Hacker News
The first and last time AIM was hacked (g.livejournal.com)
82 points by todsacerdoti 26 days ago | hide | past | favorite | 57 comments

Cool. I wrote the AOLserver flap library and the whaops backend, and the ugly version of the front end (someone took my ugly stuff and made it nicer). The vector was the AOLserver ops team had a well known admin password that granted access in the default configuration to exec shell commands on the host. They fortunately did not notice that I had an undocumented command to send arbitrary msgs to arbitrary queues in the topology. We switched to two factor authentication for prod logins a few months later. And the person that got the AOLserver password was arrested.

Re: AOLServer, are you thinking of Jay Satiro (ref: http://justinakapaste.com/from-o0o-of-aol-files/)?

The author implies that the whaops hackers had their own malware, written in Delphi, to do the on-lan redirection.

Oh yeah, you are right; I jumped to conclusions. Nice link there. The AOLserver though was just a web server, not the whole server framework or OS. https://github.com/aolserver/aolserver It was written by some company that we bought. It was also the basis for Greenspun’s excellent book on database backed web sites.

Yeah, and on rereading the original article, the hack was just guessing the passwords to admin AIM accounts. I hope it wasn’t mine! From my perspective that is “works as designed”. I don’t think the TFA was ever put into AIM login, but it was all a while ago. But anyways, nice to see one of the dumb names I came up with in the press. I also wrote wam (web authentication module), Hermes (messenger of the Gods - like buddy list but where users could add data sources to the list, with filters or alarms), Ewoks (“external web Oscar knowledge server”, an http server that allowed for easy integration into the server message framework we used) and re-wrote morf (“master Oscar registration facility”; the original was a custom written no-SQL DB and we moved it to Sybase with sharding). All C. All event loop based. All really solid infrastructure written by people doing it for the third time. Fun times. Had an actual agile process and brought the coolness of the internet to many people for the first time.

paste did not hack anything he is just an archivist of aol lore. my pr0gz are on there i found them while searching for {s gotmail to add to my phone alert notifications. we follow each other on twitter and he's just a wholesome dude with no sketchy background other than writing vb pr0gz with the rest of us in aol://2719-2-2-vb

I was referencing the content of the post and its discussion of Jay Satiro’s felony convictions. The domain looks to be a great archive of old AOL things.

you're talking about cameron "cam0" lacroix who got that and a default ssh key. he was raided on frederick street for that at age 14, but being a minor and a legend at opsec he was not charged or arrested - just raided for good measure by bill zaleski (sp) at 703.265.4040 :)

two factor authentication in 2005?

Back in 2000 or so, it seemed a status symbol of how many RSA tokens you had on your keychain. The more you had, the more important systems you had access to.

Don't forget that PayPal's original idea was a Palm Pilot app that replaced all those pesky hardware tokens.

Ha, cool. How many tokens did you ever see at once? :D

Presumably PayPal were intending to do an app + hardware module - or was this essentially "LeT's MaNaGe RSA KeYs UsInG NoN MeMoRy PrOtEcTeD CoMmOdItY HaRdWaRe RuNnInG a NoN SaNdBoXeD KeRnEl"?

According to _Founders at Work_, they just reverse-engineered the keys and emulated them on a Palm Pilot

> "LeT's MaNaGe RSA KeYs UsInG NoN MeMoRy PrOtEcTeD CoMmOdItY HaRdWaRe RuNnInG a NoN SaNdBoXeD KeRnEl"

In retrospect, this would have been at least as good as the real securid dongles.

Yeah, physical tokens from RSA (I think). We even rigged up CVSD so you couldn’t push code without the RSA token for each push. (Not actually sure anymore that CVS commit to remote was called push.)

I had a family member working for an AOL call center around that time, the physical token they had was from RSA. At least at the time, it was required for nearly anything, including logging into the customer desktop application.

I didn't use it myself, but I've heard "check in" used colloquially for what seems to be `cvs release`.

All I remember is having to look at each file and figuring out if the diff between and should be applied to 1.16 and then for the next file it was and and so on for each file. That was after AOL had slowed down to the point where you didn’t just release each change but batched them up into releases called QARs (QA Requests, where you documented all the changes and stuff to test etc.). So earlier, merging from released point fixes back to the latest version wasn’t common and cvs wasn’t good at it. Later it was more common and what now is a two minute `git pull --rebase` was a half day.

Also by then, the super genius software folks started getting replaced by MBAs who would rather developers be idle than work on stuff that wasn’t prioritized.

Two factor auth (password + RSA token) was used for vpn/ssh from home and to access high security stuff (which I never got access to) at Yahoo when I joined in 2004. If AOL was having trouble with security, requiring it for admin tools would have been reasonable and feasible in 2005.

Netscape used RSA SecurID tokens when I joined in 1996. I still have mine, but the battery long since expired.

Presumably you can get a new watch battery for it, non?

The tokens are not intended to be serviceable. Even if you replaced the battery, you couldn't set the time, so I don't think you could sync your token and your verifier.

And I don't know if these things had protections against being opened anyway.

The worst part about doing operations with the RSA tokens is that you can only use each code one time and it takes a full minute to get a new code.

Waiting for the code to roll to get through a couple jumphosts is pretty excruciating.
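The two properties the comments above describe for hardware tokens, a code that is accepted only once and a verifier that tolerates only a small clock drift, can be illustrated with a small time-based one-time-code scheme. The code below is an added example, not code from this thread or any commenter, and it is not the SecurID algorithm: it uses the HMAC-based construction in the style of RFC 6238 (TOTP) with a 60-second step, a skew window of one step either side, and a single-use check. The secret, the timestamps and the constants are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed parameters for the example (not SecurID's); the thread mentions
# a one-minute rollover, so a 60-second step is used here.
STEP_SECONDS = 60
DIGITS = 6
SKEW_STEPS = 1  # verifier also accepts the previous and next step to absorb small drift


def code_for_counter(secret: bytes, counter: int) -> str:
    """HOTP-style dynamic truncation of HMAC-SHA1(secret, counter) to DIGITS digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def token_code(secret: bytes, token_clock: int) -> str:
    """The code a token would display given its own (possibly drifted) clock, in seconds."""
    return code_for_counter(secret, token_clock // STEP_SECONDS)


class Verifier:
    """Server side: checks a code against the current time window and rejects replays."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_counter = None  # highest time-step counter already consumed

    def verify(self, code: str, server_clock: int) -> bool:
        base = server_clock // STEP_SECONDS
        for counter in range(base - SKEW_STEPS, base + SKEW_STEPS + 1):
            if hmac.compare_digest(code_for_counter(self.secret, counter), code):
                # Single use: any counter at or below the last accepted one is a replay,
                # so the same code cannot be used twice within its window.
                if self.last_accepted_counter is not None and counter <= self.last_accepted_counter:
                    return False
                self.last_accepted_counter = counter
                return True
        # A token whose clock is outside the skew window never matches: this is why a
        # token with an unsettable clock cannot be resynced once it has drifted too far.
        return False


def demo():
    """Returns (first use accepted, replay accepted, badly drifted token accepted)."""
    secret = b"constructed-shared-secret"  # constructed sample value, not a real token seed
    v = Verifier(secret)
    now = 1_700_000_000  # constructed server time
    code = token_code(secret, now)
    first = v.verify(code, now)          # expected True
    replay = v.verify(code, now)         # expected False: same code reused
    drifted = v.verify(token_code(secret, now + 10 * STEP_SECONDS), now)  # expected False
    return first, replay, drifted


if __name__ == "__main__":
    print(demo())
```

Calling `demo()` shows the three cases in order: a fresh code is accepted, the identical code is refused on its second use, and a token whose clock is ten minutes ahead of the server is refused because none of its codes fall inside the skew window.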

Earlier than that (at least as far back as 2003, my memory is hazy but it might have been 2001) I was using RSA based tokens for TFA to access on-prem systems at a couple of our clients for product support purposes. At least one of those was significantly smaller than AOL would have been in 2005. So the tech was readily available and had been for some time, AOL had the resources to scale it out to their key infrastructure, and after a significant hack I can believe that even in those relatively naive days there would have been plenty enough management impetus to Make It Happen.

my bank used 2FA (auth codes or so called "transaction codes" sent in physical mail to approve transactions) in the late 90s early 2000s. so 2fa isn't some new invention, funny how it took basically 2.5 decades until it became quite mainstream... now that i think of it, it's actually quite concerning that 2fa didn't have widespread adoption earlier - as soon as smart phones became common.

Besides RSA tokens which sibling comments have already mentioned, smartcards were also used for 2FA back then.

The old style tokens were widely in use in the late 90s through to the early 2000s.

Definitely used one up to 2013 and only stopped because I left the company.

My bank even had me use one of those until 2009 or 2010!

they had 2fa before most orgs and even launched a beta for the public called "AOL PASSCODE". aim had 2fa i remember host guide something with the password "pepper" had it in 2002.

I had RSA two factor at an .edu in 2000, and they were there for a while. We called em “enigma cards”.

was common in some parts of finance also, as i recall this pre-2008. folks had pager-looking things that flashed OTPs. i think bloomberg terminals were partially responsible for driving the use of 2fa.

World of Warcraft players were using it in 2008.

I do remember that. Little key fobs with one time codes. But that's still 3 years later. But apparently according to some of these comments large tech places were using 2FA in 2000 and as early as '98 or '99 which still surprises me, not really having seen it become ubiquitous until recently, and really only around things for banking and purchasing.

I've used 2FA in the 90s.

What did you use it for? Work?

Toolbar overlays (sptoolz was my jam), punters, faders (sup), macros, aw yeah those were the days.

Did a super quick search and found some real throwbacks:


the only one I remember had a Metallica intro. progz are a big part of why I grew up to be a programmer. also, those old Warez chat rooms were the shit! I remember it once took all night to download a cracked racing game that was 14mb over 28.8

I remember back in 2011 people were still hijacking AIM accounts. Mark Zuckerberg was a part of the AOL underground scene according to Steve Case (former CEO of AOL). https://qf0.github.io/blog/2020/01/28/Mark-Zuckerberg-was-a-...

It was extremely popular! There was an endless supply of VB6 bas files that you could cobble together your own progz with, so the bar of entry was pretty low. Hell, I had the AOL 3.0 client with admin tools installed (star tool, and rainman?) when I was like 14? You could dig around staff pages and see warez uploaded to random hijacked keywords.

It's amusing to think back at how hilariously insecure the entire platform was. Really crazy in retrospect. I made so many friends then, don't know what you have until it's gone.

Can confirm, got "Death" as a gift in 2011.

I had the AIM “fragile” which I got from the Regime2K exploit. I had been off AOL for a couple years when I noticed the account password was reset. I kept recovering it but the hacker was always able to get it back, even when the email was mine. I had already left the AOL scene as I was in the beginning stages of my career so I just gave up. I always wondered if they had just found a new method, but it seemed like they had to have insider access because of how consistent they were in taking it back. Wonder if it was one of these two guys. Oh well, I love reading stories of the AOL days.

Hi, this author is unexposed and not entirely accurate in his reporting. We (dfntsc) hacked Cris, Merlin, Gandalf, and whaops.

I even stole juberti's name and took "Justin" (aim only account) until it was frauded by opsec44 at the behest of a snitch very late to the game calling himself "defiant"

Kim zetter wrote about our antics 20 years ago I am just posting this here because the title is misleading and is demonstrative of the author's ignorance and absence from the scene given we dont know each other and I consider myself aoleet in a very very small circle. I know dime (Dave) and his brother that's mentioned in the article. My boy helped him write his fdo token scanner in addition to making his own *toolZ. I do not know this author.

Nice pictures but they are not even his. Clout chaser.

E: The author is kevin/pad. A groupie from conferences with no technical aptitude. U may know him as the founder of the Minerva token which got owned (since technically inept)

Anyway, read this article like it was written by a groupie and not an authority on the subject /active participant.

When cryptome.org got defaced and hacked we were monitoring pad snitching in jya@earthlink.net emails from pad@yayo.org.

Clout chaser and groupie for sure

20+ later and the AODrama is still flowing. This is ridiculous and great lol.

Its our culture we should be proud of it. Especially since many of us were spending our childhoods together virtually. The internet was much different then but I sincerely appreciate it when those of us who were around then, in any capacity, reminisce.

There are no more new AOLers and those with fun memories associated with the platform are always going to be more special to me than many others just because that's where I learned to computer and I've many delightful experiences there.

I can’t upvote this comment enough. It really speaks to something I’ve felt for so long about AOL. You are right that it was a different Internet, one where we teens could make mistakes while coming of age on a new communications medium without lifelong consequences we see so many young people fall into now. AOL got me into programming and tech in general. I also met some great people who, despite perhaps never meeting them face-to-face, made an impact on the person I came to be. It’s a shame that nearly all of those relationships ended, but it is what it is. I love when stories like this pop up once in a while because it feels good being reminded that I’m not alone in my experiences.

Disclaimer: The person I am replying to is an unhinged, imaginative drug addict and confidence man. He crafted his post to look like he didn't already know I wrote the blog post.

Let's clarify everything since you are a liar.

> We (dfntsc) hacked Cris,Merlin, Gandalf, and whaops.

You hacked CRIS and Merlin like everyone else. You never popped WHAOPS. Ever. I'd need a more reliable source than you - you're a known liar and you've only publicly proven it ITT.

> The author is kevin/pad. A groupie from conferences with no technical aptitude.

I rarely if ever hung out in SE/phreaker conferences with you skids. After my time. You mean to imply that the second you popped up I was a groupie? You were brand new, and you've never left that category in my mind because your skills haven't progressed. I have no technical aptitude? The same week I turned in a Slack RCE you were bragging about simple XSS on Twitter. You've always been a charlatan.

> Anyway, read this article like it was written by a groupie and not an authority on the subject /active participant.

A groupie? Not an authority on the subject? I've been in contact with Dime about the post. Since you "know" him - ask him yourself. Then ask him whether he sent me his Delphi browser for my own personal use around the time WHAOPS got popped.

> When cryptome.org got defaced and hacked we were monitoring pad snitching in jya@earthlink.net emails from pad@yayo.org.

You dumbasses used my website as a launchpad to claim the defacement.

Nobody ratted on you.

Someone, other than me, e.g. not "pad@yayo.org" emailed the cryptome guy a URL to your thread. I had to shut down yayo.org with a disclaimer saying we didn't endorse illegal activity. Nobody wanted skid heat from a website defacement. You idiots were barely allowed to hang out with us as is and cryptome only sealed the deal. Never change Justin. Apologies to the rest of you for the AODrama - but I felt obligated to reply to this disgruntled lunatic and his readers with some unbiased clarification based in reality. You've always been a pain in my ass, dude. Get off my jock once and for all. The cognitive dissonance involved in you calling me a groupie.

and not for nothin' we're in our thirties null - but i'll happily go back and forth with you if you want brokeboi

Hey - you're welcome to post about your work here but please stay within the site guidelines: https://news.ycombinator.com/newsguidelines.html. You broke them badly with this comment!

Commenters here need to follow the rules regardless of how wrong someone is or you feel they are—maybe you don't owe them better, but you owe this community better if you're participating in it. Our goal is to be a web forum that doesn't eventually fry itself the way they usually do.

sir the only articles written about your internet impact have been by your own hand, and they're not entirely accurate. the whole scene knows it and calls me to respond to your submission here while minding my own business doing my thing since i am an actual verifiable authority on this subject to other respected domain leaders and you're just attention seeking because your life sucks. on your 2nd hn account talking to me

dear admins,

this guy is baiting me

dear readers,

that is what gaslighting looks like

this guy wasn't even around yet when whaops was hacked by dime. that's how new he is. i've been chatting with dime and he confirmed his friend didn't "help him code" anything

"null" here is slandering me over a personal beef spanning 15 years, and on reddit he was doing it in conjunction with xyrix and/or virus - due to the same 15+ year personal beef i have with that whole crew - or they have with me, rather. they follow me around the internet and attack like hyenas when i write or do anything public facing. these dudes are factually obsessed with me and i'm still not entirely sure why. it's flattering at least

null, you're not an authority on some shit you weren't even around for. calling me a groupie spectator to aol hacking, or to imply i didn't surf lan and wreck 500 - 1,000+ ints throughout my ao-career. you're out of your mind. nobody actually in the know would make the claim that pad wasn't deeply involved in ao-hacking. i was there in 1997 loading up punters for aol 2.5 - whereas you didn't come around until 2004. an authority. ha

as far as what's written about me - none of it was planted, or because i was caught for ridiculous bullshit like bothering celebrities and people with lexnex xs

The main reason I donate to archive.org is to keep this alive:

Btw: anyone know where hypah is these days?

I heard, and I’m not making this up, that he is the guy who made the Slither.io game.

Interesting. Last I knew he created livememe.com and that website looks very similar (he was good at flash). Thanks for the tip!

You may also like this version: https://mattmazur.com/projects/aol-files-com/

Man, the people page is an extreme punch in the gut. I know of at least one who is dead. I can't believe it was 25 years ago. :(

Oh, nice! I found myself on the people page. Thanks for the share!

This stuff still happens, even to tech BigCos like Amazon https://imgur.com/a/yaI4B

Note the "Customer account search" with which you can easily find anyone who has ever used Amazon.

Nice, brings back some good memories. That's all I'm going to say though! hahaha

The days of AOHell!

> the private chat "macfilez"

ah yes, IRC
