User Faces Five Years Prison for AT&T iPad Hack
IRC Logs Play Starring Role in Hurting "Security Researchers"
by Karl Bode 09:02AM Monday Nov 26 2012
Back in 2010, you might recall that a security hole in AT&T's website allowed a hacker to gain access to the e-mail addresses of 114,000 owners of 3G Apple iPads, including "dozens of CEOs, military officials, and top politicians." A group calling itself Goatse Security at the time claimed responsibility for the hack, which in addition to e-mail addresses resulted in the group obtaining user ICC-IDs -- used to identify their specific iPad on the AT&T network.

The vulnerability was originally shared with Gawker. Two individuals wrote a simple script that would allow any user to convince the AT&T website to fire off e-mail addresses if a user simply entered an iPad ICC-ID -- which were stored in simple numerical order. Daniel Spitler, 26, cooperated with the government and pleaded guilty to one count of conspiracy to gain unauthorized access to computers and one count of identity theft. Andrew Auernheimer was found guilty last week and faces five years in prison.

The two claimed to be security researchers, but private chat logs provided to law enforcement show the two discussed wreaking havoc and potentially damaging AT&T's reputation and stock:
quote:
prosecutors say his interest went beyond concern about the security of customer data. According to the criminal complaint, a confidential informant helped federal authorities make their case against the two defendants by providing them with 150 pages of chat logs from an IRC channel where, prosecutors said, Spitler and Auernheimer admitted conducting the breach to tarnish AT&T’s reputation and promote themselves and Goatse Security.
One problem is that the Computer Fraud and Abuse Act (CFAA) used to prosecute Auernheimer is incredibly murky as to whether what Auernheimer and Spitler did was actually a crime, but still a jury was sold on the idea. The jury also apparently wasn't swayed by the idea that AT&T deserved significant blame for a poorly secured website and iPad ICC-IDs stored in simple numerical order. Auernheimer plans to appeal the ruling.


FFH5
Premium
join:2002-03-03
Tavistock NJ
kudos:5

Security Researchers? or really just hackers?

Too many so-called security researchers are just hackers until they get caught. Then they start claiming to be researchers. Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an ok 1st makes you a hacker and not a researcher.
--
A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the public treasury.

ArrayList
netbus developer
Premium
join:2005-03-19
Brighton, MA
Reviews:
·RCN CABLE
·Comcast

Re: Security Researchers? or really just hackers?

The difference between IT security research and hacking is that one gets caught and the other doesn't. This was a grey hat job; if it had been black hat, AT&T would have never known about it.

IMO, AT&T was really lucky here. They could have been left in the dark for a very long time about this issue. They should be grateful that the scope of the problem was contained.
kaila

join:2000-10-11
Lincolnshire, IL
said by FFH5:

...Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an ok 1st makes you a hacker and not a researcher....

Not sure that would guarantee one from prosecution, even if given permission....
Skippy25

join:2000-09-13
Hazelwood, MO
I would agree somewhat but would require that to be considered a hacker you must exploit it for personal gain and not give the company a chance to fix it. Both of which were violated by these 2 individuals.

If you "hack" a system privately (permission or not), inform them of such and provide them a reasonable time to fix it and they don't, that is on them if you then make it public. That is providing a public service.

You stating the only legitimate security is if you are hired is pure BS. Most companies will not put the money into finding them and even more won't admit it is there and fix it until they are forced to. Thus, it is a public service unless they are extorting the company or trying to use it for personal gain in some way.

Mizzat
Will post for thumbs
Premium
join:2003-05-03
Atlanta, GA
kudos:1

Re: Security Researchers? or really just hackers?

The problem with your definition is that it isn't the definition in the law. It is an unauthorized connection to a computer. Did you get permission to access the computer dslreports.com is on? No? Well you're in violation of the same law. One could argue that it is publicly accessible, well so was the information they got. It's a poorly written law, but they "hackers" could have conducted themselves better. Also, from what I read, they did contact AT&T prior to leaking it to Gawker.
Skippy25

join:2000-09-13
Hazelwood, MO

Re: Security Researchers? or really just hackers?

I would agree accessing data would be unlawful, finding a vulnerability by "hacking" is not.

It is one thing to discover an open door, it is another to enter it. Sorry if I was not clear in what I wrote.

In my personal opinion, the internet is a much safer place because of rogue hackers that do it just to do it and not exploit. I welcome and thank them.

It is the morons like these 2 that try to game the system for exploitation that I think should be lined up in front of a small hole they just dug.

Anonymous_
Anonymous
Premium
join:2004-06-21
127.0.0.1
kudos:2
Reviews:
·Time Warner Cable

Re: Security Researchers? or really just hackers?

said by Skippy25:

I would agree accessing data would be unlawful, finding a vulnerability by "hacking" is not.

It is one thing to discover an open door, it is another to enter it. Sorry if I was not clear in what I wrote.

In my personal opinion, the internet is a much safer place because of rogue hackers that do it just to do it and not exploit. I welcome and thank them.

It is the morons like these 2 that try to game the system for exploitation that I think should be lined up in front of a small hole they just dug.

I found a bug on a website from a major company that allowed me to re-log in (to my user id) to the site without entering my password. The vulnerability only worked if you had physical access to your computer. I promptly notified the said company and they fixed it.
jvanbrecht

join:2007-01-08
Bowie, MD
That is not always the case. Not all real security researchers have any sympathy for their targets. Many believe in full disclosure. They are not required to notify the affected entities. That is just a common courtesy.

In this case however, it appears the researchers were just asshats intent on causing harm.

Just because they are hackers/asshats, does not make their actions any different from the thousands of others who call themselves researchers.
nonymous
Premium
join:2003-09-08
Glendale, AZ
said by FFH5:

Too many so-called security researchers are just hackers until they get caught. Then they start claiming to be researchers. Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an ok 1st makes you a hacker and not a researcher.

Depends on what you are doing. I have just stumbled upon flaws occasionally without even trying. So there is no way I would have prewarned anyone as I was not even trying to find the flaw it was just there.

FFH5
Premium
join:2002-03-03
Tavistock NJ
kudos:5

Re: Security Researchers? or really just hackers?

said by nonymous:

said by FFH5:

Too many so-called security researchers are just hackers until they get caught. Then they start claiming to be researchers. Real security researchers would contact the company ahead of time and notify the target about what they are doing. Failure to get an ok 1st makes you a hacker and not a researcher.

Depends on what you are doing. I have just stumbled upon flaws occasionally without even trying. So there is no way I would have prewarned anyone as I was not even trying to find the flaw it was just there.

Coming across a flaw accidentally is not hacking. But given the laws as they are about hacking, it would make me leery about reporting it or telling anyone about it. Legally you are completely in the clear, but if someone at a corporation wants to be a jerk, you might have to spend money on lawyers to prove your innocence.
--
A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the public treasury.

ArrayList
netbus developer
Premium
join:2005-03-19
Brighton, MA

What's the lesson here?

DON'T LET THEM KNOW YOU WERE SUCCESSFUL.

yaplej
Premium
join:2001-02-10
White City, OR

Deter "white hats"?

Will this serve as a deterrent for "white hat" hackers from bringing forward or publishing any security holes they find? I'm sure someone else had already found the hole and been exploiting it for other purposes.

AT&T should have been alerted privately with a disclosure of their intent to publicly announce the security issue within x days. Sending a formal letter certified would have probably been enough evidence in their defence that they warned AT&T about the issue and allowed them time to fix the issue.

Even if they were going to publish the findings willfully knowing it could cause financial damage to AT&T that should not be grounds for criminal charges. What protections should any organization have against open publication of any discovered security issues?

Honestly though it seems like something that probably shouldn't have been shared with your 30 some hacker friends online that you really don't know. That makes your intentions look a little more shady.
--
sk_buff what?

Open Source Network Accelerators
»www.trafficsqueezer.org
»www.opennop.org

jc100

join:2002-04-10

Re: Deter "white hats"?

....or continued to exploit the problem to collect 114,000 emails. Then go public with the issue after sharing with his friends. Even if his intent wasn't nefarious, no one knows about everyone else involved.

Either he should have notified ATT immediately, kept his mouth shut and sold the emails anonymously, or gave them to wikileaks. I'd pick "A" and probably get a nice little bonus from ATT for doing them a huge favor and not going to the "Media".
jc100

join:2002-04-10


Read and Inciteful Comment on Story

I was sympathetic to the individual (Why Must ALL MUGSHOTS look like you're some Terrorist or Drug Addict?), until someone brought up a good point.

When he discovered the exploit, instead of reporting the problem, he continued exploiting the hole. He managed to collect 114,000 Emails. It's irrelevant if he USED THEM nefariously or not. That's only going to factor into his sentencing. What the man did was illegal (Sorry Buddy You aren't ATT with the Patriot Act on Your side Only our Government and their cronies can wrongfully collect information.). Thus, by the double standards we live by here, he's guilty. Five Years guilty? I'd hope not, but guilty as he didn't report the problem.

He'd been better off letting them know immediately, keeping his trap shut and selling the information anonymously, or handing it over to wikileaks. Instead, he commits a crime and has a change of heart that then lands him in hot water after he confesses to the world.
Wilsdom

join:2009-08-06

Re: Read and Inciteful Comment on Story

Illegal to possess email addresses? To possibly "embarrass" a company? I don't think what he did qualifies as "hacking".
jc100

join:2002-04-10

Re: Read and Inciteful Comment on Story

It's not illegal to possess the emails. It's the act in which he acquired the emails that constitutes breaking the law. Instead of reporting the problem, the man continued to exploit the issue.

Here's an example. Let's use Pinto. The makers knew the car had a fault that may cause an explosion. Instead of rectifying the problem, the company continued to ignore the issue and plead ignorance. Like the man above, both used the ignorance plea to their advantage.

It's not as if he couldn't have picked up the phone to call ATT and notify them. Heck, he could have even gone to the Media and made $$$ off it and still been in the clear. Instead, he continued to use the script to extract 114,000 emails and tell his buddies.

Unwise.
Wilsdom

join:2009-08-06

Re: Read and Inciteful Comment on Story

Difference is that in your example Pinto is the one acting negligently. Punishing an independent mechanic for not reporting the problem would be ridiculous, even if they told a "confidential informant" that they are looking forward to people dying.
jc100

join:2002-04-10

Re: Read and Inciteful Comment on Story

Actually, you're wrong. If a Mechanic is aware that a certain part is faulty and continues to use the item, he or she may be liable. Let's give the example of tires. Say the Mechanic has repeated complaints about a tire blowing out and ignores the customer.

Said Mechanic fails to notify company of complaints, and a customer dies. If the family finds out the Mechanic didn't take due diligence and let the manufacturer know the part he received were faulty, then he MAY be liable, too.

Ignorance is not an excuse to ignore one's duties.

MooJohn

join:2005-12-18
Milledgeville, GA
kudos:1
Reviews:
·Windstream

He didn't *hack* anything

I agree -- he simply figured out that he could enter numbers and get the user that corresponded to it. At no time did he access any portion of the website not normally available to the public. He didn't use SQL injection or probe the site for existing vulnerabilities. He simply put some numbers into a box and hit SUBMIT! What mad l33t skillz!

The law about "unauthorized access" is too vague. The worst he did was violate their TOS and embarrass them for having made such a stupidly poor site. Oh, and don't forget he went to IRC to brag about it -- that's the double death!
--
John M - Cranky network guy
jc100

join:2002-04-10


Re: He didn't *hack* anything

I'm not denying there's a gray area here, but the actions following his exploit were what made them criminal. Instead of going to ATT, he bragged to friends and seemed intent on possibly harming ATT. None the less, he might win on appeal due to the vagueness of the law.

None the less, his actions were borderline criminal if not criminal. It doesn't matter if he used SQL injection or script kiddy code. The end result was the same. ATT had a flaw, with said individual exploiting the flaw.

Your argument is like a person leaving a possession on their front porch and then justifying the stealing of the item. Even if I leave money sitting out in plain sight, it's still theft if you take it off my property. It doesn't matter if you are a career criminal or opportunistic. You've committed the same act of theft.

MooJohn

join:2005-12-18
Milledgeville, GA
kudos:1
Reviews:
·Windstream

He didn't *steal* anything either

No one was deprived of anything. He obtained a list of owners' email addresses -- oh the humanity!

If he tried to extort them or cause financial harm, charge him with that. To say his access was criminal simply because he typed things into the box that they didn't expect and it spit out information is ludicrous.

»imgs.xkcd.com/comics/exploits_of_a_mom.png
--
John M - Cranky network guy
jc100

join:2002-04-10

Re: He didn't *steal* anything either

Your literacy skills need a bit of fine tuning. HE DID talk about exploiting the email addresses. That's where the FBI came in.
dynodb
Premium,VIP
join:2004-04-21
Minneapolis, MN

Blaming the victim

The jury also apparently wasn't swayed by the idea that AT&T deserved significant blame for a poorly secured website and iPad ICC-IDs stored in simple numerical order. Auernheimer plans to appeal the ruling.
Ah, yes- the old "She was asking for it by dressing so sexy and besides, she didn't fight back hard enough" defense.

Let's stop pretending that any of these guys are somehow doing society a favor by revealing security flaws. They're the reason so much is spent on security in the first place. It's like arguing that a burglar did you a favor in trashing your house because they showed how weak your lock is.

They're hacker scum. Throw away the key.
Austinloop

join:2001-08-19
Austin, TX
kudos:1

Re: Blaming the victim

I have to agree. The idea that AT&T deserved...... goes right along with it is probably okay to go into my home thru an open door and help yourself because I left the door open.
Wilsdom

join:2009-08-06

Re: Blaming the victim

Except ATT's site is public, and nothing was stolen. So it's more like walking into a store whose door is unlocked and being arrested because the store is "closed".
Austinloop

join:2001-08-19
Austin, TX
kudos:1

Re: Blaming the victim

Yes, I believe that it is called trespassing in your example. Are you sure that the site the hacker was hacking was a public site? By your definition, nothing was stolen, just a little over 100,000 email addresses.

Just hacker scum trying to alibi their activities. No sympathy for them at all.

tshirt
Premium,MVM
join:2004-07-11
Snohomish, WA
kudos:5
Reviews:
·Comcast
What AT&T deserves is to lose customers/be fined for such a poor job of securing personal data (an actual legal requirement).
That however does not excuse this pair's actions; discovering the hole wasn't necessarily illegal but continuously exploiting it beyond a basic "can I reproduce it?" might be, and discussing and eventually trying to crash the stock definitely is.
Not promptly disclosing it to the company once they understood its importance removes any chance of being classified a Researcher, and the long delay and eventual disclosure method bring Hacking with criminal Intent into play.

not

@comcast.net

Misleading Title

Title of this article is a bit misleading.

Could be read as to mean a simple iPad hack on an AT&T iPad. You know, something as simple as a jailbreak of the device. Since tablets aren't included in the jailbreak safety protection that covers phones, one could think this article is about someone getting 5 years for jailbreaking their iPad.

nonamesleft

join:2011-11-07
Manitowoc, WI

Really?

What about att's illegal warrantless wiretapping, and helping the government to break the law?
I think he should ask for immunity, since it's the cool thing to do.

tshirt
Premium,MVM
join:2004-07-11
Snohomish, WA
kudos:5

Re: Really?

However the gov't didn't ask/insist they do it, as in AT&T's case.
funny0

join:2010-12-22

jhcjhsagdhsag

and if i live on the moon you can't get me you ain't going to it
me and the chinese and indians are having a dvdr swap meet
Heck might invite the russians too....
USA is not invited...