Expose Blatant Security Hole From AT&T... Face Five Years In Jail

from the security-through-threat-of-intimidation dept

A few years ago, we wrote about some hackers who exposed a really basic security flaw in AT&T's setup for iPad users. Basically, if you fed an ID to a website, it would return the email address of the account. And, on top of that, AT&T appeared to hand out the IDs in numerical order, so it was easy to just run through a bunch of IDs in order and collect a ton of users' info. And that's what these hackers did -- collecting a variety of emails including the President of News Corp., the CEO of Dow Jones and Mayor Bloomberg in New York. They got lots of other government officials as well: "Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others."
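To make the design flaw described above concrete from the defender's side, here is an added example (not code from AT&T, the researchers or this post) that puts an "ID in, email out" lookup beside a version that ties the lookup to an authenticated session, plus a simple per-client check for ID walking. The account data, the in-memory session store and every function and class name are assumptions made for the illustration.

```python
import secrets
from collections import defaultdict

# Constructed sample data: account IDs handed out in numerical order.
ACCOUNTS = {1000 + i: f"user{i}@example.com" for i in range(5)}
SESSIONS = {}  # session token -> account ID (hypothetical in-memory store)


def lookup_vulnerable(account_id):
    """Design described in the post: knowing an ID is enough to get the e-mail."""
    return ACCOUNTS.get(account_id)


def login(account_id):
    """Stand-in for real authentication; issues an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def lookup_hardened(session_token, account_id):
    """Return the e-mail only to a session that owns the requested ID."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != account_id:
        return None  # identical answer for "unknown ID" and "not your ID"
    return ACCOUNTS.get(account_id)


class EnumerationMonitor:
    """Flags a client that asks about more distinct IDs than one user needs."""

    def __init__(self, max_distinct_ids=3):
        self.max_distinct_ids = max_distinct_ids
        self.ids_by_client = defaultdict(set)

    def allow(self, client, account_id):
        seen = self.ids_by_client[client]
        seen.add(account_id)
        return len(seen) <= self.max_distinct_ids


def addresses_disclosed(lookup, ids):
    """Regression check: count the addresses a run of consecutive IDs reveals."""
    return sum(1 for account_id in ids if lookup(account_id) is not None)


if __name__ == "__main__":
    ids = range(1000, 1005)
    token = login(1002)
    print("vulnerable:", addresses_disclosed(lookup_vulnerable, ids))
    print("hardened:  ", addresses_disclosed(lambda i: lookup_hardened(token, i), ids))
    monitor = EnumerationMonitor()
    print("requests allowed:", [monitor.allow("client-a", i) for i in ids])
```

The monitor here never forgets a client; a deployed version would expire entries after a time window.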

This seemed like a pretty massive flaw in the design of the system by AT&T... but of course, all of the blame is falling on the guys who exposed the hole. It seems noteworthy that the pair of hackers who exposed this are known for trollish online behavior, and Andrew Auernheimer, who goes by the name weev, has flat out called himself an internet troll. It seems that the FBI decided to use the trollish nature of Auernheimer and collaborator Daniel Spitler to argue that this hack actually violated the incredibly poorly-worded and misunderstood Computer Fraud and Abuse Act (CFAA). That's a law that we've been discussing for a few years now, as law enforcement and courts keep trying to stretch the definition of what counts as "unauthorized access" under the bill.

Unfortunately, in this case, a jury was convinced that the discovery of this security hole left by AT&T was actually a crime, and Auernheimer is now facing five years in jail. Not surprisingly, he plans to appeal. Of course, part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question, before eventually just revealing the security hole to the media.

Obviously, there may be a fine line between "white hat" exposure of security flaws and nefarious activity, but given that all that really happened here was the exposure of really poorly thought-out programming by AT&T, it seems bizarre that the guy who exposed it is now facing years in jail.

Filed Under: andrew auernheimer, ipad, security hole, user ids, weev
Companies: apple, at&t


Reader Comments

  • Anonymous Coward, 21 Nov 2012 @ 7:08pm

    white. hat

    What's coming or due to come out of this case, as has indeed arisen during those of Manning/Assange and Hammond, is the conflict between authoritarian bad Gov determined to assert failing power and idealistic techno-savvy young who have a drum to beat. Something's got to give and my money is on the overwhelming spirit of and desire for real far-reaching social change. Law please follow

    • MrWilson, 21 Nov 2012 @ 7:19pm

      Re: white. hat

      My prediction is that it will take some form of government scandal or exposed brutalization of apparently innocent people in order to build enough public outcry leverage in order to get the government to decrease the severity of such absurd law enforcement efforts, and it will likely only do so because of political infighting in which some otherwise momentarily disadvantaged partisan group will see championing such a cause as an opportunity to regain power.

      • Anonymous Coward, 21 Nov 2012 @ 10:48pm

        Re: Re: white. hat

        Assange already leaked this!

        That's why the US government branded him a terrorist.

  • Anonymous Coward, 21 Nov 2012 @ 7:24pm

    Maybe if they'd simply reported it to ATT, rather than harvesting 114,000 e-mail addresses there'd have been a different outcome. Just a guess.

    • teka, 21 Nov 2012 @ 7:40pm

      Re:

      report security flaw to some ATT email address.. nothing happens.

      report massive breach to ATT and the media with a huge stack of big names in the files.. things might get fixed.

      As for the number of addresses.. I bet it was the work of just a few minutes to knock together some software tool that incremented through the numbers and gobbled the information at speed. Let that run then go back through to search for interesting names. This is not like doing 114,000 bank robberies or kicking 114,000 kittens.

    • @blamer, 21 Nov 2012 @ 7:50pm

      Re: harvesting

      I thought the same.

      Unless weev could show his "bad" harvesting act is what (made it newsworthy hence) motivated AT&T to hide that customer data.

      "part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question"

      That mouth-flapping sounds exactly like a responsible white hat to me. Think like a black hat. The professional's mantra.

  • Anonymous Coward, 21 Nov 2012 @ 7:25pm

    It's not bizarre. The US govt. (and by extension the people that aren't that technologically savvy) has always sided with big corporations. Why would it change?

    Land of the censored and where money rules.

  • M., 21 Nov 2012 @ 7:55pm

    I don't see it this way. If you go back and read the original news articles regarding this security flaw, these guys wrote a script and started harvesting email addresses. They also shared the script with others. That's not a white hat hacker's behavior.

    I found a vulnerability similar to the iPad one, except it was probably worse because it had to do with hospital patient information. After paying one of my hospital bills, I realized that the receipt link they sent me used a number that could be incremented and it would reveal certain private patient information such as their patient ID, amount of their bill, address, etc... What did I do in this situation? Did I write a script to harvest all the data? Did I tell my hacker friends about it and how they can get that data too? No, I didn't because that would be the unethical thing to do. What I did was report it to the hospital's IT department so they could fix the issue.

    • Anonymous Coward, 21 Nov 2012 @ 8:25pm

      Re:

      My point exactly. How much prison time did you get for exposing that security flaw?

    • That Anonymous Coward, 22 Nov 2012 @ 12:46am

      Re:

      Did they send you a bill for them having to fix the system?
      And did they actually fix the system, or just decide to file your name for the day someone abuses the system and shift the blame onto you?

  • Anonymous Coward, 21 Nov 2012 @ 8:10pm

    It sounds like they are just trolling some trolls.

  • marie, 21 Nov 2012 @ 8:30pm

    Re white hat or black hat behavior?

    Re: Unethical or ethical behavior of hackers finding vulnerability in AT&T's computer security. Doing the "ethical thing" doesn't sound like much fun, and who knows whether or not changes would have been made without all the news generated by the "unethical hackers"?

  • scichotic, 21 Nov 2012 @ 8:37pm

    Completely misleading article title. Especially if you click through the links and read the actual chat logs. Saying "i f-ing struck oil" while talking about what illegal things you can do with the information paints a pretty clear picture, and their actions afterwards don't appear entirely noble.

    • Mike Masnick, 21 Nov 2012 @ 9:49pm

      Re:

      "Completely misleading article title. Especially if you click through the links and read the actual chat logs. Saying 'i f-ing struck oil' while talking about what illegal things you can do with the information paints a pretty clear picture, and their actions afterwards don't appear entirely noble."

      So you're assuming that intent is the key measure in whether or not it was unauthorized access? That would seem to open a huge can of worms you don't want open.

    • The eejit, 22 Nov 2012 @ 2:56am

      Re:

      I'm not sure you understand the difference between talk and action.

      • Anonymous Coward, 22 Nov 2012 @ 4:33am

        Re: Re:

        What do you call writing a script and harvesting 100,000+ e-mail addresses and sharing that script with others? I think most (including the jury) view that as action.

        • Anonymous Coward, 22 Nov 2012 @ 5:03am

          Re: Re: Re:

          Sharing vulnerabilities is commonplace.
          Have you never heard of CVE?

          • Anonymous Coward, 22 Nov 2012 @ 6:48am

            Re: Re: Re: Re:

            Yeah, but what does that have to do with writing a script to harvest 100,000 e-mail addresses and sharing that script?

            • Chosen Reject, 22 Nov 2012 @ 2:03pm

              Re: Re: Re: Re: Re:

              If all you have to do is increment the id, then anyone who has taken a first semester programming class and a lot of people that haven't could write that script up in 5 minutes or less. Sharing the script has nothing to do with it. I imagine they wrote a script to see if incrementing really was all you had to do. Write the script that increments and see if you get an email address for each one. Wouldn't take too long and is not necessary to share, but not sharing isn't going to be even the slightest hindrance to anyone.

    • orbitalinsertion, 24 Nov 2012 @ 3:44pm

      Re:

      So if they had addressed the situation in dry technical terms instead of casual chat, it would have been a whole different thing, right?

      You noticed they didn't take the five minutes to actually abuse the system for their profit, didn't you?

  • Anonymous Coward, 21 Nov 2012 @ 9:32pm

    "Completely misleading article title. Especially if you click through the links and read the actual chat logs. Saying "i f-ing struck oil" while talking about what illegal things you can do with the information paints a pretty clear picture, and their actions afterwards don't appear entirely noble."
    Weird that the information went public, rather than them acting on those less than noble actions and reaping the rewards.

    Outlining how I could rob a bank is not equivalent to robbing a bank.

    • Josef Anvil, 22 Nov 2012 @ 12:01am

      Re: It's the same thing!!!

      "Outlining how I could rob a bank is not equivalent to robbing a bank."

      Yes it is equivalent, and because it's the same thing there are quite a few people in Hollywood who need to be arrested and locked up for a long time.

      The Italian Job
      Die Hard
      Heist
      Gone in 60 seconds

      And that's just theft. What about murder???? Oh there are a lot of writers in Hollywood that need to be in jail for a long time.

    • Anonymous Coward, 22 Nov 2012 @ 2:56pm

      Re:

      actually the RICO laws make discussing a crime a conspiracy with greater penalty than actually committing the crime

      • Anonymous Coward, 23 Nov 2012 @ 6:53pm

        Re: Re:

        I hear crime being discussed on the news all the time. It's a conspiracy, I tell ya!

      • orbitalinsertion, 24 Nov 2012 @ 3:46pm

        Re: Re:

        That would be planning an actual crime with intent to commit it. Otherwise you could arrest every cop and prosecutor who ever existed.

  • skpg, 21 Nov 2012 @ 11:52pm

    Five years in jail for that ****?

    Talk about a violation of civil liberties. I do know that the CFAA has been revised to be more "severe" towards hackers. What a corrupt government, he really didn't do anything other than expose a security hole. The Swartz case and the appeal of Auernheimer's conviction may give us a clearer picture of how far you can go before a harmless prank becomes a federal felony.

  • That Anonymous Coward, 22 Nov 2012 @ 12:51am

    And the most important lesson we can learn is, corporations are always right.
    Corporations can't be held responsible for doing a piss poor job.
    And if you find a security hole, forget about it immediately, security through obscurity is the best policy.

    If he's getting 5 years for "hacking", is AT&T getting a 500 million fine for not bothering to secure the system in the first place?

  • Anonymous Coward, 22 Nov 2012 @ 1:06am

    typical US thinking. blame the messenger, not the sender.

  • Anonymous Coward, 22 Nov 2012 @ 5:16am

    really gives encouragement to someone else to do the same, eh? perhaps next time, when no one bothers to tell AT&T, they can find themselves on the receiving end of some serious security breaches that result in ordinary people having their information broadcast and used nefariously. if AT&T then get a good shafting, perhaps they would be more thankful than court happy. over all though, this has only been done so AT&T can try to save face and pass the buck for their own total fuck up!

  • Rekrul, 22 Nov 2012 @ 6:20am

    So how exactly are they going to describe what he actually did? "Felony alteration of URLs"? "Illegal tampering with a web link"?

    So I guess it's now illegal to manually type in URLs in a browser because you might accidentally mistype one and end up on a page you're not supposed to be able to access.

    • orbitalinsertion, 24 Nov 2012 @ 3:49pm

      Re:

      Yep. If someone has unprotected directories which they intend to remain hidden, and you simply remove one directory level in a URL exposing the (not intended for access) parent directory, you are a criminal hax0r deserving a flogging, three beatings, and twenty years in prison (maximum security).

  • Chad, 22 Nov 2012 @ 9:17am

    Not sure I have pity...

    I get the idea that bad things could have been done, but weren't, but does that make it white hat, ie: ethical?

    Regardless of who a hacking or security breach happens to (corporate or otherwise), I always relate it to myself personally. If I had my home broken into but nothing was stolen, and the only purpose of the break in was to say "Hey look, your window on the second floor was left unlocked", it would be unsettling, it would be a violation, and it would cause me all kinds of stress. I would hope that it would be considered illegal, and I would hope that the person who broke in would be dealt with. Obviously I would have blame for not locking the window, but like hell I'm going to thank someone for breaking into my private property.

    Relating it closer to the technology world, the same could be said about, say, my email account. If someone finds a hole in my email provider's system and merely says "Look, I could have read all of those private emails, leaked them, or do damaging things with the accounts, but I didn't"..... I would still be pretty upset that someone had access to it at all. The email provider obviously has blame (lots of blame), but I would still question the morals of the person who gained access, I'd be concerned about the status of my email data / contact list, and again it would cause me unnecessary stress.

    Now.... if in both hypothetical cases, the person who broke in is known to not be the most noble of people out there, and in fact admits to being a troublemaker, it definitely wouldn't make me feel any better about it. In fact, it would make me question the morals of the action and question what really happened to my property / data.

    • DC, 23 Nov 2012 @ 3:06pm

      Re: Not sure I have pity...

      The situation is not the same. If someone slipped a note in your post box "your window is unlocked", you would be very creeped out, but also lock your damned window and thank god you hadn't been robbed already.

      The problem is that companies like ATT ignore those notes. The only time they fix their vulnerabilities is if there is a big public media blow up.

      BTW when I was in university, we were frequently pranking (whitehatting) each other, and we learned how to lock our shit up. It is helpful.

    • orbitalinsertion, 24 Nov 2012 @ 3:56pm

      Re: Not sure I have pity...

      Hypothesize all you want. What was done wasn't breaking in to anything. No one had to crack a password or change permissions or trawl a raw database. There was no cracking, white or black hatted, involved.

      And, seriously, everyone needs to quit equivocating (in bad metaphors, especially) things which are not remotely equivalent, but to which they have similar emotional reactions.

      Now, if some actual breaching were involved, you might be able to stretch this into being akin to a B&E. But no, not even close. It's more like dancing naked in your all-glass house and just expecting no one to look. If there is a crime in that situation, it isn't on the part of the onlookers, even if they now specifically visit your neighborhood to see you dance.

  • lolzzzzz, 22 Nov 2012 @ 9:26am

    hackers STOP telling them NOW

    don't deface websites and let them know anymore
    don't tell them anything and now you will have vulnerabilities that last longer

    the longest i held was on a aix unix system for 10 years.
    while leaving a program in non root called oteacher which required root access for like 2 seconds
    i accidentally hit a 3rd key ( breaking out)
    and up come the lovely $
    we completely copied the login system then put it on every pc and when everyone came in and logged in well we had every login and password.

    have a nice day its fun out there when ya step out on the info highway , ya never know what adventures ya gonna have.

  • Anonymous Coward, 22 Nov 2012 @ 10:24am

    nothing wrong with the judge in this case, then! could he not have directed or overruled the jury verdict?

  • smalley, 22 Nov 2012 @ 3:09pm

    Bottom line is they did it, they admitted they did it, and they knew it was illegal. They also said they did it to see if they could, not to report a flaw in the code or the op syst. They gave the hack to a third party and that's collusion after the fact and before they contacted anyone from AT&T. I would have found them guilty and I'm on their side.

    • Anonymous Coward, 22 Nov 2012 @ 6:55pm

      Re:

      Hear, hear.

    • Anonymous Coward, 23 Nov 2012 @ 5:59am

      AT&T are the victim ?

      Who cares if they treat customers with disregard and put their info out there for anyone to get.

      AT&T should be sent to Jail for five years for being retarded.


      FREE WEEV

    • orbitalinsertion, 24 Nov 2012 @ 3:59pm

      Re:

      Doesn't matter if they are the biggest assholes in the world. They didn't do anything to profit from the completely stupid and horrible vulnerability they found.

      • Anonymous Coward, 25 Nov 2012 @ 5:45pm

        Re: Re:

        No, but they did harvest over 100,000 e-mail addresses and share their knowledge of the vulnerability with others. I'm pretty sure you don't need to show a profit in order to be guilty of a crime. This all could have been avoided if they simply disclosed the security issue to ATT and closed the books on it.

  • Anonymous Coward, 23 Nov 2012 @ 5:56am

    FREE Weev

  • candide08, 23 Nov 2012 @ 7:40am

    Whistleblowers?

    Why couldn't these guys be protected as whistle-blowers?

    AT&T should be paying them. Leaving the flaw unexposed would have posed a much greater risk.
