglets willing to push for class-actions. In any event, this begs a policy discussion more than an operational one.
On Fri, 2003-10-24 at 00:22, Jared Mauch wrote:
On Fri, Oct 24, 2003 at 12:13:59AM -0400, Sean Donelan wrote:
http://www.securityfocus.com/news/7278
How many other ISPs intend to follow AOL's practice and use their connection support software to fix the defaults on their customer's Windows computers?
Sounds good to me. The potential for these users to be less-than-educated enough about the existence of this "feature" means that the potential for this to increase the overall network security is a good thing.
Does anyone know anything about what security has been put in place for this? These quotes troubled me:

"So two weeks ago, AOL began turning the feature off on customers' behalf, using a self-updating mechanism in AOL's software."
<snip>
"Users are not notified of the change..."

Is this "mechanism" an SSL connection? HTTP in the clear? AIM? Is it exploitable?

I think the intention is admirable, but it has the potential to be a real nightmare if implemented incorrectly. The fact that it can all happen without the knowledge of the end user means even savvy users could get whacked if the underlying structure is insecure.

C
----- Original Message -----
From: "Chris Brenton" <cbrenton@chrisbrenton.org>
To: <nanog@merit.edu>
Sent: Friday, October 24, 2003 8:31 AM
Subject: Re: AOL fixing Microsoft default settings
Is this "mechanism" an SSL connection? HTTP in the clear? AIM? Is it exploitable?
I think the intention is admirable, but it has the potential to be a real nightmare if implemented incorrectly. The fact that it can all happen without the knowledge of the end user means even savvy users could get whacked if the underlying structure is insecure.
AOL has a new function as of 8.0 IIRC that allows them to do repairs and make changes to a user's computer using the AOL Computer Checkup (I forget if that's what it's actually called, or something like that). Users can use it to fix DUN errors, IE errors, GPF errors, etc. It appears to be an ActiveX control in IE and is probably being used to do this change to the messenger service. I haven't had time to sit there with a packet sniffer to see what it does or how it works exactly.

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
I fully approve, so long as there's a documented, opt-me-out process for those that may need that sort of thing....but I think the majority is pretty well served by this sort of thing. Unlike say changes proposed by some companies. I just don't know how far to draw the line, and it needs to be written somewhere what an update is/will do as well.
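Chris Brenton's question about what secures the update channel and Michael Loftis's point that what an update is and will do needs to be written down somewhere both come down to the same client-side controls. The following is an added example, not AOL's code and not anything the thread describes: a small Python routine for a client-side update agent that accepts a settings change only if it arrived over TLS, carries a valid signature, and performs only actions from a documented allowlist, and that writes an audit record so the change is not silent. The manifest format, the action names, the service named in the allowlist, and the use of an HMAC (standing in for the vendor's public-key signature a real deployment would use, so that the example runs with the standard library alone) are all assumptions made for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed verification key (assumption for this example). A real agent
# would hold a public key and verify an asymmetric signature; HMAC is used
# here only so the example runs with the standard library.
VERIFY_KEY = b"example-key-not-a-real-secret"

# The documented allowlist of what an update may do (assumption): the only
# action this agent will honour is setting one named service's startup mode.
ALLOWED_ACTIONS = {
    ("set_service_startup", "Messenger", "disabled"),
}

@dataclass
class UpdateDecision:
    applied: bool
    reason: str
    audit: list = field(default_factory=list)   # human-readable record of changes

def canonical_bytes(manifest: dict) -> bytes:
    """Serialise the unsigned part of the manifest deterministically."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def signature_ok(manifest: dict) -> bool:
    expected = hmac.new(VERIFY_KEY, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("signature", ""))

def evaluate_update(manifest: dict, apply_action) -> UpdateDecision:
    """Decide whether a fetched manifest may be applied. apply_action is the
    callback that would actually change the system; it is injected so the
    decision logic can be exercised without touching a real machine."""
    audit = []
    origin = urlparse(manifest.get("origin", ""))
    # 1. Reject anything that did not come over TLS ("HTTP in the clear").
    if origin.scheme != "https":
        return UpdateDecision(False, "rejected: non-TLS origin", audit)
    # 2. Reject anything whose signature does not verify (tampering in transit).
    if not signature_ok(manifest):
        return UpdateDecision(False, "rejected: bad signature", audit)
    # 3. Every action must be on the allowlist; one bad action rejects the
    #    whole manifest rather than partially applying it.
    actions = manifest.get("actions", [])
    for a in actions:
        key = (a.get("type"), a.get("service"), a.get("startup"))
        if key not in ALLOWED_ACTIONS:
            return UpdateDecision(False, f"rejected: action not allowed: {key}", audit)
    # 4. Apply, and record each change so the user can be told what happened.
    for a in actions:
        apply_action(a)
        audit.append(f"update {manifest['id']}: set service {a['service']} startup={a['startup']}")
    return UpdateDecision(True, "applied", audit)

def sign(manifest: dict) -> dict:
    """Produce a signed manifest (the vendor side of the exchange)."""
    signed = dict(manifest)
    signed["signature"] = hmac.new(VERIFY_KEY, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    return signed

# Constructed sample manifest: the legitimate "turn Messenger off" update.
GOOD = sign({"id": "msgr-off-1", "origin": "https://update.example.invalid/m1",
             "actions": [{"type": "set_service_startup", "service": "Messenger", "startup": "disabled"}]})

def demo():
    """Run the agent against the good manifest and three bad variants."""
    changes = []          # every action that actually reached apply_action
    results = {}
    results["good"] = evaluate_update(GOOD, changes.append)
    # Same manifest, but claimed to have arrived over plain HTTP.
    plain = dict(GOOD)
    plain["origin"] = "http://update.example.invalid/m1"
    results["plain_http"] = evaluate_update(plain, changes.append)
    # Signed manifest edited in transit: the action no longer matches the signature.
    tampered = json.loads(json.dumps(GOOD))
    tampered["actions"][0]["service"] = "SomeOtherSvc"
    results["tampered"] = evaluate_update(tampered, changes.append)
    # Properly signed, but asks for something outside the documented allowlist.
    overreach = sign({"id": "x-1", "origin": "https://update.example.invalid/x",
                      "actions": [{"type": "set_service_startup", "service": "SomeOtherSvc", "startup": "disabled"}]})
    results["overreach"] = evaluate_update(overreach, changes.append)
    return results, changes

if __name__ == "__main__":
    res, changes = demo()
    for name, d in res.items():
        print(f"{name:10s} applied={d.applied} {d.reason}")
    print("changes actually made:", changes)
```

Only the first manifest results in a change; the other three are refused before anything is applied. The allowlist is the written-down statement of what an update can do, and the audit list is what an opt-out or notification screen would be built on.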
On Fri, 24 Oct 2003, Sean Donelan wrote:
Without notice AOL has been modifying the operating system settings of users with AOL software installed on Windows computers. Although complaints about Windows' Messenger pop-up spam continue to grow, few
This is a nice thing, but I recall some meeting with AOL Lawyers in which this topic was raised... the end of the discussion happened when they decided they couldn't just arbitrarily alter a user's computer if that alteration wasn't restricted to their software package. I wonder what changed their minds? Or... maybe I'm just misremembering things, it was over a year ago :(

-Chris
How many other ISPs intend to follow AOL's practice and use their connection support software to fix the defaults on their customer's Windows computers?
Thankfully our focus is hosting & Colo, not access, so our pool is smaller and (theoretically) smarter. However this hasn't stopped us from doing similar things (such as disable/remove proxy server software) on client computers. Too many times I have called a client and asked "Why are you running a proxy server?" only to hear the reply "What's a proxy server?" (sigh)

I suppose I don't bother our clients with a clue, as their servers are already configured properly, and I am just protecting our clueless clients from themselves (or more accurately protecting my network from my clueless clients.)

Where it gets weird is when you take advantage of one privilege (like a software installer) to make other changes (disabling services) without permission. (I won't even touch the thick legal-ese of most EULAs which usually force the user to grant this permission beforehand)

Where does it stop being "helpful" and start being "harmful"?... As in Microsoft's infamous disabling of competitors' products with their installers? Then the question becomes "who is being harmed?" I guess... the end-user or the competitor(s)?

Where I draw the line is the security of my own network, which granted is a pretty self-contained little world, unlike so many others here on NANOG. On the other hand, I also have a .sig which is a quote from one of my staff, which illustrates another slippery factor of this particular slope...

--chuck goolsbee

--
______________________________________________________
There's only so much stupidity you can compensate for; there comes a point where you compensate for so much stupidity that it starts to cause problems for the people who actually think in a normal way.
-Bill, digital.forest tech support
-----Original Message-----

How many other ISPs intend to follow AOL's practice and use their connection support software to fix the defaults on their customer's Windows computers?
I've already seen an interesting side effect from a disabled messenger service... With one of those new low-price Intel hardware modems in a P4 running XP, the system will not shut down properly after a dial-up session with messenger disabled... Just an FYI in case confused AOLers start swamping your helpdesks... :-)
participants (10)
- Brian Bruns
- Brian Knoblauch
- Brian Wallingford
- Chris Brenton
- Christopher L. Morrow
- chuck goolsbee
- Jared Mauch
- Michael Loftis
- Sean Donelan
- Terry Baranski