My Most Memorable AIM Story

AIM got me my first DEFCON talk back in 2011 from work I had did a couple years prior. This was back when Google Talk was fresh and used XMPP for it’s backend protocol (aka the good days). There was a feature within AIM that let you send messages to a friends phone and you only needed to know their number — no approval needed to start sending.

All of this “magic” of sending messages from the Internet to cellular devices was handled through message gateways. You could stand up your own gateway or leverage one of the many public ones. Using a gateway, you could bind a fancy XMPP client like Google Talk over to legacy TOC AOL servers for AIM.

At the time, XMPP didn’t impose any rate limiting when using APIs to login to accounts which meant you could send thousands of messages without issues. In regards to AIM and phones, they did impose rate limiting (5 message burts), but supported truncated messages. If I sent 1 messages with 2000 characters, it would split it into 13 text messages to the user. If timed right, you could send 65 messages, wait and then do it again. The phone carriers would queue these messages too, so even when you turned your phone off, they would still arrive.

Where it all came together was an app I built called carrier pigeon. I could generate every phone number for an area code, auto-add them as contacts within AOL, bind my Google talk user to the AOL account using a transport and flood every number with messages. Adding more AOL accounts meant more messages, but even with one well-timed setup, you could easily cause issues.

My boss at the time George told me I was not allowed to ever flood an area code or I’d be fired. To this day, I remember testing an “echo chamber” concept where my Google account would transform into an auto-responder, send messages to a group of other auto-responders and kick off a flood that way. Not thinking, I enabled this on my main account with hundreds of contacts, several AOL accounts and a lot of friend phone numbers. The result was an echo chamber as expected, but it didn’t just go to me, it spammed every person on the list with hundreds of messages. When people complained, it fed back into the beast. Phone calls started to pour in from angry friends wanting to know why I was flooding their phone. I called George to apologize and unplugged my computer. Fun times.

If you want to see me in my early glory, here it is:

https://www.youtube.com/watch?v=rjp9gvhe_eA

Founder of @BlockadeIO, PDF X-RAY, and @PassiveTotal. Partner and developer for @TheNinjaJobs. VP of Strategy for @RiskIQ. Roaster at @SplitKeyCoffee.

Founder of @BlockadeIO, PDF X-RAY, and @PassiveTotal. Partner and developer for @TheNinjaJobs. VP of Strategy for @RiskIQ. Roaster at @SplitKeyCoffee.