Slashdot: News for Nerds

Criminal Charges Filed Against AT&T iPad Attacker

CmdrTaco posted more than 3 years ago | from the someone-will-be-sad dept.

Security 122

Batblue writes "The US Department of Justice will file criminal charges against the alleged attackers who copied personal information from the AT&T network of approximately 120,000 iPad users, the US Attorney's Office, District of New Jersey announced Monday. Daniel Spitler will be charged in US District Court in New Jersey with one count of conspiracy to access a computer without authorization and one count of fraud. Andrew Auernheimer will be charged with the same counts at the US Western District Court of Arkansas, which is in Fayetteville. Auernheimer made headlines last June when he discovered that AT&T's website was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said that nobody from Auernheimer's hacking group contacted them about the flaw."

122 comments

Umm, yeah... (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34927536)

Uncle Sam and Ma Bell go wayyy back if you know what I mean. You don't sass the latter unless you are ready to deal with the former in a very bad mood.

They did switch from "Engaged" to "It's complicated" a while back; but that part didn't change...

This is appropriate (0)

Anonymous Coward | more than 3 years ago | (#34927580)

When you buy this product you sign an agreement. You should abide by it, or be ready to face the consequences.

Re:This is appropriate (4, Insightful)

Pojut (1027544) | more than 3 years ago | (#34927722)

That's not the problem.

Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information.

THAT'S the problem. Had he done this, then only sent the data to AT&T rather than publicly releasing it, they likely would be thanking him rather than trying to send him to the pokey.

It's that pesky "went public with the information" part that screwed him up.

Re:This is appropriate (2, Interesting)

Monkeedude1212 (1560403) | more than 3 years ago | (#34927882)

Something that's bothering me is that I can't seem to find any notion that AT&T fixed the flaw.

Now I'm willing to take their word that the guy didn't put forth much effort trying to contact them - but it seems like this court case has made it easier for them to brush the issue under the rug rather than fix.

Re:This is appropriate (0)

Anonymous Coward | more than 3 years ago | (#34927980)

they likely would be thanking him rather than trying to send him to the pokey

Oh, I want some of what you're smoking. Must be good stuff!

If security flaws are only submitted to the corporation it concerns, two things may happen (not mutually exclusive):
1) They still sue you.
2) They ignore the flaw and do nothing about it.

There have been lots of stories on /. for either case over the years.

Re:This is appropriate (2)

melikamp (631205) | more than 3 years ago | (#34928340)

IMHO, the problem is the desire to be famous NOW. Sign your leaks with strong encryption and leak them anonymously, and you will be safe.

Re:This is appropriate (1)

Anonymous Coward | more than 3 years ago | (#34928512)

IMHO, the problem is the desire to be famous NOW. Sign your leaks with strong encryption and leak them anonymously, and you will be safe.

No. If he wanted to help, he shouldn't have released them publicly at all unless AT&T refused to fix the problem. Instead, he went straight ahead and released them first thing. Do you understand the difference?

Re:This is appropriate (1)

DrXym (126579) | more than 3 years ago | (#34928544)

Sign your leaks with strong encryption and leak them anonymously, and you will be safe.

Of course that's a bit like taking a shit on the couch of every house you burgle. You're safe while you remain anonymous, you're screwed if you're ever caught. Once they catch you for one offence they more or less have a cast iron against you for those other offences on you too.

Re:This is appropriate (1)

Hatta (162192) | more than 3 years ago | (#34928848)

Why exactly is that a problem? Isn't that journalism? All he did was aggregate publicly available information.

Re:This is NOT appropriate (1)

tripdizzle (1386273) | more than 3 years ago | (#34929538)

But shouldn't the public know that their data was vulnerable? How does the alleged attacker know that if he sent the info to AT&T that they wouldn't have sat on it and then had him prosecuted in a more quiet sort of way so this info doesn't go public? Shouldn't AT&T and/or Apple be the ones being prosecuted and/or sued for leaving this information vulnerable?

Re:This is NOT appropriate (1)

Pojut (1027544) | more than 3 years ago | (#34929628)

I didn't say I agreed with it, I just said that's the way it probably is.

Re:This is appropriate (1)

Splab (574204) | more than 3 years ago | (#34929878)

Yeah.. Except don't do that.

I once discovered a flaw in a website and told the operators. A couple of days later I was called up by their security personnel threatening with police etc.

If you discover a flaw within a system, use an anonymous mail system to tell them about it and if nothing happens go to wikileaks. Do not put yourself in the line of fire.

Re:This is appropriate (1)

nomadic (141991) | more than 3 years ago | (#34929950)

How do you respond?

And when the US Gov raided AT&T? (0)

Anonymous Coward | more than 3 years ago | (#34928912)

And when the US Gov raided AT&T for customer info, they had signed an agreement called "The Constitution".

They don't seem to be ready to face the consequences.

Re:Umm, yeah... (1)

Tiger Smile (78220) | more than 3 years ago | (#34927586)

Awesome post!

Re:Umm, yeah... (2)

Cytotoxic (245301) | more than 3 years ago | (#34927666)

You don't want to screw with the phone cops, man. [youtube.com] They blew up a transmitter in Cincinnati back in the 70's when some DJ named "Dr. Johny Fever" got out of hand...

the worst since '78! (0)

Anonymous Coward | more than 3 years ago | (#34928572)

Monster lizard ravages east coast! Mayors in five New England cities have issued emergency requests for federal disaster relief as a result of a giant lizard that descended on the east coast last night! Officials say that this lizard, the worst since '78, has devastated transportation, disrupted communication, and left many hundreds homeless!

Let's get this straight (4, Interesting)

Tiger Smile (78220) | more than 3 years ago | (#34927574)

AT&T illegally gives the DOJ your phone calls, emails, messages, and other personal information in an up-to-the-second interface, and when some kid notices a security flaw the same DOJ comes after him? The public that puts up with this deserves to be treated this way.

Information must be free! (3, Funny)

Anonymous Coward | more than 3 years ago | (#34927638)

You're 100% right! He needed to scrape all the user information he could and go public with it! Your personal information wants to be FREE, and no corporation can stop its freedom.

Re:Let's get this straight (0)

Anonymous Coward | more than 3 years ago | (#34927704)

I don't think he's being charged with noticing a security flaw, he's being charged with exploiting a security flaw.

most stores have merchandise out in the open (1)

peter303 (12292) | more than 3 years ago | (#34927770)

So by Tiger's reasoning, I have the right to just take what I want then.

Re:most stores have merchandise out in the open (0)

Anonymous Coward | more than 3 years ago | (#34928166)

If you're a corporation in cahoots with the government, YES. ;)

Re:most stores have merchandise out in the open (1)

Biggseye (1520195) | more than 3 years ago | (#34929456)

Let's be blunt about this, you are condoning theft, the willful disclosure of private information for your own political cause, to address what you feel is wrong. You do not care who you hurt, all you care about is your goal. You sound a lot like exactly the people you seem to think you have a right to bring down. It is interesting to me that technically adept people seem to think that they are the end all and be all. That they have a higher calling and violating other people's rights, the law, and any other form of moral code is ok, as long as their goal is met. I have been working with sensitive data on various systems for 30+ years. Not once have I violated my duty to maintain confidentiality. You and the people you support think that rules are for other, lesser beings, when in fact you are the very poster child for the worst types of behavior found on computer networks. I think it is high time people like this man get stiff punishments for what they do.

Re:most stores have merchandise out in the open (1)

Duradin (1261418) | more than 3 years ago | (#34928678)

Yup. And if you shoot and kill someone it's not your fault since they weren't wearing strong enough body armor to stop the round.

Re:Let's get this straight (3, Informative)

dunezone (899268) | more than 3 years ago | (#34927924)

Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information.

Claiming to help? That is a great excuse there. They found a security hole in the system and instead of just reporting it to AT&T they pulled down private information which they did NOT have the right to access. In other words I left my front door unlocked, this doesn't give you the right to go in and snoop around and take my stuff, you CAN however report to me and the newspaper that my door is unlocked. That is why these "hackers" are in trouble. AT&T probably looked at the exploit and then realized not only was there a problem but the people reporting it took private and sensitive information, this then required them to go to the legal system because they're liable for this. Most of these major companies have insurance to cover these types of incidents but unless they follow protocol the insurance might not pay out.

Also the article attached to slashdot is missing information. They also gave the private information to Gawker.

http://www.informationweek.com/news/storage/security/showArticle.jhtml?articleID=229000863&cid=RSSfeed_IWK_All [informationweek.com]

And apparently chat logs exist of these "hackers" discussing selling or using this information in an illegal way.

http://www.crn.com/news/security/229000878/feds-nab-web-trolls-in-at-t-ipad-hack.htm [crn.com]

Re:Let's get this straight (0)

shakah (78118) | more than 3 years ago | (#34928124)

In other words I left my front door unlocked, this doesn't give you the right to go in and snoop around and take my stuff, you CAN however report to me and the newspaper that my door is unlocked.

Isn't the analogy more "If I put a bunch of things in my driveway (think "free" garage sale) along with a sign that said "please take whatever you want", but mistakenly put some of my wife's cherished possessions on display, should I be able to charge you with theft for taking my wife's things?"

Re:Let's get this straight (0)

Anonymous Coward | more than 3 years ago | (#34928178)

Even that isn't much of an analogy, since you aren't depriving someone of their property by copying a database. It's a lot better than GP's argument though, I'll give you that.

Re:Let's get this straight (2)

shakah (78118) | more than 3 years ago | (#34928594)

Point taken -- how about:

I put a bunch of things in my driveway (think "free" garage sale) along with a sign that says "please take whatever you want". I mistakenly include sexually graphic pictures of my wife in the stuff I've put on display. You find them and take pictures of them with your smartphone, then show them to your friends -- should I be able to charge you with theft (or some other crime?) because you should have known that I didn't intend to give those away?"

Re:Let's get this straight (1)

FredFredrickson (1177871) | more than 3 years ago | (#34930034)

Exactly, that's the bit that's clearly missing from everybody's argument here. Hosting a webserver is an invitation for people to see what the server is serving. If you're too much of a dolt and put sensitive information on a webserver, how is it anybody's fault for seeing that information? There's no unauthorized access.

This is the same as google changing their mind retrospectively that they didn't want people on google.com.. I guess we'd all be criminals, since accessing information on a webserver is only allowed at the whim of the unpublicized thoughts of the company hosting it.

Re:Let's get this straight (0)

Sam H (3979) | more than 3 years ago | (#34928126)

I think I can guarantee that no chat logs could exist that show Goatse Security members discussing selling or using the information in an illegal way. Or they would be fakes.

I have personally answered requests sent to Goatse Security for a while, and have constantly refused all offers to buy or even have a look at the data. I am pretty sure some of the requests were bait to see just how greedy we were, so if the people who tried are honest, they will be able to confirm that no matter the amount of money proposed, we said no.

Re:Let's get this straight (0)

Anonymous Coward | more than 3 years ago | (#34928426)

Here is a link to the complaint with the logs included:

http://www.scribd.com/doc/47136974/Auernheimer-Spitler-complaint

Re:Let's get this straight (1)

Jah-Wren Ryel (80510) | more than 3 years ago | (#34929128)

Here is a link to the complaint with the logs included:

http://www.scribd.com/doc/47136974/Auernheimer-Spitler-complaint [scribd.com]

Thanks.

From reading the logs it's clear they've been edited for maximum impact by the prosecution, but even then all I see are some guys just talking shit about money and other things (like how to get "maximum lolz" out of the situation).

But talking shit has been more than enough to get people put away for terrorism so these guys are probably screwed too.

Re:Let's get this straight (1)

erroneus (253617) | more than 3 years ago | (#34928438)

If all that is reported is the complete truth, then I agree with you. But is AT&T lying about being informed of the security flaw? Or in another way, has AT&T not processed attempted contact by the parties charged and forwarded this to AT&T's attorneys? Worse, did AT&T request proof of the vulnerability and then use that as a means to attack and prosecute these individuals?

Re:Let's get this straight (0)

Anonymous Coward | more than 3 years ago | (#34928536)

"AT&T they pulled down private information which they did NOT have the right to access"

The problem I think most people who read this story have--is this that he did not have the right to access, or that AT&T didn't have the right to reveal/obligated to secure?

You may fault the guy. My question is if this data is so important to you, why isn't there any blame on AT&T, and why aren't they/AT&T being prosecuted as well for negligent data insecurity (and if there are no such laws, see next)?

It seems, on the one hand, the individual is prosecuted by the overweighted hand of the government for a criminal charge, while the big corporation at maximum can only face a tort/civil judgement.

DOJ for the "win" again...

Re:Let's get this straight (1)

Hatta (162192) | more than 3 years ago | (#34928904)

In other words I left my front door unlocked,

It may surprise you to learn this, but the Internet is not a residential neighborhood. It is a public space, that which is not restricted is presumed to be accessible. I have to ask your web server for every page of yours that I access. If you don't want me to access it, make your webserver refuse my access.

Just imagine for a moment if the burden was on the site visitor to ensure that he was authorized before he viewed a page. How would the internet work?

Re:Let's get this straight (1)

FredFredrickson (1177871) | more than 3 years ago | (#34930078)

Sadly, I'm betting your argument trumps this guy's lawyer's. Lawyers always avoid the obvious because it doesn't hedge the bets.

Re:Let's get this straight (1)

geekprime (969454) | more than 3 years ago | (#34929094)

If you left it out and available on the internet it is no longer private information.

Any arguments to the contrary are basically cya bullshit.

Re:Let's get this straight (0)

Anonymous Coward | more than 3 years ago | (#34927966)

How should the public stand when they're woefully uninformed? TV 'news' will cover this entire story in 10 seconds and SoccerMom will think, "Gee, must be all there is to it!"

Let me guess how it will be reported.

Anchor-2 (male): "In other news, 2 hackers face charges today after stealing AT&T customers' data."
Anchor-1 (female): "Moving on.... A new study shows that video games cause serious mental illness in young adults [citation needed]..."

lousy modern "reporting" (0)

Anonymous Coward | more than 3 years ago | (#34928816)

bloody Computerworld "article" [computerworld.com] doesn't even cite Goatse Security [wikipedia.org]


And I know we're talking about AT&T here, but here's a protip for corporate America: fix your problem, don't shoot the messenger.

Re:Let's get this straight (-1)

Anonymous Coward | more than 3 years ago | (#34927996)

Unfortunately "justice" in Amerikkka only affects the lower classes - otherwise the CEO of AT&T would be a head shorter by now.

Re:Let's get this straight (1)

jonescb (1888008) | more than 3 years ago | (#34928010)

Absolutely right. It's only illegal if you aren't paying AT&T/Facebook/etc for the user information you're taking.

Two wrongs don't make a right... (1)

MikeRT (947531) | more than 3 years ago | (#34928272)

MasterCard has agreed to work with the **AA. Does that wrong justify some punk exploiting a security hole and downloading credit card account information for several hundred thousand MasterCard customers?

Of course not.

Re:Let's get this straight (3, Interesting)

erroneus (253617) | more than 3 years ago | (#34928390)

We are at the point ("beyond" the point is still at the point) where we need a Wikileaks for security issues. Increasingly, it is becoming hazardous to expose weaknesses in systems and services that render personal and/or sensitive information vulnerable. We are not going to change the government or regulatory bodies' minds about what appropriate means or whose interests are of higher priority. So it is best to decide whether it is best to claim the glory of being the discoverer or implementer of the exploit or if the knowledge needs to be out there without risk to your identity being connected with it.

Stupidly, there are going to be "myspace/facebook" mentalities who will go for the fame regardless of the dangers. Personally, I would prefer to conceal my identity and get behind a wikileaks body to launder my identity from the work.

Re:Let's get this straight (1)

fulldecent (598482) | more than 3 years ago | (#34928990)

I've had problems with security disclosures before involving banks. Seriously, I need advice on responsible disclosure. Then I should start a wikileaks-style effort to help other people with the same.

Re:Let's get this straight (1)

Biggseye (1520195) | more than 3 years ago | (#34929204)

You have a very strange morality. You are justifying the means to suit your ends. What he did was wrong. Not exposing the flaw, but going public with private information. As others have said, your concept of right and wrong is akin to anarchy.

Re:Let's get this straight (0)

Anonymous Coward | more than 3 years ago | (#34930096)

As an average U.S. citizen, who the government would rather stomp than listen to, what would you suggest I do? I don't want to either run for office or end up in jail, though.

Bogus Charges (2, Insightful)

Anonymous Coward | more than 3 years ago | (#34927590)

The site was exposing the information. There was no unauthorized access, writing a script to parse publicly available information is not hacking.

Anyone know what the fraud charges are?

Re:Bogus Charges (0)

NewWorldDan (899800) | more than 3 years ago | (#34928546)

Ummm, no. He was clearly accessing the system in a manner not intended. I don't lock the door to my house, but if you come and look through my things, you're still trespassing, and it's still illegal.

Re:Bogus Charges (0)

Anonymous Coward | more than 3 years ago | (#34929086)

I've always hated this house analogy. Their web server is giving out information. Let's say more like a newspaper boy delivering free newspapers that includes a private page 13 that was included by mistake. How would I know? The page is there, given away for FREE, why would I not look at it? I didn't go into anyone's house, the paper was delivered to me in MY house......

Re:Bogus Charges (1)

scrib (1277042) | more than 3 years ago | (#34929374)

I find fault with the house analogy. It's common knowledge that you are not supposed to walk into someone's house uninvited. Websites are, for the most part, specifically designed as public spaces for any visitors. It is a very rare case in which a legitimate website actually invites you to access it.

A better analogy would be if AT&T got a giant billboard labeled "AT&T Customer Registration Data for AT&T customer use only" which listed all the information.

I know my analogy isn't perfect, but it's far closer to the reality of a web site than a house.

Re:Bogus Charges (0)

Anonymous Coward | more than 3 years ago | (#34929604)

Clearly accessing the system in a manner not intended? The "system" served up this information to this user with no quibble. No authorization, no mandate. The system saw a request and filled it.
 
If your front door invited people in to the house, gave them a guided tour and then left them to rummage, you'd have a hard time proving it wasn't a "public" space.

Re:Bogus Charges (-1)

Anonymous Coward | more than 3 years ago | (#34928702)

The site was exposing the information. There was no unauthorized access, writing a script to parse publicly available information is not hacking.

So if I snoop around your house when you're not home, take pictures of things like your credit cards and whatnot, leave the originals at your house, not take anything, and start running up huge bills with your stuff, you're saying you're the one at fault. Gotcha, glad this got cleared up.

I mean, that's as "publicly available" as this was. If you left a credit card or some form of identifying documentation near a window and someone just happened to have a pair of binoculars or a telescope within sight of the window, that's "public" as in I can see it, right? I mean, you're clearly exposing the information.

lynch mob! lynch mob! (0)

metalmaster (1005171) | more than 3 years ago | (#34927608)

This isn't a matter for the courts. I say we gather all the apple fanboys, give em apple branded pitchforks and let em loose. To give the guy a sporting chance, we hold the event in a large forest and he gets a 30sec head start

Re:lynch mob! lynch mob! (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34927634)

No good. Mantracker is obviously an Apple Fanboy, this contest is clearly stacked in his favour.

Re:lynch mob! lynch mob! (1)

I8TheWorm (645702) | more than 3 years ago | (#34927706)

The problem with that is all of their pitchforks have rounded tips on them.

Re:lynch mob! lynch mob! (0)

Anonymous Coward | more than 3 years ago | (#34928550)

You're just holding it wrong, you're supposed to beat them with the big wooden end. The pointy metal end is the antenna.

Re:lynch mob! lynch mob! (1)

scrib (1277042) | more than 3 years ago | (#34929634)

No no, to beat them with the wooden end you would have to hold it by the antenna and then it wouldn't work at all!

AT&T's motto: Trust Us (2)

digitaldc (879047) | more than 3 years ago | (#34927614)

AT&T has the fastest 4G network....trust us.

AT&T would NEVER compromise your data...trust us.

Re:AT&T's motto: Trust Us (1)

I8TheWorm (645702) | more than 3 years ago | (#34928128)

AT&T has no 4G network, and for that matter, nobody has one. The 4G specs mandate 100mbps of bandwidth.

p.s. at 14-21mbps, theirs is definitely in the running for fastest HSPA+ or 3G+.

Disappointing title (1)

PolygamousRanchKid (1290638) | more than 3 years ago | (#34927656)

I thought an iPad Attacker whacked someone else on the head with an iPad. It would be a hoot and a half in court:

Prosecution: "Your Honor, we charge the suspect with assault with a deadly weapon."

Defense: "Your Honor, iPads are not classified as deadly weapons."

There is probably a legal precedent somewhere. Laptops have been around for a long time enough, that someone whacked someone else on the head with a laptop.

Re:Disappointing title (2)

Graff (532189) | more than 3 years ago | (#34927998)

There is probably a legal precedent somewhere. Laptops have been around for a long time enough, that someone whacked someone else on the head with a laptop.

Google is your friend. [patch.com]

Re:Disappointing title (0)

Anonymous Coward | more than 3 years ago | (#34928218)

Wow... just wow..

Guy goes to confront someone for hitting on his girl and hits him with a brand new boxed laptop, and a bag of feces?
Can't make that up.

Damn it Slashdot why can't I paste in chrome.

This may scream for jury nullification or no-bill (3, Interesting)

davidwr (791652) | more than 3 years ago | (#34927662)

I'm going to assume for the sake of argument that the facts will prove he broke the law. If they don't the rest of this post doesn't apply to this case but it is still interesting from an academic/hypothetical perspective:

It's hard to say what is "just" in a case like this.

Is it more just to officially sanction (in the form of a guilty verdict by a jury) his behavior even though it was done with good intentions, or is it more just to officially (in the form of a non-guilty verdict or a grand jury declining to indict even if the facts prove guilt) say that it's in society's best interest that this behavior be tolerated or even encouraged in this context?

Refusal to indict or refusal to convict in the presence of proven guilt is an important part of American jurisprudence. While such events should be very rare as prosecutors should never let cases get this far, no-bills and jury nullifications "in the interest of justice" are the people's last chance to say "the application of the law in this case is unjust -or- the law itself is unjust." Assuming the law or its application is not unconstitutional or otherwise illegal, once a jury convicts the now-convicted-criminal is at the mercy of the Executive Branch for a pardon or commutation.

The sad part is neither the jury nor the grand jury will likely be allowed to see anything but the hard evidence and most or all of both groups will be too technically naive to make an informed decision as to whether it is more just to release this person or to indict and convict him.

Re:This may scream for jury nullification or no-bi (1)

bannable (1605677) | more than 3 years ago | (#34927790)

Weev doesn't do anything with good intentions, and this was no exception.

Re:This may scream for jury nullification or no-bi (0)

Anonymous Coward | more than 3 years ago | (#34927940)

Exactly! That was the argument I used when I was busted for showing my neighbor that he leaves his door unlocked by taking his TVs and computers.

Fucking judge said, "You could have just told him and if he kept doing it, then he would suffer the consequences of his stupidity."

Re:This may scream for jury nullification or no-bi (0)

Anonymous Coward | more than 3 years ago | (#34928110)

on a website where copyright infringement is routinely defended as !stealing, are we really going to insist that copying 'confidential' information is comparable to theft?

Re:This may scream for jury nullification or no-bi (1)

Restil (31903) | more than 3 years ago | (#34928154)

Jury nullification is a double edged sword. While the pot smokers and computer hackers amongst us can imagine a world in which they'll never see a conviction based solely upon a jury's refusal to convict them in spite of clear definition of the law and no reasonable doubt, that same jury could find an innocent black man guilty of a crime against a white woman (think "To Kill a Mockingbird"), even though the evidence clearly shows that no crime was committed.... just because he's black. Of course, while the civil rights movement went a long way toward solving THAT particular problem (with perhaps some room for improvement yet), consider instead that you are the victim of a crime, and the jury decides to acquit the defendant because despite his breaking the law, they really think you deserved to be victimized. Hey... maybe you DID sleep with his girlfriend and he decided to beat your ass for it. There would be a LOT of people who would think his actions were perfectly justifiable. However, it's not a jury's job to decide that. If they feel sympathetic to the plight of the defendant, they can take that into consideration during the sentencing phase if they wish. They don't get to just not convict the guy because they think you deserved that beating. THAT would also be jury nullification. In that case, you probably wouldn't be quite as supportive of the concept.

Don't get me wrong, I understand the concept in theory, and I can even envision times when it might be well supported by everyone. How many times have you heard someone say "They might press charges, but no jury would ever convict him"... But understand, as powerful a weapon as that potentially can be, it's not something you'd want to dilute by corrupting jurors country-wide to disregard what they're instructed to do and instead just do whatever they want. The CSI effect is bad enough. Do you really want a jury to decide your fate based on whether they like you or not? Especially if you're innocent that could be a real concern. You would WANT them to pay close attention to the evidence and not get sidetracked by the empathic pleas of those who are trying to put you away. Face it, the jury is already ticked off that they have to be there. They can get the deliberations over with much quicker if they just decide you're guilty... because.. hey.. you look like a criminal.. or someone who might be... You had better hope that at least ONE of those jurors decides to actually pay attention to the law and the duty they've been entrusted with.

-Restil

Re:This may scream for jury nullification or no-bi (0)

Anonymous Coward | more than 3 years ago | (#34928880)

By definition your first situation is not "Jury Nullification", I'm not sure if there is a good term for it besides "Racism". The second situation kind of qualifies but that is where the Judge is supposed to come in, preventing any evidence/opinion from coming into the courtroom that is irrelevant to the crime committed (Victim is a call girl/criminal/etc). And in both cases if the judge believes the jury is being swayed by something improper as a matter of law the judge can declare the defendant "not guilty". I realize it would not work if for example a black individual was victimized by a white individual and the jury found the white individual not guilty simply because his accuser was black (the judge can't exactly keep all parties skin color under wraps). But in our system of law it is supposed to be better that 10 guilty individuals go free than 1 innocent person be imprisoned. Unfortunately I would bet that's exactly what we have today, I would guess at least 10% of the "criminals" currently in prison/jail are guilty of "victimless crimes" (drug use, call girls, public intoxication, "disorderly conduct", etc). I think it's unfortunate that our current judicial system is so hostile to Jury Nullification, for being the "beacon of hope for the free world" talk, we also have BY FAR the highest per capita incarceration rate of any country on the planet.

Re:This may scream for jury nullification or no-bi (1)

Anonymous Coward | more than 3 years ago | (#34929864)

I had a friend on a jury not long ago and one of his fellow jurors said guilty in the initial vote. When asked why, she responded, because the cops arrested him. Don't think every juror understands the concept of logic. They are, more often than not, average people and the average person, at least where I live, is pretty dumb. It took hours of arguing that while the guy very well might have been guilty, witnesses' memory was too flaky by this time to really say what happened. The trial was over an assault, but since the trial took place almost a year after the incident, no two people could really agree on what happened that night. The only guy who was certain was a police officer who changed his testimony after being contradicted by other officers. If my friend hadn't been there, this guy would have been found guilty simply because most people don't have his stamina for arguing. It is truly epic, and has been since he was a kid. While I don't agree with him on many issues, I am in awe of what he can get people to do if they make the mistake of listening to him for too long. ;^)

nope, double fail (0)

Anonymous Coward | more than 3 years ago | (#34930214)

If [the jury] feel sympathetic to the plight of the defendant, they can take that into consideration during the sentencing phase if they wish.

No, they cannot. You fail on two accounts:

1) Juries do not participate in sentencing for non-capital criminal cases, except in a handful of states (and even then they don't set the sentence). The Duke Law Journal had a nice article http://www.law.duke.edu/shell/cite.pl?52+Duke+L.+J.+951 [duke.edu] arguing that historical accidents contributed to the switch from English jury sentencing to modern judge sentencing.
2) And judges lost the ability to express sympathy for the plight of the defendant as consideration during the sentencing phase when the legislatures began passing "mandatory minimum sentencing" laws designed to take away that sympathy.

Ethical disclosure (4, Interesting)

SirGarlon (845873) | more than 3 years ago | (#34927690)

"We believe what we did was ethical," Auernheimer told Computerworld last June. "What we did was right."

The federal prosecutor disagrees. If you follow the link in TFA, you'll find:

Rather than contact AT&T directly with what they'd uncovered, Goatse [Security] tipped off an unnamed third party, who in turn reported the design flaw to AT&T. Goatse took that route, Auernheimer said, to prevent AT&T from preventing the group from publicizing the e-mail address exposure.

So, they found a flaw, then hid their identity, and didn't contact AT&T directly, instead disclosing the flaw to a third party (who can be trusted because ...?), because they thought AT&T might react differently than how they wanted it to. This is ethical exactly how?

Re:Ethical disclosure (4, Insightful)

gnasher719 (869701) | more than 3 years ago | (#34927768)

The federal prosecutor disagrees. If you follow the link in TFA, you'll find:

So it's like he claims: "I wanted to point out your security failures, so I opened your safe". And the federal prosecutor says: "You actually opened the safe and took the money out". While the first is possibly illegal, but lets us argue that no harm was actually done, the second is pure and simply theft.

Ethical use of 3rd-party escrows in security leaks (1)

davidwr (791652) | more than 3 years ago | (#34927856)

It's more like:

I opened your safe and took pictures of what was inside.

Assuming the pictures were of mundane items that didn't reveal any secrets - such as a mundane picture of a bank vault with stacks of cash - then you can argue that no harm was done.

If the picture is a clearly readable copy of the Coca Cola recipe on the other hand, then releasing it may be harmful.

As to releasing "the picture" to a "responsible third-party escrow" as was done here, the ethics boil down to:
* Was there a good reason to believe that using an escrow served the public interest?
* Did you do your due diligence to make sure the escrow was an agency that would act in the public interest?

When it comes to security holes that vendors have an incentive to sit on, the answer to the first question is almost always yes. I don't know the specifics of this case so I can't answer the second.

he is the one in trouble? (1)

wolfgang_spangler (40539) | more than 3 years ago | (#34927778)

Perhaps I misread the story, but this "hacker" wrote a script to gather information that AT&T made public on their website, and HE is the one in trouble?

Re:he is the one in trouble? (2)

Jaysyn (203771) | more than 3 years ago | (#34927896)

Auernheimer made headlines last June when he discovered that AT&T's website was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said that nobody from Auernheimer's hacking group contacted it about the flaw.

That pretty much sums it up. I wonder if the EFF will get involved?

web browsing is illegal now? (4, Interesting)

wolfgang_spangler (40539) | more than 3 years ago | (#34927858)

From the article:
In a blog post earlier today, Auernheimer spelled out Goatse's case. "All data was gathered from a public webserver with no password, accessible by anyone on the Internet," he wrote. "There was no breach, intrusion, or penetration, by any means of the word."

How did he do anything illegal?

Re:web browsing is illegal now? (1)

Anonymous Coward | more than 3 years ago | (#34927938)

No good deed goes unpunished. Thank you for visiting the United Corporate of America (tm).

Re:web browsing is illegal now? (0)

Anonymous Coward | more than 3 years ago | (#34928118)

I don't think this episode qualifies as a good deed, even under your loose standards.

Re:web browsing is illegal now? (0)

Anonymous Coward | more than 3 years ago | (#34928338)

Perhaps not, but do you really think the DOJ would have acted any differently had this been an accidental release of data as opposed to the deliberate exposure of very shoddy security practices?

I don't.

Looks to me that what this was, is the equivalent of person A walking up to person B who is wearing their pants about halfway down their legs, jerking them down, and yelling "LOOKY HERE!" as bags of coke or crystal start spilling onto the street from person B's pockets. Only then to have the cop walking past arrest person A for assault and subsequently ignore the illegal narcotics around person B's feet.

Come ON, ya gotta be f'ng kidding me! Loose standards my tail!

Re:web browsing is illegal now? (1)

Anonymous Coward | more than 3 years ago | (#34928034)

Don't believe that the laws mean what most people think they do.
I was recently convicted for a _very_ similar incident (here in Norway).
There was no intrusion like most people would think ("breaking a lock/protection" etc.), but I was still convicted since the data was not meant to be publicly accessible.

Re:web browsing is illegal now? (2)

Cwix (1671282) | more than 3 years ago | (#34928268)

That's like putting a sign on your lawn and suing anyone who pauses to read it.

Re:web browsing is illegal now? (1)

tgd (2822) | more than 3 years ago | (#34929818)

No, the correct analogy is that you aren't welcome to enter my house and take my microwave because I'm having an open house and have a plate of free cookies out.

Re:web browsing is illegal now? (0)

Anonymous Coward | more than 3 years ago | (#34930226)

Wrong, the correct analogy is that you aren't welcome to take a picture from the street of me walking around in my underwear while I have the blinds to my windows wide open.

Re:web browsing is illegal now? (1)

Cwix (1671282) | more than 3 years ago | (#34930390)

Your analogy is the epitome of fail.

When you go to a webpage you assume the author of the page has created/supplied the content for you to look at free of charge. Everything. Take google for example. I can go to google and look at the maps free, the search free, download free programs, etc. It is all free for me to consume. This person went to a webpage and found that this was available from their publicly accessible webpage. He consumed it.

If you were having an open house, and it was known I could consume whatever I wanted. Then yes, yes I would take your damn microwave. If you didn't want me to take your microwave then you shouldn't have left it where the general public could assume they could take it.

Should they have either asked AT&T if they could take it? Maybe. Should they have sent an email to AT&T to make sure they wanted to give away microwaves? Might have been a good idea. Doesn't negate the fact that AT&T essentially gave away the data.

Re:web browsing is illegal now? (1)

Cwix (1671282) | more than 3 years ago | (#34930410)

My bad, I was trying to reply to tgd.

mens rea (2)

davidwr (791652) | more than 3 years ago | (#34928474)

You run a business. Your front door was open. Your office is open and it didn't say "private" or "employees only" on the door and there was no reason for me to think it was off-limits to the public. Printouts of your customer confidential data are on your desk in plain view.

I walk in and start taking pictures then share those pictures.

Did you do anything illegal?

I can probably beat a trespassing rap but I probably could not beat charges related to my copying and disseminating the information unless it was extremely clear what I was doing was in society's best interest.

Another example where justice demands no indictment:

You run a business. Your front door was open. Your office is open and it didn't say "private" or "employees only" on the door and there was no reason for me to think it was off-limits to the public. Printouts of records of your criminal or not-quite-criminal-but-shocking-to-the-conscience activity are lying around. Records of bribes or not-quite-bribes-but-clearly-influence-peddling payments to corrupt politicians.

I walk in and start taking pictures then share those pictures with a responsible news organization who then runs a story on them.

Re:mens rea (0)

Anonymous Coward | more than 3 years ago | (#34930400)

Why would photographing and sharing the information be illegal? You put shit on a table labeled "Free stuff", guess what, anyone can take it and do what they want with it.

Re:web browsing is illegal now? (1)

Sockatume (732728) | more than 3 years ago | (#34928978)

He collated the information and distributed it, for one. By analogy, compare noticing the file cabinet's been left unlocked and telling someone, against photocopying everything, giving it to the gossip sheets, and then counting on those to tell someone.

Re:web browsing is illegal now? (0)

Anonymous Coward | more than 3 years ago | (#34929024)

The charge is for conspiracy. The access wasn't illegal. It was that he conspired with his codefendants to do something which they aren't going to argue was illegal.

Re:web browsing is illegal now? (1)

joeyblades (785896) | more than 3 years ago | (#34929704)

The users have a reasonable expectation of privacy (in spite of AT&T's carelessness). He willfully violated the users' rights to privacy. Capturing email addresses and ID numbers also likely falls under the category of identity theft.

AT&T knew what they were doing.... (1)

realsilly (186931) | more than 3 years ago | (#34928008)

... of course they did. They are a massive company in size, and any company that size who puts info on the Web knows that they must legally protect this data.

Since I don't have all the info in this I can only make assumptions based on what I read in the article.
* AT&T made an application on their web site that allows an individual to enter in key info and pull back specific user data.
* Individuals were surfing around AT&T's website
* It was stated in one article that Hackers "guessed" 114,000 iPad ICC-IDs
* Defendant wrote a script to collect the email data associated with the iPad ICC-IDs
* Some of the emails belong to High-Profile people in govt., military, FAA, News, and more.
* This only affects 3G users.

While I don't know all the technical facts of the case, it appears that the two being charged, were not being all that above board in their method of obtaining info.

Regardless of their actions... Shame on AT&T, they know this information is sensitive. The iPad ICC-IDs should never have been made available via the Web in any form or fashion. Companies of this size know how much this information is worth. If I were one of the people exposed, I would first look to AT&T and question their lack of security. I would hold AT&T responsible for allowing such an easy breach of data.

But the reality is even more simplified. If you are going to be on the Web, and use your professional email address on a purchase of this type on a network, 3G or otherwise, you fall under the same situation as the rest of us. Anything that goes across the web is not Private and is always hackable.

Confidential Sources (0)

Anonymous Coward | more than 3 years ago | (#34928038)

If you read the actual complaint you see that an awful lot of the case is built around IRC logs given to them by a "confidential source." I think there is no question they did this hack, but most of the malicious intent is gleaned from these logs. That seems like some really shady evidence. How could they possibly confirm those logs?

Re:Confidential Sources (1)

davidwr (791652) | more than 3 years ago | (#34928516)

Remember, this is a big mega-corp telecom provider we are talking about. They tap all traffic on the interwebs and give it to the FBI/CIA/Illuminati/Pope/Scientologist/Trilateral Commission/United Nations/United Federation Of Solar Systems/etc/etc friends in real time, so of course they can fake, er, I mean, authenticate the logs.

Re:Confidential Sources (1)

ultrapenguin (2643) | more than 3 years ago | (#34928676)

Because if you've ever been in their channel, this is exactly how they talk. There's little proof needed.

I say, let them burn in hell for 5-10 years without parole (thanks federal crimes), come back to life with a permanent restriction on using computers, never get a job again (thanks google), and show the rest of the retards like weev & co how things should be done. good riddance, the internet thanks you!

Sense (0)

Anonymous Coward | more than 3 years ago | (#34928436)

This makes as much sense as being charged for theft because one day when you were out walking and you noticed a bunch of papers fluttering around, you picked up one and noticed it was a list of names and addresses, and you told others about it because you thought it was interesting/concerning that they were fluttering about for the world to see. It doesn't sound like they cracked any passwords or reverse engineered any programs. They simply noticed that the information was openly available on the web and told others about it. I hope the DOJ gets an earful from the judge for this and if it does go to court the jury laughs the prosecution out of the courtroom.

The definition of insanity (2)

Zontar_Thing_From_Ve (949321) | more than 3 years ago | (#34928570)

... is doing the same thing over and over again and expecting a different result.

How many times on Slashdot have we seen the following scenario?
1) Hacker finds security hole.
2) Hacker uses security hole to login to system. He may or may not do questionable things there.
3) Hacker gets caught and there's proof he was on the system and he wasn't authorized to be there.
4) Hacker looks at a trial and possible jail time.
5) Hacker claims innocence, saying that he was "just trying to help get the problem fixed".

Really, if you haven't learned by now that logging into systems where you don't belong may get you into deep trouble, there is no hope for you.

Got paid to 'backup' a coin-op video game's data. (1)

HornWumpus (783565) | more than 3 years ago | (#34928598)

Granting that didn't contain anything sensitive. Rare to see a real name.

It did contain a wealth of usage data which their competitors wanted.

That was not hacking in any meaningful sense of the word. Program entered player# then sucked results into database.

no goatse (0)

Anonymous Coward | more than 3 years ago | (#34928770)

Please don't link him.

attacker ?? (0)

Anonymous Coward | more than 3 years ago | (#34929716)

Why is the iPad data collector called an "attacker"?
