Computer geeks, and my shiny white ass

OK, another of many computer related questions. I’m afraid the answer to this might be far too in-depth for this MB, but I’m going to ask it and hope for the best. Hope some of you insanely intelligent computer veterans can help me out. If you guys don’t feel that you can do the answer justice here, please direct me to a website where I can try and teach myself. Here goes.

First let me lay out my predicament. Between my home and work computers I get a lot of overlap in my online surfing. My company is a start-up and they are very permissive of what I use my internet connection for. Because of a bitch commute I stay late in the office and use the equipment for personal things. This is with the boss’s explicit consent, and porn isn’t a problem. So before you get the impression I’m a total lech, I’m going to get on with the technical stuff.

I run Win98SE at home and WinNT at work. The home system runs with a software firewall and cable modem, while the office setup runs on a 100baseT network plugged into a Windows proxy server and a T1. The tools I’m concerned about are AIM, mIRC, ICQ and, secondarily, media files.

All of my friends send me the typical e-mails with porn or other crude attachments and I occasionally do a little baiting or chatting on AIM and ICQ, and of course waste some time in mIRC (although less than I’d like). So knowing how everything in the world is logged, I began to wonder what information is exactly stored and started wondering if I should cover my shiny white ass a bit in case policy changes or the boss gets pissy at me. Secondarily I just wonder what embarrassing, if not incriminating, items a bored net admin could read of mine.

So, in the office setting, what volume of information can the typical net admin gather when I use AIM and IRC? Short of using a keystroke monitor, can they read my chat logs even if I tell AIM and mIRC not to save them? Does it record the IP of the other person, and what types of stuff are saved on either the proxy/network logs or on my local computer’s hard drive (for both home and office)?

What about with a .mpeg I d/l or get sent to me? If I delete it and empty my trash bin can it still be resurrected (by someone other than the FBI)? If I don’t delete it can someone track where that file came from, based on local information? What about in the proxy?

How realistic to think any of these communications could be parsed out of the tons of internet activity in the office?

Does a proxy server track what is transferred across it? Or just where it’s from and going?

Basically, do I need to worry about someone getting into the proxy servers and reading all my personal conversations? What about someone getting onto my computer and digging up the chat logs (presuming I don’t save them) and reading them? (No, no cybersex…it’s still an office)

Another nugget that this got me wondering about is a few months back I had my hard drive replaced. The old one was sent into the manufacturer for recycling or disposal or whatever. Now I imagine they wouldn’t have much trouble getting the files on the drive itself since I didn’t reformat it, but how much of my internet and general computer activity could they deduce beyond the content of the media and documents?

Sorry for the long non-specific question, I don’t know much about log files and registries and whatever else Windows saves to disk without telling me.

So the gist of what you are saying, Omni, is that you are concerned about the information your employer can or can’t see.

Well, here’s a site you may want to look at to see what your employer can or can’t see if they have similar software:

http://www.adavi.com/

Now since I am not up on proxy servers I can’t tell you a whole lot. However, even though I am not a genius when it comes to computers, I don’t think you should have too many problems with regards to AIM, mIRC and ICQ. As long as you aren’t keeping logs I don’t think that your employer should be able to access your communications. Most are server based outside your company.

Also, if you are accessing personal email (presumably via a web based email server) then you shouldn’t have too much to worry about. I can access my personal/business email from my email client at the office (although I use the web based system instead and recommend anyone else to do so.)

If you download a file and delete it then empty the trash can you should be in the clear. This is provided they aren’t tracking your system like the above software site I mentioned.

That’s my 2 cents.

A proxy server could be set up to log IPs, top level domains, of what is sent across it. Websites aren’t terribly difficult to track. Basically, like techchick68 pointed out, given the right software they can probably track whether or not you’re typing with one hand, and how many times per day. (Yeah, yeah, it’s an office, but don’t you ever get lonely there late at night?) :wink:

As far as AIM, ICQ, mIRC traffic, without local logs you saved yourself on your hard drive, it’s going to be a real pain in the ass for them to get chat contents. They would have to set up a sniffer to monitor and record packets to and from the ports used for these applications. This is highly unlikely. The emails, make sure they are all web based, and none of them is sent to your corporate account. Corporate email can get backed up to long term storage, and at this point the incriminating evidence could be there for months or years. Don’t give out your work address to friends and tell them to stop using it.

I wouldn’t worry too much about what you’re doing/have done. But keep your finger in the wind.

One at a time:

They could pretty much read what you send and what you receive as you’re in the act. If they were so inclined.

A keystroke monitor on your local machine wouldn’t be necessary, as there is no doubt a packet monitor on the server, which is one of the ways they could read what you send/receive in question #1.

Can they save this to a log? Certainly…but most don’t because of the sheer bulk of the files. I don’t want to make you paranoid or anything, but it is also possible that your local machine could specifically be flagged for logging.

If they’re logging at the server level, the short answers are “yes” and “everything”. Otherwise, the info is probably just stored locally.

Understand, though, that extra and altered IPs can appear in the log, depending on the firewall/proxy in use. Also, there’ll be a lot of trash in the log because of encryption, compression, and out-of-order packets.

Heh–easily, just by using the DOS “undelete” command.

There are two methods for zotting a file beyond all hope of resurrection:

  1. Simply Defrag. This is NOT 100% reliable.
  2. Get a program such as Scorch, which overwrites and inverts any file you specify.

A single overwrite will suffice for the casual snoop. For FBI/CIA snoops, you’ll need to use multiple overwrites including an inversion process to foil these guys…

No…generally speaking, the mail with the attached file (or at least the header from the mail) would be required in order to find out who sent it to you.

Back to the paranoia thing, if they’re specifically logging you, then they could easily map your access.

Otherwise, it would be a bitch.

Normally, just the addresses. Sometimes, file names are also included…so if they see “ButtNakedBimbo.Gif”, it might catch some IT dude’s eye–better to rename it to “Flowchart.Gif” or something. :wink:

Better yet, ZIP it so that IT won’t know that it’s a GIF. Don’t forget to fix the ZIP log.

I wouldn’t worry, but I would realize that it’s a distinct possibility. It’s done frequently by bored IT personnel for kicks. Give 'em a copy of Quake to keep them occupied (trust me, it works!)

Probably not…though again, if they’re logging at the server level, it’s possible, though there will be quite a bit of trash to wade through.

Bad move.

While they really couldn’t tell who you were chatting with or all of the sites you visited, they CAN read your swap file–which could possibly be complete with some URLs, passwords, credit card info, buddy lists, you name it.

Using a deleter like Scorch to periodically delete your swap files is a very good idea (shut down to DOS, THEN Scorch it (overwrite AND invert), then power down.)

-David

No one here has yet mentioned the use of PGP, especially a real cool utility by Network Associates called PGPDisk. PGPDisk is a “virtual disk” program that allows you to create PGP-encrypted drives that can be mounted at will as any drive letter you desire.

Since my laptop has extremely sensitive work materials on it, including the entire development environment and source code for a $110,000 piece of software, I put the whole development environment in a PGPDisk, and mount every time I reboot. That way, it is pretty much impossible for anyone searching my PC to find any trace of the source code, should my laptop be lost or stolen.

Some of you know I write erotica - well, all of that is stored on another PGPDisk that I can mount at leisure as well. I also put my Outlook mail folders on the PGP drive as well.

PGPDisk takes surprisingly little overhead under NT (it works for NT/95/98). The difference between doing a complete rebuild of my calcs (2300 files, about 1.3 million lines of code, written by little ol’ me) on a PGP versus a non-PGP disk is about 42 minutes, versus 30 minutes. So a small slowdown in exchange for safety. It is also very crash-stable - I have only had 1 PGPDisk go “bad” after quite honestly several hundred crashes of NT that required a powerdown. In fact, I’ve had to install NT 6 more times than PGPDisk.

Another very cool thing - you can make your virtual disk a compressed NTFS drive on a FAT drive, thus saving tons of space and getting a small cluster size. Very neat. (Doesn’t work under 95/98 tho)

Sure gives me some peace of mind anyhow.

Thanks for all the help so far, and keep it coming, I’m actually learning something here.

Anthricite, not to sound too dense, but what do you mean when you say “mount” (all sexual innuendos are unintended)?

On the porn thing. Thanks for the advice on how to safely store those files. The input is helpful, but you can rest assured that their presence on my machine isn’t a major problem since half of the stuff is sent to me by the CEO. Same goes for the website traffic and where I’ve been. I know they can log what sites I visit and shit, but that fact isn’t really a concern. I guess my higher concern is my personal and private conversations and the routes that some of the files and chats come from. I’m not doing anything illicit (I’m a good boy) so the FBI-proof overwrites and inversions aren’t really worth my time, but thanks for the 411.

Basically I have a little paranoia that some bored net admin (it’s a reasonably small office, so I don’t think I’d have to be flagged specifically for it to be realistic that they could figure out who’s saying what) could find out what I say and who I say it to. I guess I’m just new to this whole not being a freewheeling college student or home user who doesn’t need to answer to, or trust, anyone else.

Thanks for the advice on e-mails, my e-mail traffic is fairly tame and I don’t generally use the company address for much, but if I did want to I’d definitely use hotmail.

SoulFrost, about the AIM/IRC stuff, you said they could read what is said back and forth while I’m in the act, but what about after? Secondly, does AIM encrypt this stuff at all? I’m not sure where I’d have to look to figure this out, so I’d at least make them break the encryption and sniff out the traffic if need be. Your answer differs from the others, what are you considering that they aren’t?

I’m sure I’ll think of more stuff. Thanks for the help so far, please keep any new tidbits coming.

If I recall, it is possible to intercept AIM messaging. I know I’ve seen encryption for it popping up. I think I read it on slashdot.

Your best defense is the CEO being on your side. Easy to tell which way the wind is blowing.

Outside of that, you have to realise you can be super paranoid, and have a computer that takes 50 minutes to boot simply because of all the security restrictions. Kind of like how easy it is to read all sorts of personal stuff off of someone’s browser. You can secure your browser to the point that using the web is actually impossible.

How much paranoia can you afford? :slight_smile:

Don’t worry Omniscient, if you’re afraid some 'Net admin’s gonna stumble upon your stuff, you can bet on your grandmother’s tomb (if she’s passed away) that he’s doing the exact same thing, so you actually catch him at his own game if he tried to ridicule you… :wink:

To “mount” a virtual disk means to have the software open the file as a virtual drive, thus when I mount my development drive in the morning, I click on the file (a 500 MB file), enter the 30-or-so-digit PGP password, and then I suddenly have a “Z” drive available, that for all purposes appears to be a 100% normal drive that I can copy, install applications, run programs, or whatever on. As soon as I “un-mount” the drive by re-booting, hitting the “panic key”, or right-clicking and selecting “unmount”, it’s as if the drive never existed.

It still sounds like at least for your e-mail PGP mail might work for you. The problem is the people on both ends need to be running the software.

Yup, another satisfied user of PGP here. I do not understand how people will leave vital information unencrypted on a computer disk. If your laptop is stolen, with it goes all your important information. My neighbors were burglarized and their computer stolen. Yes, all their bank and credit card information is in the hands of the burglars now :slight_smile:

For safety I do two things: Encrypt all information I would not want others to see and backup the entire hard disk once in a while. I just plug in a second hard disk and copy the entire partition.

It is amazing how people donate their old computers and neglect to wipe out their important information. There was also the case of a guy who sent his computer in for repair and the repair people found some illegal porn and turned him in.

Nothing really…just my own personal experience. There are so many different possible configurations of server/proxy/firewall/software that it’s impossible to say exactly how yours will behave.

All I can really give is a “this is what I’ve run into most often” answer.

Unless they’re logging the traffic, they would not be able to know what you said afterward.

AOL in general uses a token system. I’m not sure if this applies to AIM or not. If so, then the logs would be seriously garbled.

For instance, this is a log section of me logging onto AOL–this section is ONLY the log-on…no chat, mail, IM, nothing.

Example 1:

%-----------------09/14/00 - 18:17:30-----------------%
*** Starting circular dump ***
Circ: OUT - Type: INIT, pktlen = 52, TX = 127, RX = 127, CRC = df28

03 6D 56 00 72 00 00 00 05 0F 00 00 25 89 63 52 | .mV.r.......%.cR
07 0A 10 80 06 04 00 00 00 00 03 5F 00 00 01 20 | ..........._...
03 58 02 00 08 00 00 00 00 00 00 00 00 00 00 00 | .X..............

Circ: IN  - Type: ACK, pktlen = 3, TX = 127, RX = 127, CRC = 11b7

Circ: IN  - SD (SID = 39737, pktlen = 11, TX = 16, RX = 127, CRC = ec70)
53 44 9B 39 E2 20 00 00 ?? ?? ?? ?? ?? ?? ?? ?? | SD.9. ..????????

uni_void
uni_void

:: Screen Name and Password transmission edited out ::

uni_start_stream
  man_set_context_globalid <1>
  var_number_set <A, 0>
  var_number_save <A, 0>
  man_end_context
uni_end_stream

Circ: IN  - AT (SID = 17, pktlen = 70, TX = 18, RX = 16, CRC = 1e8f)
41 54 00 11 20 01 E2 2A 24 22 4F 33 0D 06 2D 59 | AT.. ..*$"O3..-Y
6F 75 20 61 72 65 20 6E 6F 74 20 61 75 74 68 6F | ou are not autho
72 69 7A 65 64 20 74 6F 20 75 73 65 20 74 68 65 | rized to use the
20 4D 61 73 74 65 72 20 54 6F 6F 6C 2A 20 22 4D |  Master Tool* "M
2C 40 27 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | ,@'???

uni_start_stream
  cm_start_tool_download 22x
  if_last_return_true_then <1>
  async_error_box 59x 6Fx 75x 20x 61x 72x 65x 20x ...
  cm_mark_tool_invalid <34>
  async_exit_aux 01x
  uni_sync_skip <1>

Circ: IN  - 02 (SID = 0, pktlen = 7, TX = 19, RX = 16, CRC = 4ebf)
30 32 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | 02..?????

Circ: IN  - AT (SID = 17, pktlen = 11, TX = 20, RX = 16, CRC = 7ed6)
41 54 00 11 20 01 4D 04 ?? ?? ?? ?? ?? ?? ?? ?? | AT.. .M.????????

    uni_start_stream
    async_online 00x

Circ: IN  - At (SID = 266062, pktlen = 24, TX = 21, RX = 16, CRC = a6de)
41 74 04 0F 4E 20 01 0D 25 09 49 52 43 20 43 68 | At..N ..%.XXXXXXXXXXX
69 6C 6C 20 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | XXXXXXX .???????????

uni_start_stream
* UNKNOWN prot/atom/datalen: 13, 37, 9
    uni_end_stream

Circ: IN  - AT (SID = 17, pktlen = 40, TX = 22, RX = 16, CRC = 8a0e)
41 54 00 11 40 01 41 29 2C A1 00 26 F2 B0 85 80 | AT..@.A),..&....
05 00 00 00 00 81 25 21 62 25 94 14 00 00 DB B7 | ......%!b%......
CB 62 2C 26 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | .b,&.???????????

      uni_start_stream 00x
      man_set_context_globalid <1>
      var_number_set <A, 2552496>
      var_number_save <A, 0>
      idb_start_obj "b"
      idb_atr_globalid <20-0-219>
      idb_atr_offset <0>
      idb_append_data 01x
      idb_end_obj
      var_string_null <A>

Circ: IN  - AT (SID = 17, pktlen = 121, TX = 23, RX = 16, CRC = 11e9)
41 54 00 11 40 01 20 01 4D 24 20 74 20 19 A7 10 | AT..@. .M$ t ...
18 13 57 65 6C 63 6F 6D 65 2C 20 49 52 43 20 43 | ..Welcome, XXXX
68 69 6C 6C 21 2E 5F 71 C1 21 2A 0A 94 48 3C 48 | XXXX!._q.!*..H<H
54 4D 4C 3E 3C 46 4F 4E 54 20 20 53 49 5A 45 3D | TML><FONT  SIZE=
33 20 50 54 53 49 5A 45 3D 31 30 3E 24 32 39 2E | 3 PTSIZE=10>$29.
39 39 20 53 48 4F 45 20 53 41 4C 45 21 7F 47 6F | 99 SHOE SALE!Go
69 6E 67 20 6F 6E 20 6E 6F 77 20 61 74 20 74 68 | ing on now at th
65 20 53 70 6F 72 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | e Spor??????????

      uni_start_stream 00x
        uni_start_stream
          async_online 01x
          uni_invoke_local <32-6567>
          mat_title "Welcome, XXXXXXXXXXX!"
          sm_set_plus_group 71x C1x
          man_set_context_relative <10>
          man_append_data "<HTML><FONT  SIZE=3 PTSIZE=10>$29.99 SHOE SALE!\127Going on now at the Spor"

Circ: IN  - AT (SID = 17, pktlen = 121, TX = 24, RX = 16, CRC = ffe6)
41 54 00 11 94 1E 74 73 20 53 75 70 65 72 73 74 | AT....ts Superst
6F 72 65 20 4D 65 67 61 73 61 6C 65 2E 3C 2F 48 | ore Megasale.</H
54 4D 4C 3E 7D 21 2A 11 30 8E 01 02 9F 76 02 04 | TML>}!*.0....v..
0A 40 11 2E D8 4B 69 00 00 43 22 21 1D 21 2A 0C | .@...Ki..C"!.!*.
94 34 3C 48 54 4D 4C 3E 3C 46 4F 4E 54 20 20 53 | .4<HTML><FONT  S
49 5A 45 3D 33 20 50 54 53 49 5A 45 3D 31 30 3E | IZE=3 PTSIZE=10>
4C 6F 73 20 41 6E 67 65 6C 65 73 3A 20 44 69 6E | Los Angeles: Din
69 6E 67 2C 20 6D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | ing, m??????????

     man_append_data "ts Superstore Megasale.</HTML>"
     man_end_context
     man_set_context_relative <17>
     mat_art_id <1-2--24714>
     act_replace_select_action
       uni_start_stream_wait_on 00x
       sm_m_send_token_arg Ki 00x 00x 43x 22x

     man_end_context
     man_set_context_relative <12>
     man_append_data "<HTML><FONT  SIZE=3 PTSIZE=10>Los Angeles: Dining, m"

Circ: OUT - Type: ACK, pktlen = 3, TX = 16, RX = 24, CRC = 0a3a

Circ: OUT - ya (SID = 1793, pktlen = 8, TX = 17, RX = 24, CRC = d406)
79 61 07 01 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | ya...???????????

man_start_object <org_group> ""

Circ: OUT - SF (SID = 1, pktlen = 11, TX = 18, RX = 24, CRC = cc36)
53 46 00 01 00 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? | SF......????????

            uni_start_stream
            uni_void

Circ: IN  - AT (SID = 17, pktlen = 121, TX = 25, RX = 16, CRC = f489)
41 54 00 11 94 3D 6F 76 69 65 73 2C 20 61 72 74 | AT...=ovies, art
73 2C 20 62 61 72 73 20 61 6E 64 20 61 6C 6C 20 | s, bars and all
74 68 65 20 68 6F 74 74 65 73 74 20 6C 6F 63 61 | the hottest loca
6C 20 68 61 6E 67 6F 75 74 73 2E 7F 3C 2F 48 54 | l hangouts.</HT
4D 4C 3E 7D 21 2A 12 30 8E 01 00 C7 49 02 04 0A | ML>}!*.0....I...
40 11 2E D8 4B 69 00 00 03 00 21 1D 21 2A 0E 94 | @...Ki....!.!*..
15 3C 48 54 4D 4C 3E 3C 46 4F 4E 54 20 20 53 49 | .<HTML><FONT  SI
5A 45 3D 33 20 50 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | ZE=3 P??????????

          uni_invoke_local <>
* UNKNOWN prot/atom/datalen: 0, 29, 0
            man_set_context_relative <18>
            mat_art_id <1-0--14519>
            act_replace_select_action
              uni_start_stream_wait_on 00x
              sm_m_send_token_arg Ki 00x 00x 03x 00x

         man_end_context
            man_set_context_relative <14>
            man_append_data "<HTML><FONT  SIZE=3 P"

Circ: IN  - AT (SID = 17, pktlen = 121, TX = 26, RX = 16, CRC = 8dcf)
41 54 00 11 94 46 54 53 49 5A 45 3D 31 30 3E 35 | AT...FTSIZE=10>5
30 2C 30 30 30 20 4A 4F 42 53 21 7F 4F 6E 65 20 | 0,000 JOBS!One
6F 66 20 74 68 65 6D 20 69 73 7F 72 69 67 68 74 | of them isright
20 66 6F 72 20 79 6F 75 2E 7F 41 70 70 6C 79 20 |  for you.Apply
68 65 72 65 2E 3C 2F 48 54 4D 4C 3E 7D 21 2A 13 | here.</HTML>}!*.
30 8E 01 02 2B 76 02 04 0A 40 11 2E D8 4B 69 00 | 0...+v...@...Ki.
00 1D 4D 21 1D 21 2A 10 94 0C 54 4F 50 20 4E 45 | ..M!.!*...TOP NE
57 53 20 53 54 4F ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | WS STO??????????

     man_append_data "TSIZE=10>50,000 JOBS!\127One of them  is\127right for you.\127Apply here."
            man_end_context
            man_set_context_relative <19>
            mat_art_id <1-2-11126>
            act_replace_select_action
              uni_start_stream_wait_on 00x
              sm_m_send_token_arg Ki 00x 00x 1Dx 4Dx

        man_end_context
            man_set_context_relative <16>
            man_append_data "TOP NEWS STO"

Circ: IN  - AT (SID = 17, pktlen = 121, TX = 27, RX = 16, CRC = 1f34)
41 54 00 11 94 2E 52 59 3A 20 42 75 73 68 2C 20 | AT....RY: Bush,
47 6F 72 65 20 41 67 72 65 65 20 74 6F 20 33 20 | Gore Agree to 3
50 72 65 73 69 64 65 6E 74 69 61 6C 20 44 65 62 | Presidential Deb
61 74 65 73 7D 21 2A 14 30 8E 01 00 85 94 02 04 | ates}!*.0.......
0A 40 11 2E D8 4B 69 00 00 00 16 21 1D 41 6A 94 | .@...Ki....!.Aj.
25 3C 48 54 4D 4C 3E 3C 46 4F 4E 54 20 20 53 49 | %<HTML><FONT  SI
5A 45 3D 33 20 50 54 53 49 5A 45 3D 31 30 3E 7F | ZE=3 PTSIZE=10>
57 68 61 74 27 73 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | What's??????????
     man_append_data "RY: Bush, Gore Agree to 3 Presidential Debates"
        man_end_context
            man_set_context_relative <20>
            mat_art_id <1-0--31340>
            act_replace_select_action
              uni_start_stream_wait_on 00x
              sm_m_send_token_arg Ki 00x 00x 00x 16x

            man_end_context
            man_set_context_relative <3>
            man_append_data "<HTML><FONT  SIZE=3 PTSIZE=10>\127What's"

Circ: IN  - AT (SID = 17, pktlen = 105, TX = 28, RX = 16, CRC = 0741)
41 54 00 11 94 38 20 68 61 70 70 65 6E 69 6E 67 | AT...8 happening
20 6F 6E 20 41 4F 4C 20 54 6F 64 61 79 3F 20 43 |  on AOL Today? C
6C 69 63 6B 20 68 65 72 65 20 74 6F 20 66 69 6E | lick here to fin
64 20 6F 75 74 2E 20 3C 2F 48 54 4D 4C 3E 7D 21 | d out. </HTML>}!
2A 15 30 8E 01 00 EF A9 02 04 0A 40 11 2E D8 4B | *.0........@...K
69 00 00 0E 2B 21 1D E2 2D 06 40 01 24 20 9F 86 | i...+!..-.@.$ ..
02 53 43 68 40 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | .SCh@.??????????

    man_append_data " happening on AOL Today? Click here to find out. </HTML>"
            man_end_context
            man_set_context_relative <21>
            mat_art_id <1-0--4183>
            act_replace_select_action
              uni_start_stream_wait_on 00x
              sm_m_send_token_arg Ki 00x 00x 0Ex 2Bx

            man_end_context
            async_error_box
            uni_start_stream 00x
              buf_start_buffer 9Fx
              buf_set_token 53x 43x
              buf_close_buffer
            uni_end_stream 00x

Circ: IN  - AT (SID = 17, pktlen = 100, TX = 29, RX = 16, CRC = daae)
41 54 00 11 20 11 21 71 20 00 1E 21 76 20 17 C6 | AT.. .!q ..!v ..
2F 54 01 02 E2 21 8C 14 00 00 33 10 18 08 53 69 | /T...!....3...Si
67 6E 20 4F 66 66 E4 84 01 53 01 00 09 06 53 69 | gn Off ..S....Si
67 6E 20 4F 66 66 50 2B E4 84 01 53 02 04 0F 20 | gn OffP+...S...
11 24 20 9F 86 02 70 45 24 22 14 68 20 02 21 02 | .$ .. pE$".h .!.
41 51 40 27 41 2A 50 01 21 1D 71 40 47 20 12 21 | AQ@'A*P.!.q@G .!
12 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | .?????

          uni_start_stream_wait_on
              man_update_display <32-30>
              man_preset_gid <32-6086>
              if_last_return_false_then <1, 2>
              man_change_context_relative <335544371>
              mat_title "Sign Off"
              mat_bool_resize_horizontal <yes>
              man_start_object <trigger> "Sign Off"
              mat_relative_tag <1>
              mat_bool_resize_horizontal <yes>
              act_replace_select_action
                uni_start_stream_wait_on
                  buf_start_buffer 9Fx
                  buf_set_token 70x 45x
                  buf_add_atom_data <20>
                  buf_close_buffer
                uni_end_stream

              man_end_object
              man_update_display <2>
              uni_sync_skip <1>
              man_set_context_relative <1>
              mat_bool_disabled <no>
              man_end_context
              man_update_display <>
              uni_sync_skip <2>
            uni_wait_off_end_stream
          man_update_woff_end_stream <>

Circ: IN  - ya (SID = 772, pktlen = 53, TX = 30, RX = 18, CRC = 7da5)
79 61 03 04 AC 98 44 39 02 01 02 01 01 00 04 04 | ya....D9........
98 A3 CF 86 07 01 01 05 02 03 C0 0A 15 31 35 32 | .............152
2D 36 38 2D 35 37 2E 69 70 74 2E 61 6F 6C 2E 63 | -68-57.ipt.aol.c
6F 6D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | om???

          man_change_context_relative <0>
          man_place_cursor <956432642>

Circ: OUT - SC (SID = 17, pktlen = 13, TX = 19, RX = 30, CRC = f668)
53 43 00 11 00 01 00 00 02 00 ?? ?? ?? ?? ?? ?? | SC.....

          uni_start_stream
          uni_end_stream

Circ: IN  - At (SID = 131077, pktlen = 19, TX = 31, RX = 19, CRC = 70c6)
41 74 02 00 05 20 01 41 29 22 21 80 21 1D 20 02 | At... .A)"!.!. .

          uni_start_stream
            man_set_context_globalid <1>
            act_do_action 80x
            man_end_context
          uni_end_stream

Circ: OUT - f1 (SID = 23, pktlen = 20, TX = 20, RX = 31, CRC = 9489)
66 31 00 17 00 01 00 00 0E 04 00 2B 04 32 00 02 | f1.........+.2..
00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | .????

          uni_start_stream
            uni_data 00x 2Bx 04x 32x
          uni_end_stream

Circ: OUT - f1 (SID = 24, pktlen = 20, TX = 21, RX = 31, CRC = 956b)
66 31 00 18 00 01 00 00 0E 04 00 2B 05 03 00 02 | f1.........+....
00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | .?????

          uni_start_stream
            uni_data 00x 2Bx 05x 03x
          uni_end_stream

Circ: OUT - f1 (SID = 25, pktlen = 20, TX = 22, RX = 31, CRC = 2eec)
66 31 00 19 00 01 00 00 0E 04 00 2B 0C A4 00 02 | f1.........+....
00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | .????

          uni_start_stream
            uni_data 00x 2Bx 0Cx A4x
          uni_end_stream

Circ: OUT - f1 (SID = 26, pktlen = 20, TX = 23, RX = 31, CRC = 10b6)
66 31 00 1A 00 01 00 00 0E 04 00 2B 0C A2 00 02 | f1.........+....
00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | .???????????????

          uni_start_stream
            uni_data 00x 2Bx 0Cx A2x
          uni_end_stream

Circ: IN  - AT (SID = 23, pktlen = 26, TX = 32, RX = 20, CRC = f7f9)
41 54 00 17 20 01 21 76 2B 04 32 4F 33 E2 21 15 | AT.. .!v+.2O3.!.
71 20 10 20 03 40 27 ?? ?? ?? ?? ?? ?? ?? ?? ?? | q . .@'

          uni_start_stream
            man_preset_gid <43-1074>
            if_last_return_true_then <1>
            man_replace_data ""
            man_update_display <>
            uni_wait_off
            uni_abort_stream <0>
            uni_sync_skip <1>
%-----------------09/14/00 - 18:19:45-----------------%


Assuming that the board doesn’t screw the formatting, you may be able to tell what some of this does, but it’s puzzling at the very least.

This, however, is what two minutes in an AOL chat room looks like:

Example 2:

*** Starting circular dump ***
Circ: IN  - AA (pktlen = 83, TX = 123, RX = 80, CRC = e6a3)

41 41 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | AA???

Circ: IN  - AA (pktlen = 75, TX = 23, RX = 81, CRC = c257)
41 41 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | AA????

Circ: IN  - AA (pktlen = 29, TX = 24, RX = 81, CRC = 1e09)
41 41 07 6D 6F 6E 73 6F 6F 6E 73 20 61 6E 64 20 | AA.monsoons and
66 69 72 65 73 74 6F 72 6D 73 ?? ?? ?? ? ?? ?? | firestorms

Circ: IN  - CA (pktlen = 21, TX = 25, RX = 81, CRC = fb85)
43 41 13 44 6F 64 ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ | CA.ZZZZZZZZZZZZ
33 31 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | 31?

Circ: IN  - AA (pktlen = 45, TX = 26, RX = 81, CRC = 9735)
41 41 1A 49 20 64 6F 6E 74 20 65 76 65 6E 20 6B | AA.I dont even k
6E 6F 77 20 77 68 61 74 20 61 20 6D 6F 6E 73 6F | now what a monso
6F 6E 20 69 73 20 20 4C 4F 4C ?? ?? ?? ?? ?? | on is  LOL

Circ: IN  - AA (pktlen = 33, TX = 27, RX = 81, CRC = 620f)
41 41 14 70 65 6E 6E 79 20 69 74 20 77 61 73 6E | AA. it wasn
74 20 65 76 65 6E 20 39 30 20 68 65 72 65 ?? ?? | t even 90 here??

Circ: IN  - CA (pktlen = 15, TX = 28, RX = 81, CRC = d6a1)
43 41 16 42 6F 6F 64 6C 65 73 38 36 ?? ?? ?? ?? |

Circ: IN  - CB (pktlen = 6, TX = 29, RX = 81, CRC = 1338)
43 42 13 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | CB.

Circ: IN  - AA (pktlen = 46, TX = 30, RX = 81, CRC = deff)
41 41 15 54 68 65 72 65 27 73 20 73 6F 6D 65 74 | AA.There's somet
68 69 6E 67 20 61 62 6F 75 74 20 43 41 20 74 68 | hing about CA th
61 74 20 69 73 20 53 61 6E 65 3F  ?? ?? ?? | at is Sane

Circ: OUT - Type: ACK, pktlen = 3, TX = 81, RX = 30, CRC = 598e

Circ: IN  - AA (pktlen = 29, TX = 31, RX = 81, CRC = 5803)
41 41 14 62 75 74 20 69 74 20 77 61 73 20 72 65 | AA.but it was re
61 6C 6C 79 20 68 75 6D 69 64 ?? ?? ?? ?? ?? ?? | ally humid??????

Circ: OUT - Aa (SID = 1581, pktlen = 96, TX = 82, RX = 31, CRC = 68d9)
41 61 06 2D 00 01 00 01 07 04 00 00 01 50 01 0A | Aa.-...
04 00 00 01 02 03 01 42 54 65 6E 6E 69 73 20 62 |
61 6C 6C 20 73 69 7A 65 64 20 68 65 72 65 20 6C | all sized here l
61 73 74 20 74 69 6D 65 2E 2E 2E 6E 65 76 65 72 | ast time...never
20 73 65 65 6E 20 68 61 69 6C 20 74 68 61 74 20 |  seen hail that
62 69 67 20 62 65 66 6F 72 65 00 02 00 ?? ?? ?? | big before..

uni_start_stream
  man_set_response_id <336>
  man_set_context_relative <258>
  de_data 54x 65x 6Ex 6Ex 69x 73x 20x 62x ...
uni_end_stream

Circ: IN  - AA (pktlen = 72, TX = 33, RX = 82, CRC = 89f2)
41 41 05 54 65 6E 6E 69 73 20 62 61 6C 6C 20 73 | AA.Tennis ball s
69 7A 65 64 20 68 65 72 65 20 6C 61 73 74 20 74 | ized here last t
69 6D 65 2E 2E 2E 6E 65 76 65 72 20 73 65 65 6E | ime...never seen
20 68 61 69 6C 20 74 68 61 74 20 62 69 67 20 62 |  hail that big b
65 66 6F 72 65 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | efore?

Circ: IN  - AA (pktlen = 27, TX = 34, RX = 82, CRC = d52c)
41 41 18 6C 6F 6C 20 69 74 73 20 61 62 6F 75 74 | AA.lol its about
20 36 37 20 68 65 72 65 ?? ?? ?? ?? ?? ?? ?? ?? |  67 here

Circ: IN  - CB (pktlen = 6, TX = 35, RX = 82, CRC = 93e5)
43 42 16 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? |

Circ: IN  - AA (pktlen = 41, TX = 36, RX = 82, CRC = 3d32)
41 41 14 74 68 65 20 73 6B 79 20 74 75 72 6E 65 | AA.the sky turne
64 20 6C 69 6B 65 20 64 61 72 6B 20 64 61 72 6B | d like dark dark
20 62 6C 61 63 6B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? |  black?

Circ: IN  - AA (pktlen = 55, TX = 37, RX = 82, CRC = 980f)
41 41 07 4F 68 20 79 6F 75 20 72 65 6D 65 6D 62 | AA.Oh you rememb
65 72 2E 2E 77 68 65 6E 20 74 68 65 20 68 6F 75 | er..when the hou
73 65 73 20 77 61 73 68 20 6F 75 74 20 74 6F 20 | ses wash out to
73 65 61 3F ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | sea

Circ: IN  - AA (pktlen = 73, TX = 38, RX = 82, CRC = 5f52)
41 41 19 57 69 63 6B 69 64 2C 20 79 61 27 6C 6C | AA.Wi, ya'll
20 63 6F 75 6C 64 6E 27 74 20 74 61 6B 65 20 6F |  couldn't take o
75 72 20 72 61 69 6E 73 2E 2E 2E 61 6C 6C 20 79 | ur rains...all y
65 72 20 68 69 6C 6C 73 20 77 6F 75 6C 64 20 62 | er hills would b
65 20 67 6F 6E 65 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | e gone??

Circ: IN  - AA (pktlen = 23, TX = 39, RX = 82, CRC = e2b6)
41 41 12 3C 2D 20 6E 65 61 72 20 54 61 6D 70 61 | AA.<- near Tampa
2C 20 46 4C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | , FL??

Circ: OUT - Type: ACK, pktlen = 3, TX = 82, RX = 39, CRC = bbde

Circ: IN  - CB (pktlen = 6, TX = 40, RX = 82, CRC = 5297)
43 42 0B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | CB.

Circ: IN  - AA (pktlen = 40, TX = 41, RX = 82, CRC = 03fc)
41 41 14 61 6E 64 20 68 65 6E 20 69 74 20 67 6F | AA.and hen it go
74 20 61 20 77 65 69 72 64 20 67 72 65 65 6E 20 | t a weird green
63 6F 6C 6F 72 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | color


Both of these examples have the atoms resolved, for ease of reading. The actual raw data wouldn’t be, but anyone with knowledge of hex-based numbering systems can easily resolve them. There is also software available that will do it.

For example, “74 20 61 20 77 65 69 72 64 20 67 72 65 65 6E 20” = "t a weird green ". The server would only get the numbers, but from that, the words could easily be made out.

I’m not 100% sure, but I imagine that AIM more closely resembles Example 2.

The point of all this is that IF they are logging, then they’ll be able to get something like the above, so they can get SOME information about what you were doing.

And if nothing else, you can see how much “trash” the logs would have.

-David

Soulfrost, thanks a lot. I think I see your point there, and it seems reassuring, to me anyways, that it's not just plain old text. It's not exactly secure if it's just a hex conversion of the ASCII text, but probably more time consuming and inane than any self-respecting human would bother to decode.

A question: is that plain text to the right of all those blocks of numbers something you decoded as an example, or does it just garble chunks of the logs at a time? It seems odd that there'd be a bunch of hex digits interspersed with uncoded text. Maybe I'm missing a bigger concept here.

Actually after more closely reading your post, it seems you resolved some of the hex into text for an example. So the logs just contain a pile of hex digits.

I've never used plain AOL, so is an AOL chatroom a Java applet? If so I'm kinda skeptical that it would resemble an AIM chat, but that's just my uneducated instinct.

Thanks again for your help, and I'm a sponge here so anything else you feel up to explaining, feel free. Come to the ChiDope and I'll buy you a beer or 5.

Here are some things I gleaned from the packet logs for AIM.

It sends a LOT of “trash”, which I assume to be mostly advertisements for the banners.

It also sends the unencrypted Screen Name of each and every person on your Buddy List, then receives an “online” or an “offline” message for each one.

Like I said, there’s a lot of uninteresting things mixed in, but the conversations themselves are not encrypted (except for being in hex notation.)

From AIM IMs (person XXXXXX sent this to me):



0x0000   44 45 53 54 00 00 20 53-52 43 00 00 08 00 45 00   DEST.. SRC....E.
0x0010   01 0D CD 19 40 00 30 06-F6 5B 98 A3 F5 3D A6 3E   ..Í.@.0.ö[˜£õ=¦>
0x0020   52 56 14 46 07 43 43 BE-63 FA 01 4C 84 30 50 18   RV.F.CC¾cú.L„0P.
0x0030   40 00 6D 75 00 00 2A 02-59 ED 00 DF 00 04 00 07   @.mu..*.Yí.ß....
0x0040   00 00 84 5D 07 E9 35 42-45 30 34 31 30 00 00 01   ..„].é5BE0410...

0x0050   ***** Screen Name Edited Out *****

0x0060   00 00 04 00 01 00 02 00-11 00 04 00 02 00 00 00   ................
0x0070   0F 00 04 00 00 01 41 00-03 00 04 39 C2 C5 CC 00   ......A....9ÂÅÌ.
0x0080   02 00 98 05 01 00 04 01-01 01 02 01 01 00 8C 00   ..˜...........Œ.
0x0090   00 00 00 3C 48 54 4D 4C-3E 3C 42 4F 44 59 20 42   ...<HTML><BODY B
0x00A0   47 43 4F 4C 4F 52 3D 22-23 66 66 66 66 66 66 22   GCOLOR="#ffffff"
0x00B0   3E 3C 46 4F 4E 54 20 43-4F 4C 4F 52 3D 22 23 66   ><FONT COLOR="#f
0x00C0   66 30 30 30 30 22 20 46-41 43 45 3D 22 56 65 72   f0000" FACE="Ver
0x00D0   64 61 6E 61 22 20 53 49-5A 45 3D 32 3E 74 68 65   dana" SIZE=2>the
0x00E0   20 41 49 4D 73 20 75 73-75 61 6C 6C 79 20 67 6F    AIMs usually go
0x00F0   74 20 73 75 73 70 65 6E-64 65 64 20 69 6E 20 35   t suspended in 5
0x0100   20 68 6F 75 72 73 3C 2F-46 4F 4E 54 3E 3C 2F 42    hours</FONT></B
0x0110   4F 44 59 3E 3C 2F 48 54-4D 4C 3E                  ODY></HTML>


You can clearly make out that I was talking to XXXXXX, and he said “the AIMs usually got suspended in 5 hours”. Also, the HTML for the font and color stuff is included.

And from an AIM chatroom (just me in there):



0x0000   44 45 53 54 00 00 20 53-52 43 00 00 08 00 45 00   DEST.. SRC....E.
0x0010   00 F2 BE 24 40 00 30 06-C1 58 CD BC 04 38 A6 3E   .ò¾$@.0.ÁXͼ.8¦>
0x0020   52 56 14 46 07 51 4C EF-EA 36 01 5F E7 4D 50 18   RV.F.QLïê6._çMP.
0x0030   40 00 40 8B 00 00 2A 02-CD 57 00 C4 00 0E 00 06   @.@‹..*.ÍW.Ä....
0x0040   00 00 E4 7B 8D 74 31 35-46 44 46 43 46 00 00 03   ..ä{t15FDFCF...
0x0050   00 03 00 32 09 53 6F 75-6C 46 72 6F 73 74 00 00   ...2.SoulFrost..
0x0060   00 05 00 01 00 02 00 10-00 04 00 02 00 00 00 0F   ................
0x0070   00 04 00 00 00 0C 00 02-00 04 33 ED 89 2E 00 03   ..........3í‰...
0x0080   00 04 39 C2 C9 53 00 01-00 00 00 05 00 72 00 01   ..9ÂÉS.......r..
0x0090   00 6E 3C 48 54 4D 4C 3E-3C 42 4F 44 59 20 42 47   .n<HTML><BODY BG
0x00A0   43 4F 4C 4F 52 3D 22 23-66 66 66 66 66 66 22 3E   COLOR="#ffffff">
0x00B0   3C 46 4F 4E 54 20 43 4F-4C 4F 52 3D 22 23 30 30   <FONT COLOR="#00
0x00C0   30 30 38 30 22 20 46 41-43 45 3D 22 43 6F 6D 69   0080" FACE="Comi
0x00D0   63 20 53 61 6E 73 20 4D-53 22 3E 57 65 6C 63 6F   c Sans MS">Welco
0x00E0   6D 65 20 74 6F 20 6D 79-20 6E 69 67 68 74 6D 61   me to my nightma
0x00F0   72 65 3C 2F 46 4F 4E 54-3E 3C 2F 48 54 4D 4C 3E   re</FONT></HTML>
0x0000   20 53 52 43 00 00 44 45-53 54 00 00 08 00 45 07    SRC..DEST....E.
0x0010   00 C5 C8 2B 00 00 80 06-A7 77 A6 3E 52 56 CD BC   .ÅÈ+..€.§w¦>RVͼ
0x0020   04 38 07 51 14 46 01 5F-E7 4D 4C EF EB 00 50 18   .8.Q.F._çMLïë.P.
0x0030   0C 90 F7 92 00 00 2A 02-01 40 00 97 00 0E 00 05   .÷’..*..@.—....
0x0040   00 00 00 00 90 06 31 35-46 44 46 43 46 00 00 03   .....15FDFCF...
0x0050   00 01 00 00 00 06 00 00-00 05 00 77 00 01 00 73   ...........w...s
0x0060   3C 48 54 4D 4C 3E 3C 42-4F 44 59 20 42 47 43 4F   <HTML><BODY BGCO
0x0070   4C 4F 52 3D 22 23 66 66-66 66 66 66 22 3E 3C 46   LOR="#ffffff"><F
0x0080   4F 4E 54 20 43 4F 4C 4F-52 3D 22 23 30 30 30 30   ONT COLOR="#0000
0x0090   38 30 22 20 46 41 43 45-3D 22 43 6F 6D 69 63 20   80" FACE="Comic
0x00A0   53 61 6E 73 20 4D 53 22-3E 49 20 74 68 69 6E 6B   Sans MS">I think
0x00B0   20 79 6F 75 27 72 65 20-67 6F 6E 6E 61 20 6C 69    you're gonna li
0x00C0   6B 65 20 69 74 3C 2F 46-4F 4E 54 3E 3C 2F 48 54   ke it</FONT></HT
0x00D0   4D 4C 3E                                          ML>


Here, you can easily see that I’m doing a really bad Alice Cooper impersonation.

There’s no encryption to speak of, so if you were being logged at either the server or at your machine, it wouldn’t be hard for them to see exactly what you said, what you were told, and who you were talking with.

If you’re interested in capturing the packets for yourself, or if you just want more information, a good site is at:
http://grc.com/oo/packetsniff.htm
(non-commercial, I think, but has links to commercial sites.)

-David
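As an added illustration of the point made in both of David's posts (hex notation is a display format, not encryption), here is a small Python decoder that is not code from this thread or from any AOL/AIM tool. It reads the two hex-dump layouts shown above: the "hex | ascii" chatroom layout from the first post (where `??` is assumed to mark bytes the logger did not capture) and the "0xNNNN   hex   ascii" layout of the AIM IM capture (assuming, as the dumps posted here do, at least three spaces between the hex and ASCII columns). It rebuilds the byte stream, renders it the way a sniffer's ASCII column would, measures how much of it is printable (a quick check of whether a captured payload is cleartext), and pulls the message out of the HTML wrapper AIM puts around it. The sample dumps are copied from the posts above.

```python
import re

HEX_BYTE = re.compile(r'^[0-9A-Fa-f]{2}$')

# Constructed sample: lines copied from the AIM IM capture above (offsets
# 0x0090-0x0110), the part of the packet that carries the actual message.
SAMPLE_IM = """\
0x0090   00 00 00 3C 48 54 4D 4C-3E 3C 42 4F 44 59 20 42   ...<HTML><BODY B
0x00A0   47 43 4F 4C 4F 52 3D 22-23 66 66 66 66 66 66 22   GCOLOR="#ffffff"
0x00B0   3E 3C 46 4F 4E 54 20 43-4F 4C 4F 52 3D 22 23 66   ><FONT COLOR="#f
0x00C0   66 30 30 30 30 22 20 46-41 43 45 3D 22 56 65 72   f0000" FACE="Ver
0x00D0   64 61 6E 61 22 20 53 49-5A 45 3D 32 3E 74 68 65   dana" SIZE=2>the
0x00E0   20 41 49 4D 73 20 75 73-75 61 6C 6C 79 20 67 6F    AIMs usually go
0x00F0   74 20 73 75 73 70 65 6E-64 65 64 20 69 6E 20 35   t suspended in 5
0x0100   20 68 6F 75 72 73 3C 2F-46 4F 4E 54 3E 3C 2F 42    hours</FONT></B
0x0110   4F 44 59 3E 3C 2F 48 54-4D 4C 3E                  ODY></HTML>
"""

# Constructed sample: one chatroom packet in the first post's "hex | ascii"
# layout, including its "Circ:" header line, which the parser must skip.
SAMPLE_CHAT = """\
Circ: IN  - AA (pktlen = 41, TX = 36, RX = 82, CRC = 3d32)
41 41 14 74 68 65 20 73 6B 79 20 74 75 72 6E 65 | AA.the sky turne
64 20 6C 69 6B 65 20 64 61 72 6B 20 64 61 72 6B | d like dark dark
20 62 6C 61 63 6B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? |  black?
"""


def parse_dump_line(line):
    """Return the byte values on one dump line (None for '??'); [] for headers."""
    m = re.match(r'^\s*0x[0-9A-Fa-f]+\s+(.*)$', line)
    if m:
        # Offset layout: assumption that 3+ spaces separate hex from ASCII.
        body = re.split(r'\s{3,}', m.group(1).strip(), maxsplit=1)[0]
    else:
        # Pipe layout: everything left of '|' is the hex column.
        body = line.split('|', 1)[0]
    out = []
    for tok in re.split(r'[\s-]+', body.strip()):
        if not tok:
            continue
        if tok == '??':
            out.append(None)          # byte not captured by the logger
        elif HEX_BYTE.match(tok):
            out.append(int(tok, 16))
        else:
            break                     # header text or ASCII column: stop
    return out


def render_byte(b):
    """Render one byte the way a sniffer's ASCII column does."""
    if b is None:
        return '?'
    return chr(b) if 32 <= b < 127 else '.'


def decode_dump(text):
    """Parse a whole dump; return (list of byte values, ASCII rendering)."""
    data = []
    for line in text.splitlines():
        data.extend(parse_dump_line(line))
    return data, ''.join(render_byte(b) for b in data)


def printable_fraction(data):
    """Share of captured bytes that are printable ASCII; near 1.0 means cleartext."""
    known = [b for b in data if b is not None]
    if not known:
        return 0.0
    return sum(32 <= b < 127 for b in known) / len(known)


def extract_message(rendered):
    """Strip the HTML wrapper AIM puts around an IM and return the message text."""
    m = re.search(r'<HTML>.*?</HTML>', rendered, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    return re.sub(r'<[^>]*>', '', m.group(0)).strip()


if __name__ == "__main__":
    for label, dump in (("AIM IM", SAMPLE_IM), ("chatroom", SAMPLE_CHAT)):
        data, rendered = decode_dump(dump)
        print(f"{label}: {len(data)} bytes, {printable_fraction(data):.0%} printable")
        print("  text   :", rendered)
        print("  message:", extract_message(rendered))
```

Run it and the IM sample comes back as "the AIMs usually got suspended in 5 hours" with about 98% of its bytes printable, which is the signature of an unencrypted payload; a genuinely encrypted stream would score near the 38% you get from random bytes and yield no readable message at all.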