First: When set up and run properly, Windows offers satisfactory levels of stability and security. Second: The key to system stability and security often lies in avoiding needless complexity. And third: Few Windows setups are done properly; those that are, rarely stay that way for long.

Long-time readers know that many past issues and columns have focused specifically on ways you can get your system running reliably; and how to keep it that way. Once you achieve that state -- and it's really not that hard, once you get the hang of it -- you'll achieve a level of stability that is completely at odds with most people’s experiences of (un-tuned, un-optimized) Windows. Properly set up, your system will purr along day after day after day -- perhaps even for weeks and months -- and will be all but immune to hack-attacks from online sources.

Why am I telling you this in a item that's supposed to be AOL6 and MSN Explorer? It's because of that second generality: The key to system stability and security often lies in avoiding needless complexity.

Any time you add any new software to your system, you increase the complexity of what your operating system has to deal with. Sometimes, it's worth it: Even if a new program is (ahem) less than perfect, its benefits may outweigh its drawbacks.

Other times, a new program adds so much complexity and/or creates so many problems--- immediate or potential--- that the drawbacks overwhelm any possible benefit.

Like any other application, when you add either AOL6 or MSN Explorer to your system, you'll increase your overall system complexity. But while MSN Explorer's changes are minor, AOL6 makes an almost unbelievable number of unnecessary and even dangerous changes to your system's networking setup--- some of them so bizarre even AOL's own support technicians are at a loss as to explain what's going on. (I know: I called them.). At best, AOL6's changes are likely to make your system less stable; at worst, AOL6 may render your system wide-open to hackers, crackers, and other online miscreants.

Some of AOL6's changes can be remedied *if* you know exactly where to look and what to do; other changes AOL6 makes cannot be undone at all without fatally breaking the AOL6 installation.

I'll tell you everything I found out about both AOL6 and MSN Explorer--- including how I tested them and exactly what changes they both made to my test system. I'll also tell you which of the adverse changes can be undone, and which cannot. But it's a whole article in itself, and is way too much to cram into a newsletter. Instead, I've made these tests the focus of the new "Explorer" column at http://www.winmag.com/columns/explorer/2000/25.htm.

If you're using AOL6, or may someday do so, check out the column!

Follow-up Column

In this week's "Explorer" column, I recount how AOL6 took my perfectly good, secure, five-element networking setup and changed it to an INsecure 16-element networking setup. Worse, it installed an unusual (VPN--virtual private networking) technology for reasons unknown and unexplained. Worst of all, AOL made no mention of any of these changes: I only found them because I went looking for them. My guess is that most users never would even notice that AOL had made major -- and potentially very unsafe -- modifications to their networking setup. (See http://www.winmag.com/columns/explorer/2000/25.htm)

Also, in that column, I'll show you how AOL insists on setting up a VPN (Virtual private networking) connection that potentially gives AOL access to your files and to other computers on your LAN (if you're on a LAN).

None of AOL's help systems or human support techs could tell me anything at all about AOL's use of VPN--- which is strange, because AOL has offered optional VPN services since at least version 4. But AOL6 is the first version that force-feeds VPN to you, unasked-for, and with no option to decline; and none of the AOL support people or mechanisms can explain why.

Some LangaList readers had ideas: For example,

• Steve Klimback wrote:
  Regarding the VPN technology that AOL6 is installing. First and foremost, I had a similar experience with AOL technical support wherein the technician didn't know or understand VPN technology. After pointing him to the Microsoft site and explaining it in layman's terms, he concluded that it was unnecessary and should be removed from the system. When I explained that it prevented AOL from connecting, he found that "very strange." [I] concluded that it could really only be used for one or two things:
  1. Create a secure connection to the AOL server via TCP/IP on a LAN with broadband internet access. This is done in an attempt to subvert various security measures implemented by IT staff so that a connection can be created regardless of existing firewall/proxy security services.

  2. Create a secure connection to the AOL server via TCP/IP over a modem connection.

  In my mind, not only are both scenarios pointless but they are potentially harmful (as you noted in your article). Short of that, I really cannot come up with any sort of reason for using VPN technology.

• Joel Diamond (Technical Director of WUGNET http://www.wugnet.com/ ) also wrote:

  This may explain the file sharing on the part of AOL6...

  1. AOL5 stored IM buddy lists locally, AOL6 puts your buddy lists on AOL servers

  2. AOL5 stored your address book locally, AOL6 puts your address book on AOL servers

  I figured that in order for AOL6.0 software to accomplish this change from AOL 5.0 users to AOL 6.0, they had to enable file sharing. Yeh, it's all part of AOL ANYWHERE strategy, but AOL 6.0 is mandating these significant changes in their software without telling their customers nor providing the information through it's help system, it's website, it's companion documentation, it's customer service, etc...

  As to the VPN and Printer Sharing changes instituted with AOL 6.0, that is is beyond my ability to reason why...

Because the File Sharing and VPN are installed together, one reasonable conclusion is that both Steve and Joel are right: Perhaps AOL wants to synchronize its files with yours, and is setting itself up to do so "under the covers" via VPN, without your knowledge.

But once any shared files are accessible via a network connection, *all* your shared files -- up to the entire contents of your hard drive -- may also be accessible. Depending on what security measures you've set up, it may be ridiculously easy for someone to hack in and take whatever they want from your system.

I admit this is guesswork because AOL won't or can't explain itself. It won't or can't say why it needs an ongoing live VPN connection between you and its servers. It won't or can't say why it wants access to your files and LAN traffic.

I seriously doubt that AOL is malevolent or has evil intent. But I do believe that AOL's programming abilities are lackluster at best, and thus I will not entrust my online security to them. Plus, even if AOL's intentions are completely benign, AOL6 users may well become an irresistible target for crackers who wish to try to exploit the software's needlessly complex and potentially insecure setups.

What's your AOL experience? Am I being too harsh? Click over to http://www.winmag.com/columns/explorer/2000/25.htm and join in the discussion!

Follow-up Column

In the current "Explorer" column (at http://www.winmag.com/columns/explorer/2000/25.htm ) I examined the many changes that AOL6 effects when it's installed, and (among other things) speculated on why AOL *requires* the use of an unusual, complex and potentially-insecure Virtual Private Networking setup. I had to speculate because AOL's support areas and live human help couldn't or wouldn't offer any explanation.

Then, in the last issue, I presented the educated guesses of some readers as to why AOL used so complex a networking setup. But it appears all our guesses are wrong: I heard from the Corporate Communications people at AOL; they set up a conference call featuring a half-dozen AOL execs and software engineers so they could explain why AOL6 does things the way it does. Their explanations:

--->VPN: The VPN networking lies dormant for the vast majority of users. The VPN setup is active only for people who are using AOL's own broadband services (AOL/Time Warner). For everyone else--- everyone using dial-up, and everyone connecting via other, non-AOL broadband media (non-AOL cable, DSL, etc), the VPN stuff is installed, but not used.

--->The AOL Adapters: Similarly, all the added AOL-specific adapters normally lie dormant. They're used only in cases where other means of connection fail; and then they're used as a fall-back means to connect.

-->Complexity: There are two issues here. We'll deal with the philosophic one (should unneeded networking components be installed in the first place?) later. But there's also a practical issue: In AOL5, the software was already so complex that some setups exceeded the ability of Windows to provide the needed number of connections, causing some people simply to lose connectivity. (See http://support.microsoft.com/support/kb/articles/Q230/2/33.ASP )The AOL execs explained that although AOL6 installs a far more complex networking setup than did AOL5, AOL6 correctly modifies system software and NETTRANS.INF to ensure that there's an adequate number of available TCP connections. (See http://support.microsoft.com/support/kb/articles/q217/7/44.asp )

--->Security: AOL doesn't alter or guide the Windows networking setup process at all, mainly for fear of breaking things. Instead, AOL6 allows Windows to use its defaults when the AOL software requests that the OS install additional networking components, and that's how non-Internet protocols (such as IPX) and potentially dangerous bindings (such as Print and File Sharing) can end up attached to the AOL networking additions. AOL knows that IPX and Print and File Sharing don't belong on their connections, so they filter out those packets with a server-side firewall.

--->Lack of Documentation: AOL strives for "black box" operation: "Just plug it in and go." AOL felt that adding installation options about VPN and such would interfere with the ultra-simple user experience they're trying to achieve.

--->The Rationale: AOL assumes that their users are probably non-technical; that their users are with AOL for the long haul; and that everything should be optimized to make AOL work properly regardless of what connection type the user has now or may have in the future. That's why AOL6 installs everything for everyone. Although you may not need *any* of AOL's additional networking components, you may someday sign up with AOL/Time Warner broadband, so therefore you get VPN; because DUN may not work correctly at some point in the future, you get the AOL5-style "AOL Adapters" installed now; because AOL assumes you don't know about or don't want to be bothered with security, AOL allows potentially-insecure connections to be created, but then supplies security filters on their end of the connection.

OK, that's all internally consistent: As long as you agree with AOL's assumptions, it all makes a kind of sense.

You'll have to decide for yourself if it makes sense for *you.*

As for me: I told you my biases. In the column cited above, I state that "The key to system stability and security often lies in avoiding needless complexity." Layering in all this networking stuff because some of it might someday be needed by some users seems rather, er, heavy-handed.

--> My Take:

• I believe AOL chose the wrong path by installing networking components on a "just in case they might be needed someday" basis rather than as-needed and when-needed. Needless extra complexity is never a good thing in PC setups.
• I believe that networking security should be established at the PC side of *any* outbound connection, and should not rely on a distant server to try to correct security flaws in the connection because the flaws may remain---and be exploitable--- when you're NOT connected to the server that's trying to protect you.
• I believe that AOL should tell interested users what it proposes to do to a system, a priori, and then tell those users after the fact what it actually did. (To preserve the "black box" user experience for newbies, this detailed information could be made available under an "advanced user" option at install-time.)
• And finally, I believe there's no excuse for AOL's own tech support staff and systems not to have a clue about any of the above. If you call and specifically ask about this stuff--- which is in every copy of AOL6--- you ought to be able to get an answer.

===
This item reprinted with permission from The LangaList (a free email newsletter available at http://www.langa.com/newsletter.htm), Copyright (c) 2000 Langa Consulting."
===

For more information on the Tulsa Computer Society click here