
If you've read the reports, then you'd know that what he did was write a tool that performed gets of URLs with an incrementing ID component. Like, http://news.ycombinator.com/item?id=4812496 has an integer component of "4812496". You can change that to "4812497" and get a different story. That's what he did. AT&T published a bunch of customer data on a URL endpoint with an integer component, and he wrote a script that just iterated through the integers.

It's a "brute force attack" only in the loosest sense of the term. It's an insult to actual brute force attacks to call it that.

A password-protected system is, by definition, protected. A URL - "Uniform Resource Locator" - is a string that identifies how to reach a given resource, which may or may not include access control. And in this case, didn't.

This was not protected information. The fact that anyone could consider this technically-protected information long enough to get a criminal conviction flies in the face of the entire structure of the internet.
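The enumeration the comment describes (one client walking an integer `id` parameter in order) is easy to spot in web server access logs. The following is an added example, not code from either commenter or from any party in the case: it parses constructed Common Log Format lines, tracks per client and path the longest run of requests whose `id` changes by exactly one each time, and reports clients that exceed a threshold. The log lines, IP addresses and the `/item` path are constructed for the example.

```python
import re

# Common Log Format fields we need (constructed regex for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Integer id parameter in the query string.
ID_RE = re.compile(r'[?&]id=(\d+)(?:&|$)')

# Constructed sample access log: 198.51.100.7 walks ids 1001..1008 on /item in order
# (one of them a 404), while 203.0.113.5 makes a few unrelated, non-sequential requests.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2012:13:00:01 +0000] "GET /item?id=1001 HTTP/1.1" 200 512
203.0.113.5 - - [10/Nov/2012:13:00:02 +0000] "GET /item?id=4812496 HTTP/1.1" 200 498
198.51.100.7 - - [10/Nov/2012:13:00:02 +0000] "GET /item?id=1002 HTTP/1.1" 200 530
198.51.100.7 - - [10/Nov/2012:13:00:03 +0000] "GET /item?id=1003 HTTP/1.1" 200 511
203.0.113.5 - - [10/Nov/2012:13:00:04 +0000] "GET /item?id=17 HTTP/1.1" 200 420
198.51.100.7 - - [10/Nov/2012:13:00:04 +0000] "GET /item?id=1004 HTTP/1.1" 200 509
198.51.100.7 - - [10/Nov/2012:13:00:05 +0000] "GET /item?id=1005 HTTP/1.1" 404 120
198.51.100.7 - - [10/Nov/2012:13:00:05 +0000] "GET /item?id=1006 HTTP/1.1" 200 515
198.51.100.7 - - [10/Nov/2012:13:00:06 +0000] "GET /item?id=1007 HTTP/1.1" 200 508
198.51.100.7 - - [10/Nov/2012:13:00:06 +0000] "GET /item?id=1008 HTTP/1.1" 200 519
203.0.113.5 - - [10/Nov/2012:13:00:07 +0000] "GET /item?id=9033 HTTP/1.1" 200 477
"""


def parse_line(line):
    """Return (ip, path, id) for a request carrying an integer id parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path = target.split("?", 1)[0]
    idm = ID_RE.search(target)
    if not idm:
        return None
    return m.group("ip"), path, int(idm.group(1))


def longest_sequential_runs(log_text):
    """For each (ip, path), the longest run of requests whose id moves by exactly +1 or -1.

    A run is counted in request order, so a client that steps through ids in either
    direction is caught; any other jump (or a request without an id) resets the run.
    """
    state = {}  # (ip, path) -> (previous id, current step, current run length, best run)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, rid = parsed
        key = (ip, path)
        prev, step, run, best = state.get(key, (None, 0, 1, 1))
        if prev is not None and rid - prev in (1, -1):
            if step == rid - prev:
                run += 1          # same direction as before: extend the run
            else:
                step, run = rid - prev, 2   # new direction: this pair starts a run
        else:
            step, run = 0, 1      # gap or direction reset
        state[key] = (rid, step, run, max(best, run))
    return {k: v[3] for k, v in state.items()}


def flag_enumerators(log_text, min_run=5):
    """Clients that walked at least min_run consecutive ids on one path, longest run first."""
    runs = longest_sequential_runs(log_text)
    hits = [(ip, path, n) for (ip, path), n in runs.items() if n >= min_run]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for ip, path, n in flag_enumerators(SAMPLE_LOG):
        print(f"{ip} walked {n} consecutive ids on {path}")
```

The threshold is deliberately low so the sample triggers; in production you would tune `min_run` against normal traffic, and note that the run counts 404s too, since a scan of a sparse id space produces many of them. Detection is the backstop: the fix for an endpoint like the one the comment describes is an ownership check on every request for an id, with non-guessable identifiers as a second layer.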




It wasn't just this action that got him convicted. Intent also plays a role. His intent was malicious, with the intent to benefit from what a reasonable person would conclude was access to intentionally private data. Had his actions after discovering the problem been those of a responsible adult, the results would have been different. The difficulty has little to do with it. Easily getting access to something you shouldn't have access to does not instill you with special rights. This also means intent plays a critical role.

Read past the headlines and actually understand the entire story before posting.



