Student breaches AOL security
Matt Conover, an undergraduate computer science and math major at Utah State University, who discovered a flaw in America Online’s Instant Messenger service, experienced publicity first hand.
Upon discovering the “hole” in AOL’s programming, Conover said he tried contacting AOL administration, but when it failed, he sent information regarding the “hole” and a program he had designed to demonstrate this hole, to a security e-mailing list.
He said a “hole” like this happens when the programmer makes assumptions about the input he shouldn’t have.
“The developer assumes everyone will use his product in the way it was intended, but there are always people that will abuse it [such as hackers],” Conover said.
Conover said one of the subscribers to the list was most likely an Associated Press writer who contacted him first about running a story.
The publicity snowballed from there, he said. Newspapers including The Washington Post, New York Times, Bloomberg News, Cnet, and radio stations contacted him for interviews. His story was also reported on CNN, CBS and MSNBC.
Conover said it was interesting because unlike most news, he was contacted from a national level, on down until the local level, including articles that ran in The Salt Lake Tribune and The Herald Journal.
Concerning the publicity, Conover said, “[It was] definitely too much too fast, and I found it all overwhelming.”
Conover said he learned from the experience regarding the media. He said, first off that by publishing and demonstrating the vulnerability of AOL Instant Messenger, within 24 hours AOL had it fixed.
Conover said he also learned, “Don’t say anything that you don’t want quoted.”
Conover, who began his professional career in software security four years ago for an Arizona Internet security startup company, leads a team of not-for-profit security professionals. The members of the team spend their extra time – as most hold jobs in computer security – finding “loop holes” in computer software programs which hackers would likely use to exploit and cause destruction (such as viruses).
After finding these holes, they notify others of it so the problem can be fixed and security breaching limited.
The few members of the team live in approximately 10 countries and 14 U.S. states.
“We don’t do anything for money.
“We’re not a hacking group and we avoid illegal activities,” he said.
He said what they do is help prevent people from being vulnerable to hackers. The knowledge they gain by doing this helps them in their regular paying jobs.
Conover said there is an underlying issue that through this received more attention: Full Disclosure vs. Limited Disclosure.
Full Disclosure means everyone (publicly) is immediately made aware they are vulnerable, which forces companies to make changes quickly, Conover said. With Limited Disclosure, companies keep the information within the company, make changes and never inform the public of the former vulnerability.
“This is exactly why we [team members] support Full Disclosure – this problem was fixed within 24 hours and people were no longer vulnerable,” Conover said.
“Vulnerabilities are there whether they [the public] hear about them or not and it’s good people like us are out there” to inform the public when they are vulnerable, he said.
Conover said security problems will never go away.
“We still find security problems that existed a decade ago. There is always new software coming out with security holes,” he said.
Security is often overlooked, he said.