Background

After reading the Wired article “AOL4FREE Culprit Tells His Tale” by David Cassel (April 22, 1997), which states that “[Nicholas] Ryan came forward with a 30-KB essay explaining his motives and experiences to hacker sites,” I wanted to track down the original document for myself.

Despite searching extensively, I was unable to find the essay publicly available anywhere on the internet. Eventually, I reached out to a friend who happened to have preserved a copy. To help keep this piece of early internet history accessible, I’m posting the full text of Nicholas Ryan’s 30-KB essay here for anyone else who may be interested.

As a side note, I’m currently writing a book that explores AOL in the mid-1990s through the early 2000s—specifically the hacker communities that inspired so many teenagers to learn how the internet worked, tinker, learn programming, hack, and develop skills that later carried into their professional lives.

Nicholas Ryan, if you happen to read this, I’d love to hear from you. Please reach out via podcast [at] [name of this website]. If anyone can help put me in touch with Nicholas, it would be greatly appreciated.

AOL4FREE Essay (written by Nicholas Ryan, AKA Happy Hardcore)

The Technical Details

Much of this information is a year and a half old, and I've been told AOL
has changed their system significantly since then, but this is how it worked
when I wrote AOL4Free. I will begin with a basic technical explanation of
how the America Online software works. It's a nationwide computer network
that provides services such as email, live chatting, file downloading, and
numerous others to whomever has an account and can dial in. At AOL's
headquarters in Virginia (and to a lesser extent, its offices in Arizona),
there are many large, expensive mainframes that constitute the AOL host
hardware. No matter what computer you use to connect to AOL, you always
connect to this same host. For the specific computer you need a program called
the AOL client software. This software provides a graphical interface for you
to interact with, and it handles all of the details of communicating with the
AOL host. It works like this: You sit down at your computer and want to use AOL.

You first open up your client software application, and now you must provide it
with a telephone number to dial. AOL has a nationwide network of local telephone

numbers that anyone can call to connect them to the service. Now you choose
'Sign On' and the software proceeds to dial the number. You then provide your
username and a password, which is sent to the host by the client. The host then
tells the client whether the info was correct, and if so, allows the client to
establish a session.

Everything you 'do' on AOL is basically a matter of the client making a certain
request of the host, and the host providing certain information to the client.
Because AOL uses a graphical interface, all of the details of exactly how this
client/host communication works is usually totally hidden from the user. This is
where the hacking comes in. If someone were to use software debugging tools to
analyze how the communication happens on a very low level, one could possibly
manipulate the information sent to the host in such a way as to make the system
do things it was never intended to do. That is exactly what I did.

This communication consists of what is called a token language. A token is a
certain combination of two characters that stand for a certain request or a
certain kind of information. The host sends tokens to the client, which causes
it to perform certain actions at certain times, and vice versa. Actually, a
token is usually never sent just by itself. Almost always there is a certain
piece of data sent with the token, called the token data. The combination of the
token and the token data is called a packet. For example, there is a certain
token that the client sends to the host called the password token. The token
data that is sent along with this token is the username and password the user
entered into the software. When the host receives this packet, it first looks at
the token. It sees the password token, which means it expects the associated
token data to be a username/password combination. If this info corresponds to a
real account, it sends a different token to the client that tells the client
that it has successfully established a connection.

America Online consists of many virtual 'areas'. The user navigates the service
by pressing buttons that open or close the areas the user wants to work with.
You can open the message board area, and also open the live chat area, and also
the file download area. Because of AOL's token language, you can have all these
areas open at the same time; the client handles all the details of making sure
that all the packets it receives from the host go into the right windows. To go
to a certain area, the user clicks on a button and the client sends one of
several 'area-invoking' tokens. These tokens tell the host to send the client
the information associated with a certain area, and when the client receives
that info it presents the user with the area in a graphical format.

Now you know AOL4Free is the program I wrote to allow somebody to use the AOL
service on the Macintosh (I now own a PC) without paying the usual $3 an hour
charge (now $19.95 a month, of course). One simply ran the AOL4Free installer,
and it made certain changes to the AOL client software. From then on, whenever
one used that altered client software, one was not charged. How did it work? It
relied on the fact that there were certain areas on AOL called 'free areas'.
When any user entered one of these areas, he was not charged until he had left
that area. These areas consisted of members services that allow you to do things
like check your bill, write for technical support, etc. However, there was a
catch. Remember how I said that somebody can be in more than one area at once,
that is, download while chatting while reading email? When one enters the free
area, this normally isn't allowed.

Out of curiosity, I examined the process by which AOL prevents the user from
accessing any others areas while in the free area. What the user sees when he
enters a free area is this: any other windows he has open close, and only when
he leaves the free area do those windows reappear, which allow him to continue
accessing the service as usual. I discovered that when someone enters the free
area, it is the CLIENT software which is given the responsibility for closing
those windows, NOT the host. What happens is the client tells the host that a
free area is being entered, and the host turns of billing and sends back a
certain token requesting that the client close all other windows. I modified the
client software so that it ignores this request. This means that one could now
enter a free area and still continue to use any of AOL's other services.

It's somewhat more complex than this; I made further modifications which make
the client 'enter' the free area automatically, and frequently the host turns
billing back on so I had to make the client send the 'free area token' very
often. However, that is basically how all versions of AOL4Free worked.

The History

I released the first version around middle of June of 1995. On AOL there are
places called 'chat rooms' where people gather to talk about any variety of
topics. I hung out in certain chat rooms called 'macwarez' rooms, where people
gathered to exchange copies of pirated commercial Macintosh software. When you
send an email message to somebody, you have the option of 'attaching' a file to
this message, which the recipient can then download. This is how I distributed
AOL4Free; I attached the file to an email message describing what it does, and I
mailed it out to many of the people who hung out in those rooms.

I called myself 'Happy Hardcore'. Like most of the 'warez' people, I was using a
fake account. Back then, one made a fake account by using a credit-card
generator to provide AOL with fake credit card info. These accounts lasted about
a week, and when they were canceled people just made another. Of course, since
we weren't paying for these accounts anyway, there was no reason for us to use
AOL4Free, but I used it anyway.

Why did I do this? Simply put, I wanted to be a hacker. Internet hacking,
however, had a very steep learning curve; only the very best survive, because it
was incredibly easy to trace an internet hacker unless he is connected through a
string of fake phone dialups and accounts. These are hard to come by, and you
need many connections. Speaking of connections, you couldn't just walk into an
IRC hack room and ask for tips. Unless you were already trusted, no one would
actually admit to being such a hacker. Instead, I turned to AOL. The 'elite'
hackers of the internet turned their nose at AOL, and regarded anybody who uses
it as a lamer. Maybe, I thought, AOL is uncharted territory. It is relatively
easy to get a fake AOL account and supposedly hard to track you down on one.

So I logged onto AOL and quickly learned how to fake an account, and did so. AOL
seemed a much more friendly and laid back place than the internet; I was amazed
at how easy it was to walk into a chat room and immediately acquire megabytes of
pirated software. Still, real hackers appeared to be mythical beings on AOL.
Sure, many people wrote macro 'Hell' programs like AOHELL, but the few who
claimed to be elite wouldn't talk. This was around January '95.

In the quest for eliteness I started exploring the AOL system for holes, and
quickly learned about a possible culprit. When you entered a free area, your
windows disappeared, but when you exited, they reappeared in exactly the same
position. Using a debugger, I discovered that they were just being hidden, not
destroyed. This was the seed of AOL4Free, and I knew then that this would be my
ticket to the hacker world. I refined my technique and worked on the utility,
and months later I had a working first version.

At first, I didn't hang out in any of these chats rooms under my nickname; that
is, I didn't log on under a username that identified me as 'Happy Hardcore', and
I didn't tell anybody I was. I did, however, put my nickname on the release of
AOL4Free, so people knew that someone named 'Happy Hardcore' was writing this. I
also provided a way for people to send me email anonymously. Anonymous email
works like this: there is a certain computer in Finland called 'anon.penet.fi'
(now offline). I sent mail to that computer requesting that I be given an
anonymous email address. The computer then sent me a code number. From now on,
whoever wanted to send me mail instead sent mail to this remailer computer in
Finland, and specified the code number. The remailer then forwarded this mail to
me at my real account. In this way, nobody could tell what my real email address
was. I mostly used this anon remailer to receive and answer email
troubleshooting AOL4Free.

A couple of weeks after the first release I decided to come out of the closet,
and began logging under Happy Hardcore usernames and identifying myself as such
to people. I spent a few hours every day on AOL in these chat rooms, talking
with people and downloading pirated software. You can basically separate the
people in these rooms into two categories: the 'lame' and the 'elite'. The lame
were called so because of their lack of computer knowledge and their tendency to
leach warez off of people without 'contributing' their own. The elite, on the
other hand, were smart and either had a lot of technical savvy or were willing
to learn. There were very few elite, and I began to make friends with them. My
first friends were called 'Skywalker', 'Yoda', and 'Lando'. They were teenagers
like me who were impressed with my work and shared a willingness to hack AOL.

I was frankly amazed at how quickly AOL4Free took off. I never imagined that
this little utility I wrote, as clever as it was, would come to transform me
into this almost mythical figure "Happy Hardcore". I was now truly at the top of
the AOL underground. When I entered a room, I'd immediately get dozens of
messages asking about when my next version would come out, who I knew, and many
just thanking me. The best thing was that this attention was free, like the AOL.

At that time, however, there wasn't much hacking of AOL going on, aside from my
AOL4Free. However, soon we happened upon a piece of software that opened up
limitless possibilities, in about the middle of July. Apparently someone had
conned an AOL staffer into lending him his account, and found this tool on it.
This software was called simply 'Utilities'; it is an add-on to the AOL client
application that allows the user to easily bypass the graphical interface and
send token information to the host directly. Using this, one could send the
'area requesting' token and with it, send any data whatsoever. This data
consists of two numbers corresponding to a certain AOL area. The first number is
called a 'lib', and the second number is called a 'rec', and together they
reference a 'library record'. In order to find out if we could access any
'secret' areas, i.e. any areas that aren't normally accessible to the AOL user,
we proceeded to send out many numbers consecutively, and wrote down what areas
were associated with them.

We found many, many secret areas. Most numerous were what was called 'Rainman'
areas. These are places on AOL were staffers have access to information and
tools that allow them to alter the content of AOL's areas on the HOST computer.
Staffers have special accounts called 'OverHead' or 'OH' accounts that give them
access to the Rainman tools. For example: MacWorld magazine has a certain area
on AOL. Using his Rainman account, a MacWorld staffer could log onto AOL and go
to the MacWorld Rainman area. Here he would be able to change the look and the
content of the MacWorld area, that is alter the information that is displayed to
the user when a normal AOL user visits the MacWorld area.

More special than OverHead accounts are 'Internal' accounts. These accounts are
only available to AOL employees and provide special access to very technical
tools information. Scanning for lib recs, we found many of these places too.
However, at this time we hadn't yet found many of the most secret areas, that
held the most sensitive technical information. Also, many of the tools we found
we couldn't access because their access was restricted to people with overhead
or internal accounts. However, we were able to enter the private communication
areas where staffers talked with each other. For example, we found the Guide
message board; guides are staffers that police AOL's chat rooms for violations
of the Terms of Service, such as swearing. In this board, we could read all of
the citations of members that Guides gave out, citations which were supposed to
be private information.

This was the real thing. What we were doing, and the information we were
getting, was too sensitive to put out to the public. I was an outlaw, a spy, and
I loved cracking the puzzle of AOL's system. And though we might have liked to
believe it, most AOL employees were not incompetent, although much of the
management was. They had designed a system for use in a smaller and more
trusting environment, and by the time it became big enough so that those who
could exploit it were attracted to it, it was too late.

Me and Skywalker were the first two to discover how to use Utilities to hack and
soon we brought in several other elite people and told them. There was one
person called Darth Vader who was a real jerk, but was very smart. He was able
to fool the anonymous remailer in Finland into providing him with my real email
address, and thus my real name. However, if he told anyone but me I didn't and
still don't know about it, unless of course it was the Secret Service. It was
basically me and the four listed above who, over the next few weeks, explored
AOL with Utilities and traded information concerning what secrets we had found
and how to access them. I stress that in no way did we EVER do anything to cause
permanent damage using the tools or information that we found. At this point in
time, the most dangerous tool we found was one that allowed us to delete or
alter any of the files in any of AOL's file libraries at will; I didn't use it
to damage or alter anything (besides changing the description on one certain
file slightly as a test), but Darth Vader may have used it to cause extensive
damage to the Science Fiction file library.

During this time we also got ourselves access to certain staffer's OH accounts
using the technique of 'phishing'. What we did was hang out in certain chat
rooms frequented by staffers, and pretend we were employees of the AOL billing
department. We then made up some kind of story about how we had lost a staffer's
account information, and asked them to give us their password so we could fix
it. There were many gullible staffers out there, and we acquired many OH
accounts this way, which we logged onto and used to try to discover more secret
areas. Unfortunately, none of the accounts we stole had 'Rainman' or internal
access so we weren't able to use any of the Rainman or internal tools mentioned
above.

Around the beginning of August (I'm not sure of the time here, it could have
been September) AOL began to verify credit card numbers on the fly. This mean
that no more could one use a CC generator to create fake accounts; instead one
had to have a real CC number. However, you could still make accounts using fake
checking account information. A few weeks later, AOL also closed this checking
out hole. I figured out a way to get around this and make fake accounts anyway
by using what are called 'form captures.' When one enters an AOL area, or
displays any sort of AOL dialog box or window, one can use the Utilities tool to
make a 'snapshot' of the window. This saves the information associated with this
window to disk. At any other time, one could call up this information and have
access to that window. I used this technique to manipulate the account creation
process so I could create an account without entering any billing information;
these accounts last a long time, as they didn't seem to be automatically
detected by the AOL billing software.

Around now was when Skywalker discovered a hacking technique called 'morphing'.
Using the Utilities tool, you could send the username/password token while you
were already signed onto your account, and you could automatically be switched
to any other account you had the password to. This was clever and useful for
switching between multiple accounts to check email. However, soon morphing will
figure much more prominently in the story.

Mid-August I went on vacation for two weeks and came back about a week before I
was to go to college, about the beginning of September. Because AOL was
canceling my accounts very quickly, I decided to go 'underground' again and
stopped being Happy Hardcore in public (except when I went to release new
versions of AOL4Free). I only informed a few friends of my current account
username at any time. Then I released an updated version of the AOL4Free
software (to work with version 2.6 of the Macintosh client ). I also discovered
that AOL had prevented morphing, and I checked to see if there was another way
to morph. It turns out there was; there are two different username/password
tokens, and AOL had only blocked one of them. The second could still be used to
morph. Me, Skywalker, Lando, and Yoda were even more delighted when we found out
we could 'morph' to AOL's guest account, which mean we could roam AOL's chat
rooms anonymously with 'guest' as our screen name, and no staffer could kick us
offline or detect who we were.

During this time we caused a little mischief with a certain chat room 'master
tool' we had found. AOL sometimes has online events where they invite
celebrities to come into a chat room and answer questions from the audience The
celebrity is put up on a virtual stage, and whatever he (and only he) says is
broadcast to the whole audience. We found a way to hack ourselves access to the
stage, and we disrupted several of these online chats by coming onstage during
an event and joking around, including one featuring the director of the movie
'Hackers'. Unfortunately, many of the big celebrity events, such as Michael
Jackson, sported beefed up security which we couldn't get around.

Also, I released to the public under the 'Happy Hardcore' name a tool called
'AOL4Free hack'. This was an add-on to AOL4Free that gave the user a menu of
choices. These choices corresponded to many AOL secret areas including the Guide
Area. It didn't provide access to any of the dangerous tools, but people could
walk into the Guide chat room and bug the hell out of them.

Now we come to two very important parts of the story. The first concerns Marc
Remillard, an EWorld employee at the time. The second concerns the use of the
morphing technique to break into any AOL account on the system without needing a
password. I'm not sure when Marc first contacted me, probably in August. I heard
from an AOL friend called John, who knew Marc, that Marc was interested in
speaking to me. EWorld (now out of business) was an online service that used the
same interface as AOL, but was run by Apple Computer. Consequently it was also
vulnerable to AOL's security holes. Well, I logged onto EWorld with a fake
account and spoke to Marc. He was impressed with my ability and convinced me
that I should not write an EWorld4Free, which I agreed not to. Basically, his
line was that Apple would be much more legally vigilant at pursuing me than AOL
would if I wrote an EWorld4Free, and I believed him.

I went away to college, but when I moved into my apartment it took about a week
for the phone company to install my line so I was off AOL for that time (2nd
week in September, I think). When I got back on AOL, I discovered that all hell
had broken loose. A few days after I left for college, Yoda had discovered that
using my new morphing technique one could morph into any account on the AOL
service. This includes the account of any AOL employee, including Steve Case. He
could do anything the user of that account could do, read his email, and most
importantly use a special AOL tool called 'Online CRIS'. CRIS is an AOL area
which gives certain high-level staffers total administrative control over any
account on the AOL system. For any given account, one could view the password,
name, address, billing information, and usage information associated with that
account. One could also use CRIS to search for any accounts associated with a
certain name, and so on. You could also change the information in any of these
fields, and could delete accounts or knock them offline. Well, the day after
finding this hole Yoda told Skywalker about it, and Skywalker made the mistake
of telling Darth Vader about it. Darth Vader and a few of his friends proceeded
to wreak havoc. They logged onto many of the highest level AOL accounts and
roamed the chat rooms boasting about their deeds. They sent out pirated software
using Steve Case's account, they deleted accounts, and they read and mailed out
private staff email (which I will discuss later). It took AOL a couple days to
close this hole down, and when I got my phone service back everything had calmed
down.

You may have heard all of the news stories about the AOL break-ins at around
this time. This is what they were referring to. Of course, when I had released
the software to use the second morphing technique, I of course had no idea it
could be used for this purpose of hacking accounts.

Darth Vader had found several staff emails of importance. One concerned Da
Chronic, an IBM hacker who had been causing mayhem on AOL by releasing a program
called AOHell, which let one disrupt chat rooms and make fake accounts (using
the old credit card method). This letter spoke of a meeting between top AOL
staffers and FBI agents (and a federal judge); in this meeting it was agreed
that the FBI would help AOL in tracking down Da Chronic. It discussed the crimes
they think Da Chronic could be prosecuted for, and talked about intimidating the
owners of any computers on the Internet that let anyone download AOHell. Out of
some feeling of misguided solidarity, I proceeded to post that message publicly
on several Internet newsgroups. I first used a fake AOL account to post it; when
the message was deleted with a forged cancellation originating from AOL
(staffers, I assume), I reposted the message through the anon.penet.fi remailer.

Another staff email Darth Vader found described a method an AOL employee had
invented to detect usage of AOL4Free. The letter listed accounts that had been
tracked as using AOL4Free, and suggested that AOL contact the Secret Service
about it. Instead of taking this as a warning sign, I proceeded to release a new
version AOL4Free that was supposedly undetectable. Finally, there was a letter
that really made me mad: it was a copy of the first online conversation I had
with Marc Remillard. Apparently he had sent a copy to his superiors, and they
had in turn sent a copy to people at AOL.

Well, I had come back from my one week hiatus to find out that this awesome
security hole had come and gone, and I was determined to reopen it. One of my
friends had found a very useful document in one of the secret areas: a complete
listing of all of the tokens recognized by the AOL host, and exactly what they
do. Using this document, me, Yoda, and Lando experimented with sending certain
tokens to the host, using Utilities, during the signon process. A week later I
hit gold. It turned out that if I attempted to sign on any account and provided
the wrong password, a dialog box appears telling me to reenter the password.
However, by sending this certain token, I fool the host system into believe I
had entered the correct password and I was signed onto the account as usual.
Mindful of what had happened to the first hole, I told only one person about
this, Yoda. We spent another week 'exploring' many staff accounts; we read
email, 'form-captured' many private areas, including the private area for the
AOL Network Operations department, and used Online CRIS to look over account
data. We read and saved many interesting messages, messages about AOL security
problems, memos to and from Steve Case's account, etc. I did not see anything
which indicated that they were going after me in particular, however.

This was the big time. When I found this hole, I was nothing less than blown
over. For a day, I walked around in a daze, amazed at what I had done. AOL4Free
and reading staffer's message boards was one thing. That was mischievous, and
playful, and got me respect in public. This was of a whole different level. In
effect, my pleasure at hacking came from solving the puzzle, but now that I had
access to any account on the system, the game was over. I had found the last
piece, and I had beaten the 'enemy' totally. Things suddenly became less fun,
and a lot more scary. Reading Steve Case's email was of a whole different
perceived level than snagging a few hours of free time. On one hand, I felt
amazed that I had hacked the biggest online service in the world, but on the
other hand, I could never tell many people of this in case AOL learned who
really did it. But above all, I first had to wrestle with the question, did I
really deserve this success? For the first time, I had qualms about what I was
doing. I knew that I had climbed the mountain, and now wondered how I was going
to get off it.

Now we come back to Marc. I was furious that a conversation I had thought was
private had been sent to AOL, of all places (though I can't really blame him for
sending it to his superiors). I stupidly boasted to a friend that I was going to
sign on Marc's account without using a password, and he told Marc. I proceeded
to use this security hole to sign on Marc's EWorld account and I read some of
his mail. One piece of mail was a letter to Apple Legal discussing certain
issues related to me (an email that I later learned had been planted by him).
The next day I receive a letter from Marc through John. In the letter, he talked
about how he had recorded me breaking into his account, but he still had no idea
how I did it. He described how EWorld was in a frenzy over this break in; since
EWorld is a service primarily for AOL employees, Apple was very concerned about
any of their corporate secrets becoming revealed. Marc then warned me that I
could only regain his trust and escape the wrath of Apple by giving him the
security hole immediately.

Needless to say, I was scared, but I was not about to give up my info so
quickly. I spent a few more days hacking AOL accounts (but stayed off EWorld)
and decided it would then be best to give it up. I met Marc on AOL and provided
him with the account hole info; he in turn told me how close I was to getting
busted by EWorld (another story I later found out was false). He said that
EWorld security had informed him that all he needed to do was get me online, and
they would have my 'info' within minutes. He also stated how his superiors did
not know about this meeting with me on AOL (he was on a fake AOL account I
provided him with). Within a few days, the account hole was gone on both AOL and
EWorld. This was about the beginning of October.

After this, I met two new friends on AOL. One was called Gates; he was an PC
user and an old AOL hacking veteran. However, because there was no equivalent
Utilities tool for the PC, there wasn't much he could do in the way of true
hacking. Another person I met was called Cygnus, who used a Mac and was very
sharp. With him, Yoda, and Lando, I uncovered what was the last big AOL security
hole of note. We found a way we could access a tool that allowed us to alter any
of AOL's message boards, by changing the titles and descriptions of messages and
boards. We didn't use this to alter any boards that were in use, but we played
around with several empty boards. Cygnus also used the file library tool to take
control of several unused file libraries, to which he began to upload warez.
Most importantly, Skywalker and Darth Vader had managed to acquire OH accounts
with Rainman access. This allowed them to literally create their own 'hackers
area', to which they included links to the borrowed file libraries and message
boards.

At the same time as this, Cygnus was instrumental in finding another account
security hole on EWorld. He used this log onto dozens of EWorld accounts, and
downloaded software that allowed him to access the private Apple employee's
EWorld area. I used this hole to play around with one or two accounts, but was
scared to do anything more. Over the next month or so, there were a number of
additional account holes on EWorld that were found by Cygnus and Yoda and
subsequently closed. I didn't talk much to Marc either; a few snippets of
conversation here and there about the number of EWorld security holes.

I was beginning to realize that we had probably exhausted the store of AOL
security holes, and boredom was beginning to set in. After playing around on IRC
for a few months I was then busted in December of '95, which was, shall I say,
somewhat of a surprise. But that's another story.

Nicholas Ryan, AKA Happy Hardcore