tim,
"No so I'm not sure how it's corrupting the system now"
the following is excerpted from fred langa's winmag.com column, and i'm sure, given what i've just read of your situation, that this will prove to be interesting reading to you. he delves into the deep problems inherent to 5.0, and how they have carried over to 6.0. the reading on 5.0 probably sheds a greater light on the damage caused by 6.0....
*********************************
"AOL6: Deep Impact
About a year ago, I tried AOL5 when it was new. But I ended up reformatting my hard drive after the AOL software made myriad clumsy, undesirable, and irrevocable changes to my system. I wasn't alone: AOL5 generated a tsunami of user complaints and even class-action lawsuits. The software had the unwelcome habit of destroying connections to other ISPs, leaving the users able only to connect to AOL -- if they could connect to anything at all. Then and now, AOL5 seemed to me to be an amazing example of poor product design and sloppy or even incompetent coding.
Although AOL5's destructive system changes could be undone, the process was too complex for many of the "newbie" types who were lured to AOL by ads promising simplicity and ease of use. In fact, AOL5 ended up creating a cottage industry of people who specialized in restoring AOL5-damaged systems. And it was just as well: The AOL5 software developed such a reputation for degrading otherwise perfectly good setups that some ISPs and system vendors came to refuse to offer tech support to anyone who installed AOL5: If you installed it, you were on your own. (I covered the AOL5 software in two columns called AOL 5.0: The Upgrade of Death? and You’ve Got Problems, AOL.)
There is good news about AOL6. It is in fact a better product than AOL5. It's far less aggressive in changing preexisting networking settings, and as such, should cause fewer problems for users who want to retain connectivity with something other than just AOL. And AOL6 does a much better job keeping its own files separate from Windows' system files than did AOL5; this probably also will help improve the stability of systems running AOL6. The software downloaded and installed smoothly, running the first time I tried it -- in stark contrast to my horrific experiences with AOL5. In operation, the new software consumed 7 percent of system resources, not a huge amount.
But AOL6 is still a beast -- it's a 28MB download -- and it still retains some of AOL5's ham-handed approach to networking. In fact, it created new complexities and insecurities, as this table shows:
Original Baseline Win98SE Networking Setup | Original Setup Plus AOL6 | Original Setup Plus MSN Explorer
--- | --- | ---
Client for Microsoft Networks | no change | no change
LAN Adapter (Physical NIC) | no change | no change
IPX/SPX-Compatible Protocol -> NIC | no change | no change
TCP/IP (secure set up) -> NIC | no change | no change
File and Printer Sharing | no change | no change
 | added: Dial-Up Adapter | added: Dial-Up Adapter
 | added: TCP/IP (secure) -> Dial-Up Adapter | added: TCP/IP (secure) -> Dial-Up Adapter
 | added: Dial-Up Adapter #2 (VPN Support) |
 | added: TCP/IP (SET UP INSECURELY) -> Dial-Up Adapter #2 |
 | added: IPX/SPX-Compatible Protocol -> Dial-Up Adapter #2 (VPN) |
 | added: Microsoft VPN Adapter |
 | added: NDISWAN -> Microsoft VPN Adapter |
 | added: AOL Dial-Up Adapter |
 | added: TCP/IP (secure) -> AOL Dial-Up Adapter |
 | added: AOL Adapter |
 | added: TCP/IP (secure) -> AOL Adapter |
resources available when online & browsing winmag.com home page: 88% | resources available when online & browsing winmag.com: 81% (7% reduction) | resources available when online & browsing winmag.com: 83% (5% reduction)
Look at all the, er, stuff that AOL6 layers into the networking setup. (And remember, this was a machine that already had full, secure Internet connectivity before AOL6 was installed!)
AOL6 starts with a minor change: Like MSN Explorer, it installs an unnecessary Dial-Up Adapter, and then binds the TCP/IP protocol to the new adapter, correctly not enabling "File and Print Sharing" for that adapter and protocol.
But AOL6 then adds four more adapters to the system: An AOL Adapter, an AOL Dial-Up Adapter, a second Dial-Up Adapter for VPN (Virtual Private Networking) support, and a Microsoft Adapter for VPN (we'll come back to VPN in a moment). It then binds various protocols to these adapters in a very uneven way:
The AOL Adapter and the AOL Dial-Up Adapter both get TCP/IP, and correctly do not get "File and Print Sharing" enabled. Dial-Up Adapter #2 also gets TCP/IP but in that case "File and Print Sharing" is enabled -- a potentially huge security hole. Worse, AOL binds IPX to that adapter, creating a potentially dangerous cross-link between the normally internal LAN protocols and the normally external Internet protocols. (For maximum security, you normally do not bind internal networking protocols to a Dial-Up adapter -- binding internal and external protocols to the same adapter can make it easier for someone on the outside to get into your system or LAN.) AOL6 then finishes by binding yet another protocol, NDISWAN, to the VPN Adapter.
Most of the above weirdness seems to be directly traceable to AOL's use of VPN technology. Generally, a VPN is used to connect scattered components and resources to a LAN, and/or to each other, via another network. For example, an enterprise might allow telecommuters or home-workers to connect to the main corporate LAN, and to each other, by creating VPN connections over the Internet.
A VPN is called "Virtual" because there's really no physically separate network; it's called "Private" because it allows only authorized users to participate, and hides the public portions of the transmissions via means such as heavy encryption. (Because the encrypted VPN data passes "beneath" the normal public Internet, the technique is sometimes called "tunneling.")
But why is AOL using VPN? Why did AOL set up a VPN connection on my system with Print and File Sharing enabled; why do my files need to be accessible to the AOL side of the connection? Why did AOL set up a VPN connection on my system in such a way that my supposedly local IPX packets would be bound to the externally-accessible VPN adapter?
Right Hand, Meet Left Hand
I went online to AOL's Help areas and FAQs but could find nothing on its use of VPN. I tried the live online tech support, but it wasn't working; the help screen there said there was most likely a "problem with my browser" (I was using the just-installed, integrated browser inside AOL6). I tried the "live help" from AOL volunteers; I waited and waited, but no one attempted to answer my questions about VPN. I then called AOL's tech support phone lines and eventually spoke with a friendly technician who had never even heard of Virtual Private Networking, and had no idea why AOL6 installed it, what it was used for, or what the security implications were.
He tried to dig an answer out of his database (no dice) and then queried his fellow techs: One there provided the unhelpful answer that AOL "needs VPN in order to connect." Gee, thanks for that clarification.
I don't want to get carried away: This column isn't about VPN. If you want more information on that technology, Microsoft has a good white paper on VPNs called Virtual Private Networking: An Overview (msdn.microsoft.com). Byte.Com also has a good article on VPNs here: byte.com
But this column is about AOL6 -- and for the life of me I can't figure out why it requires VPN technology, or why AOL wants access to my local LAN protocols, or why it wants access to my files.
And when I said AOL "requires" VPN, I meant it. As a test, I tried stripping out the VPN stuff: AOL wouldn't run until I reinstalled them.
However, I was able to get AOL to run after modifying the VPN components to improve their security. For example, I unbound IPX from the second Dial-Up Adapter; and likewise disabled Print and File Sharing for that adapter. AOL6 ran without complaint, which suggests that AOL's default VPN settings are probably incorrect. I wish I could say I was surprised.
I'm guessing that my modifications probably helped improve my security. Alas, I can only say "probably." With no explanation on why AOL needs VPN, it's hard to know what it's trying to do with it, or why, or what the security implications are, or what you can do about them.
Worth it?
AOL6 took a perfectly good, secure, five-element networking setup and changed it to an insecure 16-element networking setup. Worse, it installed an unusual technology for reasons unknown and unexplained. Worst of all, AOL made no mention of any of these changes: I only found them because I went looking for them. My guess is that most users never would even notice that AOL had made major -- and potentially very unsafe -- modifications to their networking setup.
It's bad enough to add complex components to a system without offering so much as a clue as to what's going on or why; but when the installation is done sloppily and insecurely, I tend to lose confidence in the software as a whole.
Furthermore, if, like me, you believe the adage, "The key to system stability and security often lies in avoiding needless complexity," then you'll see why I dislike AOL6: It's very complex, and demonstrably poorly implemented. There is simply no way that layering in this much extra stuff, of unknown purpose, can possibly help make your system run better.
And if, like me, you're very careful about your online security, you'll see why AOL6 makes my neck hair stand up. If AOL wants potential access to my LAN traffic and my files, it had better give me a much better reason than "it needs it to connect."
AOL has its ardent supporters, and if you're among them, that's fine. But be aware of what it's doing to your system, and take steps (such as those I did, above) to at least attempt to close the larger security holes that this software appears to create.
For me, it's just not worth it. If AOL5 was "The Upgrade Of Death," then AOL6 is "Death Warmed Over." winmag.com
**********************************
two more informative langa aol columns....
You’ve Got Problems, AOL winmag.com
AOL 5.0: The Upgrade of Death? winmag.com
:)
mark
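
An added example, not part of the post above or of Langa's column: a small Python audit that diffs the binding inventory from the column's table against the baseline and flags the two conditions the column calls out (File and Print Sharing on a non-LAN adapter, IPX bound to a non-LAN adapter). The inventories are constructed from the table; the sharing state on the LAN IPX binding is an assumption, and `harden` generalizes the column's manual fix on Dial-Up Adapter #2 to every external adapter.

```python
# Added example: binding inventories transcribed from the column's table.
# Key = (adapter, protocol); value = True if File and Print Sharing is enabled on it.
INTERNAL_ADAPTERS = {"LAN Adapter"}      # the physical NIC
LAN_ONLY_PROTOCOLS = {"IPX/SPX"}         # internal protocol per the column

BASELINE = {
    ("LAN Adapter", "IPX/SPX"): True,    # assumption: sharing served over the LAN protocol
    ("LAN Adapter", "TCP/IP"): False,    # "secure set up"
}
AFTER_AOL6 = {
    **BASELINE,
    ("Dial-Up Adapter", "TCP/IP"): False,
    ("Dial-Up Adapter #2 (VPN Support)", "TCP/IP"): True,    # "SET UP INSECURELY"
    ("Dial-Up Adapter #2 (VPN Support)", "IPX/SPX"): False,  # sharing state not given
    ("Microsoft VPN Adapter", "NDISWAN"): False,
    ("AOL Dial-Up Adapter", "TCP/IP"): False,
    ("AOL Adapter", "TCP/IP"): False,
}

def added_bindings(before, after):
    """Bindings present after the install that the baseline did not have."""
    return sorted(set(after) - set(before))

def audit(bindings):
    """Flag the two conditions the column calls out on non-LAN adapters."""
    findings = []
    for (adapter, proto), sharing in sorted(bindings.items()):
        if adapter in INTERNAL_ADAPTERS:
            continue
        if proto in LAN_ONLY_PROTOCOLS:
            findings.append((adapter, proto, "LAN protocol bound to external adapter"))
        if sharing:
            findings.append((adapter, proto, "file/print sharing enabled on external adapter"))
    return findings

def harden(bindings):
    """Apply the column's manual fix: unbind IPX and disable sharing on external adapters."""
    fixed = {}
    for (adapter, proto), sharing in bindings.items():
        external = adapter not in INTERNAL_ADAPTERS
        if external and proto in LAN_ONLY_PROTOCOLS:
            continue
        fixed[(adapter, proto)] = False if external else sharing
    return fixed

if __name__ == "__main__":
    for b in added_bindings(BASELINE, AFTER_AOL6):
        print("added:", b)
    for f in audit(AFTER_AOL6):
        print("finding:", f)
    print("after hardening:", audit(harden(AFTER_AOL6)))
```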