Re: AOL fixing Microsoft default settings
I’m not sure “outrage” is the appropriate way to describe this. AOL is probably looking at this from the support point of view. They get a certain number of support calls complaining about messenger service spam/trickery. They will get many fewer calls complaining that the messenger service has been shut off. The end result is that they save themselves a good bit of money, while helping out a large percentage of their customer base who has the bad luck of being saddled with an inferior OS – good for them!

It would be a mistake to confuse AOL’s subscriber base with NANOG’s subscriber base. That which would outrage some of us is seen as a great boon to other sets of users. There is no “one size fits all” here.

When one connects to an online service (which AOL is, rather than being just an ISP, although they do that too) or when one connects to a corporate LAN with a VPN client, they have to accept that there may be some alterations of the local environment. This is a reality of today’s security situation as it intersects with inferior desktop OS’s. There are always other solutions for those who feel that these sort of alterations are unpalatable.

--
Daniel Golding
Network and Telecommunications Strategies
Burton Group

From: Henry Linneweh <[EMAIL PROTECTED]>
Date: Tue, 28 Oct 2003 14:59:12 -0800 (PST)
To: Sean Donelan <[EMAIL PROTECTED]>, Fred Baker <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: AOL fixing Microsoft default settings

I agree that changing one's computer is not the ISP or even the Corp IT department's job, and could compromise valuable work and/or personal information for the individual user, depending on their setup, security software etc and other applications. I also would perceive that as a real threat to individual privacy for any individual in any country of the world who directly purchased and owns their own computer.

For individuals who had their machines custom built to spec with software configured to meet a certain criterion this would be an outrage and considered hacking and tampering.

-Henry

Sean Donelan <[EMAIL PROTECTED]> wrote:

On Tue, 28 Oct 2003, Fred Baker wrote:
> Personally, I don't ask my ISP or my IT department to randomly change the
> configuration of my computer. I am very happy for them to suggest changes,
> but *if* I agree, *I* want to install them when it is convenient for *me*,
> not when it is convenient for *them*.

There is a difference. In most cases the corporate laptop is owned by the corporation, not the employee. Shouldn't the corporate organization be able to change its own computers whenever it chooses, regardless of the desire of its employees.

On the other hand, the ISP does not own the customer's computer. And despite EULAs which say it is not sold, only licensed to the customer, most people view their computer as their property, not the ISP's.
Re: AOL fixing Microsoft default settings
I agree that changing one's computer is not the ISP or even the Corp IT department's job, and could compromise valuable work and/or personal information for the individual user, depending on their setup, security software etc and other applications. I also would perceive that as a real threat to individual privacy for any individual in any country of the world who directly purchased and owns their own computer.

For individuals who had their machines custom built to spec with software configured to meet a certain criterion this would be an outrage and considered hacking and tampering.

-Henry

Sean Donelan <[EMAIL PROTECTED]> wrote:

On Tue, 28 Oct 2003, Fred Baker wrote:
> Personally, I don't ask my ISP or my IT department to randomly change the
> configuration of my computer. I am very happy for them to suggest changes,
> but *if* I agree, *I* want to install them when it is convenient for *me*,
> not when it is convenient for *them*.

There is a difference. In most cases the corporate laptop is owned by the corporation, not the employee. Shouldn't the corporate organization be able to change its own computers whenever it chooses, regardless of the desire of its employees.

On the other hand, the ISP does not own the customer's computer. And despite EULAs which say it is not sold, only licensed to the customer, most people view their computer as their property, not the ISP's.
Re: AOL fixing Microsoft default settings
On Tue, 28 Oct 2003, Fred Baker wrote:
> Personally, I don't ask my ISP or my IT department to randomly change the
> configuration of my computer. I am very happy for them to suggest changes,
> but *if* I agree, *I* want to install them when it is convenient for *me*,
> not when it is convenient for *them*.

There is a difference. In most cases the corporate laptop is owned by the corporation, not the employee. Shouldn't the corporate organization be able to change its own computers whenever it chooses, regardless of the desire of its employees.

On the other hand, the ISP does not own the customer's computer. And despite EULAs which say it is not sold, only licensed to the customer, most people view their computer as their property, not the ISP's.
Re: AOL fixing Microsoft default settings
At 11:13 AM 10/23/2003, Sean Donelan wrote:
> How many other ISPs intend to follow AOL's practice and use their
> connection support software to fix the defaults on their customer's
> Windows computers?

Interesting question from several angles. Here's the flip side.

Our corporate IT department likes to magically download software and configuration changes to us without telling us, which occasionally has the effect of having someone in the middle of a presentation to a customer have something pop up and say "I have installed new software on your laptop, because you need it and it is good for you. Click here to reboot."

um, ... timing is everything, right?

Personally, I don't ask my ISP or my IT department to randomly change the configuration of my computer. I am very happy for them to suggest changes, but *if* I agree, *I* want to install them when it is convenient for *me*, not when it is convenient for *them*.

That said, this particular configuration change is an improvement...
Re: AOL fixing Microsoft default settings
On Fri, 24 Oct 2003, Sean Donelan wrote:
>b. Disable file/printer sharing

That roots MSDE, and it's not an even vaguely obvious connection between the two. That's one of the problems with fiddling with Windows - screwing with one thing often breaks something apparently totally unrelated.

--
---
#include Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16
Re: AOL fixing Microsoft default settings
On Fri, 24 Oct 2003, Sean Donelan wrote:
> Microsoft has asked ISPs to make changes on its behalf, such as enabling
> the XP firewall. But is it wise for an ISP to change the settings on
> a user's computer? If Microsoft is reluctant to make the changes itself,
> what problems is the ISP creating?

Increased tech support expense for other Microsoft products.
Re: AOL fixing Microsoft default settings
I believe this has resulted in a few lawsuits from companies such as Gator, which take offense to their "adware" being removed by the ISP... Of course, 99% of the time it's installed via a "click-wrap" EULA for some 3rd party software such as Kazaa. It would be just as easy to uninstall it via another EULA for the ISP's custom dialup/PPPoE/PPPoATM/whatever client. :-)

> e. Remove spyware/trojans/remote access software
>
> And so on, through all the changes recommended by the Center for
> Internet Security (http://www.cisecurity.org/)
Re: AOL fixing Microsoft default settings
On Fri, 24 Oct 2003, Stewart, William C (Bill), RTSLS wrote:
> Most ISPs don't provide users with a heavy-duty client that
> replaces or patches lots of the operating system's functions,
> though many will offer friendly customized browsers for
> users who want them, and a few misguided carriers will
> provide drivers for PPPoE or other evil excuses for protocols (:-)

Looking at the top 10 US residential ISPs (covering an estimated 60%+ of all residential accounts), as far as I can tell all of them include a fairly sophisticated support client. "Expert" users may not install it, but I suspect the bulk of the users do.

> Generally, ISPs tell you the network settings to use on Windows,
> and tell you or let you guess for other popular operating systems,
> and they may give you a friendly dialer program that
> knows how to find their nearest POP but doesn't mess around much.

There is a difference between what is done, and what is possible. The support clients distributed by AT&T, Earthlink, UnitedOnline/Netzero, MSN and AOL have amazing capabilities to "fix" a user's account after the user mucks up the computer.

Microsoft has asked ISPs to make changes on its behalf, such as enabling the XP firewall. But is it wise for an ISP to change the settings on a user's computer? If Microsoft is reluctant to make the changes itself, what problems is the ISP creating?

a. Enable firewall
b. Disable file/printer sharing
c. Shut down "unnecessary services" like Windows Messenger
d. Install patches/enable auto-update
e. Remove spyware/trojans/remote access software

And so on, through all the changes recommended by the Center for Internet Security (http://www.cisecurity.org/)
Re: AOL fixing Microsoft default settings
Most ISPs don't provide users with a heavy-duty client that replaces or patches lots of the operating system's functions, though many will offer friendly customized browsers for users who want them, and a few misguided carriers will provide drivers for PPPoE or other evil excuses for protocols (:-)

Generally, ISPs tell you the network settings to use on Windows, and tell you or let you guess for other popular operating systems, and they may give you a friendly dialer program that knows how to find their nearest POP but doesn't mess around much.

Making major changes to a user's OS violates the principle of Least Astonishment (which is usually a policy problem, not an operational one, though you could argue that having a random network protocol not work quite right on Windows is less astonishing to most users than a flood of popups), but it also often fails to work successfully on security-compromised machines, which is an operational issue. So it won't stop viruses or trojans or spammerbots or crackers or spyware or worms or bad ActiveX or Javascripts.

On the other hand, it could reduce some risks on machines that aren't cracked, and could reduce the spam level they receive, and can protect most of the users who aren't doing anything fancy, so as long as it's part of some friendly user interface menu and can be turned on and off it's ok.

The alternative place to provide this kind of protection is in the network edge, which is probably the dial POP for most AOL users. If you implement it in a way that can be turned on or off per user, that's usually much cleaner, usually more scalable, and can work even when user machines are compromised.

Bill Stewart, [EMAIL PROTECTED]
Re: AOL fixing Microsoft default settings
- Original Message -
From: "Chris Brenton" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 24, 2003 8:31 AM
Subject: Re: AOL fixing Microsoft default settings

>
> Is this "mechanism" an SSL connection? HTTP in the clear? AIM? Is it
> exploitable?
>
> I think the intention is admirable, but it has the potential to be a
> real nightmare if implemented incorrectly. The fact that it can all
> happen without the knowledge of the end user means even a savvy user
> could get whacked if the underlying structure is insecure.
>

AOL has a new function as of 8.0 IIRC that allows them to do repairs and make changes to a user's computer using the AOL Computer Checkup (I forget if that's what it's actually called, or something like that). Users can use it to fix DUN errors, IE errors, GPF errors, etc. It appears to be an ActiveX control in IE and is probably being used to do this change to the messenger service. I haven't had time to sit there with a packet sniffer to see what it does or how it works exactly.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
ICQ: 8077511
Re: AOL fixing Microsoft default settings
On Fri, 2003-10-24 at 00:22, Jared Mauch wrote:
> On Fri, Oct 24, 2003 at 12:13:59AM -0400, Sean Donelan wrote:
> > http://www.securityfocus.com/news/7278
> >
> > How many other ISPs intend to follow AOL's practice and use their
> > connection support software to fix the defaults on their customer's
> > Windows computers?
>
> Sounds good to me. The potential for these users
> to be less-than-educated enough about the existence of
> this "feature" means that the potential for this to
> increase the overall network security is a good thing.

Does anyone know anything about what security has been put in place for this? These quotes troubled me:

"So two weeks ago, AOL began turning the feature off on customers' behalf, using a self-updating mechanism in AOL's software."

"Users are not notified of the change..."

Is this "mechanism" an SSL connection? HTTP in the clear? AIM? Is it exploitable?

I think the intention is admirable, but it has the potential to be a real nightmare if implemented incorrectly. The fact that it can all happen without the knowledge of the end user means even a savvy user could get whacked if the underlying structure is insecure.

C
RE: AOL fixing Microsoft default settings
> -Original Message-
> How many other ISPs intend to follow AOL's practice and use their
> connection support software to fix the defaults on their customer's
> Windows computers?

I've already seen an interesting side effect from a disabled messenger service... With one of those new low-price Intel hardware modems in a P4 running XP, the system will not shutdown properly after a dial-up session with messenger disabled...

Just an FYI in case confused AOLers start swamping your helpdesks... :-)
RE: AOL fixing Microsoft default settings
On Fri, 24 Oct 2003, Terry Baranski wrote:
:The "without notice" part is perhaps somewhat unsettling. I can
:appreciate that attempting to explain this type of change to the AOL
:user base would be challenging, but I'd submit that third-party software
:making OS changes like this without the user's knowledge could be "thin
:ice" territory. Where is the line drawn once this path is chosen?

Seems this would be suitable for inclusion in the license agreement to which most check "I agree" without reading. If it hasn't been, it could certainly fall into the "thin ice" category, given the multitude of legal eaglets willing to push for class-actions.

In any event, this begs a policy discussion more than an operational one.
Re: AOL fixing Microsoft default settings
> How many other ISPs intend to follow AOL's practice and use their
> connection support software to fix the defaults on their customer's
> Windows computers?

Thankfully our focus is hosting & Colo, not access, so our pool is smaller and (theoretically) smarter. However this hasn't stopped us from doing similar things (such as disable/remove proxy server software) on client computers. Too many times I have called a client and asked "Why are you running a proxy server?" only to hear the reply "What's a proxy server?" (sigh)

I suppose I don't bother our clients with a clue, as their servers are already configured properly, and I am just protecting our clueless clients from themselves (or more accurately protecting my network from my clueless clients.)

Where it gets weird is when you take advantage of one privilege (like a software installer) to make other changes (disabling services) without permission. (I won't even touch the thick legal-ese of most EULA's which usually force the user to grant this permission beforehand) Where does it stop being "helpful" and start being "harmful"?... As in Microsoft's infamous disabling of competitor's products with their installers? Then the question becomes "who is being harmed?" I guess... the end-user or the competitor(s)?

Where I draw the line is the security of my own network, which granted is a pretty self-contained little world, unlike so many others here on NANOG.

On the other hand, I also have a .sig which is a quote from one of my staff, which illustrates another slippery factor of this particular slope...

--chuck goolsbee

--
__
There's only so much stupidity you can compensate for; there comes a point where you compensate for so much stupidity that it starts to cause problems for the people who actually think in a normal way.
-Bill, digital.forest tech support
RE: AOL fixing Microsoft default settings
> > How many other ISPs intend to follow AOL's practice and use their
> > connection support software to fix the defaults on their customer's
> > Windows computers?
>
> Sounds good to me. The potential for these users
> to be less-than-educated enough about the existence of
> this "feature" means that the potential for this to
> increase the overall network security is a good thing.
>
> Hopefully they will enable automatic checking and
> downloading of critical software updates as well.

The "without notice" part is perhaps somewhat unsettling. I can appreciate that attempting to explain this type of change to the AOL user base would be challenging, but I'd submit that third-party software making OS changes like this without the user's knowledge could be "thin ice" territory. Where is the line drawn once this path is chosen?

-Terry
Re: AOL fixing Microsoft default settings
On Fri, 24 Oct 2003, Sean Donelan wrote:
>
>
> Without notice AOL has been modifying the operating system settings of
> users with AOL software installed on Windows computers. Although
> complaints about Windows' Messenger pop-up spam continue to grow, few

This is a nice thing, but I recall some meeting with AOL Lawyers in which this topic was raised... the end of the discussion happened when they decided they couldn't just arbitrarily alter a user's computer if that alteration wasn't restricted to their software package. I wonder what changed their minds?

Or... maybe I'm just misremembering things, it was over a year ago :(

-Chris
Re: AOL fixing Microsoft default settings
I fully approve, so long as there's a documented, opt-me-out process for those that may need that sort of thing, but I think the majority is pretty well served by this sort of thing. Unlike say changes proposed by some companies. I just don't know how far to draw the line, and it needs to be written somewhere what an update is/will do as well.
Re: AOL fixing Microsoft default settings
On Fri, Oct 24, 2003 at 12:13:59AM -0400, Sean Donelan wrote:
> http://www.securityfocus.com/news/7278
>
> How many other ISPs intend to follow AOL's practice and use their
> connection support software to fix the defaults on their customer's
> Windows computers?

Sounds good to me. The potential for these users to be less-than-educated enough about the existence of this "feature" means that the potential for this to increase the overall network security is a good thing.

Hopefully they will enable automatic checking and downloading of critical software updates as well.

- jared

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.