
And this, my friends, is the fake world of democracy we live in. We are under the illusion that we possess freedom that we don't really have. This is a game played by very powerful people at the top, who have the right amount of money at the right time, and these people will continue to game this system. We need a change, desperately!



Could you please explain how convicting a person that hacked into AT&T means we have fake democracy? I must be missing something here, could you elaborate a bit?


Ummm...so let's say you upload a couple of private photos from a strip club on Facebook. They were meant to be private, but unfortunately, technically they weren't. Now, I do some googling and I find out that I can view these photos from a couple of unique URLs. Now, I have two options:

1) Just tell you so that you can remove these photos and you alone will benefit from it.

2) Bring this to light so that everyone like you who has posted their private photos will benefit from it.

Now, what is the best way for me to bring it to light? Contact Facebook?? Yeah, it's a good shot, but Facebook will probably do everything to suppress that this incident even occurred.

So, the only way for me to prove that I DID gain access to your private photos is by proving to everyone that I just did. And that is by posting this info somewhere that will gain media attention.

Now, a couple of points to note here:

I did NOT hack into Facebook.

I did NOT threaten you to provide me those photos.

I just took what was available already and posted it to another online medium, so this will be brought to light.

So, now, please tell me, how was my INTENTION malicious? My intention was good. It's not like I sold your photos and made a ton of money. I actually fought for your privacy and now I'm labelled a villain. Great!


There wasn't "a couple of private photos". If Facebook protected it with a random key, and you noticed the key generator was flawed so that knowing I live in, say, Montana you could bruteforce this generator in 3 days, and you wrote a script that indeed in three days bruteforced the key - yes, it would be "hacking Facebook". And if you took these photos and 100K of other photos and, saying nothing to Facebook or me, went to the press - yes, it would expose you to criminal charges. If your intention was good, you would have stopped with one photo and notified Facebook and/or myself, and you would not write a tool to harvest and keep 100K of them. Creating and using such a tool is what got them into trouble, not visiting some page or discovering some flaw. If you see a neighbor's door is open, you're not a criminal. If you go in and go through personal possessions because the door was open - you are. Selling has nothing to do with this - if you use it not for money but for lulz it's still the same. The evil is not in the money - the evil is in going where you do not belong and taking things that are not yours to take.


While I agree that "fake democracy" is a bit over the top, I also can't see how he "hacked into AT&T". There might be enough room to dicker over whether searching for a vulnerability equates to "hacking," but does anyone really believe Auernheimer did anything illegal by manually typing in an address?


Hacked is a very loaded word. In some circles, it means "did brilliant work cleverly and ingeniously using some stuff not always as it was intended to be used", in others it means "did some computer voodoo and stole my data".

Searching for vulnerabilities on public sites containing live private data is not a business that one should approach lightly. I personally wouldn't do it without being specifically asked for it. But even if one does, then taking a massive amount of data is definitely not what a whitehat researcher does.

>>> but does anyone really believe Auernheimer did anything illegal by manually typing in an address?

As far as I know, he didn't manually type an address. He wrote a script that bruteforced ID protection and downloaded a massive list of private emails. Do I have the wrong information? How is it different from bruteforcing a weak password on an email account and copying all the emails - do you think this is legitimate too and that information was public?


> How is it different from bruteforcing a weak password on an email account

It is different in these ways:

* Brute-forcing the email password is an attempt to circumvent a system designed specifically to keep unauthorized people out. One cannot claim this info is public or that authorization was implied.

* Repeatedly making a call to an open, yet hidden, API is simply using it as it was designed. IMO, at most this dude violated some AT&T TOS by scripting the requests.


Can you please explain how "GET /iccid/12345" is hacking? I must be missing something here, could you elaborate a bit?


He knew that he was obtaining sensitive information that he shouldn't have been able to access (through AT&T's negligence); however, instead of following any sort of responsible disclosure and reporting the incident to the company, he goes to IRC and talks openly about trying to use the information to benefit himself through insider trading and then gives the information to Gawker (again instead of contacting AT&T).

He probably could have had the charges dropped, had he composed his actions differently.


Absolutely. He was a dick about it. I don't think that anyone would argue differently.

But the fact of the matter is, he's been convicted for unauthorized access to a public computer system. Last I checked, being a dick and a braggart wasn't criminal.

I think he was rather stupid about the whole thing, but criminal? The fault should lie with AT&T, who put their customer data on a public webserver for the world to see.


Being a dick in general is not criminal. Being a dick by stealing 100K private emails and giving them to press, apparently, is criminal.


But it's not stealing if AT&T was just happily giving them away. Which they were.


Is that still defensible if you go out of your way to brute force download as many as you can and you then distribute that list?


That's like saying that it isn't robbery if the door was unlocked.

It still is. Any reasonable person would know that stealing from a house, locked or no, isn't something they're supposed to be doing.

It's a quandary, to be sure, because once you discover a hypothetical exploit, it's human nature to sate that curiosity by testing whether it works. Two or three accounts would have proved it, 100,000 accounts is excessive.

I'm not trying to say that the number of accounts he released is germane to the discussion per se, but I certainly think that it's relevant in the discussion of intent.


It is not. As far as I can see in reports, however, this is not what Andrew Auernheimer did. He wrote a tool that bruteforces massive amounts of IDs and downloaded a massive number of private emails, which were not public data. The fact that it was easy for him is irrelevant, just as the fact that somebody had a weak password is irrelevant if you bruteforce it and access his bank or email account. If you do that - you'll probably be liable for unauthorized access, and the excuse "he had a weak password, so it's like public information" is not going to work.


If you've read the reports, then you'd know that what he did was write a tool that performed gets of URLs with an incrementing ID component. Like, http://news.ycombinator.com/item?id=4812496 has an integer component of "4812496". You can change that to "4812497" and get a different story. That's what he did. AT&T published a bunch of customer data on a URL endpoint with an integer component, and he wrote a script that just iterated through the integers.

It's a "brute force attack" only in the loosest sense of the term. It's an insult to actual brute force attacks to call it that.

A password-protected system is, by definition, protected. A URL - "Uniform Resource Locator" - is a string that identifies how to reach a given resource, which may or may not include access control. And in this case, didn't.

This was not protected information. The fact that anyone could consider this technically-protected information long enough to get a criminal conviction flies in the face of the entire structure of the internet.
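The comment above describes the mechanics precisely: a URL with an integer component, no access control on the object it names, and a script that walks the integers. The following is an added example (not AT&T's code and not the tool discussed in this thread) that models that pattern in Python: the unchecked lookup, the enumeration loop that turns one missing check into a bulk leak, the fix that ties the requested ID to an authenticated session, and a log check that spots a client walking an ID range. The record data, session tokens and log format are all constructed for illustration.

```python
"""Sequential-ID enumeration (insecure direct object reference) and its fix.

Added example. Records, sessions and the log format below are constructed;
this is not AT&T's endpoint nor the harvesting script discussed on the page.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed sample data: ICCID -> account e-mail (hypothetical values).
RECORDS: Dict[int, str] = {
    89014100000001: "alice@example.com",
    89014100000002: "bob@example.com",
    89014100000003: "carol@example.com",
    89014100000007: "dave@example.com",
}

# Constructed session store: session token -> the ICCID that session owns.
SESSIONS: Dict[str, int] = {
    "tok-alice": 89014100000001,
}


def lookup_vulnerable(iccid: int) -> Optional[str]:
    """The flawed design: the path component is the only 'credential'.

    Anyone who can form GET /iccid/<n> receives the record for <n>.
    """
    return RECORDS.get(iccid)


def lookup_hardened(session_token: Optional[str], iccid: int) -> Optional[str]:
    """The fix: authenticate the caller, then authorize the specific object.

    The request must carry a valid session, and the ICCID asked for must be
    the one that session is entitled to. A caller logged in as Alice who asks
    for Bob's ICCID gets the same answer as an unauthenticated caller, so the
    response does not even reveal whether the ID exists.
    """
    owner_iccid = SESSIONS.get(session_token)
    if owner_iccid is None or owner_iccid != iccid:
        return None
    return RECORDS.get(iccid)


def enumerate_ids(handler: Callable[[int], Optional[str]],
                  start: int, count: int) -> Dict[int, str]:
    """Model of the harvesting script: walk a contiguous ID range and keep
    every ID that returns data. Against lookup_vulnerable this yields the
    whole leak; against the hardened handler it yields nothing the caller
    was not already entitled to."""
    found: Dict[int, str] = {}
    for iccid in range(start, start + count):
        email = handler(iccid)
        if email is not None:
            found[iccid] = email
    return found


def flag_enumerators(log_lines: Iterable[str], min_run: int = 3) -> Set[str]:
    """Detection: one client touching a run of distinct consecutive IDs.

    Constructed log format: '<client_ip> GET /iccid/<n> <status>'.
    Returns the clients whose distinct requested IDs contain at least
    `min_run` consecutive values (min_run must be >= 2). Repeats of the
    same ID do not count, so a user refreshing their own page is not flagged.
    """
    ids_by_client: Dict[str, Set[int]] = defaultdict(set)
    for line in log_lines:
        client, _method, path, _status = line.split()
        ids_by_client[client].add(int(path.rsplit("/", 1)[1]))

    flagged: Set[str] = set()
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    print("leak:", enumerate_ids(lookup_vulnerable, 89014100000000, 10))
    print("hardened, no session:",
          enumerate_ids(lambda i: lookup_hardened(None, i), 89014100000000, 10))
    print("hardened, alice:",
          enumerate_ids(lambda i: lookup_hardened("tok-alice", i), 89014100000000, 10))
```

The enumeration loop is deliberately identical for both handlers: the difference between a leak and a non-event is entirely in whether the server checks that the caller is entitled to the object named in the URL, which is the point the comment makes about URLs versus access control.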


It wasn't just this action that got him convicted. Intent also plays a role. His intent was malicious, with the intent to benefit from what a reasonable person would conclude was access to intentionally private data. Had his actions after discovering the problem been those of a responsible adult, the results would have been different. The difficulty has little to do with it. Easily getting access to something you shouldn't have access to does not instill you with special rights. This also means intent plays a critical role.

Read past the headlines and actually understand the entire story before posting.


In my opinion he's just full of shit.



