AT&T iPad Hacker Sentenced to 3.5 Years
While AT&T Saw No Punishment For Helping NSA, FBI Break The Law
by Karl Bode 12:31PM Monday Mar 18 2013
Back in June of 2010, you might recall that a security hole in AT&T's website allowed two individuals to gain access to the e-mail addresses of 114,000 owners of 3G Apple iPads, including "dozens of CEOs, military officials, and top politicians." The hole was a public AT&T web endpoint that, handed an iPad's ICC-ID, returned the e-mail address registered to it without checking that the requester owned the device. A group calling itself Goatse Security claimed responsibility for the hack at the time, which in addition to e-mail addresses resulted in the group obtaining users' ICC-IDs, the numbers used to identify a specific iPad on the AT&T network.

One of the two involved in the "hack" was today sentenced to 41 months in prison, to be followed by three years of supervised release and $73,000 in restitution to be paid to AT&T. The two had claimed they were simply security researchers highlighting the vulnerability:
quote:
The two contacted the Gawker website to report the hole, a practice often followed by security researchers to call public attention to security holes that affect the public, and provided the website with harvested data as proof of the vulnerability. Gawker reported at the time that the vulnerability was discovered by a group calling itself Goatse Security. AT&T maintained that the two did not contact it directly about the vulnerability and learned about the problem only from a "business customer."
Many justly question Goatse Security's methods, given that "Weev" is on record as having considered using the collected data for phishing. Still, the punishment is widely seen as severe: the two broke into no private servers and obtained no passwords, and whether querying a public endpoint with guessed identifiers even amounts to "unauthorized access" under the Computer Fraud and Abuse Act is the question on which the case turns.

Eyebrows are raised further by the fact that AT&T helped the FBI break the law and worked with the NSA to illegally spy on all United States residents without so much as a wrist slap.
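The flaw at the centre of the story is an insecure direct object reference: a lookup keyed on an identifier the caller supplies, with no check that the caller is entitled to the record. The following is an added example, not code from this article or from AT&T. It assumes only what the page says (an endpoint that took an ICC-ID and answered with the e-mail address tied to it); the `Session` and `EnumerationGuard` classes, the function names, and every ICC-ID, name and address in it are constructed for illustration.

```python
"""Added example, not code from the article or from AT&T: the insecure direct
object reference the story describes, beside a hardened version of the same
lookup. Assumed from the page: a public endpoint took an ICC-ID and returned
the e-mail address registered to it with no check that the caller owned the
device. Every ICC-ID, address, name and class below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

# Constructed subscriber records keyed by ICC-ID. The keys are sequential on
# purpose; that is what makes "increment the number by one" enumeration pay off.
SUBSCRIBERS: Dict[str, str] = {
    "8901410321111111111": "alice@example.com",
    "8901410321111111112": "bob@example.com",
    "8901410321111111113": "carol@example.com",
    "8901410321111111117": "mallory@example.com",
}


def lookup_vulnerable(iccid: str) -> Optional[str]:
    """The behaviour the page attributes to the AT&T endpoint: whoever can
    name an ICC-ID learns the e-mail address tied to it."""
    return SUBSCRIBERS.get(iccid)


@dataclass(frozen=True)
class Session:
    """Hypothetical authenticated session: who is logged in and which ICC-IDs
    the carrier has already bound to that account."""
    subscriber: str
    owned_iccids: FrozenSet[str]


def lookup_hardened(session: Optional[Session], iccid: str) -> Optional[str]:
    """Same lookup with an authorization check. The caller must be logged in
    and the ICC-ID must already belong to that caller. Every failure returns
    the same None, so the endpoint cannot be used as an existence oracle."""
    if session is None or iccid not in session.owned_iccids:
        return None
    return SUBSCRIBERS.get(iccid)


class EnumerationGuard:
    """Defence in depth: count the distinct identifiers each client asks about.
    A real user asks about one or two devices; a harvester asks about
    thousands, so cut a client off after a small number."""

    def __init__(self, max_distinct: int = 5) -> None:
        self.max_distinct = max_distinct
        self._seen: Dict[str, set] = {}

    def allow(self, client: str, iccid: str) -> bool:
        seen = self._seen.setdefault(client, set())
        seen.add(iccid)
        return len(seen) <= self.max_distinct


def enumerate_ids(lookup: Callable[[str], Optional[str]],
                  start: int, count: int) -> Dict[str, str]:
    """The attack the thread describes: walk identifiers one at a time and
    keep whatever the endpoint hands back."""
    harvested: Dict[str, str] = {}
    for n in range(start, start + count):
        iccid = str(n)
        email = lookup(iccid)
        if email is not None:
            harvested[iccid] = email
    return harvested


if __name__ == "__main__":
    first = 8901410321111111110
    print("vulnerable:", enumerate_ids(lookup_vulnerable, first, 10))
    mallory = Session("mallory", frozenset({"8901410321111111117"}))
    print("hardened:", enumerate_ids(lambda i: lookup_hardened(mallory, i), first, 10))
```

Run against the same ten-identifier window, the vulnerable lookup hands over every record in it, while the hardened one gives the attacker back only the device already bound to their own account. The authorization check is the fix; making identifiers random or rate-limiting the endpoint (as `EnumerationGuard` does) only slows an attacker down and belongs on top of it, not instead of it.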

whoyourdaddy

join:2013-02-20
Honey Brook, PA

well

then why no jail time for the nsa or fbi

FFH5
Premium
join:2002-03-03
Tavistock NJ
kudos:5

1 recommendation

Re: well

said by whoyourdaddy:

then why no jail time for the nsa or fbi

Because when the gov't does it and the legislature and courts OK it, IT ISN'T ILLEGAL. You can debate forever whether it was right or wrong, but whether people like it or not, the gov't gets to decide what is illegal or not. Don't like that, then throw those elected officials out of office on election day.
whoyourdaddy

join:2013-02-20
Honey Brook, PA

Re: well

that's what I do

coldmoon
Premium
join:2002-02-04
Broadway, NC
said by FFH5:

said by whoyourdaddy:

then why no jail time for the nsa or fbi

Because when the gov't does it and the legislature and courts OK it, IT ISN'T ILLEGAL. You can debate forever whether it was right or wrong, but whether people like it or not, the gov't gets to decide what is illegal or not. Don't like that, then throw those elected officials out of office on election day.

You miss the real point here. Congress made it legal AFTER AT&T and others broke the law. So even IF it is legal NOW, it wasn't legal when they committed the criminal acts...
--
Returnil - 21st Century body armor for your PC

dib22

join:2002-01-27
Kansas City, MO
said by whoyourdaddy:

then why no jail time for the nsa or fbi

simple... they went back after the law was broken and changed the rules.

»www.wired.com/threatlevel/2008/0···pproves/

CUBS_FAN
Next Year Again..

join:2005-04-28
Chicago, IL
kudos:1
said by whoyourdaddy:

then why no jail time for the nsa or fbi

I know what you mean. The FBI tapped ex-Governor Rod Blagojevich's phone, which got him indicted.

Cabal
Premium
join:2007-01-21
Hilarious watching him get ripped apart on Reddit:

»www.reddit.com/r/IAmA/comments/1···der_the/

TLDR: Weev is a douche, not a hero.
--
If you can't open it, you don't own it.

Simba7
I Void Warranties

join:2003-03-24
Billings, MT

1 recommendation

Re: well

said by Cabal:

TLDR: Weev is a douche, not a hero.

Ya, but they could've done this to anyone if they wanted. From what I read on reddit, this idiot was fsckin' with people and gloating every step of the way.

said by French87@reddit :

From the article:

The day before his sentencing he posted a comment on Reddit saying, “My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won’t nearly be as nice next time.”

On Monday morning, federal prosecutors used his Reddit post to support their call for a four-year sentence.

His ego was so huge that he posted the day before his sentencing on what he did. Too bad it backfired on him, freakin' idiot.
--
Bresnan 30M/5M | CenturyLink 5M/896K
MyWS[PnmIIX3@3.2G,8G RAM,500G+1.5T+2T HDDs,Win7]
MyLaptop[Asus G53SX,32GB RAM,2x750GB HDD,Win7]
WifeWS[A64@2G,2G RAM,120G HDD,Win7]
Router[PE1750,4G RAM,3x36G HDD,2xIntel Pro/1000+GT Quad Port,Gentoo]
Chubbysumo

join:2009-12-01
Superior, WI

Re: well

said by Simba7:

said by Cabal:

TLDR: Weev is a douche, not a hero.

Ya, but they could've done this to anyone if they wanted. From what I read on reddit, this idiot was fsckin' with people and gloating every step of the way.

said by French87@reddit :

From the article:

The day before his sentencing he posted a comment on Reddit saying, “My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won’t nearly be as nice next time.”

On Monday morning, federal prosecutors used his Reddit post to support their call for a four-year sentence.

His ego was so huge that he posted the day before his sentencing on what he did. Too bad it backfired on him, freakin' idiot.

While he might be an idiot, the CFAA is so overly broad and so vague that it can be used to prosecute nearly anyone for any type of computer-related crime. This just goes to show (the sentencing and railroading of the case in general) that the government will swarm like bees when you piss them off (which they did when he disclosed Obama's iPad ICC-ID, which is probably why he got so railroaded). He will probably win an appeal on some grounds, simply because the CFAA is so overly broad and this likely does not fall under it, since he did not gain unauthorized access to a system; it was a public-facing server.

WiFiguru
To infinity... and beyond
Premium
join:2005-06-21
Irvine, CA

AT&T

AT&T should be hiring these guys, not prosecuting them.

It was AT&T's fault in being vulnerable in the first place.
whoyourdaddy

join:2013-02-20
Honey Brook, PA


Re: AT&T

Yes, it's their fault. That's why their service sucks, and why they think they don't suck: they were trying to buy T-Mobile.

FFH5
Premium
join:2002-03-03
Tavistock NJ
kudos:5
said by WiFiguru:

AT&T should be hiring these guys, not prosecuting them.

Maybe they will - after they get out of jail and have a hard time getting work with a prison record.
whoyourdaddy

join:2013-02-20
Honey Brook, PA

Re: AT&T

Some company will hire them, just give it time. All they have to do on the application is say "I hacked into AT&T's mainframe" and they get hired.
ke4pym
Premium
join:2004-07-24
Charlotte, NC
said by FFH5:

said by WiFiguru:

AT&T should be hiring these guys, not prosecuting them.

Maybe they will - after they get out of jail and have a hard time getting work with a prison record.

A prison record hasn't been a real issue for Kevin Mitnick.

cableties
Premium
join:2005-01-27

Re: AT&T

said by ke4pym:

said by FFH5:

said by WiFiguru:

AT&T should be hiring these guys, not prosecuting them.

Maybe they will - after they get out of jail and have a hard time getting work with a prison record.

A prison record hasn't been a real issue for Kevin Mitnick.

Mitnick. Yeah, he HAS experience on his resume.
--
Splat
Kiwi
Premium
join:2003-05-26
USA/MidWest
kudos:1
Really, can you read?

dib22

join:2002-01-27
Kansas City, MO

Hacker? Really

If asking a web server to process a request is hacking, everyone reading this page is guilty.

Did the customers who lost data (their e-mail address and iPad device ID, if I remember correctly) get to sue AT&T for being incompetent?

No... as a customer you can only arbitrate with AT&T.
big_e

join:2011-03-05

1 recommendation

Re: Hacker? Really

Is entering someone's house without their permission and taking their stuff okay if the door isn't locked? How about if you walk into a bar and steal the tip jar? If they didn't physically secure it to the bar, then it's perfectly justifiable to simply take it. Come to think of it, bank robbery is simply asking a teller to process a request as well, so by your logic robbery isn't that big of a deal either.
Rekrul

join:2007-04-21
Milford, CT

1 recommendation

Re: Hacker? Really

said by big_e:

Is entering someone's house and stealing without their permission and taking their stuff okay if the door isn't locked? How about if you walk into a bar and steal the tip jar? If they didn't physically secure it to the bar then its perfectly justifiable to simply take it. Come to think of if it bank robbery is simply asking a teller to process a request as well, so by your logic robbery isn't that big of a deal either.

First of all, you can't "steal" digital information, you can only copy it. Second, they didn't "hack" anything. All they did was change the numbers in the URLs.

If you type such a URL manually and you make a typo and get someone else's information, have you "hacked" the site?

Yes, they changed the URLs intentionally, but they didn't bypass any security.

This is like getting arrested for "stealing" cable TV because the cable company accidentally gave you the movies channels free for six months.
Crookshanks

join:2008-02-04
Binghamton, NY

Re: Hacker? Really

said by Rekrul:

First of all, you can't "steal" digital information, you can only copy it.

So you won't mind then if I help myself to every medical record you have in electronic form? How about those stored sexts with your significant other? They're just digital, so I can't steal them, right? I'm not trying to break anything, I just want to prove that it can be done, that's why I'm posting all of your information on this website.

said by Rekrul:

This is like getting arrested for "stealing" cable TV because the cable company accidentally gave you the movies channels free for six months.

Morally, it's stealing if you discover this and use those services you aren't paying for. If the cashier at McDonalds gives you change for a $20 instead of the $10 you paid for, would you knowingly walk out of the restaurant without making it right?

Simba7
I Void Warranties

join:2003-03-24
Billings, MT

2 recommendations

Re: Hacker? Really

said by Crookshanks:

So you won't mind then if I help myself to every medical record you have in electronic form?

If you could get that information, the head IT admin would be in a sh*tload of trouble for improper security measures, not to mention putting private information on a public server. I think it's also against federal law to screw up that bad.

It's like knowingly putting TOP SECRET data on an UNCLASSIFIED, PUBLIC system. Someone's going to Leavenworth after going through a court-martial involving having several layers of ass chewed off by multiple people.

Accessing a PUBLIC website by changing the URL's should not make you able to access sensitive information. There was no hacking involved by just changing the URL.. so this was a badly designed website or a poorly configured web server.

Unfortunately, someone got their feelers hurt and pointed their finger at the "hacker" to try and save what ass he/she had left, which is bullsh*t.
--
Bresnan 30M/5M | CenturyLink 5M/896K
MyWS[PnmIIX3@3.2G,8G RAM,500G+1.5T+2T HDDs,Win7]
MyLaptop[Asus G53SX,32GB RAM,2x750GB HDD,Win7]
WifeWS[A64@2G,2G RAM,120G HDD,Win7]
Router[PE1750,4G RAM,3x36G HDD,2xIntel Pro/1000+GT Quad Port,Gentoo]
Crookshanks

join:2008-02-04
Binghamton, NY


Re: Hacker? Really

said by Simba7:

If you could get that information, the head IT admin would be in a sh*tload of trouble for improper security measures, not to mention putting private information on a public server. I think it's also against federal law to screw up that bad.

...

Unfortunately, someone got their feelers hurt and pointed their finger at the "hacker" to try and save what ass he/she had left, which is bullsh*t.

The fact that the IT guys screwed up is not a mitigating factor when determining the severity of the crime committed by the hacker.

Some jurisdictions have so-called "safe storage" laws for firearms. My failure to follow those laws may subject me to criminal and/or civil liability, but it does not result in a lesser charge for the person who steals my firearms than they would have otherwise gotten.

said by Simba7:

There was no hacking involved by just changing the URL

The law doesn't see it that way. Here's the definition of computer trespass in New York State, a Class E Felony, emphasis mine:

quote:
A person is guilty of computer trespass when he or she knowingly uses,
causes to be used, or accesses a computer, computer service, or computer
network without authorization and:
1. he or she does so with an intent to commit or attempt to commit or
further the commission of any felony; or
2. he or she thereby knowingly gains access to computer material.
Do I think it's absurd that they were able to do this merely by changing a URL? Sure. Does that excuse what they did? Absolutely not. What matters is that any reasonable person would have known they were accessing private data without permission.

Simba7
I Void Warranties

join:2003-03-24
Billings, MT

Re: Hacker? Really

said by Crookshanks:

What matters is that any reasonable person would have known they were accessing private data without permission.

It's not private data if it's stored on a publicly accessible server. If it was private data, it wouldn't be connected to the internet. It would be accessible only through the corporate intranet, via their network or by VPN.
Crookshanks

join:2008-02-04
Binghamton, NY

Re: Hacker? Really

That is completely irrelevant. Your bank's online portal is on a "publicly accessible server". Does that mean I can publish your transaction list if I discover a bug that allows me to access it merely by manipulating a URL string?

What matters from a legal and moral standpoint is whether a reasonable person would have known that they were accessing data they had no authorization to access. The answer to this question is an unqualified "Yes." There is no miscarriage of justice here. They broke the letter and spirit of the law. They knew they were breaking the letter and spirit of the law. Mens rea is solidly established.

The EFF really needs to find a more sympathetic defendant if they are going to go after the CFAA. Using this character is likely to get the law upheld and establish case law in support of the CFAA that the judiciary will be compelled to honor going forward. They could at least find somebody who lacked mens rea and who wasn't stupid enough to brag about his crime the day before sentencing.
Chubbysumo

join:2009-12-01
Superior, WI
The problem is that he did not hack. He did not have to do any exploiting to gain access to the info; he simply typed in a different URL and it spit out info, just like you can do with any website. You have a web browser, you have a URL bar, and you can choose to type anything into it you want. The problem, really, is that this highlights (along with Aaron Swartz's case) the broad and vague nature of the CFAA, which can be used to convict anyone of nearly anything that the prosecutor can convince a judge is covered, even if it's a long shot and a very unlikely link.
Crookshanks

join:2008-02-04
Binghamton, NY

Re: Hacker? Really

This is irrelevant.

Any reasonable person would have known they were not entitled to have access to this information. It does not matter from a legal or moral standpoint that they were able to "easily" access the information without any "hacking". You don't get to (legally) keep $200 you find sitting in the ATM because the previous customer forgot to take it with him, even though no hacking or force was required to obtain it.

In doing this, they would have also broken any number of state laws that are not applied as broadly as the CFAA. I can tell you that they would be guilty of felony level offenses in both New York State and Pennsylvania. I'm guessing the other 48 states as well, though NY and PA are the only ones I have direct knowledge of, since I've lived in both locales while working in IT.

Our common law legal system is based on mens rea, the "guilty mind". Did they know they were accessing information that they had no right to access? Yes, they did, any reasonable person would have. It was not something they accidentally stumbled across and walked away from. They accessed information they knew they had no right to access, then published said information. They broke both the letter and spirit of the law.

an

@sbcglobal.net

Re: Hacker? Really

ATM analogy is a little silly... especially since you aren't allowed to just keep any found money... whether it was in an ATM or just blowing around on the street.
Chubbysumo

join:2009-12-01
Superior, WI
You will defend the government (as you do in all your posts) to your last breath. The fact of the matter is, this was a public-facing server, and a person did not have to take unreasonable steps (meaning a normal person like you or I could have discovered this, not just him, and it was by accident for him as well, because he typed in a wrong URL and got curious) to discover or use this info; thus it was not properly protected and is fair game. The ATM analogy is terrible, simply because if it's cash, unless they come back, it's yours. There have been many occasions that I find money left in an ATM, and take it. I don't feel bad either, because if you are stupid enough to leave money in an ATM, you deserve the loss. Also, while you point out two states that also have broad laws against things like this, as far as I'm aware only a few other states have taken measures farther than the federal law, simply because the CFAA is so broad it can be used for anything.
Crookshanks

join:2008-02-04
Binghamton, NY

Re: Hacker? Really

said by Chubbysumo:

There have been many occasions that I find money left in an ATM, and take it. I don't feel bad either

You have no concept of morality if you're taking money that doesn't belong to you without a shred of guilt. The just thing to do is return it to the bank, they can determine from transaction logs and camera footage who the money belongs to. Will they do this? Maybe, I know my credit union does, crediting the money back into the account of the member who left it there. Either way, it's not yours for the taking.

said by Chubbysumo:

a person did not have to take unreasonable steps(meaning, a normal person like you or I could have discovered this, not just him, and it was by accident for him as well because he typed in a wrong URL, and got curious)

If it was an accident there wouldn't have been mens rea and a prosecution would be a gross abuse of governmental power. Except it wasn't an accident. They discovered the exploit, perhaps accidentally, but afterwards wrote a program to parse as many different URL strings as possible, stole as much information as they could, then published said information.
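The harvesting program described in the post above is, seen from the server side, a single client asking about a long run of consecutive identifiers, and that is what a defender hunts for in the access logs after the fact. The following is an added example, not code from the page or from AT&T: the log lines, the `/device/lookup?iccid=` URL shape and the client addresses are constructed for the example (the real AT&T endpoint is not described on the page), and the thresholds are arbitrary assumptions.

```python
"""Added example, not code from the page or from AT&T: detecting identifier
enumeration in web-server access logs. Assumptions: Common Log Format lines,
a hypothetical lookup path /device/lookup with the ICC-ID in an `iccid` query
parameter, and constructed client addresses. Thresholds are arbitrary."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) (\S+)')

LOOKUP_PATH = "/device/lookup"   # hypothetical; the real path is not on the page
ID_PARAM = "iccid"

# Constructed sample: 198.51.100.7 looks up its own device twice; 203.0.113.9
# walks six consecutive ICC-IDs and gets three hits (the 200s).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2010:09:00:01 -0400] "GET /device/lookup?iccid=8901410321111111111 HTTP/1.1" 200 73
203.0.113.9 - - [10/Jun/2010:09:00:02 -0400] "GET /device/lookup?iccid=8901410321111111110 HTTP/1.1" 404 19
203.0.113.9 - - [10/Jun/2010:09:00:02 -0400] "GET /device/lookup?iccid=8901410321111111111 HTTP/1.1" 200 73
203.0.113.9 - - [10/Jun/2010:09:00:02 -0400] "GET /device/lookup?iccid=8901410321111111112 HTTP/1.1" 200 71
203.0.113.9 - - [10/Jun/2010:09:00:03 -0400] "GET /device/lookup?iccid=8901410321111111113 HTTP/1.1" 200 75
203.0.113.9 - - [10/Jun/2010:09:00:03 -0400] "GET /device/lookup?iccid=8901410321111111114 HTTP/1.1" 404 19
203.0.113.9 - - [10/Jun/2010:09:00:03 -0400] "GET /device/lookup?iccid=8901410321111111115 HTTP/1.1" 404 19
198.51.100.7 - - [10/Jun/2010:09:00:04 -0400] "GET /device/lookup?iccid=8901410321111111111 HTTP/1.1" 200 73
203.0.113.9 - - [10/Jun/2010:09:00:04 -0400] "GET /static/logo.png HTTP/1.1" 200 4102
"""


def parse_clf(line: str) -> Optional[dict]:
    """Splits one Common Log Format line; returns None for anything else."""
    m = CLF.match(line)
    if not m:
        return None
    client, method, target, status, size = m.groups()
    return {"client": client, "method": method, "target": target,
            "status": int(status), "size": size}


def lookups_per_client(log_text: str) -> Dict[str, Dict[str, int]]:
    """Per client, every distinct identifier it queried on the lookup path and
    the status the server last answered with for that identifier."""
    out: Dict[str, Dict[str, int]] = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if parts.path != LOOKUP_PATH:
            continue
        for value in parse_qs(parts.query).get(ID_PARAM, []):
            out[rec["client"]][value] = rec["status"]
    return out


def longest_sequential_run(ids: Iterable[str]) -> int:
    """Length of the longest run of consecutive integers among the numeric
    identifiers; an enumerator's fingerprint is a long run, not just volume."""
    nums = sorted({int(i) for i in ids if i.isdigit()})
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b - a == 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text: str, min_distinct: int = 3,
                     min_run: int = 3) -> Dict[str, dict]:
    """Clients that queried many distinct identifiers or walked them in
    sequence, with how many lookups actually returned a record (the leak)."""
    flagged: Dict[str, dict] = {}
    for client, queried in lookups_per_client(log_text).items():
        run = longest_sequential_run(queried)
        if len(queried) >= min_distinct or run >= min_run:
            hits = sum(1 for status in queried.values() if status == 200)
            flagged[client] = {"distinct": len(queried),
                               "sequential_run": run, "hits": hits}
    return flagged


if __name__ == "__main__":
    for client, info in flag_enumerators(SAMPLE_LOG).items():
        print(client, info)
```

On a real log the sequential-run test is the more useful of the two: a NAT gateway with a thousand subscribers behind it can legitimately produce many distinct identifiers, but it will not produce them in ascending order, and the `hits` count is what tells the incident responder how many records actually went out the door.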
pandora
Premium
join:2001-06-01
Outland
kudos:2
said by Rekrul:

First of all, you can't "steal" digital information, you can only copy it. Second, they didn't "hack" anything. All they did was change the numbers in the URLs.

Are you saying all information can't be stolen, just copied? For example, if someone obtained ALL your personal information, copied it as you say, then published it, you'd not be a victim of any crime?

No one could be prosecuted for publishing your social security number, bank number, all passwords to all your accounts, as they were only "copied"? Can someone "copy" from any webcam or cameras you have in your home and publish those videos as well??
--
Congress could mess up a one piece jigsaw puzzle.

dib22

join:2002-01-27
Kansas City, MO

1 recommendation

A better analogy would be that you paid a hotel to rent you a room, the hotel manager then placed the register on the front door, and then prosecuted the person who stopped and looked at who was staying.

How dare he look at the information posted publicly at the front door?

winsyrstrife
River City Bounce
Premium
join:2002-04-30
Brooklyn, NY

In related news

Karl Bode, of the popular technology website, DSL Reports, is being held under suspicion of illegal activities, for expressing sympathies in relation to the questionable activities of the Goatse Security group.

AT&T, the NSA and the FBI are taking Karl's words with all seriousness. "We were none too pleased to have our hypocrisy highlighted." The NSA was heard to say. "Do as we say, not as we do."
--
"Suddenly everything is fainting, falling from a broken ladder's rung. There's a jolt exhilarating from the phone I'm holding...
I hear the words of what I'll become, how eager the hands that reach for love."
- Blind Melon - New Life
old_wiz_60

join:2005-06-03
Bedford, MA

Simple matter.

Money... the hacker didn't have the resources to bribe Congress, the DOJ, and the FCC. When the government or their agents commit a crime, it is acceptable in the name of "national security". The DOJ and FCC and the other government groups know they don't have to worry about silly things like the constitution or laws on the books.

The hacker was pretty obnoxious in court; he obviously didn't have an expensive lawyer to shut him up.

WHT

join:2010-03-26
Rosston, TX
kudos:5

Changing URLs?

Many times I encounter a discussion group where the URL shows something like "discussions/May_2009.html" or products/thingy#1.html. I'll reenter the URL as simply "discussions" or "products" to go up one level.

It's a slippery slope when that is considered "hacking".

MxxCon

join:1999-11-19
Brooklyn, NY

Re: Changing URLs?

If you make a site's owner look bad, that means it's "hacking" and you deserve 41 months in prison, 3 years probation and restitution of $73k.
--
[Sig removed by Administrator: signature can not exceed 20GB]

Rogue Wolf
Mourns the Loss of lilhurricane

join:2003-08-12
Troy, NY

1 recommendation

Are we surprised?

Fortune may favor the bold, but the law favors he with the pricier lawyers. Even better if you can afford access to the halls of power- then just get the law changed in your favor!
--
I may have been born yesterday, but I've spent all afternoon downtown.

MxxCon

join:1999-11-19
Brooklyn, NY

Can you count?

All this "hacker" did was increment by one a number at the end of AT&T's PUBLIC URL.
Use a company's public API = 41 months in prison, 3 years probation and restitution of $73k.
Let that be a lesson to you folks, do not do anything to help make AT&T make more money.

Corporate America trying to destroy anybody and everybody that makes them look bad.
--
[Sig removed by Administrator: signature can not exceed 20GB]
Chubbysumo

join:2009-12-01
Superior, WI

Re: Can you count?

said by MxxCon:

All this "hacker" did was increment by one a number at the end of AT&T's PUBLIC URL.
Use a company's public API = 41 months in prison, 3 years probation and restitution of $73k.

I can get less time for murder. If I'm gonna go to prison, it sure as hell won't be over trumped-up hacking charges. The problem is that the CFAA allows the government to convict nearly anyone who typed in a wrong URL and pissed off the wrong people.

txpatriot

@texas.gov

Sympathy for sociopaths

For the life of me I'll never understand why the tech community shows so much love for sociopaths like this guy.

I know not EVERYONE thinks of him as a hero, but a disturbing number of people do.
ConstantineM

join:2011-09-02
San Jose, CA

ridiculous verdict

I once spoke to a detective of a local police agency about a stolen phone. He told me that the thieves disable GPS tracking by disassembling the phone and physically disconnecting the GPS chip. (I guess he must have never heard of anything like aGPS.)

If these kinds of people work these jobs, no wonder we get these results. Not sure what the solution is, but understaffing and huge budget cuts in most non-federal governments, plus the job security of federal employees and the fame-seeking of the prosecutors, probably don't help the case at all.

It's appalling that someone like George Shirakawa Jr, a corrupt politician with a gambling addiction, will be getting a much smaller sentence than these security researchers and activists.