And this my friends, is the fake world of democracy we live in. We are under the illusion of possessing freedom that we don't really have. This is a game played by very powerful people at the top, who have the right amount of money at the right time and these people will continue to game this system. We need a change, desperately!
Could you please explain how convicting a person that hacked into AT&T means we have fake democracy? I must be missing something here, could you elaborate a bit?
Ummm...so let's say you upload a couple of private photos from a strip club on Facebook. They were meant to be private, but unfortunately, technically they weren't. Now, I do some googling and I find out that I can view these photos from a couple of unique URLs. Now, I have two options:
1) Just tell you so that you can remove these photos and you alone will benefit from it.
2) Bring this to light so that, everyone like you who have posted their private photos will benefit from it.
Now, what is the best way for me to bring it to light? Contact Facebook?? Yeah, it's a good shot, but Facebook will probably do everything to suppress that this incident even occurred.
So, the only way for me to prove that I DID gain access to your private photos is by proving to everyone that I just did. And that is by posting this info somewhere that will gain media attention.
Now, a couple of points to note here:
I did NOT hack into Facebook.
I did NOT threaten you to provide me those photos.
I just took what was available already and posted it to another online medium, so this will be brought to light.
So, now, please tell me, how was my INTENTION malicious? My intention was good. It's not like I sold your photos and made a ton of money. I actually fought for your privacy and now I'm labelled a villain. Great!
There wasn't "a couple of private photos". If Facebook protected it with a random key, and you noticed the key generator was flawed so knowing I live in, say, Montana you could bruteforce this generator in 3 days, and you wrote a script that indeed in three days bruteforced the key - yes, it would be "hacking Facebook". And if you took these photos and 100K of other photos and, saying nothing to Facebook or me, went to the press - yes, it would expose you to criminal charges. If your intention was good, you would have stopped with one photo and notified Facebook and/or myself and you would not write a tool to harvest and keep 100K of them. Creating and using such a tool is what got them into trouble, not visiting some page or discovering some flaw. If you see your neighbor's door is open, you're not a criminal. If you go in and go through personal possessions, because the door was open - you are. Selling has nothing to do with this - if you use it not for money but for lulz it's still the same. The evil is not in the money - the evil is in going where you do not belong and taking things that are not yours to take.
While I agree that "fake democracy" is a bit over the top, I also can't see how he "hacked into AT&T". There might be enough room to dicker over whether searching for a vulnerability equates to "hacking," but does anyone really believe Auernheimer did anything illegal by manually typing in an address?
Hacked is a very loaded word. In some circles, it means "did brilliant work cleverly and ingeniously using some stuff not always as it was intended to be used", in others it means "did some computer voodoo and stole my data".
Searching for vulnerabilities on public sites containing live private data is not a business that one should approach lightly. I personally wouldn't do it without being specifically asked for it. But even if one does, then taking massive amounts of data is definitely not what a whitehat researcher does.
>>> but does anyone really believe Auernheimer did anything illegal by manually typing in an address?
As far as I know, he didn't manually type an address. He wrote a script that bruteforced ID protection and downloaded a massive list of private emails. Do I have wrong information? How is it different from bruteforcing a weak password on an email account and copying all the emails - do you think this is legitimate too and that information was public?
> How is it different from bruteforcing a weak password on an email account
It is different in these ways:
* Brute-forcing the email password is an attempt to circumvent a system designed specifically to keep unauthorized people out. One cannot claim this info is public or that authorization was implied.
* Repeatedly making a call to an open, yet hidden, API is simply using it as it was designed. IMO, at most this dude violated some AT&T TOS by scripting the requests.
He knew that he was obtaining sensitive information that he shouldn't have been able to access (through AT&T's negligence); however, instead of following any sort of responsible disclosure and reporting the incident to the company, he goes to IRC and talks openly about trying to use the information to benefit himself through insider trading and then gives the information to Gawker (again instead of contacting AT&T).
He probably could have had the charges dropped, had he composed his actions differently.
Absolutely. He was a dick about it. I don't think that anyone would argue differently.
But the fact of the matter is, he's been convicted for unauthorized access to a public computer system. Last I checked, being a dick and a braggart wasn't criminal.
I think he was rather stupid about the whole thing, but criminal? The fault should lie with AT&T, who put their customer data on a public webserver for the world to see.
That's like saying that it isn't robbery if the door was unlocked.
It still is. Any reasonable person would know that stealing from a house, locked or no, isn't something they're supposed to be doing.
It's a quandary, to be sure, because once you discover a hypothetical exploit, it's human nature to sate that curiosity by testing whether it works. Two or three accounts would have proved it, 100,000 accounts is excessive.
I'm not trying to say that the number of accounts he released is germane to the discussion per se, but I certainly think that it's relevant in the discussion of intent.
It is not. As far as I can see in reports, however, this is not what Andrew Auernheimer did. He wrote a tool that bruteforces massive amounts of IDs and downloaded a massive number of private emails, which were not public data. The fact that it was easy for him is irrelevant, just as the fact that somebody had a weak password is irrelevant if you bruteforce it and access his bank or email account. If you do that - you'll probably be liable for unauthorized access, and the excuse "he had a weak password, so it's like public information" is not going to work.
If you've read the reports, then you'd know that what he did was write a tool that performed GETs of URLs with an incrementing ID component. Like, http://news.ycombinator.com/item?id=4812496 has an integer component of "4812496". You can change that to "4812497" and get a different story. That's what he did. AT&T published a bunch of customer data on a URL endpoint with an integer component, and he wrote a script that just iterated through the integers.
It's a "brute force attack" only in the loosest sense of the term. It's an insult to actual brute force attacks to call it that.
A password-protected system is, by definition, protected. A URL - "Uniform Resource Locator" - is a string that identifies how to reach a given resource, which may or may not include access control. And in this case, didn't.
This was not protected information. The fact that anyone could consider this technically-protected information long enough to get a criminal conviction flies in the face of the entire structure of the internet.
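The comment above turns on the distinction between an identifier in a URL and an access control. The following is an added example, not code from this thread or from AT&T: a constructed lookup handler that returns the e-mail for whatever ICC-ID the request carries (the pattern the commenters describe), beside a hardened handler that binds the same feature to an authenticated device session. The record store, the ICC-IDs, the e-mail addresses, the `/prepop`-style lookup and the HMAC-based "device proof" are all constructed assumptions for illustration.

```python
"""Constructed illustration of the URL-keyed lookup discussed above: a handler
that hands back the e-mail for whatever ICC-ID appears in the request, next to
one that binds the lookup to an authenticated device session. The store,
ICC-IDs, e-mails and the 'device proof' are all constructed sample data;
nothing here is AT&T's real scheme."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed backing store. The keys look sequential on purpose: that is the
# property that makes the first handler enumerable.
RECORDS: Dict[str, str] = {
    "89014103211118510720": "alice@example.com",
    "89014103211118510721": "bob@example.com",
    "89014103211118510722": "carol@example.com",
}


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def vulnerable_lookup(iccid: str) -> Optional[str]:
    """The identifier in the URL is the only key: any caller who can guess an
    ICC-ID gets the record. There is no access control in the handler at all,
    which is exactly why walking the integer space yields the whole table."""
    return RECORDS.get(iccid)


# --- hardened form ---------------------------------------------------------

_SERVER_KEY = b"constructed-server-key"  # placeholder; kept secret in a real deployment


def device_proof_for(iccid: str) -> str:
    """Stand-in for the device proving possession of its SIM (assumed to come
    from the carrier side in reality). Constructed here as an HMAC over the ICC-ID."""
    return hmac.new(_SERVER_KEY, iccid.encode(), hashlib.sha256).hexdigest()


@dataclass
class Session:
    iccid: str                                                          # SIM this session is bound to
    token: str = field(default_factory=lambda: secrets.token_hex(16))   # unguessable handle


SESSIONS: Dict[str, Session] = {}


def login(iccid: str, device_proof: str) -> Session:
    """Authenticate the device, then issue a random session token bound to its SIM."""
    if not hmac.compare_digest(device_proof_for(iccid), device_proof):
        raise Forbidden("device could not prove possession of this SIM")
    session = Session(iccid)
    SESSIONS[session.token] = session
    return session


def hardened_lookup(token: str, iccid: str) -> Optional[str]:
    """Same pre-population feature, but the caller must hold a session and may
    only ask about the SIM that session was issued for. Iterating over ICC-IDs
    now raises Forbidden on every foreign ID instead of returning the record."""
    session = SESSIONS.get(token)
    if session is None:
        raise Forbidden("no valid session")
    if not hmac.compare_digest(session.iccid, iccid):
        raise Forbidden("session is not bound to the requested SIM")
    return RECORDS.get(iccid)
```

The point the hardened version makes is that the lock has to live in the handler: whether the resource identifier is a guessable integer or not, the server decides who may read a record by checking the caller's session against the record's owner, and a random, unguessable session token does the work the sequential ICC-ID never could.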
It wasn't just this action that got him convicted. Intent also plays a role. His intent was malicious, with the intent to benefit from what a reasonable person would conclude was access to intentionally private data. Had his actions after discovering the problem been those of a responsible adult the results would have been different. The difficulty has little to do with it. Easily getting access to something you shouldn't have access to does not instill you with special rights. This also means intent plays a critical role.
Read past the headlines and actually understand the entire story before posting.
From what I just read, he didn't hack anything. He found out that AT&T didn't require a password to check if an email was valid, then just got a list of valid email addresses.
How could a jury equate this with conspiracy to access a computer?
The computer held a list of addresses. It did not present that list to the public. He found a trick where he could probe the addresses, and used that trick to extract the list counter to the desires of the owner (and the owners of the addresses). I can't imagine how you think that access was authorized.
Now, sure, it's not much of a "hack" in a security analysis sense. And it was a terribly dumb bug, and a huge security goof by AT&T. But why should criminal law care about how difficult something is? You don't get off of burglary charges if someone's door is unlocked. And if AT&T is culpable for their poor engineering, they are so in a civil sense for damages; it doesn't make the hack less of a crime.
Admittedly there's a spectrum between "full disclosure" security research and grey hat anarchic asshattery, and there are cases where people have been wrongly prosecuted. But this case looks pretty black and white to me.
Information whether email is valid or not was made publicly available by AT&T. Shouldn't access to publicly available information be assumed to be authorized by the one who made the information public?
If you forget to wear your pants in public you are the one who is to be charged with indecent behavior not the people looking at you with intrusion on your privacy.
What gives you the right to sell that data? What gives you the right to what a reasonable person would understand to be sensitive and private data? You can't look at this from just a technical standpoint, but also the intent of the people involved.
Your question about forgetting to wear pants is a perfect example. In California, it's legal depending on the intent. The mere act is not a crime without intent, and looking at one without the other is pointless.
> Information whether email is valid or not was made publicly available by AT&T
By mistake. They left that hole open by mistake. I just re-read the details to be sure; the clear intention of the developer was that the email address would be retrieved (keyed on the SIM ID) to pre-populate a sign-in field for the user. That CCID is not meaningfully useful to the user. This API was clearly never intended as a "validation" mechanism, and for you to claim so is flatly ridiculous. It was a security hole, and a dumb one, and something AT&T should be held liable for if someone suffered damages.
But for you to claim that its very existence makes it legal to exploit to retrieve addresses of third party users is just insane, sorry. That's the kind of logic Weev relied on, and it's going to send him to jail. And rightly so: the rest of us in society don't particularly want jokers like you running around free looking to steal our email addresses.
Very impolite. Criminal? Only if you check many entities and lots of them notice and it bothers them or you check one for a long time and you bother it. Might be harassment.
I can't see what the coat was supposed to be in AT&T case though.
weev is a criminal. He spent many years making a living for himself by stealing from other people. He gets to re-write this past of his because most of his former crew are gone. weev's defenders are people who didn't know him when he was most active (2003-2009).
This particular case is also pretty clear-cut. If you were a whitehat, why would you retrieve so much data? Why would you give the data to someone who was not with that company?
Reserve your sympathy for hackers who get set up by their businesses partners, or people who aren't thieves and backstabbers. weev is just beginning to get what he has had coming to him for ten years...
Regardless of his past, why did he pull so much information? And turning it over to gawker seems a bit wrong. He should have contacted the company. If they didn't do anything then he should have gone to the media.
It seems like he acted irresponsibly with the situation. It wasn't just one misstep, it was a few.
Why a sad face? Did the article not represent his crime correctly? I don't know this person or his back story but if he committed a crime why shouldn't he suffer the consequences?
It's my ignorance showing so be gentle. I'm not trolling. I don't read every link on the front page and what piques my interest may not be what piques yours. Having said that, I will read the article you linked to.
I suspect it is because many people don't think the "crime" he committed either actually is a crime, or if it is that it should be a crime. Lots of gray area around this particular activity.
Apparently they have IRC logs of him first talking about selling the information to spammers or using it to go phishing, which makes it a little worse.
I would have said the same thing after discovering the stash.
Not because I actually planned to do this but because the situation is bizarre and that's some sort of humiliating humour.
I don't know what the title was before, but this new title, while accurate to the article, is really confusing and I will say downright misleading if you aren't following this closely already... there were no iPads hacked, for example; this was an issue with AT&T's website, and probably would have worked against any targeted set of devices (where you could reasonably guess the ICCID; even if not, it is still entirely related to accessing servers).
(I saw this, semi-freaked as I'm constantly hacking iPads, and then read the article to find out the title sucked.)
AT&T put this information on a public interface and relied on obscurity of serial integers to protect it, then cried foul when someone crawled their unprotected data and claimed felony unauthorized access to a computer system because they didn't explicitly authorize him to download the contents of those publicly-accessible pages.
If I discovered that someone hadn't locked a filing cabinet, and then I rifled through it, found a whole bunch of names and social security numbers, recorded all of them, and then went to talk to a news organization with this list without ever notifying the people whose filing cabinet I'd gone through, do you think that would be OK?
Because that's pretty much the equivalent of what happened here. You say "AT&T put this information on a public interface and relied on obscurity of serial numbers to protect it"; this phrasing puts the blame on AT&T. Yes, they should not have done that. But that's about equivalent to forgetting to lock a file cabinet; it's a mistake that someone made. Weev then took advantage of that mistake to violate the privacy of thousands of people, providing their personal information to a news organization.
Now, I don't necessarily think that they should have been convicted of everything they were convicted of. Unless there are facts that I haven't seen, they haven't come anywhere close to committing identity theft. But you do have to admit that Weev did not exactly handle this responsibly, and did invade people's privacy.
The metaphor doesn't really hold up; it's rather like you went to the administrative desk of AT&T 1000 times, asked the person behind the desk "Can I please have document 001?" and they simply handed it over without questions each of the 1000 times. That employee should have stopped handing over documents, but they didn't.
In my opinion the crime isn't in requesting or obtaining that information, it's in the way that he handled that information afterwards.
If he had used it with the pure intention of showing that the system is insecure, he would have been right and nobody would have been able to blame him for improper conduct.
Instead he sold/handed over that information to Gawker, which is where he went wrong in my opinion, because he took another organisation's information and decided to put that information on the market against their will or consent.
Bingo. I think it was a dick move to go running to Gawker with it, rather than practicing responsible disclosure. But even then, I'm having a hard time with the idea of criminal charges for that; he didn't steal this data, AT&T happily handed it to him. He basically ran around saying "Haha, what a moron the guy at the administrative desk is, I just kept asking him for files and he just kept on handing them to me". And while that's distasteful, is it criminal?
Honestly, to me, it feels like he's being run down because someone got embarrassed, and he's being railroaded with archaic laws that can be applied in vague and nebulous ways to make just about anyone a criminal if it's useful.
No, that analogy suggests that there was someone actively paying attention, who should have noticed something awry, but was instead granting permission without thinking. In this case, they just left an unsecured program running; it was a passive mistake. Just like leaving a door unlocked and someone comes in and goes through your papers. The door being unlocked does not mean that someone gave permission for you to go through it.
> In my opinion the crime isn't in requesting or obtaining that information, it's in the way that he handled that information afterwards.
I think that the fact that he requested a hundred thousand records probably didn't work in his favor. If he had requested just a dozen or so, to confirm that the problem existed, it would have been one thing; once he hit thousands, it makes you wonder if he had ulterior motives. Past the first dozen or so, there was nothing left to prove about the security flaw.
> Instead he sold/handed over that information to Gawker, which is where he went wrong in my opinion, because he took another organisation's information and decided to put that information on the market against their will or consent.
Yes, this was the biggest mistake. And I don't remember the source, but I recall that someone mentioned that he had considered selling the information as well, before deciding to just give it to Gawker.
Of course, in some ways I don't blame him for not going to AT&T first; there have been researchers who have discovered flaws, and disclosed them to the company, only to have the company accuse them of criminal acts for having even tested for the flaw in the first place. That kind of behavior creates a catch-22, and a very chilling effect on security research.
You forgot to mention that this filing cabinet was not only unlocked but left unattended, near the road, day and night for months. Yes it had AT&T logo on it and opening and looking inside might be impolite. But a crime? Hardly.
Crime is leaving such a file cabinet in such manner, especially if it contains private data of your clients.
It does not matter on what AT&T relied. As long as it was clear that this information is not intended to be public and he was doing something the system was not intended to do and circumventing access controls, however easy it was - and anybody with half a brain would know it was not intended to be public and he is circumventing access controls - the only right thing to do was to notify the admins, delete all the data and stay away. Bruteforcing the access and keeping the massive amount of data could not lead to any other outcome but him being considered a criminal.
This is old, but some people seem to misunderstand it still. If your neighbor has a weak lock, telling him about it is OK. Picking the lock, coming in and going through his private things, while keeping some copies of his bank statements, credit card numbers, etc. - is not OK and has a high chance of landing you in jail. And no, "he had a sucky lock" is not a good defense. You knew it wasn't your property and it wasn't a public place.
If he had to write a script to take the addresses and bruteforce the IDs, there was a lock. A weak one, but still a lock. If there were just a public page that lists all the emails and IDs, the case would be different. I can see no legitimate reason to download a massive list of names - if you wanted to show a vulnerability, one or two emails would be enough. If he stopped when he found a hundred emails or found an algorithm that can generate an ID and guess an email and published that - this would be very different. Even if he created a demo script that would find emails but would not record them (or record sha1 hashes of them - so it can be proven they were true ones but not possible to actually use it for any malicious purpose) - it would still be different.
URLs are not a lock. They are a mechanism for locating a resource. AT&T made no attempt to obscure the resource location, or to mathematically hide the location of a given resource like the rest of the sane world does. Publishing something on a predictable interface and then saying "oopsie, that's private, you're a felon for looking at it" is insane.
You again ignore the facts. He didn't just "look" at it. He wrote a script - a purposeful action - to generate specific sets of IDs based on his guesses about geographic distribution, etc. and used it to download more than 100K email addresses. You here sound like spammers saying "what do you want from me, I just sent an email, now it's a crime?". That stopped working long ago. There's a difference between looking at one page and writing a tool that scans through millions of IDs (most of which would be rejected by the access controls) to bruteforce the protection and download 100K of emails. I don't believe anybody can be genuinely so obtuse as not to understand the difference between the two.
You are ignoring or ignorant of the other facts of the case and his other actions. Looking solely at the technical side ignores realities. Furthermore gaining access to sensitive data does not instill you with special rights for that data.
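The comment above notes that a script walking through millions of IDs would have most of its guesses rejected, which is also the signal an operator can detect on. The following is an added example, not code from this thread or from AT&T: a small detector that parses constructed access-log lines for a URL-keyed lookup and flags clients that request many distinct identifiers, mostly miss, or walk the identifier space in near-sequential steps. The log format, the `/prepop` endpoint path, the client addresses and the ICC-IDs are constructed for the example, and it assumes the server answers an unknown ID with a 404.

```python
"""Constructed detection example: spotting identifier enumeration against a
URL-keyed lookup in web-server access logs. The log format, endpoint path
(/prepop), client addresses and ICC-IDs are all constructed for this example;
they are not AT&T's. Assumption: the server answers an unknown ICC-ID with 404."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Combined-log-style line with a GET against the lookup endpoint (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /prepop\?iccid=(?P<iccid>\d+) HTTP/1\.[01]" (?P<status>\d{3}) \d+$'
)

# Constructed sample log: 198.51.100.7 walks eight consecutive IDs and mostly
# misses; 203.0.113.5 is a single device fetching its own record three times;
# the index.html line is there to show that other endpoints are ignored.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2010:03:14:07 +0000] "GET /prepop?iccid=89014103211118510720 HTTP/1.1" 200 57
198.51.100.7 - - [10/Jun/2010:03:14:07 +0000] "GET /prepop?iccid=89014103211118510721 HTTP/1.1" 404 0
198.51.100.7 - - [10/Jun/2010:03:14:08 +0000] "GET /prepop?iccid=89014103211118510722 HTTP/1.1" 200 55
198.51.100.7 - - [10/Jun/2010:03:14:08 +0000] "GET /prepop?iccid=89014103211118510723 HTTP/1.1" 404 0
198.51.100.7 - - [10/Jun/2010:03:14:08 +0000] "GET /prepop?iccid=89014103211118510724 HTTP/1.1" 404 0
198.51.100.7 - - [10/Jun/2010:03:14:09 +0000] "GET /prepop?iccid=89014103211118510725 HTTP/1.1" 404 0
198.51.100.7 - - [10/Jun/2010:03:14:09 +0000] "GET /prepop?iccid=89014103211118510726 HTTP/1.1" 404 0
198.51.100.7 - - [10/Jun/2010:03:14:09 +0000] "GET /prepop?iccid=89014103211118510727 HTTP/1.1" 404 0
203.0.113.5 - - [10/Jun/2010:03:20:01 +0000] "GET /prepop?iccid=89014103211118510731 HTTP/1.1" 200 58
203.0.113.5 - - [10/Jun/2010:03:25:44 +0000] "GET /prepop?iccid=89014103211118510731 HTTP/1.1" 200 58
203.0.113.5 - - [10/Jun/2010:03:31:12 +0000] "GET /prepop?iccid=89014103211118510731 HTTP/1.1" 200 58
192.0.2.9 - - [10/Jun/2010:03:33:00 +0000] "GET /index.html HTTP/1.1" 200 1043
"""


def parse(lines: Iterable[str]) -> List[Tuple[str, int, int]]:
    """Return (client_ip, iccid, status) for every lookup request; other lines are skipped."""
    parsed = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            parsed.append((m["ip"], int(m["iccid"]), int(m["status"])))
    return parsed


def detect_enumeration(lines: Iterable[str], min_distinct: int = 5,
                       max_hit_rate: float = 0.5, max_gap: int = 10) -> Dict[str, dict]:
    """Flag clients that asked for at least `min_distinct` different IDs and either
    mostly missed (hit rate at or below `max_hit_rate`) or stepped through the ID
    space in gaps of at most `max_gap` for 80% or more of their requests."""
    per_ip: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for ip, iccid, status in parse(lines):
        per_ip[ip].append((iccid, status))

    flagged: Dict[str, dict] = {}
    for ip, reqs in per_ip.items():
        ids = sorted({iccid for iccid, _ in reqs})
        if len(ids) < min_distinct:
            continue  # a handful of IDs is normal device behaviour
        hit_rate = sum(1 for _, status in reqs if status == 200) / len(reqs)
        gaps = [b - a for a, b in zip(ids, ids[1:])]
        seq_frac = sum(1 for g in gaps if g <= max_gap) / len(gaps)
        if hit_rate <= max_hit_rate or seq_frac >= 0.8:
            flagged[ip] = {
                "distinct_ids": len(ids),
                "hit_rate": round(hit_rate, 2),
                "sequential_fraction": round(seq_frac, 2),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The two signals are deliberately independent: a scraper that only asks for IDs it already knows are valid keeps a high hit rate but still walks the space sequentially, while one that guesses from a distribution (as the thread describes) produces long runs of misses. Either pattern from a single client against a per-user lookup is what a rate limit or block should key on.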
That article's bias is showing. If that is all you read about the incident then sure.. they are just regular criminals. But there is more to the case than that. From what I've read elsewhere, the Feds used a bit of stretching to make that law fit.
I don't ask you how to Google. I ask you to substantiate your claims that the article is biased and the truth is different from what is described there. If you are convinced this is the case, it must be easy for you to provide some evidence. Of course, you may consider this trolling and refuse to continue the discussion. The readers would then be left to judge if your bare unsubstantiated claims are proof enough. I was assuming you wrote that comment in order to try to convince the readers of the truth of your claims. However maybe I was wrong.
The article's bias is pretty evident where it referred to them as "trolls". The only "evidence" I have that there is more to the story than what this article said is just what I read in other articles. Sadly, I did not bookmark any of them so I can't easily return to them to provide links to you. I'd have to Google for them. So if you would like to read more than just this one account, you would need to Google as well. But if you want to base your opinion on only what you read in this one article AND what some random guy on the Internet (me) gives you, then I won't judge you for that. Carry on.
I think the fact that he was a known troll is just a fact. He himself called himself a troll, one quote: "Trolling can frequently have large economic repercussions as, as I learned when I trolled Amazon.". This is not evidence of bias. Of course, being a troll does not mean being a criminal, but the fact that Auernheimer was a troll is well established and confirmed even by himself.
The problem with Googling is that you know what to Google for to provide evidence. I have no idea what evidence you have, so how can I Google for evidence that only you know what it is?
You don't Google the evidence. You Google the guy. You have his real name. You have his online name. You have the name of his security firm. Those things alone will provide days worth of reading material. Read some. What I read described his actions a little more. And talked more about the vague language in a 30 year old law. And talked about how the Feds used a very self-serving interpretation of that language.
I know all this. I've read his backstory, and his current story, and the court materials, and other materials, and remain convinced that he created a tool to circumvent AT&T access controls and downloaded private information, he violated every standard of responsible disclosure (actually, he didn't disclose it to AT&T at all, he went straight to the press, after doing much more than is necessary for vulnerability demonstration), that he fully knew this is not necessary for demonstrating the vulnerability and that he did it for reasons of personal enjoyment and popularity, if not monetary gain.
What I did not find is any evidence that shows the decision was wrong or biased, and so for the article. Since you were repeatedly unable to point to any evidence yourself, I conclude your statement about it was baseless and rooted in personal emotions, not facts. You are still welcome to provide contradicting evidence.
My bias comment about the original article was mostly from them calling the guys "trolls" along with some other things that seemed to have a certain tone. But after rereading it, most of the article is indirectly attributed to "Prosecutors" and "the government" so I will concede that the article may not be "biased" per se. But I maintain that there is more to the story than they reported. And since you are determined to make me Google this all again and point you to specific articles & "evidence" here goes...
Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address...
AT&T said: ...wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address.
The exploit was a simple script: a hacker could throw an ICC-ID at AT&T's servers, and they would return its registered email address. ICC-ID are easily guessable,...
federal agent Christian Schorle does his best to dig up evidence that Auernheimer is less of an advocate for security and more of a full-fledged Internet miscreant.
All of these things help shape my opinion on the matter:
1) I don't believe the data harvested is that significant. Having a list of email address these days is practically worthless and pretty easy to get. Having an email address matched to an iPad ID number might be a little more useful to someone, but I fail to see how beyond some better targeted SPAM. I was not able to find any articles about that leaked info being to blame for any other iPad/AT&T breaches but I didn't look very hard.
2) I don't believe that any security systems were circumvented to obtain the data. It seems to me that a wget or cURL call on a loop would have done 75% of the work. Calling this a "hack" is kind of an insult to people who actually do hack into secure systems. It is barely even "brute force", if at all. I would put this in the "automated scraping" bucket.
3) I don't believe he committed a crime here. Sure, the guy seems like a bit of a crusty wild man and possibly a bit of a douche. But thanks be to the Earth & Stars that neither of those things are felonies. Unfortunately, it seems they had already determined this guy was bad. And when you start a search with your mind already made up about the results, you are almost always going to end up at that result... no matter if it is wrong or right.
1. Your belief about significance of the data is immaterial - these emails were private and were not intended for disclosure. The fact that you think they're not that interesting does not matter - I may think the content of your private email account is nothing of interest and will give nobody any useful information - that still doesn't give me the right to access it.
2. As I noted elsewhere, here the word "hack" is not used in the sense of "cleverly use the technology" but in the sense "used computers to access information he was not authorized to access". Unfortunately, the battle for the former meaning against the latter is long lost, and the press has been using this word in the latter meaning for years now.
The fact that he had to write a script which uses a special algorithm based on the geographic distribution of IDs means the information was not public and he had to commit some work and apply his own ingenuity to access it.
3. Unauthorized access of private information is a crime. I'd rather it stay so - otherwise I'd have to rely on a good will of people like Auernheimer to keep my private information private. I think the consequences of this would be very grim. The problem is not that this guy was an ass - he was an ass long before that, and still was free to commit his jackassery. Until he crossed the line between being jackass and committing a crime. I agree that it is not the most heinous crime committed in the US ever - it is probably a small crime, like petty theft or trespass - but it still is. I hope he will be punished in accordance with the severity of the crime - not too hard, not too lightly.
> I agree that it is not the most heinous crime committed in the US ever - it is probably a small crime, like petty theft or trespass - but it still is. I hope he will be punished in accordance with the severity of the crime - not too hard, not too lightly.
But he was convicted of a felony. There is no "lightly" on a felony... only varying degrees "You're F'ed!" Fines will be high. Even if probation/community service is used rather than prison (yes, PRISON... not jail), the punishment lasts for a lifetime for a felon. Many, many, many forms have a special check box for felons.
From my reading of the article, the defendant is being painted as a bigger, scarier target so that AT&T looks like a victim instead of a corporation failing to secure the confidential information of their customers as due diligence demands. From the comments on this thread, the defendant did not have intentions that were completely (as in 100%) benign. In addition, the co-defendant pleading guilty will probably make it harder for his legal team to prove his innocence. However, why is AT&T getting away with what basically amounts to negligence? Specifically, AT&T failed to provide reasonable (industry-standard) security to their users' confidential information (email addresses and other personal data).
It says about 120,000 Apple iPad users were affected, so 120,000 counts of negligence. My "class-action lawsuit" senses are tingling.
While I agree that his past "clouds" people's potential judgement of him, I can't help but wonder if it was really understood that this data was publicly accessible. He didn't need to work his way through backdoors and breach what some would consider traditional security measures.