Expose Blatant Security Hole From AT&T… Face Five Years In Jail
from the security-through-threat-of-intimidation dept
A few years ago, we wrote about some hackers who exposed a really basic security flaw in AT&T’s setup for iPad users. Basically, if you fed an ID to a website, it would return the email address of the account. And, on top of that, AT&T appeared to hand out the IDs in numerical order, so it was easy to just run through a bunch of IDs in order and collect a ton of users’ info. And that’s what these hackers did — collecting a variety of emails including the President of News Corp., the CEO of Dow Jones and Mayor Bloomberg in New York. They got lots of other government officials as well: “Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others.”
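The flaw described above is what is now usually called an insecure direct object reference: the ID was the only thing standing between a requester and the account's email address. As an added example (not from the original article, and assuming a hypothetical `/lookup?id=` endpoint and constructed log lines), this shows how a defender could spot one client walking an ID space in order:

```python
import re
from collections import defaultdict

# Constructed sample access log. The /lookup path, the "id" parameter and the
# addresses are hypothetical stand-ins, not details of AT&T's system.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.7 - - [t] "GET /lookup?id={1000000 + i} HTTP/1.1" 200 61'
     for i in range(8)]
    + ['203.0.113.20 - - [t] "GET /lookup?id=1000417 HTTP/1.1" 200 61',
       '203.0.113.20 - - [t] "GET /lookup?id=1000417 HTTP/1.1" 200 61',
       '192.0.2.44 - - [t] "GET /lookup?id=1000003 HTTP/1.1" 404 0']
)

LINE_RE = re.compile(r'^(\S+) .*?"GET /lookup\?id=(\d+) HTTP/[\d.]+" (\d{3})')


def longest_sequential_run(ids):
    """Longest run in which each requested ID is the previous one plus 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, min_distinct=5, min_run=5):
    """Map client -> (distinct IDs, longest run, 200 responses) when flagged."""
    requested = defaultdict(list)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ident, status = m.group(1), int(m.group(2)), m.group(3)
        requested[client].append(ident)
        hits[client] += status == "200"
    flagged = {}
    for client, ids in requested.items():
        distinct, run = len(set(ids)), longest_sequential_run(ids)
        if distinct >= min_distinct and run >= min_run:
            flagged[client] = (distinct, run, hits[client])
    return flagged


if __name__ == "__main__":
    for client, stats in find_enumerators(SAMPLE_LOG).items():
        print(client, "distinct=%d run=%d disclosed=%d" % stats)
```

Detection like this is only a backstop: the fix is for the endpoint to authenticate the requester and check that the ID belongs to them, and to stop issuing IDs in guessable order.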
This seemed like a pretty massive flaw in the design of the system by AT&T… but of course, all of the blame is falling on the guys who exposed the hole. It seems noteworthy that the pair of hackers who exposed this are known for trollish online behavior, and Andrew Auernheimer, who goes by the name weev, has flat out called himself an internet troll. It seems that the FBI decided to use the trollish nature of Auernheimer and collaborator Daniel Spitler to argue that this hack actually violated the incredibly poorly-worded and misunderstood Computer Fraud and Abuse Act (CFAA). That’s a law that we’ve been discussing for a few years now, as law enforcement and courts keep trying to stretch the definition of what counts as “unauthorized access” under the bill.
Unfortunately, in this case, a jury was convinced that the discovery of this security hole left by AT&T was actually a crime, and Auernheimer is now facing five years in jail. Not surprisingly, he plans to appeal. Of course, part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question, before eventually just revealing the security hole to the media.
Obviously, there may be a fine line between “white hat” exposure of security flaws and nefarious activity, but given that all that really happened here was the exposure of really poorly thought-out programming by AT&T, it seems bizarre that the guy who exposed it is now facing years in jail.
Filed Under: andrew auernheimer, ipad, security hole, user ids, weev
Companies: apple, at&t
Comments on “Expose Blatant Security Hole From AT&T… Face Five Years In Jail”
white. hat
What’s coming or due to come out of this case as has indeed arisen during those of Manning/Assange and Hammond is the conflict between authoritarian bad Gov determined to assert failing power and idealistic techno-savvy young who have a drum to beat. Something’s got to give and my money is on the overwhelming spirit of and desire for real far reaching social change. Law please follow
Re: white. hat
My prediction is that it will take some form of government scandal or exposed brutalization of apparently innocent people in order to build enough public outcry leverage in order to get the government to decrease the severity of such absurd law enforcement efforts, and it will likely only do so because of political infighting in which some otherwise momentarily disadvantaged partisan group will see championing such a cause as an opportunity to regain power.
Maybe if they’d simply reported it to ATT, rather than harvesting 114,000 e-mail addresses there’d have been a different outcome. Just a guess.
Re: Re:
report security flaw to some ATT email address.. nothing happens.
report massive breach to ATT and the media with a huge stack of big names in the files.. things might get fixed.
As for the number of addresses.. I bet it was the work of just a few minutes to knock together some software tool that incremented through the numbers and gobbled the information at speed. Let that run then go back through to search for interesting names. This is not like doing 114,000 bank robberies or kicking 114,000 kittens.
Re: harvesting
I thought the same.
Unless weev could show his “bad” harvesting act is what (made it newsworthy hence) motivated AT&T to hide that customer data.
“part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question”
That mouth-flapping sounds exactly like a responsible white hat to me. Think like a black hat. The professional’s mantra.
It’s not bizarre. The US govt. (and by extension the people that aren’t that technologically savvy) has always sided with big corporations. Why would it change?
Land of the censored and where money rules.
I don’t see it this way. If you go back and read the original news articles regarding this security flaw, these guys wrote a script and started harvesting email addresses. They also shared the script with others. That’s not a white hat hacker’s behavior.
I found a vulnerability similar to the iPad one, except it was probably worse because it had to do with hospital patient information. After paying one of my hospital bills, I realized that the receipt link they sent me used a number that could be incremented and it would reveal certain private patient information such as their patient ID, amount of their bill, address, etc… What did I do in this situation? Did I write a script to harvest all the data? Did I tell my hacker friends about it and how they can get that data too? No, I didn’t because that would be the unethical thing to do. What I did was report it to the hospital’s IT department so they could fix the issue.
Re: Re:
My point exactly. How much prison time did you get for exposing that security flaw?
Re: Re:
did they send you a bill for them having to fix the system?
and did they actually fix the system, or just decide to file your name for the day someone abuses the system and shift the blame onto you.
It sounds like they are just trolling some trolls.
Re white hat or black hat behavior?
Re: Unethical or ethical behavior of hackers finding
vulnerability in AT&T’s computer security. Doing the “ethical thing” doesn’t sound like much fun, and who knows whether or not changes would have been made without all the news generated by the “unethical hackers”?
Completely misleading article title. Especially if you click through the links and read the actual chat logs. Saying “i f-ing struck oil” while talking about what illegal things you can do with the information paints a pretty clear picture, and their actions afterwards don’t appear entirely noble.
Re: Re:
Completely misleading article title. Especially if you click through the links and read the actual chat logs. Saying “i f-ing struck oil” while talking about what illegal things you can do with the information paints a pretty clear picture, and their actions afterwards don’t appear entirely noble.
So you’re assuming that intent is the key measure in whether or not it was unauthorized access? That would seem to open a huge can of worms you don’t want open.
Re: Re:
I’m not sure you understand the difference between talk and action,
Re: Re: Re:
What do you call writing a script and harvesting 100,000+ e-mail addresses and sharing that script with others? I think most (including the jury) view that as action.
Re: Re: Re: Re:
Sharing vulnerabilities is commonplace.
Have you never heard of CVE?
Re: Re: Re:2 Re:
Yeah, but what does that have to do with writing a script to harvest 100,000 e-mail addresses and sharing that script?
Re: Re: Re:3 Re:
If all you have to do is increment the id, then anyone who has taken a first semester programming class and a lot of people that haven’t could write that script up in 5 minutes or less. Sharing the script has nothing to do with it. I imagine they wrote a script to see if incrementing really was all you had to do. Write the script that increments and see if you get an email address for each one. Wouldn’t take too long and is not necessary to share, but not sharing isn’t going to be even the slightest hindrance to anyone.
Re: Re:
So if they had addressed the situation in dry technical terms instead of casual chat, it would have been a whole different thing, right?
You noticed they didn’t take the five minutes to actually abuse the system for their profit, didn’t you?
“Completely misleading article title. Especially if you click through the links and read the actual chat logs. Saying “i f-ing struck oil” while talking about what illegal things you can do with the information paints a pretty clear picture, and their actions afterwards don’t appear entirely noble.”
Weird that the information went public, rather than them acting on those less than noble actions and reaping the rewards.
Outlining how I could rob a bank is not equivalent to robbing a bank.
Re: It's the same thing!!!
“Outlining how I could rob a bank is not equivalent to robbing a bank.”
Yes it is equivalent, and because it’s the same thing there are quite a few people in Hollywood who need to be arrested and locked up for a long time.
The Italian Job
Die Hard
Heist
Gone in 60 seconds
And that’s just theft. What about murder???? Oh there are a lot of writers in Hollywood that need to be in jail for a long time.
Re: Re:
actually the RICO laws make discussing a crime a conspiracy with greater penalty than actually committing the crime
Re: Re: Re:
I hear crime being discussed on the news all the time. It’s a conspiracy, I tell ya!
Re: Re: Re:
That would be planning an actual crime with intent to commit it. Otherwise you could arrest every cop and prosecutor who ever existed.
white. hat
Assange already leaked this!
That’s why the US government brand him a terrorist.
Five years in jail for that ****?
Talk about a violation of civil liberties. I do know that the CFAA has been revised to be more “severe” towards hackers. What a corrupt government, he really didn’t do anything other than expose a security hole. The Swartz case and the appeal of Auernheimer’s conviction may give us a clearer picture of how far you can go before a harmless prank becomes a federal felony.
And the most important lesson we can learn is, corporations are always right.
Corporations can’t be held responsible for doing a piss poor job.
And if you find a security hole, forget about it immediately, security through obscurity is the best policy.
If he’s getting 5 years for “hacking” is AT&T getting a 500 million fine for not bothering to secure the system in the first place?
typical US thinking. blame the messenger, not the sender.
really gives encouragement to someone else to do the same, eh? perhaps next time, when no one bothers to tell AT&T, they can find themselves on the receiving end of some serious security breaches that result in ordinary people having their information broadcast and used nefariously. if AT&T then get a good shafting, perhaps they would be more thankful than court happy. over all though, this has only been done so AT&T can try to save face and pass the buck for their own total fuck up!
So how exactly are they going to describe what he actually did? “Felony alteration of URLs”? “Illegal tampering with a web link”?
So I guess it’s now illegal to manually type in URLs in a browser because you might accidentally mistype one and end up on a page you’re not supposed to be able to access.
Re: Re:
Yep. If someone has unprotected directories which they intend to remain hidden, and you simply remove one directory level in a URL exposing the (not intended for access) parent directory, you are a criminal hax0r deserving a flogging, three beatings, and twenty years in prison (maximum security).
Not sure I have pity...
I get the idea that bad things could have been done, but weren’t, but does that make it white hat, ie: ethical?
Regardless of who a hacking or security breach happens to (corporate or otherwise), I always relate it to myself personally. If I had my home broken into but nothing was stolen, and the only purpose of the break in was to say “Hey look, your window on the second floor was left unlocked”, it would be unsettling, it would be a violation, and it would cause me all kinds of stress. I would hope that it would be considered illegal, and I would hope that the person who broke in would be dealt with. Obviously I would have blame for not locking the window, but like hell I’m going to thank someone for breaking into my private property.
Relating it closer to the technology world, the same could be said about, say, my email account. If someone finds a hole in my email provider’s system and merely says “Look, I could have read all of those private emails, leaked them, or do damaging things with the accounts, but I didn’t”….. I would still be pretty upset that someone had access to it at all. The email provider obviously has blame (lots of blame), but I would still question the morals of the person who gained access, I’d be concerned about the status of my email data / contact list, and again it would cause me unnecessary stress.
Now…. if in both hypothetical cases, the person who broke in is known to not be the most noble of people out there, and in fact admits to being a troublemaker, it definitely wouldn’t make me feel any better about it. In fact, it would make me question the morals of the action and question what really happened to my property / data.
Re: Not sure I have pity...
The situation is not the same. If someone slipped a note in your post box “your window is unlocked”, you would be very creeped out, but also lock your damned window and thank god you hadn’t been robbed already.
The problem is that companies like ATT ignore those notes. The only time they fix their vulnerabilities is if there is a big public media blow up.
BTW when I was in university, we were frequently pranking (whitehatting) each other, and we learned how to lock our shit up. It is helpful.
Re: Not sure I have pity...
Hypothesize all you want. What was done wasn’t breaking in to anything. No one had to crack a password or change permissions or trawl a raw database. There was no cracking, white or black hatted, involved.
And, seriously, everyone needs to quit equivocating (in bad metaphors, especially) things which are not remotely equivalent, but to which they have similar emotional reactions.
Now, if some actual breaching were involved, you might be able to stretch this into being akin to a B&E. But no, not even close. It’s more like dancing naked in your all-glass house and just expecting no one to look. If there is a crime in that situation, it isn’t on the part of the onlookers, even if they now specifically visit your neighborhood to see you dance.
hackers STOP telling them NOW
don’t deface websites and let them know anymore
don’t tell them anything and now you will have vulnerabilities that last longer
the longest i held was on a aix unix system for 10 years.
while leaving a program in non root called oteacher which required root access for like 2 seconds
i accidentally hit a 3rd key ( breaking out)
and up come the lovely $
we completely copied the login system then put it on every pc and when everyone came in and logged in well we had every login and password.
have a nice day its fun out there when ya step out on the info highway , ya never know what adventures ya gonna have.
nothing wrong with the judge in this case, then! could he not have directed or overruled the jury verdict?
Bottom line is they did it, they admitted they did it, and they knew it was illegal. They also said they did it to see if they could, not to report a flaw in the code or the op syst. They gave the hack to a third party and that’s collusion after the fact and before they contacted anyone from AT&T. I would have found them guilty and I’m on their side.
Re: Re:
Hear, hear.
Re:
AT&T are the victim ?
Who cares if they treat customers with disregard and put their info out there for anyone to get.
AT&T should be sent to Jail for five years for being retarded.
FREE WEEV
Re: Re:
Doesn’t matter if they are the biggest assholes in the world. They didn’t do anything to profit from the completely stupid and horrible vulnerability they found.
Re: Re: Re:
No, but they did harvest over 100,000 e-mail addresses and share their knowledge of the vulnerability with others. I’m pretty sure you don’t need to show a profit in order to be guilty of a crime. This all could have been avoided if they simply disclosed the security issue to ATT and closed the books on it.
FREE Weev
FREE Weev
http://en.wikipedia.org/wiki/Weev
Whistleblowers?
Why couldn’t these guys be protected as whistle-blowers?
AT&T should be paying them. Leaving the flaw unexposed would have posed a much greater risk.