I think the one of the most interesting and overlooked stories about the AOL era, is how the warez scene used bots and AOL's mail system to host every piece of pirated content for years.
Similar to IRC channels with bots that provided lists of available content and used DCC to transfer compressed files in small chunks -- these were still the days of 9600-56k, so transfers larger than floppies were often doomed to fail -- AOL private rooms would be filled with bots that would respond to requests and send files. The difference being that the AOL bots would email a list of available content, which could be a paginated list across multiple emails, or results for a specific search query. Then you would type another command into the chat to request a specific file or release, and the bot would forward you a series of emails with <1.4MB attachments (the maximum size at the time), already stored on AOL servers and ready to download at whatever speed your modem could handle.
It took AOL a long time to catch on to this, and even then, they couldn't keep up with the sheer number of fake accounts being created -- or, as the article points out, accounts made with phished credit cards, of which there were hundreds of thousands floating around and a never-ending supply of new ones as AOL's userbase grew. They effectively hosted the warez scene throughout the 90s, until residential broadband became available and 10-100mbps was common in places like Sweden and Singapore, at which point the scene shifted to IRC and self-hosted top sites (i.e. private FTPs).
It was a remarkably simple solution to a hosting problem, and the folks who organized it all will never get enough credit for their contribution toward creating a generation of graphics experts, for example, who couldn't afford the crazy prices of Photoshop or 3ds Max, but were able to use pirated copies to develop those skills and turn them into careers.
To expand on this a bit, when you mailed an attachment on AOL, it would upload and be hosted on their servers. So when you forwarded that email to someone, the download was just a pointer to the original location on their servers. Warez groups would recruit people for positions likw uploaders with strong connections who would just send tons of mail with attachments (to themselves I think). Then the progz/bots, called Mass Mailers (MMers) would sit in a private chat and wait for commands.
Sending the `/list` command in chat would result in one or more emails with lists of software, usually split up to reduce file size. If I were looking for PhotoShop, I might see something like:
[400] PhotoShop 4.0 (cracked by Foo) 1/4
[401] PhotoShop 4.0 (cracked by Foo) 2/4
[402] PhotoShop 4.0 (cracked by Foo) 3/4
[403] PhotoShop 4.0 (cracked by Foo) 4/4
I'd then send `/send 400-403` in the chat and in a few minutes I'd have four forwarded emails containing a portion of an archive. You'd do this for a bunch of stuff and then when going to bed, let AOL's download manager download everything overnight. AOL did more for the WaReZ scene than anyone else in the mid-to-late 90s.
Actually the most overlooked things about AOL is about how their internal network (Merlin) got breeched through social engineering by a 14 yr old and did not have a clue about it for 5 years. Merlin is their tool that they use internally for their entire customer database and had a RAT installed that allowed people to create admin accounts, view peoples credit card, addresses, names and also allowed people to terminate accounts. AOL had 34 million paying users at this time.
I do not believe there was a RAT installed, I think that was just some not entirely true bragging you heard. rather it was ints(internals) that were in on the game and/or tunnels. Merlin lived inside a LAN, to get to it you’d need to break an SSID account which was always a clever trick. Same trick, 20 years later, can still be used to this day to bypass every MFA mechanism I know presently(aws, BofA, etc), if you are smart. The other option was to install a rat(sub7 was a good one) on an employees home machine and then tunnel through it to AOL when they were logged in with an ssid. Which then allowed you to invoke the forms you needed to do things that normally only employees could do.
You ever wondered why so many l33ts were from Virginia? They were using mom and dads int accounts when they weren’t looking to lookup account info, then have a friend call in to reset the passwords. Installing a PWS on one of those home PCs was priceless, as you always have the employees password.
Any source for this? Interested to read more. I feel the whole AOL saga would make a great Netflix documentary series. Lots of interesting wrinkles, like the acquisition of Winamp.
I don't have a source but in my Technology specialized HS a classmate came in with a THICK looseleaf ringbound book filled with Names, address, phone and credit card info. Each sheet was in tiny print and absolutely filled to the brim. I'd have to guess there were easily over 500 pages print front and back. He said it was from AOL hacking. I was just noob playing with the AOHell prog and didn't really utilize the app for anything more than "busting" into Lobbies that were full.
Those were just text files showing form submissions from fake billing(phishing) pages. I’d guess.
If it wasn’t a “non”(a cc never used at AOL before) it was low value, credit cards were a dime a dozen back then. Only Nons were really high value to ao-hackers. Or cards with the bank phone number, from the back of the card, so you could find out how much available credit they had.
Phished credit cards? For a long time a silly credit card generator got past whatever simple
check was performed when an account was created, allowing you access for a week or so until I guess an actual charge attempt was made. (This must have been around 1994 or 1995).
Heck, you didn’t even necessarily need a credit card in the earliest of days, when AOL (as well as EarthLink and CompuServe in fact) still let you pay using bank routing details. As long as the routing number was tied to a bank the service could lookup, it would take whatever account number you gave it and you were on the web!
I won’t say how I learned this, but maybe the context clues will fill you in on how it ended when six months into discovering the internet for the first time, my family got a visit from the local PD and some gentlemen from “a government office down state”.
I was 13 at the time. Not much came out it but some very strong words from a local magistrate, who ultimately showed clemency and dropped the affair with orders that I remain “off the web” for a year.
My father on the other hand…was not so eager to let that one go, heh.
I was in a similar situation in the mid 90's when I was 13 and wanted to get online but wasn't allowed to. I ended up finding a loophole in where if I launch the Prodigy installer from the CD, it would dial up to the Internet to get a local list of servers. I found that I could minimize the full screen installer and could use Internet for about 10 minutes before it kicked me off. I could only do this when my parents were not around and I had to constantly run a long telephone cable to their room and unplug their phone as that was the nearest jack. That worked for good while. :)
Got tired of burning through free trial AOL CD's and decided to "borrow" the username and password from Windows 95 Dial up networking provider at local high school.
Went home and war dialed that local prefix (next city over) until I found the carrier number.
My story was being a 10 year old in the mid-90s and dialing up the Apogee BBS using a number displayed in some shareware game's splashscreen. Turns out that hour-long call to Garland Texas (from Toronto) resulted in a really hefty phone bill, which I was asked to help out with since I had a paper route at the time.
I learned a similar lesson about the difference between LATAs and area codes around the time AOL went to unlimited.
All of the Toledo numbers were constantly busy, so I tried other "local" numbers and ended up discovering that the Findlay number would usually answer. I set that as the default and thought nothing more of it, while all of us used it for hours a day.
The phone bill that arrived at the end of the month was quite large.
> I was 13. Not much came out it but some very strong words from a local magistrate, who ultimately they showed clemency.
Same thing happened to a friend. After that, I got into music and developed a more "healthy" approach to the internet... using it to learn about synthesizers and download the occasional cracked plugin.
Back in the 90s, gas station pump receipts still printed the full credit card number on them. Usually when you found one left behind, it was a corporate gas card that was useless.
But occasionally you'd find someone who left behind their Visa or Mastercard number.
Even in the early 2000s this was a thing in some places. I remember working at a store that printed the full CC# on the customer's receipt. As an employee, it would've been ridiculously easy to steal credit card information. You could just print a second copy of the receipt after the customer left.
This was especially workable in small towns, even back then you still need the zip code to pass validation, which small towns usually only have one of.
It actually went the other way with AOL. In the early days you could use generated credit card numbers and account would last up to a week. Then they started checking numbers so everyone switched to fake bank accounts. Those accounts typically lasted 2-5 days.
That saved my ass. Had been on AOL for a month or so, by stealing my dads CC number out of his wallet. Just happened to look at what the bill was going to be and it was something stupid like $400 (mid 90's dollars, so like a grand today).
I quickly found a fake CC generator and updated the CC. I was panicked for about a week..but he never found out. It never hit his CC, and then I was changing the CC every couple of weeks whenever I got a warning.
Yeah; GitHub is orders of magnitude better than Planet Source Code ever was, but the high of posting your sick new vb5 BAS with “A+++++++++” in the title and getting all the gloves isn’t really the same today.
Also, irc and newsgroups were amazing back then. I was just talking with some friends in discord about our days with mIRC scripts, in particular Invision 2 and Excursion.
I feel like AOL scripting was this weird subculture of teenagers who did VB vs the slightly older generation with their perl / C and Linux tinkering. I didn’t personally get into FreeBSD until FreeBSD 4, and I felt kinda late to the party. This was around the time, for me, when Knoppix was cool and the world outside of Windows felt magical.
Now, two decades later, instead of being some FSF dreamscape, sleep states and hybrid graphics on laptops cause problems across Win, Mac, and Linux, haha.
My only fear is maybe our generation of hackers are old now and cryptocurrency is the place where the naughtiness is happening and we don't take it seriously because we are older.
I never used AOL. It just seemed dumb to have that abstraction layer to the internet when other providers just went straight to the web. AOL keywords drove me crazy hearing radio ads "use AOL Keyword _____".
Instead of this bot driven email, I made use of the alt.binary.mac.applications and similar newsgroups.
But this email system you describe sounds exactly AOLish version of newsgroups. A way of holding someone's hand while the powerusers just went straight to the source.
In the US, one of the key things that Prodigy (remember them?), AOL and some other providers had was that they had a lot of "local" phone numbers instead of "long distance". This meant that your connection was a single charge and didn't rack up with time. That was a BIG deal.
In addition, email addresses were still sufficiently uncommon and hard enough to get hold of that people were using "unmentionable" means to get them even up to about 1994 or so.
Outside the US there was Infovia from the Telefonica ISP which was pretty much the same as AOL.
Local, isolated nets and no flat rates until 1999 or 2000.
AOL wasn't an abstraction layer to the internet, it was its own online service.
To get on the actual internet, you had to wardial the telephone exchanges and happen to luck upon an unsecured university dialin server, from which, if you had a printout of IP addresses from a book or BBS, you could telenet to other servers to use gopher, ftp, irc, MUDs, etc. All plain text mode of course.
AOL on the other hand was a lot more user friendly and lively, just dialin with a graphical interface and tons of groups, chat channels, games, etc. just right there.
It wasn't until the internet was finally opened up to the public in the late 90s that AOL added an abstraction layer over the internet. Even then, it likely had all types of modem available, where, for instance, I tried IBM's ISP but it used modems that were incompatible with the modem that came installed in my IBM PC.
> 10-100mbps was common in places like Sweden and Singapore
Oh yeah, I remember sometime in the 90s talking to a Dutch guy that had a 6/6 SDSL connection and ran a server in their own home. I thought he must have been a billionaire but was blown away to discover they worked on assembly line.
this was how I got into programming. got my first copy of Frontpage off one of those Warez rooms and put my site on aol hometown. it was animated gifs and NES roms. sponsored by cyberthrills(?) casino. surprisingly I never got a payment lol
Fortune City for me, eventually convinced my dad to pay for a boxed copy of Macromedia Flash 4 and a real hosting account with front page extensions. I think it even did PHP, which led to lots of messing around with every PHP CMS under the sun, including a lot of time with PHP-Nuke.
I never really figured that every hour spent messing with all that would translate into so much more value than any of my school work. The scope of our computer courses at school was basically touch typing and MS Office 97/98.
JS snow was top-tier, as were flashing holiday lights with transparent backgrounds around the site for the holidays. Bonus points for midi choons.
It was truly a lit time when you could control browser window size and position on the desktop from within JS, even eject the CD ROM! Free cup holder JS jokes freaked out the older folks. So good.
There were even hijacked AOL keywords with warez. The internal site builder had a simplistic BBS forum type thing, I remember one of those being used to link files. Very convenient!
IRC was always the source of these files. The uploaders would go on irc and Usenet then use winrar to split them into mail attachments. AOL was just a distribution model to those that didn’t know how to use IRC. But it certainly didn’t come after, it was there long before and during this era.
A lot of the fileserve bots on IRC were hosted on rooted international and .edu boxen.
So essentially we should thank all the inexperienced Linux admins of the early 90s for having so many easy to compromise machines on unmonitored networks and then forgetting about them. ;)
AOL OH accounts with no rate limits on chat sends, were the most fun. You could essentially dos whole rooms offline. calling AOL to get mail rate limits lifted was always fun too, explaining why you needed unlimited sending throughout. It was also interesting how many AOL employees were in on the game too, specially once people started paying for names.
The year was 2003 and I was in my second year of CS undergrad. I saw a cool utility in AOL instant messenger that recorded the username of every user that looked at your profile. I cloned it and added it to my profile. A few of my dorm mates liked it and asked me to put it in their profile. Even more people came asking and I made a simple website (buddytracker.us) where you could add the utility to your profile. I did no marketing but every profile using buddytracker had a hotmail like link to get your own profile tracker. The first month I had 30 users, the second 500, the third 5000, then 50000. The following year 3 million people had added a profile tracker. It was a life changing experience allowing me to pay off my student loans, travel and take a non-traditional career path. I work on side projects to this day and AOL is where I got my start.
At the time there were websites where you answered surveys for a chance to win an iPod. Questions like Burger King or McDonalds? Etc. They paid $0.50 for each user that started a survey and $2.00 for each completed survey.
Oh jeez. Installing PS1 mod chips for friends and coworkers is what leveled-up my soldering skill.
I never accepted money for it, initially did one just for the challenge. Then when word got around work, I had a bunch of well-placed people who owed me favors. Good times, good times.
If anyone is interested, I have an archive of a lot of AOL progs[0].
These got me into programming and I made a couple of my own that are now completely lost to time.
ccoms (chat commands) were my favorite. The program would scan the chat and when you sent a command, it'd do whatever you asked and send a response back to the chat for everyone to see. Basically turning the AOL chat into a public command line. One of the more popular things people used it for was for playing pirated music. You'd send `play rammstein` to the chat, and it'd start playing a random Rammstein song from your mp3 collection.
I started writing one later[1], although I haven't touched it since 2016. It'd connect to your spotify account, instead.
Also, it seems Mark Zuckerberg was in the scene. He apparently wrote Darth Phader (a fader.) A fader would make your text in chats fade colors by injecting html to change the text color between each character. So, your text would start blue and fade to red further along in the message, then maybe go back to blue, it was all configurable in most of them.
Edit: I can't believe I left this out, but there's also a facebook group[2], Justin has a site with a lot of content about progs[3], and I recently stumbled on the AOL Underground Podcast[4].
Wow, very cool. I see at least 3 programs I wrote or helped with in the AIM section. I'll have to dig out my source code to see if any others are present. Definitely going to spin up a VM and see them run again. Thanks for this.
You're going to run into issues with ocx files. You can search around for them online, but it's a real hassle downloading them to older versions of Windows because SSL support has moved on from what Windows 95/98/ME/2000 can handle.
I've found I can either hit the download without https from the Windows box, or copy them to an S3 bucket and use an http URL to download it out of the bucket.
Unbelievable! It looks like the prog I made in 6th grade is on there. Gotta download into a VM to make sure it’s mine and not someone using the same name. I’ll update this thread when I know.
I cannot believe you have subzero on there. I'm sure there are others of the same name, but I wrote one of them. I was a huge Mortal Kombat / SubZero fan (right - down - right - high punch). I may have the source code buried on some floppies in storage.
This is amazing. Just the other day, I was thinking about how the AOL progs scene set my career in motion before I even knew what software engineer was.
Your archive just gave me my nostalgia fix for the next month. Thanks.
My first "hacking" success was with an ad-supported ISP called NetZero. The app logged you on to the web and had a persistent ad-banner on the screen. If you opened a full-screen app - in my case Starcraft - it would kick you off the internet.
However, I discovered that if you killed the NetZero application at just the right time (after connecting to the network but before the ad banner was initialized), you could stay online with no ad-banner and pwn some Zerg.
Even better was that if you looked at the logs it would show the hidden credentials for dialing in. You could copy those and create your own dial up connection without using the app at all
Even better even better: the password encoding scheme was rot13 prefixed with a zero and postfixed with a one. I made a keygen for it. Completely forgot about it until this very moment!
haha, finally I hear someone else did this. yes exactly, I enabled logging of the PPP connection and pulled the creds, I remember feeling like I could do anything after discovering this.....the good days!
I used NetZero for a summer by setting up a dumb dialer machine that shared its network connection to the rest of the house. The dumb dialer autoconnected to NetZero when outbound traffic was detected and since there was no monitor plugged in no one ever saw the ads. Was a pretty simple solution for a couple broke college guys.
There was a related service around this time that basically paid you to use the internet. But they only paid you if you were actively running their banner ads. Of course, this was rife for abuse through scripts that faked your activity. I ended up writing some of my own before they went bankrupt.
I think even more than mailtools/fileservs and punters, my favorite thing about AOL progz was just being more expressive. When you hung out in TeenPoolParty13, you could be extra cool by sending text that was wavy, or mixed colors, or different sizes, fonts, etc when the actual UI didn't let you use that many options. But it let you embed HTML (and I guess UTF) so with a prog you could be more expressive, or just plain weird.
I've never forgotten how progz, Geocities, and MySpace all showed that people want to express their individuality and experiment if you give them the chance. But the boring commercialism of the 2010s internet killed the user's ability to be special.
I have an inkling of the pendulum swinging the other way. Even beyond the usual “all the nerd boys are stoked about iMacs having colours again after decades of boring grey”, there are other hints at people increasingly pushing for more self-expression online. I hope that the next Facebook is a bit more like MySpace in this regard, though that’s certainly an extreme pipe dream.
I was just thinking about progz! I miss those and cant even find any examples of them documented on the internet. Where has the rainbow color text gone?!
This could have been written about me. I remember going to a friends house one night and seeing FateX for the first time. We spent a night mass mailing people and causing general chaos online. I went home and got my hands on Hellraiser, AO Korn, Pepsi, Havok, MIB, and a slew of other progz which I cant remember their names.
One day I asked my dad how they were made and he said he had some vague idea. So he took me to CompUSA and we left with a Learn Visual Basic in 24 hours book and Visual Basic software box. I went off and started writing my own programs and hanging out in various AOL related programming chat rooms. I made IRL friends from people that were part of that scene and that I met in those chat rooms. I have very fond memories of the internet back then.
I was 13 at the time I started coding AOL progz and went on to have a career in software development because of it.
Methodus Toolz + Shit Talker Version 1.2 By Jaundice back when you could make free Skype calls to land lines. People still answered the phone and couldn’t fathom that they were talking with a computer.
I have described this world to a few people in my life recently, and look back on it very fondly.
Everyone was anonymous, everyone was crazy motivated, and it was a wild west of credit card theft, software theft, and more.
I wrote a few prolific mass mailers and servers, was pretty well known in the scene, and was only 12/13 years old.
I learned to program, create great user experiences, and more.
My servers were the first to have plain text search: /server send photoshop instead of /server send 26-40
It also hosted the lists via a PHP webapp, tracked metrics on the web across users of the app, and connected to IRC.
It was a wonderful time of chaos, rapid learnings, and intrinsic motivation that shaped my life forever. If not for this period of time in my life, I dont know where Id find myself.
Discord bots, while wayyy more of a walled garden, brought me a lot of joy from the combination of short feedback loop (very easy to make bots do relatively complex things) and large userbase of more-tech-savyy-than-average users
I hooked up OpenAI into my bot to allow GPT-3 like prompting in the servers I'm in; created a way to search for youtube videos and play them in a voice channel, and other dumb, fun things.
Making it scale seems like it would be doable, but for now I'm keeping it to the servers I'm active in
A more interesting bit of AOL era ephemera was that we used away messages as people use Twitter today. In the AOL client you could set a short message (just a few hundred characters) as an away message that others would see if they had you in their contacts. People started to constantly set themselves 'away' with messages about what they were up to, how they were feeling, etc. I'm sure this likely influenced Jack Dorsey and the other early folks at Twitter since they were growing up and using AOL at the same time.
My friend once (23 years ago) sent a wall at a local community college and had a Unix admin angrily stare at him through the classroom window. I distinctly remember him saying “if they didn’t want me to do that they shouldn’t run walld” and I couldn’t disagree lol
Good to see an article around this era of "hacking" (writing punters in VB). I haven't seen too much about it and I'd love to know if there are others.
My fondest recollection was that there was a Pokemon battling type game (Pokemon Platinum, I think?) where you could battle Pokemon over chat. The creator had hard-coded his AOL username into the binary to unlock a bunch of moves and skills. We figured out you could load the binary into a hex editing app and change the screen name - only problem was, it had to be the same length as the creator's: 9 characters. So made a new screen name, the one that stuck with me for the next 10-15 years, so I could unlock some pointless features in an AOL program. But it introduced me to Visual Basic, hex editing, and generally being interested in tinkering with computers and software.
Those literally got me started programming back in the day. The developers name was GerbilFan, I believe. There was a few different versions of the Pokemon battler app - some of them were Gym-editions (meant to be used by friends of theirs I guess?) that, if I'm remembering correctly, let their team have powerful Pokemon guaranteed. I actually learned how gradients work because of the gym-themed background gradients in the program (blueish for water, redish for fire, etc).
The punter/proggie scene definitely got me into programming. Articles like this bring such a special kind of nostalgia. It was both educational and for me at the time, it was very rebellious. My parents did not want me downloading any of these things on our family computer. My friends and I would share floppy disks of punters as contraband.
Learning Visual Basic and the open source community of .bas files was ahead of its time. The tutorials and programming guides, the general willingness to share information.
I learned how to write C++ from a random guy who went by LostSideDead. If you happen to be reading this sir, thank you for spending so much time teaching a kid how to write code. I’ve made a long career of it and I love it.
I have the prog scene to thank for some of my first forays into code. Mostly I was just decompiling existing progz, and re-skinning them and then we had a little crew that would re-release them. Not bad for 6th/7th graders. It was so much fun.
Not really hacking AOL, but I found that you could get the passwords in plain text from the Filesystem, which meant I could get around the parental controls and use it when I wanted!
Submitted it to “happy hacker” and it got in the newsletter, I was super chuffed as a 13? yr old!
Edit: I had a thing called “aol admin tools” which I have no idea if it was legit or not but could see lots more than I could normally lol
The "modal tool" I think they called it. It was accessed from a asterisk-marked drop-down menu.
T4nk by Kai, empee3 player by freeza and A.S.S. (AOL spamming system) by Mikey were my favorite AOL proggies. I remember hanging out in the private room "vb" a lot, with all the crackers and spammers chatsending their rates
For lame progz, I loved Gothic Nightmares by Masta. Every time it opened it'd play the intro to ICP's Great Milenko and just made you feel like you were some cool hacker dude lol. Mikey's VIP spammer was pretty awesome too, except he inserted his own affiliate links in every n message so he was probably making a lot of money from a lot of unsuspecting IM spammers.
I remember carding hosting, creating a site, calling it dk-online and uploading every spammer and email harvester we had, then posting a bunch of affiliate links. I think I made like $800 in AdultRevenueService webmaster referrals before the site was taken down.. good times..
Happy Hacker- that's a blast from the past I had nearly forgotten about. Do you happen to know if any culture like this still exists today? I am sure there is something somewhere, but it was a fairly significant part of the early internet, these days, I am sure it still exists, but it seems to be in far more obscure corners of the internet. I wouldn't even know where to start, but I would suspect discord might be hosting a lot of this type of discussion.
1. 25 years ago a 28.8k modem and Cyrix 486 with 8mb ram on AOL had better end-user performance than today’s most popular web apps. There is still no mass-market equivalent to the appeal of those chat rooms. Technology will never defeat latency bloat of tracking hooks.
2. The anonymous or weakly pseudonymous internet was a superior user experience. It felt like an escape to freedom, similar to traveling to another country with chosen friends. The strong identity internet feels like surveillance more than escape. It leads me to believe that ‘the metaverse’ will always suck, not matter how good the technology gets.
3. What killed AOL? They had two separate generations of internet dominance, first the entire stack, and then with messenger after the ISP disruption. A company that can lead a massive growth industry, and then pivot to a successful product after their own disruption seems like a solid blue chip. I know what happened, they started focusing on old incompetent subscribers by giving them a familiar interface poorly replicated on the browser. But how? Who thought this was a good idea?
DSL and cable killed them. I had aol until the cable company offered high speed and by that time I wasn’t really using AOL as a client as I had moved to Linux. My parents still used windows and had no problem just using Netscape/IE or whatever since the browser had by then become the killer app.
My take is that the independent dial-ups killed their ISP business long before cable (1996). Then came their $2/mo IP-only service, which was okay, but slow to develop new features. Then came the AIM days, which seemed to dominate an entirely new epoch of the internet, the P2P era, although nobody was making profit. Next was the cloud/advertising/platform epoch, and they disappeared. No effort at all to win that market, develop something new, or to extend the relevance of AIM by integrating with social platforms.
If I had to guess, I’d say that Time Warner destroyed their investor appeal. Wall Street was ready to fund 10 years of internet innovation losses, but not for old media. Throwing away investor money like that is just shockingly obtuse, had to be a decision made by a hostile board that was taking a cut of the merger.
If someone built the same featureset as AOL had, I bet it would be faster today. I remember massive annoying delays, computers freezing and crashing, not to say anything about download speeds.
I think our memories of the past are rosy, plus they are not making a direct comparison. IRC chat programs are pretty snappy when they have feature parity; Slack is bloated because it does a whole lot more than AOL Chat.
Whether you like the features or want to pay for them with the decreased performance, that's a different issue that I have no opinion on.
If I recall correctly, the primary method of "punting" was to send an instant message with a bunch of unclosed HTML tags, which the client's renderer wouldn't be able to handle and would crash the AOL application.
The unclosed tags were one method, and the other was applying a different formatting to every character. Even one or two messages of maximum length was enough to crash the client.
An IM with repeating <h1><br> tags until you hit the character limit was good for about 30 seconds of lag/freezing on the Mac client. 10 of those in fast succession would pretty much make you have to restart your computer.
I looked further and found each cipher was simply doing a
character offset, meaning each cipher was a Caesar Cipher.
The offsets were 70, 97, 116 and 101, respectively. If you
look up the corresponding ASCII code for those numbers, you
get the word “Fate”. I tried out this new decoding strategy
and was able to successfully decode a directory of MaGuS’
files. I had broken the code! MaGuS was using what is known
as the Vigenere Cipher, and for that particular directory,
“Fate” was the pass-phrase.
I recently rewrote the code in Javascript just for fun. I'll have to post it somewhere someday.
---
Tangentially related, I once stole a 4-character AIM screenname from someone who infected a computer at my school with some backdoor. I found his IP address via `netstat`, and then was able to access his C: drive because Windows File Sharing was turned on with anonymous access. I guess he didn't even have a firewall to block the port. I copied his registry database, and decrypted the AIM password and changed it. He got it back by using AOL's password reset by email tool.
This one is definitely a nostalgia blast. As a 15 year old kid, it was very empowering to discover what you could do to programmatically bypass rules that were apparently in place for everyone else to adhere to.
There's still mirrors of AOL-Files on the web somewhere. I was looking at my profile I submitted to their "AOL People" directory back in '98 not too long ago
I was expelled from school for having a website where I listed downloads of all the AOL tools I could possibly find. There were thousands... The school network administrator somehow found my website and decided that these AOL tools were being used "to hack the Macintosh network and slow it down". I protested to the school principal that they were completely unrelated, but as a 13 year old interested in hacking, I didn't have any credibility. That followed me around on my permanent record and other schools treated me like a criminal.
Joke's on them, though. I learned to teach myself everything (since they refused to), dropped out of school, and got a job at a start-up. Don't stay in school, kids - hack for fun and profit!
This reminds me of how ignorant most adults & teachers were back then about the internet.
When I was in 10th grade (~1995) my high school had a new class called "U.S. History with Internet". Kudos to my school for trying to include the internet in the curriculum, but what it amounted to was 3 days a week of normal history class and 2 days spent in the computer lab. Ostensibly we were supposed to be doing history research on the internet, but of course we did anything but. The best part was they had the shop teacher teach for the internet days. He knew less about computers than most of us 15 year-olds. He'd slowly read directions off a paper - "Type in the U R L bar..." and we'd already be 5 steps ahead of him.
My friend got in trouble for looking at homemade bongs, but the hilarious part is that the teacher was convinced he was actually looking up bomb making instructions and that "bong" was some sort of obfuscation.
Oh to reminisce about the adventures from the days when it all began. One could power on the PC and go make breakfast all the while a script executes after boot to "dial up" the wan. From the kitchen one listened to the audible feedback of the process as the spinning disk clattered and then the dopamine rush hits as the modem is dialing up, hoping the modem pool was not overloaded. Bbs, Irc, war dialing, AOL hax, NetZero punts and all the great fun is where several nerds found their calling, this nerd included. Some things have changed for the better while some things have changed for the worse yet here we are connecting everything, secure or not.
Maybe I should write an article titled "How Lotus123 macros got me interested in programming".
I wrote such a complicated program that I found out Bill Gates was wrong: 640K was not enough for everyone. But I realized that I could divide my mess of macros into categories, save them in separate files, and then selectively import only those that were being used at the time with a "root" set of macros. I was 18 or 19 at the time. It was many moons later when I learned about virtual memory and swap space, I realized I'd implement my own version of virtual memory/swap. In a very caveman like fashion. All without messing with someone else.
It isn't lol. AOL just released search records and didn't initially redact all identifying information in the searches. They obviously got sued
Ig it's useful from an aesthetic standpoint: we all get to see the raw, unfiltered stuff people typed into a search bar at one point.
But something that would be interesting: what if this was the norm, and everything anyone ever types was public domain? Imagine if this just suddenly happened. I don't think we as a society would be able to handle it, we'd probably just try to cover it up.
Pepsi Prog was the one that led me into an AOL warez mailserver chat to obtain a pirated copy of Visual Basic 4 to try and build my own prog. At 11 years old.
I later forwarded the email with the VB4 installer attached to it to another AOL user. AOL detected that and terminated my family's account.
AOL hacks are what got me into software development. Learning APIs and writing client servers and file access was super cool. Hex editing binaries followed by patching stuff and debuggers to do memory hacking paved the way. Demoscene 64k compos will always hold a special place in my heart.
AIM subprofiles were my first foray into writing HTML, hosting web servers, and "hacking." I used a server called SmallHTTPServer to host my subprofile that I later ended up bundling into a self-extracting ZIP file. The trick was to make people think the ZIP was just photos. When you did Direct Connect to people, you could see their IP address in your command prompt. So when they opened the ZIP it started serving their C:\ drive over FTP/HTTP at a known IP. Good times.
One of the first serious HTML pages I remember editing was a clone of an "AOL InstaKiss" page that was used for phishing.
Spoofed email address sends you an email with a link to an instakiss some secret admirer sent you, you get there and are presented with a very official-looking login, credentials are logged and it passes you through to some generic instakiss card.
I didn't create the cloned page, but I did maintain a copy of it for a while.
We got a few admin-level accounts this way (various levels of admin).
Admin accounts were kinda like nukes, it was good to have some to protect yourself from other nefarious teenagers messing with your normal accounts.
Dos32.bas with Visual Basic was my first intro to programming. There was no useful search so you had to navigate through webrings to get programming tutorials. There were also networks of private vb channels where the hackers hung out, those were always fun to drop in on.
Maybe I’m looking back with rose-colored glasses but I remember Visual Basic being intuitive and approachable for beginners in a way that I haven’t seen since.
The fader text is a nice touch too, that immediately makes me nostalgic.
> Maybe I’m looking back with rose-colored glasses but I remember Visual Basic being intuitive and approachable for beginners
I think those are indeed some heavily tinted glasses. I got a job programming out of HS but took night classes to get a degree in network admin. The first programming class I took was VB (never used it before) and completed the semester project the first day, then added a bunch of extra features the next class and was asked to help teach other students because the guy couldn't keep up with everyone that needed serious help (literally everyone). Still not sure if it was because they were overthinking the structure of programming or if their thought processes just didn't naturally gel with it. Changing the way they thought about it seemed to work best
The positive was finding joy in helping them learn, the negative was the next semester in a networking course we were learning outdated tech and was asked to help again. Instead of paying the school to teach their classes, I continued to spend my work lunch in the server room with the admin guys showing me the ins & outs of networking/servers etc and I helped them with their scripting skills. Never went back to school - it was a complete joke.
Man, unless people were in this world they don't quite understand it. I miss those days, because those days sparked my desire to become a programmer. Without groups like UPS I would never have gotten hold of tools like VB at the time I needed it to as a teenager to create that spark.
This is exactly where my programming career started. I was a young kid, aged 11 or 12, learning Visual Basic 5 & 6, making UIs that were backed by coms
(I think that's what they were called?) downloaded off the internet.
I wasn't knowledgeable enough to write the coms but I could make interfaces that called the functions within them. I made little apps that let you change the chat colours and phishing apps to message people so you could appear like an AOL staff member and maybe get their username and password.
Those same chatrooms are where I was exposed to pornography for the first time. My innocence never recovered from that, but it is what it is.
Yep, idling to win out chatroom ownership when AOL reset the server. Using Tameclone to flood out clients and Uccom (or bizkit047's version of it) to take over and moderate. It was my first real move into programming and running a server in my basement.
I still have all of my source code. My only claim to fame was I wrote a program to automate the generation of ICQ accounts (which could login to AIM for botting, and were harder to ban since you couldn't setup a wildcard match for the screen names being all "random" numbers.) Apparently it was good enough that someone felt it was worth cracking my crappy copy protection.
Do you remember an old ICQ program that generated accounts with user defined numbers so long as they weren't already in use? The software was hosted on a page with quite a few other ICQ related applications. I'd love to find an archive of the site.
mIRC scripting was/is incredibly underrated, and was used for so much more than chat bots, as well. Among other things made easy, it provided a method of accessing raw sockets that allowed for basic IP spoofing, which was a boon for all sorts of inventive and mischievous behavior.
mIRC scripting was great. The first real useful script I wrote connected to babelfish.altavista.com with raw sockets around the time that came out and would scrape the HTML results from queries for realtime chat translation. Their backend was basically SYSTRAN, so it was like SYSTRAN for IRC via HTTP scraping.
Had to set the incoming and outgoing languages manually before any chat and avoid doing it in any high traffic channels, but was fine for private messaging. You had to write in a kind of simplified verbosity without expressing too much style or culture in order to have the most successful communication. That experience alone taught me a lot.
It wouldn't surprise me if someone out there had already setup some rudimentary IRC translation before ~1997 without even needing to do an HTTP request by just having a word replacement flat file, but wasn't aware of one released publicly. Didn't share it at the time, because I was concerned it wouldn't scale well if it became popular and spammed the server with requests.
Never did buy a license for mIRC and haven't really been on IRC since probably 2009 due to a mixture of Google Wave and Steam chat being sufficient, but ought to get around to that to give it the respect it deserved.
This is a flashback to some memories I had completely forgotten about. I remember getting into the 'super admin' backend of AOL back in the day. That was so much fun.
I'm with you guys here. My first program was an AOL...program. Learned how to program by copying some kids I met in private AOL chat rooms.
My first commercial program (shareware) was a legit AOL add-on (AoLOL!). Designed, built, and redesigned several times before I had the courage to ship it. Visual Basic 3.0. Used Win32 API to attach my program to the AOL toolbar (for AOL 2.5 and AOL 3.0). Had folks from all around the country send me a $14.95 check via US mail.
I was programming in VB6 (and hanging out in the vb6 private chat on AOL) in these days. I made a custom mp3 player with chat coms & feedback called 3pm, an AIM account storage utility (AIMs were like our NFTs I guess) called whorehouse (I was 16).
I had a couple of "naughty" projects at the time, that netted me some cash as well. Stated generically, automated affiliate marketing using AOL. I made about $6,000 my junior and senior years of high school, and a couple of friends did as well using my program. It was fully hands-off besides having to restart it sometimes, although the code felt like a house of cards, even to me then as a total novice programmer.
Wondering if anyone here was part of the AIM screen name cracking gig that was going on around the same time? Writing some of these crackers was one of my first experiences in programming and I also credit it with being a formative experience.
There were quite a few people who were interested in finding new methods used to brute force passwords as well as writing programs similar to what the article describes, good times
Not really a hack, but AOL provided some free web hosting at members.aol.com/~[your screen name]. When they increased the character count in screennames from 8 to 10 I immediately created some to "domain squat". My most successfully was "ikillkenny" which I used to host my mildly popular South Park screensaver website.
Grew up on this stuff. Still fondly remember the warez bots in channels that would forward emails with archives attached for pirated software, often in 1.44MiB increments since it had to fit on floppy disks.
It was a gateway for many of us into other distribution mediums for pirated software. I was part of that scene for years helping with various tasks as a teenager.
I still remember AOHell and similar tools, was interested as a kid in how the credit card # generation worked and learned about the method payment processors used to validate credit card numbers. But I was mostly interested in the punting feature, me and my friends used to spend hours doing that to each other
people confuse what it's always like to be a teenager in every generation with what happened in the world when they were teens.
"remember when everybody programmed in GW Basic?" no, that time never existed, but a certain set of people at a particular time in history got exposed to programming and that's what was available and understandable to them. In the fat part of the adoption curve for product lifecycles, that number of people can dwarf the number of pioneers who knew other languages like C, but their experience is not an accurate or detailed history of computer science.
AOL was a blip, a big, fat blip, whereby a certain generation of teens discovered computing, and while it was important personally to some people, in no way was AOL ever important, it was just froth.
Neopets for social engineering/scamming - converting "disposable" digital cameras into reusable (solder in a USB port, do...something to gain access to the memory to download files) was my introduction to hardware and firmware/software hacking and reverse engineering. Nowhere near enough of it stuck at the time, and I kinda wish I had gotten more in depth then, but ~19 years later those core interests have turned into skills...
People have pirated cassettes, VHS, floppy disks, CDs, USB drives. Some decades ago people even connected other people's hard drives into their computers.
Then people pirated over phone, BBS, LAN parties, the Internet.
Shit, there might be even people pirating shit over Ham radio.
I was just thinking about these the other day, incredibly timely HN post. The look of all these progs was always so cool to me as a kid. Would love to see some old screenshots!
I feel like the same is happening with bots in todays chat platforms. I know some kids who first got into programming because they wanted to program a discord bot.
I am so much a product of this generation, I had forgotten so much of what this article mentions, but damn, this brought it back. I remember doing the exact punting scam, along with my first and only script kiddie DDOS back then (I was maybe 8 years old, and thought Bill Gates was my bully and that Linux was going to take over the world)
Tangent, I started work on remaking "You've Got Mail" a few months ago, with an updated ethos, focusing on decentralized web.
It's weird to cry over an article so unemotional, but, that era made me into who I am today.
Progz were sort of the gateway drug to real hacking of AOL. There was a headbanger dude named Beav who archived most progs for download on his Angelfire website LensHell. There's still an archive available (https://lenshellprogarchive.com)
Progz were mostly for annoyance and were either released as one purpose programs, such as a punter to boot people offline, or a fader to color text in chat when colors were introduced, or an OH Scroller that scrolled endless text to disrupt chat (you would run these on hacked overhead aka "OH" accounts used by staff that didn't get auto-booted for scrolling). Some progs were sort of All-In-One programs where they had maybe a punter feature, a fader feature, etc. These all in one progs usually had a bunch of useless stuff like an "echo bot" or "trivia bot" or whatever. Some had more nefarious purposes like termers which were used to get people's accounts terminated. Things like punters and termers were usually short-lived as AOL would catch on to whichever method they were using an patch it.
The article talks about the open-source sharing nature of progz, and maybe that was true for the folks who lived in the vb private chats or who released their BAS files (dos32.bas was my first ever intro to coding), but many in the hacker scene were typical teenage boys who would constantly try to one up each other and prove how leet or oldschool they were...and new methods weren't always widely shared. The biggest status symbols for AOL hackers were leet screen names, like "Boss" or "Hack". Even more leet were 3chars which were the smallest amount of characters in a screen name and thus hard to get. The leetest of all were restricted names that had banned words, like "FuckAOL" or were only 2chars like "DJ", or indents like " MrLeet" since they were seemingly impossible to make.
In order to get these screen names, hackers would find ways to steal account information to reset the passwords, or use tools like Sub7 to infect users and then steal their passwords. More technically savvy hackers would exploit holes in AOL's systems such as the "sign up" page which was the source of a really famous hack in 2000. Other hackers were adept at finding ways to convince AOL to terminate an account for supposed threats. Because of this, most AOL hackers had an extensive numbers of <>< or phished accounts to avoid a rival hacker from terming you "perm" account which was usually paid for by your parents. The term phish and its associated progz, phishers, phish tanks, etc., were actually coined on AOL.
Some guys from the scene are legendary. One guy who used AOL on a Mac would often find exploits only he could use, including one where he stole pretty much every 3char name available. Rumor has it he went on to create a very popular online game where users are slithering snakes. :-)
> the "sign up" page which was the source of a really famous hack in 2000
I'm not sure if this is the same exploit, but there was an exploit where you could steal usernames from people during signup. The victim's username had to be an AIM-only account (never linked to a paid AOL account). Then with some sorcery, you bypassed the "invalid name (already taken)" UI block and the backend would make an AOL account with the username.
I stole "christ" from someone this way. Sorry, Chris T. I was 16 years old. A friend stole it from me later, and then someone TOS'd it after that (banned it using a mod account).
Random people would message the account all the time, as if it were actually God, and ask for advice. 16 year old me did my best to give well-considered advice.
> including one where he stole pretty much every 3char name available
Interesting. I think people in my friend circle were in possession of two until AIM pretty much died ('zad' and 'baz'--only 75% sure I got the 2nd one right). Guess they got lucky!
I think it was the same exploit which used free.aol.com. They had a 3-step sign up process with the first step letting you choose a name. It would validate the name was >= 3 chars in length, started with a letter, and didn’t contain banned words. Once validated, the name was stored in a hidden input value in the source of the second page. Someone saved the webpage offline so you could replace the sn variable with any name not on use on AOL. Then open it locally and go right to step 3 where you enter credit details. This let you creat indents, 2chars, banned words, and steal AIMs.
AOL would let you play wav files in a chat room that everyone, who had that file on their system, would hear. You could play the default AOL sounds like {S gotmail and everyone in the chat would hear "You've Got Mail". When someone found out you could send {S con\con or {s aux\aux, you could clear out an entire chatroom since all other chatters would get a BSoD.
There were email punts as well that would crash the app if opened. It was very entertaining as a child to punt someone on your buddy list and hear the door slam as they repeatedly tried to open an email with a too good to be true subject line.
Different AOL versions had different exploits, too. For some versions, if you sent a single IM with a font size of 9999999999999999999999999999999999999... It would lock up their whole machine and they'd soon drop offline.
my biggest sense of pride back in the day was being "unpuntable". the process was insanely simple, delete or move aol's RichText.dll file and the client defaulted to plaintext. i would also use older versions of the client (i think 2.0 and older did not support HTML).
people would try to punt me and all i'd see in the IM window are the various (and there were many) combinations of HTML tags, which i would save and use myself to manually punt others.
Similar to IRC channels with bots that provided lists of available content and used DCC to transfer compressed files in small chunks -- these were still the days of 9600-56k, so transfers larger than floppies were often doomed to fail -- AOL private rooms would be filled with bots that would respond to requests and send files. The difference being that the AOL bots would email a list of available content, which could be a paginated list across multiple emails, or results for a specific search query. Then you would type another command into the chat to request a specific file or release, and the bot would forward you a series of emails with <1.4MB attachments (the maximum size at the time), already stored on AOL servers and ready to download at whatever speed your modem could handle.
It took AOL a long time to catch on to this, and even then, they couldn't keep up with the sheer number of fake accounts being created -- or, as the article points out, accounts made with phished credit cards, of which there were hundreds of thousands floating around and a never-ending supply of new ones as AOL's userbase grew. They effectively hosted the warez scene throughout the 90s, until residential broadband became available and 10-100mbps was common in places like Sweden and Singapore, at which point the scene shifted to IRC and self-hosted top sites (i.e. private FTPs).
It was a remarkably simple solution to a hosting problem, and the folks who organized it all will never get enough credit for their contribution toward creating a generation of graphics experts, for example, who couldn't afford the crazy prices of Photoshop or 3ds Max, but were able to use pirated copies to develop those skills and turn them into careers.