Expose Blatant Security Hole From AT&T... Face Five Years In Jail
from the security-through-threat-of-intimidation dept
A few years ago, we wrote about some hackers who exposed a really basic security flaw in AT&T's setup for iPad users. Basically, if you fed an ID to a website, it would return the email address of the account. And, on top of that, AT&T appeared to hand out the IDs in numerical order, so it was easy to just run through a bunch of IDs in order and collect a ton of users' info. And that's what these hackers did -- collecting a variety of emails including the President of News Corp., the CEO of Dow Jones and Mayor Bloomberg in New York. They got lots of other government officials as well: "Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others." This seemed like a pretty massive flaw in the design of the system by AT&T... but of course, all of the blame is falling on the guys who exposed the hole. It seems noteworthy that the pair of hackers who exposed this are known for trollish online behavior, and Andrew Auernheimer, who goes by the name weev, has flat out called himself an internet troll. It seems that the FBI decided to use the trollish nature of Auernheimer and collaborator Daniel Spitler to argue that this hack actually violated the incredibly poorly-worded and misunderstood Computer Fraud and Abuse Act (CFAA). That's a law that we've been discussing for a few years now, as law enforcement and courts keep trying to stretch the definition of what counts as "unauthorized access" under the bill.
Unfortunately, in this case, a jury was convinced that the discovery of this security hole left by AT&T was actually a crime, and Auernheimer is now facing five years in jail. Not surprisingly, he plans to appeal. Of course, part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question, before eventually just revealing the security hole to the media.
Obviously, there may be a fine line between "white hat" exposure of security flaws and nefarious activity, but given that all that really happened here was the exposure of really poorly thought-out programming by AT&T, it seems bizarre that the guy who exposed it is now facing years in jail.
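The flaw the post describes is the classic insecure direct object reference: an endpoint that takes a numeric ID, returns the matching account's email, performs no ownership check, and hands out the IDs sequentially. The following is an added example written for this page; it is not code from Techdirt, AT&T, or the people involved. All names (the `ACCOUNTS` table, `lookup_email_vulnerable`, `lookup_email_hardened`, `flag_enumeration`, the log line format) and the sample records and log lines are constructed for illustration. It shows the vulnerable lookup beside a hardened one that ties records to the authenticated session, an unguessable-identifier helper as defence in depth, and a small server-side detector that flags clients walking the ID space in consecutive steps.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set
import hmac
import secrets

# Constructed sample records (not real AT&T data): numeric account IDs handed
# out in order, each tied to an email and to the session that owns it.
ACCOUNTS: Dict[int, Dict[str, str]] = {
    1001: {"email": "alice@example.com", "owner_session": "sess-alice"},
    1002: {"email": "bob@example.com", "owner_session": "sess-bob"},
    1003: {"email": "carol@example.com", "owner_session": "sess-carol"},
}


def lookup_email_vulnerable(account_id: int) -> Optional[str]:
    """The pattern the article describes: the only input is an ID and the
    response reveals the matching email. Nothing checks who is asking, and
    because IDs are sequential every other record is one increment away."""
    acct = ACCOUNTS.get(account_id)
    return acct["email"] if acct else None


class AuthorizationError(Exception):
    """Raised when the caller does not own the requested record."""


def lookup_email_hardened(account_id: int, session_token: str) -> str:
    """Same lookup with an ownership check: the record is returned only to
    the authenticated session that owns it. Missing records and records owned
    by someone else produce the same error, so the endpoint does not confirm
    which IDs exist (a scanner learns nothing from the status code)."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or not hmac.compare_digest(acct["owner_session"], session_token):
        raise AuthorizationError("not authorized for this record")
    return acct["email"]


def issue_public_id() -> str:
    """Defence in depth: hand out an unguessable identifier for anything a
    client gets to see, instead of a counter. 128 random bits cannot be
    walked through in order, though this never replaces the ownership check."""
    return secrets.token_urlsafe(16)


def flag_enumeration(log_lines: List[str], min_run: int = 5) -> Set[str]:
    """Detection on the server side: flag any client whose requests walk the
    account ID space in consecutive increments. The log format is constructed
    for this example: '<client_ip> GET /account?id=<n> <status>'."""
    ids_by_client: Dict[str, List[int]] = defaultdict(list)
    for line in log_lines:
        client, _method, path, _status = line.split()
        if "id=" not in path:
            continue
        ids_by_client[client].append(int(path.split("id=", 1)[1]))
    flagged: Set[str] = set()
    for client, ids in ids_by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(client)
                break
    return flagged


# Constructed log sample: one client stepping through IDs, one normal user.
SAMPLE_LOG = [
    "203.0.113.5 GET /account?id=1000 200",
    "198.51.100.7 GET /account?id=1002 200",
    "203.0.113.5 GET /account?id=1001 200",
    "203.0.113.5 GET /account?id=1002 200",
    "203.0.113.5 GET /account?id=1003 200",
    "198.51.100.7 GET /account?id=1002 200",
    "203.0.113.5 GET /account?id=1004 404",
]

if __name__ == "__main__":
    print(lookup_email_vulnerable(1002))            # anyone gets bob@example.com
    print(lookup_email_hardened(1002, "sess-bob"))  # the owner gets it
    try:
        lookup_email_hardened(1002, "sess-alice")   # someone else does not
    except AuthorizationError as err:
        print("denied:", err)
    print(flag_enumeration(SAMPLE_LOG))             # {'203.0.113.5'}
```

The two defensive changes are independent: the ownership check is the actual fix, because the record is only ever returned to the session that owns it, while the random identifier merely removes the "just add one" property that made the AT&T hole trivial to walk. The detector is deliberately simple (consecutive increments per client), which is enough to surface the behaviour the post describes in an access log without any knowledge of who the clients are.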
Filed Under: andrew auernheimer, ipad, security hole, user ids, weev
Companies: apple, at&t
Reader Comments
white. hat
Re: Re: white. hat
That's why the US government brand him a terrorist.
Re:
report massive breach to ATT and the media with a huge stack of big names in the files.. things might get fixed.
As for the number of addresses.. I bet it was the work of just a few minutes to knock together some software tool that incremented through the numbers and gobbled the information at speed. Let that run then go back through to search for interesting names. This is not like doing 114,000 bank robberies or kicking 114,000 kittens.
Re: harvesting
Unless weev could show his "bad" harvesting act is what (made it newsworthy hence) motivated AT&T to hide that customer data.
"part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question"
That mouth-flapping sounds exactly like a responsible white hat to me. Think like a black hat. The professional's mantra.
Land of the censored and where money rules.
I found a vulnerability similar to the iPad one, except it was probably worse because it had to do with hospital patient information. After paying one of my hospital bills, I realized that the receipt link they sent me used a number that could be incremented and it would reveal certain private patient information such as their patient ID, amount of their bill, address, etc... What did I do in this situation? Did I write a script to harvest all the data? Did I tell my hacker friends about it and how they can get that data too? No, I didn't, because that would be the unethical thing to do. What I did was report it to the hospital's IT department so they could fix the issue.
Re:
And did they actually fix the system, or just decide to file your name for the day someone abuses the system and shift the blame onto you?
Re white hat or black hat behavior?
vulnerability in AT&T's computer security. Doing the "ethical thing" doesn't sound like much fun, and who knows whether or not changes would have been made without all the news generated by the "unethical hackers"?
Re:
So you're assuming that intent is the key measure in whether or not it was unauthorized access? That would seem to open a huge can of worms you don't want open.
Re: Re: Re:
Have you never heard of CVE?
Re:
You noticed they didn't take the five minutes to actually abuse the system for their profit, didn't you?
Weird that the information went public, rather than them acting on those less than noble actions and reaping the rewards.
Outlining how I could rob a bank is not equivalent to robbing a bank.
Re: It's the same thing!!!
Yes it is equivalent, and because it's the same thing there are quite a few people in Hollywood who need to be arrested and locked up for a long time.
The Italian Job
Die Hard
Heist
Gone in 60 seconds
And that's just theft. What about murder???? Oh there are a lot of writers in Hollywood that need to be in jail for a long time.
Five years in jail for that ****?
Corporations can't be held responsible for doing a piss poor job.
And if you find a security hole, forget about it immediately, security through obscurity is the best policy.
If he's getting 5 years for "hacking", is AT&T getting a 500 million fine for not bothering to secure the system in the first place?
So I guess it's now illegal to manually type in URLs in a browser because you might accidentally mistype one and end up on a page you're not supposed to be able to access.
Not sure I have pity...
Regardless of who a hacking or security breach happens to (corporate or otherwise), I always relate it to myself personally. If I had my home broken into but nothing was stolen, and the only purpose of the break-in was to say "Hey look, your window on the second floor was left unlocked", it would be unsettling, it would be a violation, and it would cause me all kinds of stress. I would hope that it would be considered illegal, and I would hope that the person who broke in would be dealt with. Obviously I would have blame for not locking the window, but like hell I'm going to thank someone for breaking into my private property.
Relating it closer to the technology world, the same could be said about, say, my email account. If someone finds a hole in my email provider's system and merely says "Look, I could have read all of those private emails, leaked them, or done damaging things with the accounts, but I didn't"..... I would still be pretty upset that someone had access to it at all. The email provider obviously has blame (lots of blame), but I would still question the morals of the person who gained access, I'd be concerned about the status of my email data / contact list, and again it would cause me unnecessary stress.
Now.... if in both hypothetical cases, the person who broke in is known to not be the most noble of people out there, and in fact admits to being a troublemaker, it definitely wouldn't make me feel any better about it. In fact, it would make me question the morals of the action and question what really happened to my property / data.
Re: Not sure I have pity...
The problem is that companies like ATT ignore those notes. The only time they fix their vulnerabilities is if there is a big public media blow up.
BTW when I was in university, we were frequently pranking (whitehatting) each other, and we learned how to lock our shit up. It is helpful.
Re: Not sure I have pity...
And, seriously, everyone needs to quit equivocating (in bad metaphors, especially) things which are not remotely equivalent, but to which they have similar emotional reactions.
Now, if some actual breaching were involved, you might be able to stretch this into being akin to a B&E. But no, not even close. It's more like dancing naked in your all-glass house and just expecting no one to look. If there is a crime in that situation, it isn't on the part of the onlookers, even if they now specifically visit your neighborhood to see you dance.
hackers STOP telling them NOW
Don't tell them anything and now you will have vulnerabilities that last longer.
The longest I held was on an AIX Unix system for 10 years.
While leaving a program in non-root called oteacher which required root access for like 2 seconds,
I accidentally hit a 3rd key (breaking out)
and up came the lovely $.
We completely copied the login system then put it on every PC, and when everyone came in and logged in, well, we had every login and password.
Have a nice day, it's fun out there when ya step out on the info highway, ya never know what adventures ya gonna have.
Who cares if they treat customers with disregard and put their info out there for anyone to get.
AT&T should be sent to Jail for five years for being retarded.
FREE WEEV
FREE Weev
http://en.wikipedia.org/wiki/Weev
Whistleblowers?
AT&T should be paying them. Leaving the flaw unexposed would have posed a much greater risk.