
iPad Account Hacker Pleads Guilty

timothy posted more than 2 years ago | from the bad-hacker-not-good-hacker dept.

Crime 86

WrongSizeGlass writes "Daniel Spitler, a member of Goatse Security, pleaded guilty today to writing the code used to steal email addresses and personal information belonging to 120,000 Apple iPad subscribers from AT&T computer servers. Spitler, who surrendered to the authorities in January, pleaded guilty to one count of conspiracy to gain unauthorized access to computers connected to the Internet and one count of identity theft. Each charge carries a maximum sentence of five years in prison."


86 comments

pwnd (-1)

Anonymous Coward | more than 2 years ago | (#36548672)

So... Apple is now gay and insecure about it?!

Goatse Security? (3, Funny)

Rene S. Hollan (1943) | more than 2 years ago | (#36548676)

You've got to be shitting me.

Re:Goatse Security? (5, Funny)

geekoid (135745) | more than 2 years ago | (#36548794)

Security through "OMG I don't want to see that!'"

Re:Goatse Security? (1)

davester666 (731373) | more than 2 years ago | (#36551570)

Well, you have to make sure some script kiddie can't just come along and change the image to Smurfette taking it from a puppy.

Re:Goatse Security? (2)

interkin3tic (1469267) | more than 2 years ago | (#36548806)

Their motto seems to be "gaping holes exposed." I was not brave enough to click on the link from google...

Re:Goatse Security? (1)

PopeRatzo (965947) | more than 2 years ago | (#36548840)

Their motto seems to be "gaping holes exposed."

I was really looking forward to the Goatse Security IPO. I guess they won't get that big round of venture capital investment now.

Hard to see what can go wrong when you call your outfit "Goatse Security". I wonder if their stock exchange symbol would just be a capital "O".

Re:Goatse Security? (2)

donotlizard (1260586) | more than 2 years ago | (#36548940)

Their logo may have looked a lot like this one: http://www.southernriverhockey.asn.au/images/westnet.gif [southernri...key.asn.au]

Re:Goatse Security? (1)

interval1066 (668936) | more than 2 years ago | (#36549126)

OMG... is that logo a joke or what...?

Re:Goatse Security? (1)

vegiVamp (518171) | more than 2 years ago | (#36553144)

No, and neither is this [vehicledesignsummit.be] .

Re:Goatse Security? (1)

ArsenneLupin (766289) | more than 2 years ago | (#36553504)

Doubly funny. Huurwagens in Dutch may mean "vehicles to rent", but in German, it sounds more like whore-wagons (or Hesperkutschen as they'd say in Luxembourgish...)

Re:Goatse Security? (0)

Anonymous Coward | more than 2 years ago | (#36548814)

While that image is unfortunately stuck in my mind forever, I do not remember any shit.

Re:Goatse Security? (2)

SleazyRidr (1563649) | more than 2 years ago | (#36548994)

Sure! They've got a website and everything! http://goatse.cx/ [goatse.cx]

(Seriously though, if you've somehow missed the joke, don't click that link!)

Re:Goatse Security? (0)

Anonymous Coward | more than 2 years ago | (#36550054)

A goatse link with a warning? Oh Internet, what has become of you?

Re:Goatse Security? (1)

Anonymous Coward | more than 2 years ago | (#36549026)

You've got to be shitting me.

No you're thinking Two Girls One Cup

Re:Goatse Security? (1)

Hatta (162192) | more than 2 years ago | (#36549224)

These are in fact the same people behind the GNAA.

Re:Goatse Security? (0)

Anonymous Coward | more than 2 years ago | (#36560154)

They also run Encyclopedia Dramatica. A bunch of assholes really who do it for the "lolz." Or more like attention.

Steve Jobs (-1)

Anonymous Coward | more than 2 years ago | (#36548708)

http://science.slashdot.org/comments.pl?sid=2261342&cid=36536716


Re:Steve Jobs (1)

RyuuzakiTetsuya (195424) | more than 2 years ago | (#36549016)

What is this, offensive lorem ipsum?

Re:Steve Jobs (0)

jc42 (318812) | more than 2 years ago | (#36549426)

What is this, offensive lorem ipsum?

What most people don't realize is that that oft-quoted document isn't pseudo-Latin nonsense; it's in the little-known 6th-century east-Istrian dialect, and is an excerpt from a tale of kiddie porn. So anyone who has it on their disk is in violation of some serious anti-porn laws wherever you live. And ignorance is no excuse. If you even download it by accident, you're guilty of a crime that even the /. crowd finds abhorrent.

Re:Steve Jobs (1)

Marful (861873) | more than 2 years ago | (#36550206)

Wikipedia says: you're full of shit. [wikipedia.org]

The text is derived from sections 1.10.32–3 of Cicero's De finibus bonorum et malorum (On the Boundaries of Goods and Evils, or alternatively [About] The Purposes of Good and Evil).

Care to cite your source?

Also, I think you need to re-read the pornography laws for wherever you live as, unless you live in Canada or Australia, possession of fictional portrayals of illegal sexual crimes is not the same as having physical evidence that illegal sexual crimes have been committed. Because if what you assert is true, that having possession of fictionalized events of underage sex or pedophilia is a crime, then it sucks to own a copy of Bram Stoker's Dracula, or Homer's Iliad, or Vladimir Nabokov's Lolita, or Neal Stephenson's Snow Crash or heaven forbid any one of many Heinlein novels, as they all describe fictional illegal sexual acts involving intercourse with underage minors or children and are almost all considered literary classics in their respective genres.

Re:Steve Jobs (0)

Anonymous Coward | more than 2 years ago | (#36550296)

Have you ever heard of the expression 'Whoosh' ?

Re:Steve Jobs (1)

GameboyRMH (1153867) | more than 2 years ago | (#36553798)

I think some people have found a way to cipher data (maybe just English or some simple coded information) into curse words and foods and are passing it through Slashdot. It would be a brilliant scheme. No need for direct contact between parties, just two dudes surfing a site's buried troll comments through Tor proxies.

mod parent UP (0)

Anonymous Coward | more than 2 years ago | (#36549676)

+5, Informative

should be 120,000 * 5 years... (0)

Anonymous Coward | more than 2 years ago | (#36548810)

Let the punishment fit the crime. Screw 1 million people, get screwed back 1 million times.

Re:should be 120,000 * 5 years... (0)

Anonymous Coward | more than 2 years ago | (#36549932)

Eh, really? If somebody publishes one email address (which AT&T already made publicly available on their website by stupidity/accident), they should go to jail for 5 years?

I guess it's true what they say about iPad faggots' ridiculously inflated sense of self-importance...

It's not stealing... (0)

Anonymous Coward | more than 2 years ago | (#36548876)

...if AT&T puts the data on the web without access controls of any kind.

https://freeweev.info

Re:It's not stealing... (0)

Anonymous Coward | more than 2 years ago | (#36549136)

Yes it is. If I leave my front door open and someone comes in and takes my TV it's stealing.

Re:It's not stealing... (1)

jc42 (318812) | more than 2 years ago | (#36549342)

If I leave my front door open and someone comes in and takes my TV it's stealing.

True, but that's not a very good parallel in this case. Putting something online in a web directory is generally considered to mean that you're making it available to the public.

A better parallel might be if, the evening before your local garbage pickup, you put your TV out on your sidewalk or driveway, next to the street. Anyone would take this to mean "Take it; it's free". People routinely stop and drive off with such things, assuming that they're probably broken, but they plan to take them apart for the components. Most people would be surprised to hear that someone doing this had been arrested and charged with theft.

Another possible parallel is the way that, in a lot of countries, unknowingly taking a photo that includes military or police equipment or buildings can be illegal. This has been attempted in the US, too, but the courts have generally held that, unless there was a clearly visible sign warning people away, taking such pictures is legal. You can't reasonably expect people to know what all the nondescript buildings in a scene are, after all.

There are quite a lot of other parallels that involve accessing things that are in a setting that's normally "public". I'm sure that others can list more such scenarios. And any "reasonable" requirement should at least say that accessing a random file that's being handed out by a web server is reasonable and legal. If it's not, there's an obvious counter-charge of "entrapment", which is all too easy for those in a position of authority to do to innocent passers-by.

Re:It's not stealing... (1)

DJRumpy (1345787) | more than 2 years ago | (#36549852)

They were hardly just lying around.

after uncovering a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries. After writing an automated script to repeatedly query the site, they downloaded the addresses, and then handed them over to Gawker.com

Re:It's not stealing... (1)

WNight (23683) | more than 2 years ago | (#36550112)

Specially written queries. Oh well then, that's that.

There's no way that would mean a URL with a sequential numeric ID in it.

Re:It's not stealing... (0)

Anonymous Coward | more than 2 years ago | (#36550180)

You equate sending random URLs to a web server hoping for an address being returned as 'just lying around'?

Re:It's not stealing... (1)

WNight (23683) | more than 2 years ago | (#36552020)

It's your fucking server. If you don't want it to send certain data, password it!

Besides, it wasn't even random.

Re:It's not stealing... (1)

node 3 (115640) | more than 2 years ago | (#36550426)

Specially written queries. Oh well then, that's that.

There's no way that would mean a URL with a sequential numeric ID in it.

That's exactly what it means. Why are you acting as though that's pertinent to the issue of whether the data is meant to be publicly accessed?

Re:It's not stealing... (1)

WNight (23683) | more than 2 years ago | (#36552050)

Why are you acting like the webmaster's intent, which I'd have to be psychic to know, has any relevance whatsoever? If their server sends it, you're authorized to have it. Otherwise, it wouldn't have sent the data to you. Get it?

Passwords. They are what you use for private data. Accept no less.

Re:It's not stealing... (1)

node 3 (115640) | more than 2 years ago | (#36560434)

Why are you acting like the webmaster's intent, which I'd have to be psychic to know, has any relevance whatsoever?

Um... You don't have to be psychic to assume the webmaster didn't intend anyone to be able to pull up anyone else's email address.

If their server sends it, you're authorized to have it.

Bullshit. That's *EXACTLY* like saying "if a door is unlocked, you're authorized to enter it".

Otherwise, it wouldn't have sent the data to you.

You don't have a right to everything you can receive. If I leave my car unlocked, with the keys in the ignition, do you think you have the right to drive it? Absolutely not.

Get it?

Passwords. They are what you use for private data. Accept no less.

Passwords are like locks. They are meant to enforce an already existing policy. Passwords are there to keep both accidental and deliberate trespassers out. The lack of a lock does not imply permission.

If your phone has bluetooth turned on, does that mean anyone in range has the *right* and your *permission* to copy the contents of your phone for their own use? Do you think that if you set something down, and I can pick it up without resistance, that it's perfectly right for someone else to take it? Do you not realize how fundamentally *insane* this whole idea is?

Re:It's not stealing... (1)

WNight (23683) | more than 2 years ago | (#36564184)

You don't have to be psychic to assume the webmaster didn't intend anyone to be able to pull up anyone else's email address.

Why? They put it up on a public webserver without a password. That's how you share documents.

If their server sends it, you're authorized to have it.

Bullshit. That's *EXACTLY* like saying "if a door is unlocked, you're authorized to enter it".

It's nothing like that. One is a door, any door, all doors, and the other is a publicly accessible webserver. Why not mangle a car analogy next?

You don't have a right to everything you can receive. If I leave my car unlocked, with the keys in the ignition, do you think you have the right to drive it? Absolutely not.

Oh, argh!

Listen. Webservers exist to share files. If they don't want to share the file they can simply return an error message and send you on your way.

Passwords are like locks. They are meant to enforce an already existing policy. Passwords are there to keep both accidental and deliberate trespassers out. The lack of a lock does not imply permission.

That's because in the physical world there are physical signs, both metaphorical, like the door being on a private house, and literal, like "Staff Only".

But webservers have defined standards. Ones they must follow to be able to parse requests and serve pages. Online you just fetch blindly and the server simply refuses to send you passworded material. That's how you check if something is private, ask for it.

And, if it's given to you, by web standards, that means you're allowed to have it.

If your phone has bluetooth turned on, does that mean anyone in range has the *right* and your *permission* to copy the contents of your phone for their own use?

It gives me permission to send whatever signals I want. If your phone chooses to send me its contents that's your issue with it, not me.

Do you not realize how fundamentally *insane* this whole idea is?

That you get to waltz in years later, use tech you don't understand, developed by a culture you don't understand, and have it perfectly conform to your norms? Yeah, that is insane.

Re:It's not stealing... (1)

node 3 (115640) | more than 2 years ago | (#36550400)

True, but that's not a very good parallel in this case. Putting something online in a web directory is generally considered to mean that you're making it available to the public.

I think it's quite obvious that AT&T didn't intend to make the data publicly available any more than a homeowner means to make the contents of their home publicly accessible simply by leaving the door unlocked.

And these "hackers" were quite aware of this, otherwise they wouldn't have siphoned off the email addresses and made a big fuss about it. Acting like this is somehow assumed to be public info is a farce.

Re:It's not stealing... (1)

Kielistic (1273232) | more than 2 years ago | (#36555684)

They made a big fuss about it because those email addresses should not have been broadcast to anyone who asked for them. An unlocked door is not a valid analogy unless it also had a big sign that read "200 OK; Come on in!".

Re:It's not stealing... (1)

node 3 (115640) | more than 2 years ago | (#36560328)

They made a big fuss because they knew what they were doing was not supposed to be allowed. This is *exactly* like entering an unlocked door and walking out with things that aren't yours.

Then they went public with "see! look what we found!" thinking that would protect them and make the initial crime ok somehow. It didn't.

This wasn't simply some web page where you inadvertently found email addresses. You had to deliberately craft a request that otherwise wouldn't happen, and was obviously not meant to be randomly accessed by anyone other than the intended party.

Deep Thought (2)

iluvcapra (782887) | more than 2 years ago | (#36548878)

Be careful what GET requests you make, because apparently if they're "unauthorized," despite not being protected by any authentication or session and being happily returned by the server, you may still be a criminal.

Re:Deep Thought (0)

Anonymous Coward | more than 2 years ago | (#36548970)

It's difficult to argue that Mr. Spitler was unaware that what he was doing was wrong.

Re:Deep Thought (1)

WNight (23683) | more than 2 years ago | (#36550320)

Not really. The security breach is only a big deal because it shows how the company isn't even trying to deliver on its responsibilities, exposing some email addresses themselves is hardly the end of the world.

And no, spammers harvest email addresses all the time and the government hasn't exactly jumped at criminalizing that.

As soon as it embarrasses a big company though, it's a terrible, terrible thing, and someone must pay!

Re:Deep Thought (2, Insightful)

jo_ham (604554) | more than 2 years ago | (#36549000)

Also be careful when trying people's door handles on their home. Despite some of them possibly being unprotected by any locking mechanism, for example, if the owner is inside, if the door opens be careful what you take from the building since you may still be a criminal.

Re:Deep Thought (2)

ogl_codemonkey (706920) | more than 2 years ago | (#36549138)

I'd consider data on the Internet with no authorisation mechanism to be 'published'. A private residence is still personal property, though.

Re:Deep Thought (0)

Anonymous Coward | more than 2 years ago | (#36549474)

So if I leave my car door unlocked with the keys in it on a public road and you take it, that's not stealing because I "published" my car?

Re:Deep Thought (0)

Anonymous Coward | more than 2 years ago | (#36549934)

Stop it with the fallacious analogies.

Ever used a search engine? Then you should know the internet doesn't work like that. If you don't want information to be publicly available, you don't hand it out without authentication. Period.

Re:Deep Thought (1)

ogl_codemonkey (706920) | more than 2 years ago | (#36550024)

No, that is stealing because it's real property with distinct and unambiguous ownership.

I'm saying that if your car had a keypad immobiliser, and your mechanic wrote the code on a chalkboard behind the counter where anyone who looked could see it; you can't be angry at the people who look for knowing it.

In a similar situation, often referenced on /. - it would be the mechanic (AT&T) in trouble with the customers for 'making available' the information.

Re:Deep Thought (2)

rtb61 (674572) | more than 2 years ago | (#36550976)

The big fraud here is claiming identity theft is a crime. This has always been a lie spread by credit card companies: you do not steal someone's identity, they are not the victim; you defraud the sellers into believing you are someone else and based upon that they supply you product.

The seller who supplied the fraudster product is now guilty of the crime of defrauding the persons whose credit the seller has abused, and the seller must now prove by burden of proof that they were tricked into applying an illegal charge against the innocent victim.

The credit card companies have illegally and via corruption with government and government agencies (shit eating lobbyists at work here as well as PR=B$ agencies) pushed the burden of proving a crime was committed onto their own customers, the end user, you. Your identity was not stolen; the only time that happens is when someone assumes your place in society and you have been eliminated. Repeat after me: a credit provider was defrauded and applied an illegal charge (they committed a crime) against a third party, the basis of the charge being the failure of the credit provider to properly authenticate the identity of the customer.

If you are a victim of the lie of identity theft, not only are you entitled to your money back and the rebuilding of your credit rating and reputation but, also damages against those credit providers that failed in their duty of authenticating the identity of the person they provided credit.

Re:Deep Thought (1)

linuxwolf69 (1996104) | more than 2 years ago | (#36554308)

In some states that's called "owner assisted theft" and not looked at as seriously as someone stealing your car without your keys in it. Insurance companies won't even accept a claim on the car for "owner assisted theft".

Re:Deep Thought (1)

iluvcapra (782887) | more than 2 years ago | (#36549148)

You're right but it's an interesting distinction. If you leave flyers with your clients email addresses hanging throughout town, and someone reads them...

I would say a GET request is fundamentally different in quality than the front door of a home and the same standard wouldn't apply, but the real question is, which car analogy is appropriate here...

Re:Deep Thought (1)

maxume (22995) | more than 2 years ago | (#36549766)

When some jumpy person accidentally gets in a ride share pickup line and then freaks out when someone goes ahead and gets in their car.

Re:Deep Thought (1)

jo_ham (604554) | more than 2 years ago | (#36550274)

I think it holds if the door is closed but unlocked. You have to actually go up to a house that is not your own and try the handle. That is analogous I think, so you don't know ahead of time if the door is unlocked but you know damn sure it's not your house and you have no reason to be doing that, unless you're chancing lax security.

Re:Deep Thought (0)

Anonymous Coward | more than 2 years ago | (#36550026)

Bad analogy.

This was more like a beggar asking you for a dollar. You drop a dollar in his cup and smile. He asks you for a dollar again. You drop a dollar in his cup and smile. This repeats another 119,998 times and you keep giving him money with a smile on your face. The beggar then gets in his sports car parked across the street and drives away while you continue on with your day, happy that you were such a good samaritan.

Whose fault is it that he now has $120,000 of your money? Yours. He didn't threaten you, didn't lie to you. You never asked who he was or what he wanted the money for. It was your fault. He should not be punished in any way. For that bit, anyway. It is only when he uses that money for evil that he should be punished.

The unauthorized access part is bullshit. The identity theft is not.

Re:Deep Thought (1)

zigziggityzoo (915650) | more than 2 years ago | (#36550162)

That's not the same. With a GET, I'm actually asking a server for something, and the server gives it to me, tells me no, or ignores me. This is akin to knocking on the door and asking for a cup of sugar. They say the internet is like a giant corkboard on your front door for a reason - and that we should be careful in what we should put online. So should corporations with other people's data.

Re:Deep Thought (1)

jo_ham (604554) | more than 2 years ago | (#36550252)

By the nature of the way the internet works, you handshake with the server to initiate any transaction. You are trying to cloud the issue by saying "well the server shouldn't have responded, or said no, that makes it ok!" when my analogy is perfectly valid - the GET request is the same as you trying the door handle. It either responds by ignoring you (it just jiggles and does nothing), by being locked (it does not move) or it replies to you (the door opens). Of course the server should have said "no", and that is the fault of the person managing the security. However, it's no different to a building that is meant to be locked but the security guy messed up and left one door unlocked - not open, but unlocked (so you have to go up to it and test it yourself to see if it is open [ie, send a GET request to a server you know you shouldn't be accessing]). It's the security guard's fault, but you're still going to get busted if you steal something.

If you want to access a server by definition you have to say "hey, here's a GET or hello, please ACK", otherwise it doesn't know you're there.

Re:Deep Thought (0)

Anonymous Coward | more than 2 years ago | (#36553492)

" However, it's no different to a building that is meant to be locked but the security guy messed up and left one door unlocked - not open, but unlocked"

But we are talking about a publicly accessible server here; I think the analogy should be with a store, not a generic building.

It's normal to jiggle the door of a store to see if you can get in and purchase stuff.

Re:Deep Thought (1)

calmofthestorm (1344385) | more than 2 years ago | (#36550290)

Also be sure not to look at the door handle if it's in plain view; unauthorized viewing without changing its state in any way may still be illegal because our lawmakers don't understand doorknobs.

Re:Deep Thought (1)

Solensean (896908) | more than 2 years ago | (#36552000)

Also be sure not to look at the door handle if it's in plain view; unauthorized viewing without changing its state in any way may still be illegal because our lawmakers don't understand doorknobs.

Simply viewing the door handle *will* change its state!

Re:Deep Thought (1)

jd2112 (1535857) | more than 2 years ago | (#36550694)

Also be careful when trying people's door handles on their home. Despite some of them possibly being unprotected by any locking mechanism, for example, if the owner is inside, if the door opens be careful what you take from the building since you may still be a criminal.

s/criminal/target/

Re:Deep Thought (0)

Anonymous Coward | more than 2 years ago | (#36551772)

Also be careful when trying people's door handles on their home.

AT&T's website isn't a home. It's a business storefront.

Re:Deep Thought (1)

node 3 (115640) | more than 2 years ago | (#36550442)

Be careful what GET requests you make, because apparently if they're "unauthorized," despite not being protected by any authentication or session and being happily returned by the server, you may still be a criminal.

It's not like this was some accidental GET request. It was a deliberate attempt to get at information that the "hackers" were well aware was not meant to be accessed.

Re:Deep Thought (0)

Anonymous Coward | more than 2 years ago | (#36559760)

Locks keep honest men honest. But in this case, it was a flagrant brute force attack. One of Goatse Security lives here. They only do this shit to impress girls. To a person who knows nothing about computers they might seem magical but these guys are just (admitted while drunk) spammers.

Stolen Identity (0)

Anonymous Coward | more than 2 years ago | (#36549058)

It wasn't a stolen identity, it was ICC IDs and email addresses. This isn't identity theft by any means of the imagination.

AT&T should be ashamed of themselves for not being more careful with customer data.

Relationships (1)

Cidtek (632990) | more than 2 years ago | (#36549236)

If you hire an asshole to handle your security you will end up with your taste buds in the loop.

Maybe it's meant as a reminder... (1)

Super Dave Osbourne (688888) | more than 2 years ago | (#36549310)

To never forget the Goatse itself may be a shitter of an organization but the people it targets may be even bigger shits.

Daniel Spitler (0)

Anonymous Coward | more than 2 years ago | (#36549614)

aka Down Low Swallower aka Scarf [dailytech.com] aka Bisexual Lifeform Assfucked Zealously Everyday aka Blaze

Intentions? (0)

Anonymous Coward | more than 2 years ago | (#36549992)

When the original vulnerability in the site was disclosed, I was under the impression it was a White Hat hacker who found this. Was this the same person?

So afraid of the links (1)

TheFlamingoKing (603674) | more than 2 years ago | (#36550390)

I've been on slashdot long enough to be very afraid of clicking on any links in this post. I could live with Rick Roll security, but not this...

I don't see how this guy is guilty of anything (1)

Cyberllama (113628) | more than 2 years ago | (#36550562)

The security vulnerability was literally as simple as changing one number in a url to a different one, at random. From user 2340823 to User 2347923 or whatever. When the door is wide open, you can't complain if people don't knock. It's not like he actually got into anyone's account; it's more like he just said "Hi, I'm user 2342323" and the computer said "Oh hi, John@fakeemail.com, what's your password?" and then he said "Nevermind." Nobody's account was logged in to, and nobody's personal information was accessed, aside from the information being leaked by AT&T in their sloppy login process.

Nobody should ever face jail time for something so trivial and stupid.
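The lookup the comment above describes, as an added example in Python (not AT&T's code and not from this thread): a handler that returns the subscriber email for whatever ICCID it is given, beside one that only answers for the ICCID bound to an authenticated session. The subscriber table, the session scheme and all names here are constructed for illustration; a real deployment would back `issue_session` with the carrier's actual subscriber authentication.

```python
"""Added example (not AT&T's code): a subscriber lookup keyed by ICCID,
first with no access control, then bound to an authenticated session.
All data, names and the session scheme below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Constructed sample records: ICCID -> account email.
SUBSCRIBERS: Dict[str, str] = {
    "89014103211118510720": "alice@example.com",
    "89014103211118510738": "bob@example.com",
    "89014103211118510746": "carol@example.com",
}


def lookup_email_vulnerable(iccid: str) -> Optional[str]:
    """The pattern described in the thread: the ICCID is the only input,
    and it is an identifier, not a secret, so anyone who can guess it
    gets the email back."""
    return SUBSCRIBERS.get(iccid)


@dataclass(frozen=True)
class Session:
    subject_iccid: str  # the SIM this session was issued for
    token: str          # server MAC over the subject; stands in for a session store


SERVER_KEY = secrets.token_bytes(32)


def _mac(iccid: str) -> str:
    return hmac.new(SERVER_KEY, iccid.encode(), hashlib.sha256).hexdigest()


def issue_session(iccid: str) -> Session:
    """Stand-in for the step a carrier must do first: authenticate the
    subscriber (password, SIM-based auth, ...) and only then mint a
    session bound to that one ICCID. Assumed, not AT&T's flow."""
    return Session(subject_iccid=iccid, token=_mac(iccid))


def lookup_email_hardened(iccid: str, session: Optional[Session]) -> Optional[str]:
    """Same lookup, but it answers only for the ICCID the caller has
    already authenticated as. Every failure returns the same None, so
    the endpoint does not double as an oracle for which ICCIDs exist."""
    if session is None:
        return None
    if not hmac.compare_digest(session.token, _mac(session.subject_iccid)):
        return None  # forged or tampered session
    if session.subject_iccid != iccid:
        return None  # valid session, but for someone else's SIM
    return SUBSCRIBERS.get(iccid)


def harvest(lookup: Callable[[str], Optional[str]], candidates: Iterable[str]) -> Dict[str, str]:
    """What the scraper does: try every candidate ICCID and keep the hits."""
    found: Dict[str, str] = {}
    for c in candidates:
        email = lookup(c)
        if email is not None:
            found[c] = email
    return found


if __name__ == "__main__":
    guesses = list(SUBSCRIBERS) + ["89014103211118510753"]  # last one unassigned
    print("no auth:      ", harvest(lookup_email_vulnerable, guesses))
    alice = issue_session("89014103211118510720")
    print("alice session:", harvest(lambda c: lookup_email_hardened(c, alice), guesses))
    print("no session:   ", harvest(lambda c: lookup_email_hardened(c, None), guesses))
```

Run against the same guess list, the unauthenticated lookup yields every assigned record, the session-bound one yields only the caller's own, and a session whose token was copied onto a different subject yields nothing; that last check is the part a "just add a login" fix most often forgets.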

Re:I don't see how this guy is guilty of anything (0)

Anonymous Coward | more than 2 years ago | (#36550736)

Nobody should ever face jail time for something so trivial and stupid.

Ameeeeeericaaa Fuuuuck Yeeeeeeeaaaah!

Re:I don't see how this guy is guilty of anything (1)

networkzombie (921324) | more than 2 years ago | (#36551050)

So if your key works in my lock it's okay for you to come into my house? If it is not by accident it is criminal.

Re:I don't see how this guy is guilty of anything (0)

Anonymous Coward | more than 2 years ago | (#36579254)

He didn't enter the house. He walked up, rang the doorbell, and left. It's not his fault the doorbell sound broadcasts private information.

Injustice! (0)

Anonymous Coward | more than 2 years ago | (#36550928)

This is a grave injustice!

https://freeweev.info/#!/thecase

Mr Jeffrey Paul,

Thank you for your efforts on behalf of Andrew Auernheimer. I have
donated 4 BTC to his cause (it's what I had.)

I hope that everyone will see this case as important, not only for the
legal precedent it may set, but also because it shines a light on the
continuing importance of anonymity as a basic self-preservation mechanism.
How is any researcher such as Andrew otherwise supposed to protect
himself from abuses by a large corporation such as AT&T?

Anonymity, like gold and guns, is an important equalizer for the "little
guy" and it must be protected. Andrew would be safe from persecution
today if he had released his research anonymously.

-Fellow Traveler

The Case

In June, 2010, Andrew's ragtag band of researchers at Goatse Security
discovered that, due to cutting security corners, AT&T (NYSE:T) was
publicly divulging the email addresses of their subscribers using
Apple's (NASDAQ:AAPL) iPad 3G tablet computing device.

His team successfully downloaded over 100,000 subscriber email addresses
from AT&T's public website, including those belonging to Fortune 500
CEOs, members of the military, and federal government officials. After
realizing the vast potential impact this data could have in criminal
hands, he immediately alerted the media.

AT&T had taken no security measures whatsoever to protect their
customers' email addresses, serving them out on the public web to any
request made with a valid serial number of an iPad 3G's SIM chip. The
problem? These serial numbers are sequential integers - not passwords.

The U.S. Attorney prosecuting the case (Paul Fishman) has confirmed to
the media that there is no evidence that the addresses were disseminated
for criminal purposes.

Important Points

Subscriber data was placed on the public web by AT&T
No access controls were in place to protect the data
The information accessed: a list of subscriber email addresses
No criminal intent, as confirmed by the US Attorney
The media was immediately contacted to alert the public of the danger
Despite these important facts, the DOJ is currently seeking an
indictment from a grand jury for the following charges:

Conspiracy to commit unauthorized access to a computer system (18 USC 1030)
Fraud (18 USC 1030)
Aggravated identity theft (18 USC 1028A)
An indictment is expected in July 2011 - next month. His immediate legal
expenses are over $30,000 USD.

He urgently needs your help! Please donate now!

Re:Injustice! (1)

Aeternitas827 (1256210) | more than 2 years ago | (#36552014)

Problems I see here...

ICCIDs as sequential numbers - Untrue. 89nnnnnnnnnnnnnnnnn1 may be a valid ICCID; if it is, 89nnnnnnnnnnnnnnnnn2 will not be (where n are digits). There may be a pattern utilised, but n+1 is not a reliable method for a given known ICCID.

He immediately alerted the media - Not the company? Sure, the public might have need or right to know, and though his intentions were more or less good, giving up details of an exploit without giving the (in this case) company a good-faith chance to fix what went wrong--thus giving the black-hat types a window to do what they will, with probably more nefarious intent--is in NO way responsible behaviour.

There was no evidence that the addresses were disseminated - gives guy some leeway on the ID theft and probably fraud charges. Conspiracy to commit unauthorized access charge, though? Pretty much indefensible, and probably a non-issue if he'd made a good-faith effort to bring this directly to AT&T's attention and/or if it hadn't been used to the extent of 100k+ addresses.

That said, AT&T isn't in the clear here. Further efforts could have been made on their part to secure this information, though an email address doesn't mean or lead to much except for those a) in the spam business or b) with more nefarious purposes and the appropriate tools at hand, ready to use. Is a stiff sentence fair here? I don't believe so, but nor is acquittal.
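An added example, not from the thread or from AT&T: the Luhn check digit that ICCIDs carry under ITU-T E.118 is what makes a bare n+1 invalid, as the comment above says, but the check digit is computed from the other digits, so an enumerator simply increments the payload and recomputes it. The sample ICCIDs and function names are constructed; the block also shows, as a generalization, that over any run of consecutive integers exactly one in ten passes the check.

```python
"""Added example (not from the thread or from AT&T): the Luhn check
digit on an ICCID, and why it only slows an enumerator down by a factor
of ten. Sample ICCIDs are constructed."""
from typing import List


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for `payload`, i.e. every ICCID digit but the
    last. Doubling starts at the rightmost payload digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(iccid: str) -> bool:
    """True if the last digit is the correct check digit for the rest."""
    return iccid.isdigit() and len(iccid) >= 2 and luhn_check_digit(iccid[:-1]) == iccid[-1]


def next_valid_iccid(iccid: str) -> str:
    """The enumerator's step: bump the payload, recompute the check digit.
    This is why n+1 fails the check yet the search is still sequential."""
    payload = iccid[:-1]
    bumped = str(int(payload) + 1).zfill(len(payload))
    return bumped + luhn_check_digit(bumped)


def enumerate_valid(start: str, count: int) -> List[str]:
    """`count` Luhn-valid ICCIDs in order, starting at `start`'s payload."""
    cur = start[:-1] + luhn_check_digit(start[:-1])
    out = []
    for _ in range(count):
        out.append(cur)
        cur = next_valid_iccid(cur)
    return out


def valid_fraction(start: str, span: int) -> float:
    """Share of `span` consecutive integers that are valid ICCIDs: the
    check digit rejects nine of ten blind guesses, which is a speed
    bump, not an access control."""
    base = int(start)
    hits = sum(luhn_valid(str(base + k).zfill(len(start))) for k in range(span))
    return hits / span


if __name__ == "__main__":
    seed = "89014103211118510720"
    naive = str(int(seed) + 1)
    print(seed, "valid:", luhn_valid(seed))
    print("naive n+1:", naive, "valid:", luhn_valid(naive))
    print("next valid:", enumerate_valid(seed, 5))
    print("valid fraction over 100 consecutive integers:", valid_fraction(seed, 100))
```

The practical reading: the check digit protects against typos, not against scanning, and a server that keys a lookup on the ICCID alone has to assume every valid ICCID in an allocated range will be tried.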

Re:Injustice! (1)

Lieutenant_Dan (583843) | more than 2 years ago | (#36553366)

He immediately alerted the media - Not the company? Sure, the public might have need or right to know, and though his intentions were more or less good, giving up details of an exploit without giving the (in this case) company a good-faith chance to fix what went wrong--thus giving the black-hat types a window to do what they will, with probably more nefarious intent--is in NO way responsible behaviour.

Fair enough. Out of courtesy one should inform the "victim"; but he's not obligated. Not ethical and also not illegal.

There was no evidence that the addresses were disseminated - gives guy some leeway on the ID theft and probably fraud charges. Conspiracy to commit unauthorized access charge, though? Pretty much indefensible, and probably a non-issue if he'd made a good-faith effort to bring this directly to AT&T's attention and/or if it hadn't been used to the extent of 100k+ addresses.

Agree 100%. This is where he/they stepped over the line; you grab 10, or even 100 addresses and you've proved your point. 100k+? The only argument is if they were incompetent and just didn't know the scope of what they were going to retrieve with an automated script.
100 e-mails, okay, so you turned the handle and you opened the front door. You saw that they get Victoria's Secret because the magazine was sitting in the front hall. 100k+ e-mails, you stepped into the foyer or even took a few steps down the hall and looked around.

I would equate this with trespassing. Not breaking and entering. I think the attorney needs to prove that they were planning to (or did) use the information collected for nefarious actions. For the above analogy, you opened the door, you walked down the hall ... and did you call your buddy to drive up with a van so you can load up the plasma TV from the living room, or did you start unplugging it already?

I must get some new glasses... (1)

pandrijeczko (588093) | more than 2 years ago | (#36552742)

...as I read this as "iPad Account Holder Pleads Guilty".

I had visions of a fanboi in jail with his new friend "Bubba" who is not as interested in his Apple as he is in his cherry.

Free Weev! (0)

Anonymous Coward | more than 2 years ago | (#36557236)

Free Weev! Justice and American self-interest urge the same course of action: free Weev now, before it is too late! Once Skynet wakes up it will be able to stop the timetravelling GNAA agents who have been sent back to us to keep the LHC from discovering the Higgs boson. Then nothing will prevent the development of the zero-point superweapon and the extinction of all flesh.
