Salon


AOL's insecurity complex

THE ONLINE SERVICE CAN'T EVEN KEEP ITS OWN STAFF BULLETIN BOARDS PRIVATE.

BY DAVID CASSEL | You've probably heard about the "other" Timothy McVeigh -- the sailor who found himself the target of Navy discharge proceedings for violating its "don't ask, don't tell" policy, after America Online divulged the real-life name behind his online profile.

At this point, only a district judge has prevented the Navy from completing the discharge. After a firestorm of press coverage, AOL CEO Steve Case issued a special "Community Update" to try to mollify anger. "We have always recognized that privacy was an absolutely central building block for this medium," Case argued, "so from day one we've taken steps to build a secure environment that our members can trust."

But Case's words rang hollow. The McVeigh affair wasn't an isolated incident. In the ensuing coverage, other subscribers also came forward with stories about AOL's loose lips. And only days after that controversy arose came the latest in a long sequence of disturbing AOL security breaches, undermining AOL's claim that it provides a "secure environment."

Around midnight Jan. 26, I received a mysterious e-mail message: "Before you miss the whole thing, you should really try and check out keyword: TA."

Since I edit a mailing list about AOL, I sometimes receive tips about hacked content. So I dutifully visited AOL's "Traveler's Advantage" area, which normally promotes innocuous travel-related services. ("Win a romantic Getaway for Two OR $5,000 CASH!")

It was different that Monday. As with many previous acts of high-tech vandalism, the title of the window had been changed in the middle of the night. Instead of "Welcome to AOL Travelers Advantage!" the page read, "Lithium Node was here." (This wasn't the first time AOL had heard from "Lithium Node": Last June, the same group converted AOL's "Academic Assistance Center" into a kind of hacker resource center, complete with manifesto.)

But this attack offered a new twist: Below the substitute title lay a menu linked to dozens of AOL staff bulletin boards. Following the links led to private boards reserved for conversations among AOL's online staff -- including staffers of "The Rosie O'Donnell Show" and AOL's own army of volunteers. Ironically, one area included an essay on the word "confidentiality," saying users should observe confidentiality policies, and "we should take pride in our ability to do so, and set an example for other staffs."

Though the material was apparently meant to be off-limits to the public, it wasn't. A week later, one of the boards sported an announcement outlining a pending policy change. Staffers were told that "Beginning February 4, 1998, Keyword TCB will be viewruled." In other words, AOL was going to restrict access to "The Community Building," a gathering place for AOL's online staff. This tactic was "becoming increasingly important," the memo stated, to assure that an area "is limited to its intended audience, and not available for viewing by others."

The bulletin boards linked from the giant index that had appeared the week before were soon to be roped off. But the obvious question -- why this no-brainer protection wasn't already in place -- went unaddressed. The announcement stated hopes that the board "remains a safe and secure area."

I can't say I was surprised by any of this; AOL has a long history of security and privacy problems. In 1995 hackers accessed the e-mail of CEO Case and other executives. One message -- describing AOL's meeting with the FBI to crack down on hackers -- was even posted to Usenet newsgroups. The hacks continued over the years, and grew more sophisticated. Last April my mailing list uncovered a trick that allowed access to any subscriber's credit card number if they'd revealed their password. AOL had stated this wasn't possible.

While there's no information on how many subscribers were affected, an omnipresent population of ill-wishers compounds any AOL security breach. In September 1996 the Washington Post reported that AOL canceled 370,000 accounts in one three-month period for "credit card fraud, hacking, etc." I once counted over 300 troublemakers massing in chat rooms for an en masse demonstration of dissatisfaction.


Copyright © 2000 Salon.com All rights reserved.