THE TRUTH 7/5/1999 2:25AM
Hello. I am an anonymous person who was well connected with several of the hackers on AOL. I had access to all kinds of information through these associates and employees working for AOL. I never broke the law, or defrauded the system, but I did learn a lot about the security of a company and how that company alters the truth in the media.
So I decided that this would be a good time to present THE TRUTH, about AOL, a recent hack, and about the world in general.
All of this is based on memory, so actual dates are unknown. Time seemed to flow seamlessly. From the beginning of the Q-Link system on the Commodore, the company that was soon to become AOL was prone to hackers. Although the actual number of hackers was quite small, as was the entire online population.
I was quite young at the time, although I did have a Commodore and used BBS. I don't remember ever using Q-Link, but I did know a hacker. An old guy with a funny name, he first introduced me to BBS.
I can't say that I was real into computers, mainly just video games. I never used the BBS more than a few times, and soon my Commodore died.
Although I did know Q-Link hackers. Pirating accounts was quite different, but I can't recall hearing about any serious incidents. Although from the beginning staffers interacted with the hackers, who at the time were much more intelligent than the current pranksters of today.
Jump to the Macintosh era, and the versatility of a tool called ResEdit. The Mac was more elegant, it was art. The exploits of the system were easier on the Mac than the PC, or so it always seemed. Although both exploits were possible on both systems, it just required different programming.
The Mac hackers, whom I knew well, had morphed and cloned accounts. They could get ANYONE's account, read ANYONE's mail, etc. That means they could read your credit card number or any personal information about you.
The security holes exploded and AOL scrambled to patch the problems. From both sides AOL was being attacked. With AOHell and such programs, chaos would wreak havoc on AOL.
Taking over auditoriums during live events, harassing customers, stealing credit card numbers and passwords, and all the pranks consumed AOL. Online CRIS was accessible to the hackers. The entire system was under their control. People were staying on when the system shut down, tinkering away at AOL's innermost workings.
This soon was patched up and was many years ago. Other things happened with the invention of password stealers and virus-type programs. It was evolution, going from phishing, to password stealers, to crackers, and so on.
AOL had arrested Happy Hardcore for breaking into the system. Although there were several others involved, Happy wrote a program called AOL4Free and the Master Blaster. Those tools sent tokens and gave access to more areas of AOL.
A master keyword list was stolen from a related AOL service for the Mac. This list gave access to all the areas.
On AOL the URL aol://1422: or something to that extent, accessed restricted information. That soon died, but URLs were now used for all areas.
The master.aol tool sent the f1 form token, to invoke any forms, including Online CRIS. At the beginning everything was accessible, but soon security set in. Although it was quite slow, and many areas are still accessible.
Then the Area Manager, which allowed PC token sending, emerged and defined the FDO area on the PC. FDOs had been used on the Mac. They were the raw code of the form windows. Like a snapshot of the area, which could be saved, changed, and reaccessed.
This tool led to the Designer tool which allowed for FDO programming via the client, instead of the Stratus. It was an interface tool.
This acted as a compiler for raw atomic code. The Atomic Debugger debugged forms that popped up, so you could learn simply by debugging. Changing the atoms in the FDO form gave all kinds of access, which included changing screen names, reading mail, and signing on. This was what Mac hackers had done a year or two before.
They tried to restrict access to both master.aol and Designer, but they were easily cracked by hacking the resource codes and using a hex editor.
The Mac did have much more bizarre stunts than the PC. People filling up the rooms with 20 of the same names, crashing people's computers, changing their name, text manipulation, and so on. This was because their tools allowed earlier hacking than the PC.
Although there were the crazy staffers that would hack too. After all this happened AOL issued internal access only to CRIS and Stratus. No one remote could use it.
It wasn't too long that the Defender Key and SecurID would emerge, as well as other Promotional tools to interface with the Welcome screen, etc.
The Defender Key was a box that generated codes that communicated with an ISP. The actual number got out, but it requires multiple passwords. Anyone on this Remote LAN line, with the right accounts, could get to Online CRIS, where all member info is held, or any other part of the system. The SecurID was mainly for Rainman, and programming issues. Only a few staffers had Defender Keys.
AOL was branded security tight. Although pranksters still ravaged AOL's community, the internal workings of AOL were secure. Token sending and other atom manipulation led to the creation of mild pranks, but CC#s were to be secured in the system, except for those ignorant customers that knowingly gave up their information.
Then a few months back a teenager is arrested again for hacking AOL again.
http://www.usatoday.com/life/cyber/tech/cte673.htm
AOL spokesman Rich D'Amato refused to give details of what was altered or how long the intrusion went undetected. He said the intrusion ''really should mean absolutely nothing for America Online members.''
Well, fortunately for AOL members I do know what was altered. As to how long, I'd estimate 2-4 weeks, and maybe longer. I really wasn't interested at the time, but I did like hearing the stories.
A hacker had edited the CCL file to connect to an AOL ops box, which was another server on the system. The TCP/IP CCL file connects to a certain host. He altered it. Once on the system he used exploits for that system to gain root access on the server.
Thus he eventually bounced his way under the firewall AOL had established. He had remote access without a defender key, which meant access to all of AOL.
Next he just needed the accounts with the right access. Soon he had OnlineCRIS and even accounts with access to Credit Card numbers, and all of your personal information, including your mail. The hacker told no one of how to do this and did not commit any malicious acts.
This is what he COULD HAVE DONE...
He could have video taped a spree of hacking, where he hacked the system, major accounts, obtained CC#s and personal information on anyone, change any aspect of the system, and shutdown the system. He did not. What did he do?
He used the exploit for information. To learn how the system worked, simply for educational purposes. Then when time came, he decided to patch the hole. The job of the hacker is more than finding the exploit, it's patching the problem. It's the thrill of the accomplishment. It doesn't matter what he does, it is that he has obtained the ultimate access on a system shared by millions.
He talked DIRECTLY with AOL employees in the Ops Sec Division and other areas. You can e-mail Matt Korn at korn@aol.com, who communicated with the hacker, about your security. Be sure to ask him if AOL employees were knowingly working with a "hacker" that had only earlier hacked into their network, in order to patch the system. Apparently AOL employees couldn't understand what they were doing and needed the input from the 18-year-old hacker.
The employees even created free accounts for the hacker. Weeks later the FBI arrested the hacker, after he had helped AOL security to patch the problem. Visit: www.ops.aol.com and don't forget to ask Matt Korn about your security, if you are an AOL customer.
Not very nice to treat a non-malicious hacker, who for simply the thrill of the hunt, hacked AOL then aided and effectively removed the exploit, so no one in the future could commit the same act.
Now he's facing First-degree computer tampering, which has a maximum sentence of 5 to 15 years in prison.
Again AOL's spokesman Rich D'Amato said the intrusion ''really should mean absolutely nothing for America Online members.''
Ask Rich D'Amato if your personal information, including e-mail, your password, and your CREDIT CARD information is important?
This is quite an example of how AOL lies in the media.
For every lying media person who belongs to the Council on Foreign Relations (Walters, Brokaw, Jennings, all of them), which is controlled too by the FED, as well as our money, economy, stocks, commodities, all markets, International Monetary Commission, NBC, ABC, CBS, major magazines, radio stations, and cable companies.
David Cassel, I ask you as an exposer of the truth of AOL, to give that truth more power.
You can't silence the truth, you can only muffle its sound.
Take the power back.
Please do not publish my originating IP, e-mail or other information, nor this line. I wish to remain anonymous, but will contact you in the future after you publish this. I can inform you of complete legal details to get this case against the hacker dropped (if it was a federal institution, like the FBI) and expose AOL for their lies. They are lucky he didn't make a video tape of it. :)
AOL contacted those he pulled CC# info on and called the customer saying "AOL advises you to cancel your credit card. If you don't cancel it we aren't at fault for fraudulent charges"
Peace.