Langa: The AOL Nightmare 'You've Got Problems'The Upgrade Of Death No Matter What VersionBy Fred Langa  | | Fred Langa |
Do AOL6 And MSN Explorer Destabilize Your System? Tracking What These Major Products Do During Installation. Sweeping generalizations are often false. In this column, however, I'm going to start with three that I believe are absolutely true: First: When set up and run properly, Windows offers highly satisfactory levels of stability and security. Second: The key to system stability and security often lies in avoiding needless complexity. And third: Few Windows setups are done properly; those that are, rarely stay that way for long. Long-time readers know that many of the past "Explorer" columns focus specifically on ways you can get your system running reliably; and how to keep it that way. Once you achieve that state - and it's really not that hard - you'll achieve a level of stability that is completely at odds with most people's experiences of (un-tuned, un-optimized) Windows. Properly set up, your system will purr along day after day after day - perhaps even for weeks and months - and will be all but immune to hack-attacks from online sources. Why am I telling you this in a column about AOL6 and MSN Explorer? It's because of that second generality: The key to system stability and security often lies in avoiding needless complexity. You see, both AOL6 and MSN Explorer needlessly increase the complexity of your system setup. One of them makes an almost unbelievable number of unnecessary and even dangerous changes to your networking setup. At best, these changes will make your system less stable; at worst, your system may also be wide-open to hackers, crackers, and other online miscreants. The Tests
I clean-formatted a testbed system: a fairly plain Gateway PII/400 with 128MB of RAM. On the empty C: partition, I installed a fresh copy of Windows98SE. I set up the system's networking so it could access my LAN, and through that, my cable modem (for Internet access). I ensured that the networking setup was correct and contained no security holes, and then verified the setup's correctness with the tools at DSL Reports and Gibson Research. I then downloaded and installed all to-date "critical updates" and security patches from Windows Update. I also installed a new copy of IE 5.5 SP1, with 128-bit encryption. I then ran the Windows Maintenance Wizard and the Langa.Com "CleanAll" tool to delete all junk files from the system. I ran Microsoft's RegClean, Norton's WinDoctor, and Windows' ScanReg (with the /OPT switch) to ensure the system was set up okay, with no Registry errors. I then ran Scandisk and Defrag to ensure there were no problems with the hard drive or the files themselves. With the system in as perfect condition as I could get it, I then used Drive Image to create a byte-for-byte, sector-for-sector image of the hard drive. Working from this image, I would be able to restore the test system to the exact same starting condition for my tests of both AOL6 and MSN Explorer. This way, each program would be given a clean, perfect system on which to work; and any changes made by one program would not affect the other. Much has been written about the features and functions of the new AOL 6.0 and Microsoft's new MSN Explorer, so there's no need to replow that ground. If you need to get to speed on the basics of what these services are and what they offer, check out the Related Links in the upper right-hand corner of main article page. In my tests, my focus was narrow: I wanted simply to see what these programs did to my system's setup. MSN Explorer: Modest Changes
Refreshingly, there's not much to say about MSN Explorer's impact. It downloaded (it's about a 5MB download) and installed smoothly, with no glitches. The MSN Explorer setup program added two new elements to my networking setup (see table below): It installed an unnecessary Dial-Up Adapter, and then bound the TCP/IP protocol to the new adapter. In doing so, it correctly did not enable "File and Print Sharing" for that adapter and protocol. Thus, although it added a small measure of additional and unnecessary complexity to my system, it created no new networking security problems - a good thing. In operation, MSN Explorer consumed about 5 percent more system resources than my original copy of IE, which was left untouched by the addition of MSN Explorer: Everything worked fine in both IE and MSN Explorer. From the viewpoint of system stability, MSN Explorer's small increase in networking complexity and modest decrease in system resources should, by themselves, have no major effects. The software also introduced no discernable changes in system security at all. Although I personally didn't see anything in MSN Explorer that would make me want to use it all the time, if it does offer benefits you desire, then you probably can install and use it without a seriously negative impact on your system's operations or online safety. AOL6: Deep Impact
About a year ago, I tried AOL5 when it was new. But I ended up reformatting my hard drive after the AOL software made myriad clumsy, undesirable, and irrevocable changes to my system. I wasn't alone: AOL5 generated a tsunami of user complaints and even class-action lawsuits. The software had the unwelcome habit of destroying connections to other ISPs, leaving the users able only to connect to AOL - if they could connect to anything at all. Then and now, AOL5 seemed to me to be an amazing example of poor product design and sloppy or even incompetent coding. Although AOL5's destructive system changes could be undone, the process was too complex for many of the "newbie" types who were lured to AOL by ads promising simplicity and ease of use. In fact, AOL5 ended up creating a cottage industry of people who specialized in restoring AOL5-damaged systems. And it was just as well: The AOL5 software developed such a reputation for degrading otherwise perfectly good setups that some ISPs and system vendors came to refuse to offer tech support to anyone who installed AOL5: If you installed it, you were on your own. (I covered the AOL5 software in two columns called AOL 5.0: The Upgrade of Death? and You've Got Problems, AOL.) There is good news about AOL6. It is in fact a better product than AOL5. It's far less aggressive in changing preexisting networking settings, and as such, should cause fewer problems for users who want to retain connectivity with something other than just AOL. And AOL6 does a much better job keeping its own files separate from Windows' system files than did AOL5; this probably also will help improve the stability of systems running AOL6. The software downloaded and installed smoothly, running the first time I tried it - in stark contrast to my horrific experiences with AOL5. In operation, the new software consumed 7 percent of system resources, not a huge amount. But AOL6 is still a beast - it's a 28MB download - and it still retains some of AOL5's ham-handed approach to networking. In fact, it created new complexities and insecurities, as this table shows: Look at all the, er, stuff that AOL6 layers into the networking setup. (And remember, this was a machine that already had full, secure Internet connectivity before AOL6 was installed!) AOL6 starts with a minor change: Like MSN Explorer, it installs an unnecessary Dial-Up Adapter, and then binds the TCP/IP protocol to the new adapter, correctly not enabling "File and Print Sharing" for that adapter and protocol. But AOL6 then adds four more adapters to the system: An AOL Adapter, an AOL Dial-Up Adapter, a second Dial-Up Adapter for VPN (Virtual Private Networking) support, and a Microsoft Adapter for VPN (we'll come back to VPN in a moment). It then binds various protocols to these adapters in a very uneven way: The AOL Adapter and the AOL Dial-Up Adapter both get TCP/IP, and correctly do not get "File and Print Sharing" enabled. Dial-Up Adapter #2 also gets TCP/IP but in that case "File and Print Sharing" is enabled - a potentially huge security hole. Worse, AOL binds IPX to that adapter, creating a potentially dangerous cross-link between the normally internal LAN protocols and the normally external Internet protocols. (For maximum security, you normally do not bind internal networking protocols to a Dial-Up adapter - binding internal and external protocols to the same
adapter can make it easier for someone on the outside to get into your system or LAN.) AOL6 then finishes by binding yet another protocol, NDISWAN, to the VPN Adapter. Most of the above weirdness seems to be directly traceable to AOL's use of VPN technology. Generally, a VPN is used to connect scattered components and resources to a LAN, and/or to each other, via another network. For example, an enterprise might allow telecommuters or home-workers to connect to the main corporate LAN, and to each other, by creating VPN connections over the Internet. A VPN is called "Virtual" because there's really no physically separate network; it's called "Private" because it allows only authorized users to participate, and hides the public portions of the transmissions via means such as heavy encryption. (Because the encrypted VPN data passes "beneath" the normal public Internet, the technique is sometimes called "tunneling.") But why is AOL using VPN? Why did AOL set up a VPN connection on my system with Print and File Sharing enabled; why do my files need to be accessible to the AOL side of the connection? Why did AOL set up a VPN connection on my system in such a way that my supposedly local IPX packets would be bound to the externally-accessible VPN adapter? Right Hand, Meet Left Hand
I went online to AOL's Help areas and FAQs but could find nothing on its use of VPN. I tried the live online tech support, but it wasn't working; the help screen there said there was most likely a "problem with my browser" (I was using the just-installed, integrated browser inside AOL6). I tried the "live help" from AOL volunteers; I waited and waited, but no one attempted to answer my questions about VPN. I then called AOL's tech support phone lines and eventually spoke with a friendly technician who had never even
heard of Virtual Private Networking, and had no idea why AOL6 installed it, what it was used for, or what the security implication were. He tried to dig an answer out of his database (no dice) and then queried his fellow techs: One there provided the unhelpful answer that AOL "needs VPN in order to connect." Gee, thanks for that clarification. I don't want to get carried away: This column isn't about VPN. If you want more information on that technology, Microsoft has a good white paper on VPNs called Virtual Private Networking: An Overview Byte.Com also has a good article on VPNs. But this column is about AOL6 - and for the life of me I can't figure out why it requires VPN technology, or why AOL wants access to my local LAN protocols, or why it wants access to my files. And when I said AOL "requires" VPN, I meant it. As a test, I tried stripping out the VPN stuff: AOL wouldn't run until I reinstalled them. However, I was able to get AOL to run after modifying the VPN components to improve their security. For example, I unbound IPX from the second Dial-Up Adapter; and likewise disabled Print and File Sharing for that adapter. AOL6 ran without complaint, which suggests that AOL's default VPN settings are probably incorrect. I wish I could say I was surprised. I'm guessing that my modifications probably helped improve my security. Alas, I can only say "probably." With no explanation on why AOL needs VPN, it's hard to know what it's trying to do with it, or why, or what the security implications are, or what you can do about them. Worth it?
AOL6 took a perfectly good, secure, five-element networking setup and changed it to an insecure 16-element networking setup. Worse, it installed an unusual technology for reasons unknown and unexplained. Worst of all, AOL made no mention of any of these changes: I only found them because I went looking for them. My guess is that most users never would even notice that AOL had made major - and potentially very unsafe - modifications to their networking setup. It's bad enough to add complex components to a system without offering so much as a clue as to what's going on or why; but when the installation is done sloppily and insecurely, I tend to lose confidence in the software as a whole. Furthermore, if, like me, you believe the adage, "The key to system stability and security often lies in avoiding needless complexity," then you'll see why I dislike AOL6: It's very complex, and demonstrably poorly implemented. There is simply no way that layering in this much extra stuff, of unknown purpose, can possibly help make your system run better. And if, like me, you're very careful about your online security, you'll see why AOL6 makes my neck hair stand up. If AOL wants potential access to my LAN traffic and my files, it had better give me a much better reason than "it needs it to connect." AOL has its ardent supporters, and if you're among them, that's fine. But be aware of what it's doing to your system, and take steps (such as those I did, above) to at least attempt to close the larger security holes that this software appears to create. For me, it's just not worth it. If AOL5 was "The Upgrade Of Death," then AOL6 is "Death Warmed Over." Your Turn
What are your experiences with MSN Explorer and AOL6? Please join the discussion and share your knowledge in the Comments Section! Get rid of AOL! Sign up with OutdoorsUnlimited Today! Related Articles
Slay The AOL Monster An AOL Banned Site? Related Links: Source: TechWeb
   |
