Last significant update: 11 October 1997
This information can be freely reproduced in any medium, as long as the information is unmodified.
Thanks to Nick Winter for first bringing this to our attention on 5 October, 1997.
Here's the email I originally received about this, with the inevitable commentary:
----- Beginning of email -----
> Have you all run into this one before?
It's new to me. I've interspersed some comments within the text below.
[snip] > Forwarded message: > From: x_aol40_x@hotmail.com (Ex Aol) > To: x_aol40_x@hotmail.com > Date: 97-10-04 12:48:43 EDT > > >From a former AOL employee: > > I'll try and cut through the crap, and try to get to the point of this > letter. I used to work for America Online, and would like to remain > anonymous for that reason. I was laid off in early September, but I > know exactly why I was laid off, which I will now explain:
Remain anonymous to whom? Certainly not AOL, if this is true, for they'd be sure to know. One must, therefore, ask this:
Why does the author want to remain anonymous to US?
> Since last December, I had been one of the many people assigned to > design AOL 4.0 for Windows (AOL 4.0 beta, codenamed Casablanca). In > the beginning, I was very proud of this task, until I found out the true > cost of it. Things were going fine until about mid-February, when me > and 2 of my colleagues
Hmmm. Odd that a professional would use the pluperfect "I had been" and then in the same paragraph write as the subject "me and 2 of my colleagues."
> started to suspect a problem, an unexplainable 'Privacy Invasion', with > the new version. One of them, who is a master programmer, copied the > finished portion of the new version (Then 'Build 52'), and took it home, > and we spent nearly 2 weeks of sleepless nights examining and debugging > the program, flipping it inside-out, and here is what we found. > Unlike all previous versions of America Online, version 4.0 puts > something in your hard drive called a 'cookie'. (AOL members click href="aol://4344:1047.g334.8411481.532897009">here for a > definition). However, the cookie we found on Version 4.0 was far more > treacherous than the simple internet cookie. How would you like > somebody looking at your entire hard drive, snooping through any (yes, > any) piece of information on your hard drive.
Since AOL is client software, it certainly can do anything to a computer that a program can do.
> It could also read your password
Big Deal. AOL stores the password on the local hard drive IN CLEAR TEXT anyway, so this is a red herring. To me, this security loophole sounds like a more pernicious security hole than that about which the author is writing....
> and log in information and store it deep in the program code.And the point is .... ?
> Well, all previous versions, whether you like it or not, have done this > to a certain extent, but only with files you downloaded. As me and my > colleagues discovered,There it is again.
> with the new version, anytime you are signed on to AOL, any top aol > executive, any aol worker, who has been sworn to secrecy regarding this > feature, can go into your hard drive and retrieve any piece of > information that they so desire. Billing, download records, e-mail, > directories, personal documents, programs, financial information, > scanned images, etc ... Better start keeping all those pictures on a > floppy disk!Possible, but unlikely. After all, the AOL code is there on the local machine, and it is easy in theory to reverse engineer the code at least to see whether the client software could send out local data when given a remote request.
> This is a totally disgusting violation of our rights, and your right to > know as well. Since this is undoubtably 'Top Secret' information that I > am revealing, my life at AOL is pretty much over.Gee. I'd say that as soon as he was fired, it was pretty much over.
> After discovering this information, we started to inform a few other > workers at America Online, so that we could get a large enough crew to > stop this from happening to the millions of unfortunate and unsuspecting > America Online members. This was in early August. One month later, all > three of us were unemployed. We got together, and figured there was > something we had to do to let the public know. > > Unemployed, with one of us going through a divorce (me) and another who > is about to undergo treatment for Cancer, our combined financial > situation is not currently enough to release any sort or article.Never heard of the new media, eh?
> We attepted to create a web page on three different servers containing > in-depth information on AOL 4.0, but all three were taken down within 2 > days. We were running very low on time (4.0 is released early this > winter), so we figured our last hope to reveal this madness before it > effects the people was starting something similar to a chain letter, > this letter you are reading. Please do the following, to help us expose > AOL for who they really are, and to help us and yourself recieve > personal gratification for taking a stand for our freedom: > 1. Forward this letter to as many people as you can (not just friends > and family, as many as you can!)Classic hoax brouhaha.
> 2. Tell people who aren't on America Online in person, especially > important people (Private Investigators, Government workers, City > Council)... about an unconfirmed rumor, thereby lessening our reputations unless it proves to be true.
> 3. If the information about the new version isn't exposed by the time > aol is released early this winter, for your own protection, DON'T > DOWNLOAD AOL 4.0 UNDER ANY CONDITION !!!Well, that may be good advice -- I wouldn't recommend AOL to anyone who has access to U-M stuff, and probably not to anyone else either.
> Thank you for reading and examining this information. Me and my > colleaguesThere it is AGAIN!
> hope that you will help us do the right thing in this situation.Ok, time for me to make a decision on this, I suppose. The right thing, in my view, is to consider this a hoax:
2. It's a news posting just made today; looking at DejaNews, I see it only at alt.romance and rec.sports.gambling -- not exactly newsgroups known for computer-savvy users, though I'm sure they have their share. Certainly there are more germane places to post, though this may be merely a matter of newsgroup propagation.
3. It targets AOL users -- again, as a class, not a group of sophisticated computer users.
4. It was posted to the different UseNet groups under different email addresses; one is confusedom@aol.com (Confused them?). This person has posted exactly 2 posts, according to DejaNews, the other being "The ULTIMATE Seduction Method for Men" which, in my analysis, looks a trifle unlikely to succeed:
"6. Make a lot of money, dress well, look good, and turn down every
woman who approaches you....UNTIL you have the woman of your
dreams doing it.
"When she does give in, just say "Strip Now." Then command her as
if she were your toy.
"Probability of success: 100 percent."
I don't think I'm likely to believe much this person writes....
The other poster's address is the12thrse@aol.com (The 12th Ruse?), and s/he has posted only this, ever.
> Enjoy America Online (just kidding!). > Regards, > A former AOL employeeYeah, right.
I hereby dub thee a hoax.
-BPB
----- End of email -----
If someone forwards this to you, PLEASE don;t send it to all and sundry. Instead, you should reply to the sender -- and as far back up the email chain as you have energy -- informing the originators that this is a hoax. I suggest that you provide a pointer to this URL (http://www.umich.edu/~virus-busters/hoaxes/aol-privacy-invasion.html) or to another reputable site, like DataFellows (leaving our site).
-BPB
visits to this page since 11 October, 1997 4:24 EDT