AT&T/iPad Data Thieves Arrested
Fraud and conspiracy to access a computer without authorization
Back in June of 2010 hackers infiltrated AT&T servers and obtained the e-mail addresses and ICC-IDs for more than 120,000 iPad owners -- many of them high-level politicians or military personnel. The AT&T website flaw responsible was found by a group calling itself Goatse Security, who you'll recall fired a few shots at AT&T at the time, claiming the carrier didn't disclose the vulnerability in a suitable period of time. Today federal prosecutors in New Jersey announced the arrest of two individuals: Daniel Spitler of San Francisco and Andrew Auernheimer of Fayetteville. Both men face charges of fraud and conspiracy to access a computer without authorization.

Bill Neilson
Premium Member
join:2009-07-08
Alexandria, VA

Bill Neilson

Premium Member

In response, AT&T issued a statement today

telling customers that because of the arrest, all AT&T consumers will be billed $5 more per month for future security.

"Consumers win when they pay more," says Dan Douchebag, AT&T rep. "We feel that consumers enjoy paying more to us knowing that we are thus upgrading their networks making it super-duper!"

Augustus III
If Only Rome Could See Us Now....
join:2001-01-25
Gainesville, GA

Augustus III

Member

goatse

security. never gets old. goatse

after that is out of their way, these 2 are destined for a lifetime of job security.

Minimoh
@162.1.129.x

Minimoh

Anon

Re: goatse

When these 2 go to prison, they will learn the true meaning of infiltration
Lazlow
join:2006-08-07
Saint Louis, MO

Lazlow

Member

Re: goatse

Hopefully these two will see minimal time (if any) in a minimal security facility.
gigante
Premium Member
join:2000-06-30
Anchorage, AK

gigante

Premium Member

Re: goatse

Maybe in a federal pound-me-in-the-goatse prison.
fiberguy2
My views are my own.
Premium Member
join:2005-05-20

fiberguy2 to Lazlow

Premium Member

to Lazlow
said by Lazlow:

Hopefully these two will see minimal time (if any) in a minimal security facility.

I'd normally agree with you. These guys COULD have been doing the public a favor by exposing the "gaping hole" in at&t's system - and they did. However, where they went too far is by then contemplating on what to do with the data they stole.. ie: sell it for spam, etc.

Now, the big question I have is, how much is at&t going to have to pay for THEIR negligence? Answer - nothing. This is a total shame.

I'm not an "evil corporation" person one bit, however, at&t knew about this and chose to do nothing about it.

blueeyesm
join:2003-09-05
Waterloo, ON

blueeyesm

Member

Re: goatse

I'd say the pair went too far by stealing the data to begin with, rather than the contemplation...

Corrahn
join:2004-08-09
Maumelle, AR

Corrahn

Member

NOU

Damn the man.

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

FFH5

Premium Member

Hackers? White hat; black hat; others?

Those who break in to computer systems tread on thin ice legally. Claiming good intentions (like the Goatse crew) doesn't carry much weight with those being violated.

Only White Hat hackers hired by the target companies to test security are on firm legal ground.

Those who do it on spec and look for rewards from the targets AFTER the attack, to me sounds more like shakedown artists than a legitimate company. And there are too many of these so-called security groups on the internet.

And, of course, the black hat hackers who are either rogue anarchists themselves or working for criminal organizations are the worst of the lot.

In any case, the Goatse hackers will get to try and prove they are really just rogue good guys with wonderful intentions in court.

Harddrive
Proud American and Infidel since 1968.
Premium Member
join:2000-09-20
Fort Worth, TX

1 recommendation

Harddrive

Premium Member

Re: Hackers? White hat; black hat; others?

isn't that just stupid of them?
kinda like this...

i got onto a secure Military base. went straight to the military police building and told them how bad their security is. why am i being arrested?
i dialed into a health organization server maintenance line and telnet'ed over to some patients' information servers. i called them up and told them of the security flaw. why is the FBI knocking on my door?

doing something wrong to point out someone's flaws will only get you in trouble.
Lazlow
join:2006-08-07
Saint Louis, MO

Lazlow

Member

Re: Hackers? White hat; black hat; others?

The problem is that most organizations will not fix their security until they are embarrassed into doing so. ATT knew for months about this issue and chose to leave their customers exposed. Unfortunately this is the norm for most companies rather than an oddity. While I would not do what people like this do, I do see how it is in the public interest that someone does do it.

Edit: The hackers response from back in June:

»security.goatse.fr/a-res ··· s-letter

Harddrive
Proud American and Infidel since 1968.
Premium Member
join:2000-09-20
Fort Worth, TX

1 recommendation

Harddrive

Premium Member

Re: Hackers? White hat; black hat; others?

maybe there should be some Government-based agency that these types of folks can go blow the whistle on corporate entities that fail to secure their networks.
Lazlow
join:2006-08-07
Saint Louis, MO

Lazlow

Member

Since no one seems to want to bother to check the link:

"When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost."

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

FFH5

Premium Member

Re: Hackers? White hat; black hat; others?

said by Lazlow:

Since no one seems to want to bother to check the link:

"When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost."

And you take everything posted by a hacker at face value? Forgive me for my skepticism about their intentions. I guess a jury will get to determine the value of those claims.
Lazlow
join:2006-08-07
Saint Louis, MO

Lazlow

Member

Re: Hackers? White hat; black hat; others?

If they had bad intentions they would have done it in March. But instead they informed Apple and ATT. Apple fixed their end almost immediately. A couple of months later ATT had still done nothing. To prove how easily it could be done, they did it and showed it to a reporter. Now if they had wanted to do something bad would they have informed Apple and ATT in the first place or bothered to tell a reporter? No they would have just taken advantage of the information and kept their mouth shut.

dib22
join:2002-01-27
Kansas City, MO

dib22

Member

Re: Hackers? White hat; black hat; others?

said by Lazlow:

A couple of months later ATT had still done nothing.

How could they monetize it... that is the only way to get ATT to react to anything quickly.

packetscan
Premium Member
join:2004-10-19
Bridgeport, CT

packetscan to FFH5

Premium Member

to FFH5
said by FFH5:

said by Lazlow:

Since no one seems to want to bother to check the link:

"When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost."

And you take everything posted by a hacker at face value? Forgive me for my skepticism about their intentions. I guess a jury will get to determine the value of those claims.

"U.S. Attorney Paul Fishman said there was no evidence the two men used the information they acquired for criminal purposes."
»online.wsj.com/article/S ··· 456.html
Austinloop
join:2001-08-19
Austin, TX

Austinloop to Lazlow

Member

to Lazlow
Sure glad you accept the word of someone who violates the law and breaks into other people's, or company's property. A maximum sentence would be nice.

JasonOD
@comcast.net

JasonOD to Harddrive

Anon

to Harddrive
There is a precedent for security researchers to publish flaws after notification and a waiting period and not being arrested, but breaking into or inadvertently crossing into restricted areas is always against the law.
Austinloop
join:2001-08-19
Austin, TX

Austinloop

Member

Re: Hackers? White hat; black hat; others?

Hopefully, those two will get a vacation at a federal institution and develop a relation with a big guy named Bubba.

Harddrive
Proud American and Infidel since 1968.
Premium Member
join:2000-09-20
Fort Worth, TX

Harddrive

Premium Member

Re: Hackers? White hat; black hat; others?

lol. i'd love to see that happen.

Corrections Officer: 'so, why are you here?'
Inmate 1: 'i slaughtered a family of five and then stole their BMW for 3 days.'
Inmate 2: 'well i raped 10 women and was working on number 11 when they caught me.'
Inmate 3: 'i was building a bomb to blow up my former employer's home.'

Corrections Officer: 'hey you.. Mr. Quiet, why are you here?'
Inmate 4: 'i stole iPad email addresses from AT&T.'

after a considerable amount of silence...
Corrections Officer: 'Well i guess it's time to assign cell mates.'
Inmates 1, 2, & 3 all say at the same time, 'Do we get to pick?'
chgo_man99
join:2010-01-01
Sunnyvale, CA

chgo_man99

Member

Re: Hackers? White hat; black hat; others?

said by Harddrive:

lol. i'd love to see that happen.

Corrections Officer: 'hey you.. Mr. Quiet, why are you here?'
Inmate 4: 'i stole iPad email addresses from AT&T.'

after a considerable amount of silence...
Corrections Officer: 'Well i guess it's time to assign cell mates.'
Inmates 1, 2, & 3 all say at the same time, 'Do we get to pick?'

Corrections Officer: hey you, another there, why are you here?

inmate 5: "I hacked into my cheating wife's email"

»www.nydailynews.com/news ··· far.html

mikepd
Discovery
Premium Member
join:2000-10-26
New Port Richey, FL

mikepd

Premium Member

Re: Hackers? White hat; black hat; others?


Reading other people's mail is against federal law regardless if the law is actually enforced. The fact that a prosecutor decides to go after someone is their bad break.

»wiki.answers.com/Q/Is_op ··· _a_crime

dib22
join:2002-01-27
Kansas City, MO

dib22

Member

Re: Hackers? White hat; black hat; others?

They didn't read it... they discovered a seriously bad security model that att was using on a server to tie people's email addresses with their ipad sim card (if i remember the original information about this correctly).

The news keeps saying they 'hacked their email' when in fact I am not sure they even 'hacked' anything...they sent a request to an att server, that is on the internet, and it gave them an address back.
Lazlow
join:2006-08-07
Saint Louis, MO

Lazlow to JasonOD

Member

to JasonOD
Which if you had read the posted link, you would know had already been done. While I agree it was against the law, I think what they did was in the public interest.

As far as I have seen all they asked of ATT was for them to fix the flaw (in reference to the blackmail statement elsewhere).

SimbaSeven
I Void Warranties
join:2003-03-24
Billings, MT
·StarLink

SimbaSeven to Harddrive

Member

to Harddrive
said by Harddrive:

i got onto a secure Military base. went straight to the military police building and told them how bad their security is. why am i being arrested?
i dialed into a health organization server maintenance line and telnet'ed over to some patients' information servers. i called them up and told them of the security flaw. why is the FBI knocking on my door?

doing something wrong to point out someone's flaws will only get you in trouble.

Not really. Sure, he'll be questioned and probably released. The person who is supposed to be a "watch" will probably get his CO's ass chewed out by the base CO and we all know how sh*t rolls downhill.

Now, if it was that easy for him to get on base in the first place.. Imagine how easy it would be for a terrorist to plant a bomb anywhere on the base and set it off without being detected.

i1me2ao
Premium Member
join:2001-03-03
TEXAS

i1me2ao to Harddrive

Premium Member

to Harddrive
it is all about image not substance..

KrK
Heavy Artillery For The Little Guy
Premium Member
join:2000-01-17
Tulsa, OK
Netgear WNDR3700v2
Zoom 5341J

1 recommendation

KrK to Harddrive

Premium Member

to Harddrive
said by Harddrive:

doing something wrong to point out someone's flaws will only get you in trouble.

Hmmm. Doesn't seem to apply to politicians or campaigns, however. There it gets you richly rewarded and re-elected into office.

Augustus III
If Only Rome Could See Us Now....
join:2001-01-25
Gainesville, GA

1 recommendation

Augustus III to Harddrive

Member

to Harddrive
said by Harddrive:

isn't that just stupid of them?
kinda like this...

i got onto a secure Military base. went straight to the military police building and told them how bad their security is. why am i being arrested?
i dialed into a health organization server maintenance line and telnet'ed over to some patients' information servers. i called them up and told them of the security flaw. why is the FBI knocking on my door?

doing something wrong to point out someone's flaws will only get you in trouble.

correct. the trick is to capitalize on the situation and buy yourself a nice yacht. that's what the smart ones do.

after all, you will be called a criminal in both cases
chgo_man99
join:2010-01-01
Sunnyvale, CA

chgo_man99 to FFH5

Member

to FFH5
what they were doing was just not breaking the law on computer security but sorta scaring/blackmailing att.


packetscan
Premium Member
join:2004-10-19
Bridgeport, CT

packetscan to FFH5

Premium Member

to FFH5
said by FFH5:

Those who break in to computer systems tread on thin ice legally. Claiming good intentions (like the Goatse crew) doesn't carry much weight with those being violated.

Only White Hat hackers hired by the target companies to test security are on firm legal ground.

People are saying "break into" as if they did something. However if we go back to the original story when it was happening, AT&T had made a mistake and left a hole in their site so large you could drive a train through. Had they not reported this problem who would have? Maybe we would have found out about it after our government systems were compromised by foreign governments.

Companies for the most part do not take security seriously and in the end stupid shit like this happens. An AT&T engineer or engineering team made a series of bad choices and now these researchers are possibly facing jail time.

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

FFH5

Premium Member

Goatse hackers outed by mole in their group:

»arstechnica.com/apple/ne ··· hack.ars

50 pages of IRC chat logs between Auernheimer, Spitler, and other members of a self-professed "troll" group known as Goatse Security. Those chat logs, turned over to the FBI by an unnamed confidential source, reveal that the group (Auernheimer in particular) wanted to "embarrass" AT&T publicly over the security flaw they discovered and make the stock price go down in order to troll the company. Auernheimer also attempted to spin the story in the press and attempt to paint Goatse Security as a legitimate data security company, and later attempted to destroy evidence after it was announced that the FBI planned to investigate the matter.

In early June, Spitler discussed with the group how they might use the information. "I don't see the point unless we phish for passes even then that's boring," he wrote. Other members of the group suggested mining the e-mail addresses to sell to spammers "for thousands," or leaking the addresses to the press to "tarnish AT&T."

Auernheimer then helped Spitler refine his script to harvest a large number of valid e-mail addresses of iPad 3G users, suggesting that a huge data set would be needed to "direct market iPad accessories" or start a "future massive phishing operation," noting that the data breach would be "huge media news."

"[A]t this point we won. we dropepd [sic] the stock price," Auernheimer wrote. "[L]et's not like do anything else we f**king win and i get to like spin us as a legitimate security organization."

I guess they are black hat hackers after all - condemned out of their own mouths.

dib22
join:2002-01-27
Kansas City, MO

dib22

Member

Re: Hackers? White hat; black hat; others?

said by FFH5:

I guess they are black hat hackers after all - condemned out of their own mouths.

Maybe... I mean if you used casual bar talk, for example, you could most likely bring charges against a large number of people... but bragging and talking smack in a bar doesn't mean you really intend to do such things. At least in a bar there would be witnesses... IRC chat logs are not very easy to authenticate.

KrK
Heavy Artillery For The Little Guy
Premium Member
join:2000-01-17
Tulsa, OK

KrK

Premium Member

I thought it was about AT&T and Apple execs going to jail..

...but it's about the third party thieves.... not the first party ones.

AnonoCoward
@clearwire-wmx.net

AnonoCoward

Anon

Seem Familiar?

This seems like a classic example of the Streisand Effect, or to the Canadian audience, the Bubble Effect. If AT&T/Apple (AppleT&T) would have responded to the vulnerability and worked with goatse to patch it quickly and effectively, very few people would know about it. Instead, they LET it happen, decry how much harm these evil hackers do, then raise rates / demand more US government money.

Without a doubt they will take a tax deduction for "increasing security measures". AppleT&T looks tough on hackers, the "bad guys" are put away, and all is safe once more in La-La land.

wierdo
join:2001-02-16
Miami, FL

wierdo

Member

excuse me?

It disturbs me greatly that merely accessing a URL can now be a criminal offense.

Does this mean it's a crime to access a webcam you don't know to be listed in a directory somewhere? Or what if I get a directory index out of apache and access a file sitting on a webserver that's not linked from any HTML page?

What exactly is the crime here?