Cool. I wrote the AOLserver flap library and the whaops backend, and the ugly version of the front end (someone took my ugly stuff and made it nicer). The vector was the AOLserver ops team had a well known admin password that granted access in the default configuration to exec shel commands on the host. They fortunately did not notice that I had an undocumented command to send arbitrary msgs to arbitrary queues in the topology. We switched to two factor authentication for prod logins a few months later. And the person that got the AOLserver password was arrested.
Oh yeah you are right no jumped to conclusions. Nice link there, the AOLserver tho was just a web server, not the whole server framework or OS. https://github.com/aolserver/aolserver It was written by some company that we bought. It was also the basis for Greenspun’s excellent book on database backed web sites.
Yeah, and on rereading the original article, the hack was just guessing the passwords to admin AIM accounts. I hope it wasn’t mine! From my perspective that is “works as designed”. I don’t think the TFA was ever put into AIM login, but it was all a while ago. But anyways, nice to seem one of the dumb names I came up with in the press. I also wrote wam (web authentication module), Hermes (messenger of the Gods - like buddy list but where users could add data sources to the list, with filters or alarms), Ewoks (“external web Oscar knowledge server”, an http server that allowed for easy integration into the server message framework we used) and re-wrote morf “master Oscar registration facility”. The original was a custom written no-SQL DB and we moved it to Sybase with sharding.). All C. All event loop based. All really solid infrastructure written by people doing it for the third time. Fun times. Had an actual agile process and brought the coolness of the internet to many people for the first time.
paste did not hack anything he is just an archivist of aol lore. my pr0gz are on there i found them while searching for {s gotmail to add to my phone alert notifications. we follow each other on twitter and he's just a wholesome dude with no sketchy background other than writing vb pr0gz with the rest of us in aol://2719-2-2-vb
I was referencing the content of the post and its discussion of Jay Satiro’s felony convictions. The domain looks to be a great archive of old AOL things.
you're talking about cameron "cam0" lacroix who got that and a default ssh key. he was raided on frederick street for that at age 14, but being a minor and a legend at opssec he was not charged or arrested - just raided for good measure by bill zaleski (sp) at 703.265.4040 :)
Back in 2000 or so, it seemed a status symbol of how many RSA tokens you had on your keychain. The more you had, the more important systems you had access too.
Don't forget that PayPal's original idea was a Palm Pilot app that replaced all those pesky hardware tokens.
Ha, cool. How many tokens did you ever see at once? :D
Presumably PayPal were intending to do an app + hardware module - or was this essentially "LeT's MaNaGe RSA KeYs UsInG NoN MeMoRy PrOtEcTeD CoMmOdItY HaRdWaRe RuNnInG a NoN SaNdBoXeD KeRnEl"?
Yeah physical tokens from RSA (I think) We even rigged up CVSD so you couldn’t push code without the rsa token for each push. (Not actually sure anymore that CVS commit to remote was called push).
I had a family member working for an AOL call center around that time, the physical token they had was from RSA. At least at the time, it was required for nearly anything, including logging into the customer desktop application.
All I remember is having to look at each file and figuring out if the diff between 1.13.0.4 and 1.13.0.5 should be applied to 1.16 and then for the next file it was 1.15.1.2 and 1.15.1.4 and so on for each file. That was after AOL had slowed down to the point where you didn’t just release each change but batched they up into releases called QARs (QA Requests where you documented all the changes and stuff to test etc.). So earlier, merging from released point fixes back to the latest version wasn’t common and cvs wasn’t good at it. Later it was more common and what now is a two minute git pull —rebase was a half day.
Also by then, the super genius software folks started getting replaced by MBAs who would rather developers be idle than work on stuff that wasn’t prioritized.
Two factor auth (password + RSA token) was used for vpn/ssh from home and to access high security stuff (which I never got access to) at Yahoo when I joined in 2004. If AOL was having trouble with security, requiring it for admin tools would have been reasonable and feasible in 2005.
The tokens are not intended to be servicable. Even if you replaced the battery, you couldn't set the time, so I don't think you could sync your token and your verifier.
And I don't know if these things had protections against being opened anyway.
Earlier than that (at least as far back as 2003, my memory is hazy but it might have been 2001) I was using RSA based tokens for TFA to access on-prem systems at a couple of our clients for product support purposes. At least one of those was significantly smaller than AOL would have been in 2005. So the tech was readily available and had been for some time, AOL had the resources to scale it out to their key infrastructure, and after a significant hack I can believe that even in those relatively naive days there would have been plenty enough management impetus to Make It Happen.
my bank used 2FA (auth codes or so called "transaction codes" send in physical mail to approve transactions) in the late 90s early 2000s. so 2fa isn't some new invention, funny how it took basically 2.5 decades until it become quite mainstream... now that i think of it, it's actually quite concerning that 2fa didn't have widespread adoption earlier - as soon as smart phones became common.
they had 2fa before most orgs and even launched a beta for the public called "AOL PASSCODE". aim had 2fa i remember host guide something with the password "pepper" had it in 2002.
was common in some parts of finance also, as i recall this pre-2008. folks had pager-looking things that flashed OTPs. i think bloomberg terminals were partially responsible for driving the use of 2fa.
I do remember that. Little key fobs with one time codes. But that's still 3 years later. But apparently according to some of these comments large tech places were using 2FA in 2000 and as early as '98 or '99 which still surprises me, not really having seen it become ubiquitous until recently, and really only around things for banking and purchasing.
the only one I remember had a Metallica intro. progz are a big part of why I grew up to be a programmer. also, those old Warez chat rooms were the shit! I remember it once took all night to download a cracked racing game that was 14mb over 28.8
It was extremely popular! There was an endless supply of VB6 bas files that you could cobble together your own progz with, so the bar of entry was pretty low. Hell, I had the AOL 3.0 client with admin tools installed (star tool, and rainman?) when I was like 14? You could dig around staff pages and see warez uploaded to random hijacked keywords.
It's amusing to think back at how hilariously insecure the entire platform was. Really crazy in retrospect. I made so many friends then, don't know what you have until it's gone.
I had the AIM “fragile” which I got from the Regime2K exploit. I had been off AOL for a couple years when I noticed the account password was reset. I kept recovering it but the hacker was always able to get it back, even when the email was mine. I had already left the AOL scene as I was in the beginning stages of my career so I just gave up. I always wondered if they had just found a new method, but it seemed like they had to have insider access because of how consistent they were in taking it back. Wonder if was one of these two guys. Oh well, I love reading stories of the AOL days.
Hi this author is unexposed and not entirely accurate in his reporting. We (dfntsc) hacked Cris,Merlin, Gandalf, and whaops.
I even stole juberti's name and took "Justin" (aim only account) until it was frauded by opsec44 at the behest of a snitch very late to the game calling himself "defiant"
Kim zetter wrote about our antics 20 years ago I am just posting this here because the title is misleading and is demonstrative of the author's ignorance and absence from the scene given we dont know each other and I consider myself aoleet in a very very small circle. I know dime (Dave) and his brother that's mentioned in the article. My boy helped him write his fdo token scanner in addition to making his own *toolZ. I do not know this author.
Nice pictures but they are not even his. Clout chaser.
E: The author is kevin/pad. A groupie from conferences with no technical apitutde. U may know him as the founder of the Minerva token which got owned (since technically inept)
Anyway, read this article like it was written by a groupie and not an authority on the subject /active participant.
When cryptome.org got defaced and hacked we were monitoring pad snitching in jya@earthlink.net emails from pad@yayo.org.
Its our culture we should be proud of it. Especially since many of us were spending our childhoods together virtually. The internet was much different then but I sincerely appreciate it when those of us who were around then, in any capacity, reminisce.
There are no more new AOLers and those with fun memories associated with the platform are always going to be more special to me than many others just because that's where I learned to computer and I've many delightful experiences there.
I can’t upvote this comment enough. It really speaks to something I’ve felt for so long about AOL. You are right that it was a different Internet, one where we teens could make mistakes while coming of age on a new communications medium without lifelong consequences we see so many young people fall into now. AOL got me into programming and tech in general. I also met some great people who, despite perhaps never meeting them face-to-face, made an impact on the person I came to be. It’s a shame that nearly all of those relationships ended, but it is what it is. I love when stories like this pop up once in a while because it feels good being reminded that I’m not alone in my experiences.
Disclaimer: The person I am replying to is an unhinged, imaginative drug addict and confidence man. He crafted his post to look like he didn't already know I wrote the blog post.
Let's clarify everything since you are a liar.
> We (dfntsc) hacked Cris,Merlin, Gandalf, and whaops.
You hacked CRIS and Merlin like everyone else. You never popped WHAOPS. Ever. I'd need a more reliable source than you - you're a known liar and you've only publicly proven it ITT.
> The author is kevin/pad. A groupie from conferences with no technical apitutde.
I rarely if ever hung out in SE/phreaker conferences with you skids. After my time. You mean to imply that the second you popped up I was a groupie? You were brand new, and you've never left that category in my mind because your skills haven't progressed. I have no technical aptitude? The same week I turned in a Slack RCE you were bragging about simple XSS on Twitter. You've always been a charlatan.
> Anyway, read this article like it was written by a groupie and not an authority on the subject /active participant.
A groupie? Not an authority on the subject? I've been in contact with Dime about the post. Since you "know" him - ask him yourself. Then ask him whether he sent me his Delphi browser for my own personal use around the time WHAOPS got popped.
> When cryptome.org got defaced and hacked we were monitoring pad snitching in jya@earthlink.net emails from pad@yayo.org.
You dumbasses used my website as a launchpad to claim the defacement.
Nobody ratted on you.
Someone, other than me, e.g. not "pad@yayo.org" emailed the cryptome guy a URL to your thread. I had to shut down yayo.org with a disclaimer saying we didn't endorse illegal activity. Nobody wanted skid heat from a website defacement. You idiots were barely allowed to hang out with us as is and cryptome only sealed the deal. Never change Justin. Apologies to the rest of you for the AODrama - but I felt obligated to reply to this disgruntled lunatic and his readers with some unbiased clarification based in reality. You've always been a pain in my ass, dude. Get off my jock once and for all. The cognitive dissonance involved in you calling me a groupie.
Yikes.
and not for nothin' we're in our thirties null - but i'll happily go back and forth with you if you want brokeboi
Commenters here need to follow the rules regardless of how wrong someone is or you feel they are—maybe you don't owe them better, but you owe this community better if you're participating in it. Our goal is to be a web forum that doesn't eventually fry itself the way they usually do.
sir the only articles written about your internet impact have been by your own hand, and they're not entirely accurate. the whole scene knows it and calls me to respond to your submission here while minding my own business doing my thing since i am an actual verifiable authority on this subject to other respected domain leaders and you're just attention seeking because your life sucks. on your 2nd hn account talking to me
this guy wasn't even around yet when whaops was hacked by dime. that's how new he is. i've been chatting with dime and he confirmed his friend didn't "help him code" anything
"null" here is slandering me over a personal beef spanning 15 years, and on reddit he was doing it in conjunction with xyrix and/or virus - due to the same 15+ year personal beef i have with that whole crew - or they have with me, rather. they follow me around the internet and attack like hyenas when i write or do anything public facing. these dudes are factually obsessed with me and i'm still not entirely sure why. it's flattering at least
null, you're not an authority on some shit you weren't even around for. calling me a groupie spectator to aol hacking, or to imply i didn't surf lan and wreck 500 - 1,000+ ints throughout my ao-career. you're out of your mind. nobody actually in the know would make the claim that pad wasn't deeply involved in ao-hacking. i was there in 1997 loading up punters for aol 2.5 - whereas you didn't come around until 2004. an authority. ha
as far as what's written about me - none of it was planted, or because i was caught for ridiculous bullshit like bothering celebrities and people with lexnex xs
