Without notice AOL has been modifying the operating system settings of
users with AOL software installed on Windows computers. Although
complaints about Windows Messenger pop-up spam continue to grow, few
users bother to turn off the Windows Messenger service. Starting two
weeks ago AOL used the self-updating mechanism in AOL's software to
turn off the Windows Messenger service. AOL has turned it off on
15 million users' computers so far.
http://www.securityfocus.com/news/7278
How many other ISPs intend to follow AOL's practice and use their
connection support software to fix the defaults on their customers'
Windows computers?
Sounds good to me. The potential for these users
to be less-than-educated enough about the existence of
this "feature" means that the potential for this to
increase the overall network security is a good thing.
Hopefully they will enable automatic checking and
downloading of critical software updates as well.
- jared
I fully approve, so long as there's a documented, opt-me-out process for those that may need that sort of thing... but I think the majority is pretty well served by this sort of thing. Unlike, say, changes proposed by some companies.
I just don't know how far to draw the line, and it needs to be written somewhere what an update is/will do as well.
This is a nice thing, but I recall some meeting with AOL lawyers in which
this topic was raised... the end of the discussion happened when they
decided they couldn't just arbitrarily alter a user's computer if that
alteration wasn't restricted to their software package.
I wonder what changed their minds? Or... maybe I'm just misremembering
things, it was over a year ago.
-Chris
> How many other ISPs intend to follow AOL's practice and use their
> connection support software to fix the defaults on their customers'
> Windows computers?
Thankfully our focus is hosting & colo, not access, so our pool is smaller and (theoretically) smarter. However, this hasn't stopped us from doing similar things (such as disabling/removing proxy server software) on client computers. Too many times I have called a client and asked "Why are you running a proxy server?" only to hear the reply "What's a proxy server?" (sigh)
I suppose I don't bother our clients with a clue, as their servers are already configured properly, and I am just protecting our clueless clients from themselves (or, more accurately, protecting my network from my clueless clients).
Where it gets weird is when you take advantage of one privilege (like a software installer) to make other changes (disabling services) without permission. (I won't even touch the thick legalese of most EULAs, which usually force the user to grant this permission beforehand.)
Where does it stop being "helpful" and start being "harmful"? As in Microsoft's infamous disabling of competitors' products with their installers? Then the question becomes "who is being harmed?" I guess... the end-user or the competitor(s)?
Where I draw the line is the security of my own network, which granted is a pretty self-contained little world, unlike so many others here on NANOG.
On the other hand, I also have a .sig which is a quote from one of my staff, which illustrates another slippery factor of this particular slope...
--chuck goolsbee
> How many other ISPs intend to follow AOL's practice and use their
> connection support software to fix the defaults on their customers'
> Windows computers?
> Sounds good to me. The potential for these users
> to be less-than-educated enough about the existence of
> this "feature" means that the potential for this to
> increase the overall network security is a good thing.
> Hopefully they will enable automatic checking and
> downloading of critical software updates as well.
The "without notice" part is perhaps somewhat unsettling. I can
appreciate that attempting to explain this type of change to the AOL
user base would be challenging, but I'd submit that third-party software
making OS changes like this without the user's knowledge could be "thin
ice" territory. Where is the line drawn once this path is chosen?
-Terry
:The "without notice" part is perhaps somewhat unsettling. I can
:appreciate that attempting to explain this type of change to the AOL
:user base would be challenging, but I'd submit that third-party software
:making OS changes like this without the user's knowledge could be "thin
:ice" territory. Where is the line drawn once this path is chosen?
Seems this would be suitable for inclusion in the license agreement to
which most check "I agree" without reading.
If it hasn't been, it could certainly fall into the "thin ice" category,
given the multitude of legal eaglets willing to push for
class-actions. In any event, this begs a policy discussion more than an
operational one.
I've already seen an interesting side effect from a disabled messenger service... With one of those new low-price
Intel hardware modems in a P4 running XP, the system will not shut down properly after a dial-up session with messenger
disabled... Just an FYI in case confused AOLers start swamping your helpdesks...
Does anyone know anything about what security has been put in place for
this? These quotes troubled me:
"So two weeks ago, AOL began turning the feature off on customers'
behalf, using a self-updating mechanism in AOL's software."
<snip>
"Users are not notified of the change..."
Is this "mechanism" an SSL connection? HTTP in the clear? AIM? Is it
exploitable?
I think the intention is admirable, but it has the potential to be a
real nightmare if implemented incorrectly. The fact that it can all
happen without the knowledge of the end user means even savvy users
could get whacked if the underlying structure is insecure.
C
AOL has a new function as of 8.0, IIRC, that allows them to do repairs and
make changes to a user's computer using the AOL Computer Checkup (I forget if
that's what it's actually called, or something like that). Users can use it
to fix DUN errors, IE errors, GPF errors, etc. It appears to be an ActiveX
control in IE and is probably being used to do this change to the messenger
service. I haven't had time to sit there with a packet sniffer to see what
it does or how it works exactly.
Interesting question from several angles. Here's the flip side. Our corporate IT department likes to magically download software and configuration changes to us without telling us, which occasionally has the effect of having someone in the middle of a presentation to a customer have something pop up and say "I have installed new software on your laptop, because you need it and it is good for you. Click here to reboot."
um, ...
timing is everything, right?
Personally, I don't ask my ISP or my IT department to randomly change the configuration of my computer. I am very happy for them to suggest changes, but *if* I agree, *I* want to install them when it is convenient for *me*, not when it is convenient for *them*.
That said, this particular configuration change is an improvement...
There is a difference. In most cases the corporate laptop is owned by the
corporation, not the employee. Shouldn't the corporate organization be
able to change its own computers whenever it chooses, regardless of the
desire of its employees?
On the other hand, the ISP does not own the customer's computer. And
despite EULAs which say it is not sold, only licensed to the customer, most
people view their computer as their property, not the ISP's.
I agree that changing one's computer is not the ISP's or even the corporate IT department's
job, and could compromise valuable work and/or personal information for the individual
user, depending on their setup, security software, etc. and other applications.
I also would perceive that as a real threat to individual privacy for any individual in
any country of the world who directly purchased and owns their own computer.
For individuals who had their machines custom built to spec with software configured
to meet a certain criterion this would be an outrage and considered hacking and
tampering.
-Henry
I'm not sure "outrage" is the appropriate way to describe this. AOL is probably looking at this from the support point of view.
They get a certain number of support calls complaining about messenger service spam/trickery. They will get many fewer calls complaining that the messenger service has been shut off. The end result is that they save themselves a good bit of money, while helping out a large percentage of their customer base that has the bad luck of being saddled with an inferior OS. Good for them! It would be a mistake to confuse AOL's subscriber base with NANOG's subscriber base. That which would outrage some of us is seen as a great boon to other sets of users. There is no "one size fits all" here.
When one connects to an online service (which AOL is, rather than being just an ISP, although they do that too) or when one connects to a corporate LAN with a VPN client, they have to accept that there may be some alterations of the local environment. This is a reality of today's security situation as it intersects with inferior desktop OSes. There are always other solutions for those who feel that these sorts of alterations are unpalatable.