
Hacker involved in AT&T iPad 3G e-mail breach sentenced to 41 months in jail - Page 2

post #41 of 65
The idiot at AT&T that didn't do anything to secure the email addresses should get the 41 months.

This guy is not a hacker. Script kiddy at best. They can surely find something legitimate to put this guy away for a little while and he probably deserves that. This however sets such a bad precedent. You didn't even need a script to do this as a single CURL command with numeric range wildcards would have done the trick.

The real reason this blew up was because of what it meant to the security of people who were listed. The real fear was that someone was going to figure out how to use the ICC-ID to target the people who were exposed. The list was a who's who of government, defense, and private industry. AT&T didn't protect the identity of these people who were all walking around with 3G iPads who could be identified via their email addresses. So you could electronically tie iPads to specific people.

The moral of the story is to not mess with the man. He can put you away for years even if what you did doesn't amount to anything. They can call you a hacker, terrorist, etc and reality doesn't matter. Perception by people that just don't understand is what you are left with.

He should argue he didn't have a jury of his peers. The people who understand what he actually did cannot believe this has moved forward and now been successful. The guy is a douche, but the precedent is an epic fail.
post #42 of 65
Quote:
Originally Posted by ifyouonlyknew View Post

This guy did what you are doing right now on this forum. For example, if you request http://forums.appleinsider.com/t/156530/ you are brought to this forum. All he did was change the number so instead he requested http://forums.appleinsider.com/t/156531/ and was returned someone else's email address. The problem is AT&T did not have any authorization protection. You did not need any username or password combination to access this. It was open to the entire internet to request at any time. 41 months in jail for requesting a link with a changed number makes no sense, nor did he actually hack anything. AT&T just failed to protect this list by placing some authorization check before returning the data.

It's not 41 months in jail for "requesting a link with a changed number". Rather, it was repeatedly requesting email addresses over and over and then publishing them.

Whether it is fair or not is open to question, but you don't further the discussion by misrepresenting his crime.
Quote:
Originally Posted by christopher126 View Post

I once read the internet speed is slowed down by ~30% because there is so much anti-virus, anti-spyware, etc., needed to protect us from goofballs like this.

See you in 4 years....dude....

I think that spam ought to be a felony for the same reason.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
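What the quoted post describes is an endpoint whose only input is a guessable identifier and whose authorization check is missing. As an added illustration (not AT&T's code and not supplied by any poster), here is a minimal Python model of such a pre-fill lookup beside a hardened variant; the ICC-ID values, the account table, the `Session` type and the response shapes are constructed assumptions.

```python
"""Added example (not AT&T's code): an unauthenticated "pre-fill the e-mail
from the device identifier" lookup next to a hardened variant that only
discloses the address to a session already bound to that device."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: ICC-ID -> account e-mail (hypothetical values).
ACCOUNTS = {
    "89014104212345678901": "alice@example.com",
    "89014104212345678902": "bob@example.com",
}


def icc_id_is_well_formed(icc_id: str) -> bool:
    """Syntactic check only (assumed 19-20 digits). It says nothing about
    who is asking, so it is not an authorization check."""
    return icc_id.isdigit() and 19 <= len(icc_id) <= 20


def vulnerable_prefill(icc_id: str) -> dict:
    """The pattern the thread describes: the only input is a guessable
    identifier, and the response returns the e-mail for every match.
    The 404 on a miss is a second problem: it tells the caller which IDs exist."""
    if not icc_id_is_well_formed(icc_id):
        return {"status": 400}
    email = ACCOUNTS.get(icc_id)
    if email is None:
        return {"status": 404}
    return {"status": 200, "email": email}


@dataclass
class Session:
    """Hypothetical server-side session created by a completed login."""
    user_email: str
    bound_icc_id: str


def hardened_prefill(icc_id: str, session: Optional[Session]) -> dict:
    """Same endpoint with the check the thread says was missing: the
    identifier only decorates a session the caller already owns, and every
    failure path returns the identical empty response (no existence oracle)."""
    if session is None or not icc_id_is_well_formed(icc_id):
        return {"status": 200, "email": None}
    if session.bound_icc_id != icc_id or session.user_email != ACCOUNTS.get(icc_id):
        return {"status": 200, "email": None}
    return {"status": 200, "email": session.user_email}
```

The hardened version never uses the ICC-ID as a credential: the e-mail comes from the session, and the identifier is only checked for consistency with it. An unauthenticated caller gets the same empty answer for every input, whether the ID exists or not.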
post #43 of 65
"I once read the internet speed is slowed down by ~30% because there is so much anti-virus, anti-spyware, etc., needed to protect us from goofballs like this. See you in 4 years....dude...." - Christopher126

This guy just released the public URL for an ATT page that had a list of all iPad cellular users email addresses to the media. That was his "crime." Google did the exact same crime by indexing the page. AT&T was being a dipshit by leaving that info public, and they eventually fixed it. He didn't do any harm to anyone.
post #44 of 65

He exposed that ATT had a public page that had the email addresses for accounts on it to the media. That really shouldn't be a crime.

post #45 of 65
Quote:
Originally Posted by SolipsismX View Post

Seriously though, I wasn't clear. I mean in college courses I took for fun in the last few years.

Ah, ok, for a moment there I thought you were younger than I imagined, from all your insightful posts I couldn't really believe you had internet 'at school'.
How to enter the Apple logo  on iOS:
/Settings/Keyboard/Shortcut and paste in  which you copied from an email draft or a note. Screendump
post #46 of 65
Quote:
Originally Posted by PhilBoogie View Post


Ah, ok, for a moment there I thought you were younger than I imagined, from all your insightful posts I couldn't really believe you had internet 'at school'.

There are those that are both younger and older than I am here, but I remember when I was in school, there was one Apple ][ machine which was shared by about 38 students who made up my class.

post #47 of 65

I'm a little concerned how a court can consider a simple HTTP GET request as hacking. If it isn't illegal to do it once, how exactly is it illegal to do it 100k times? If it is indeed based upon quantity, what is the cutoff between legal and illegal? Without any evidence of intent to disrupt service to others with the numerous requests (DDOS attack), I don't see the crime here. I highly respect the Electronic Freedom Foundation's cause and stance on many cases like this, and am glad they are on the same page with this issue as well. https://www.eff.org/press/releases/eff-joins-andrew-auernheimer-case-appeal

 

If the crime had more to do with publishing the email addresses themselves, then what law was broken? It would seem that Gawker would be more culpable in that regard since they posted them, so why are they not a defendant in this case?

 

This case seems like a serious miscarriage of justice due to technology illiteracy on the part of the court. Hopefully this case sheds some light on the misinterpretations and shortcomings of CFAA, DMCA, and other acts/laws like it.

post #48 of 65
Quote:
Originally Posted by PhilBoogie View Post


Why do you think it was an Android tablet?

 

Just look at him. He fits the fandroid stereotype perfectly¡

post #49 of 65
Quote:
Originally Posted by lkrupp View Post

 

Just look at him. He fits the fandroid stereotype perfectly¡

 

...or one could argue that he looks like the stereotypical tech company founder.

 

post #50 of 65
Quote:
Originally Posted by e_veritas View Post

 

...or one could argue that he looks like the stereotypical tech company founder.

 

 

 

Except for the fact that this is 2013, not 1975.

post #51 of 65
Quote:
Originally Posted by popnfresh View Post

That's exactly what happened. His script inputted ICC-IDs, and the database handed him the email addresses. It was ridiculously easy, not rocket science. AT&T deserved to be bitch-slapped over this. But instead they threw the book at Auernheimer.

I agree that his attorney dropped the ball. But even the prosecution admitted that they had little understanding of how computers worked. If anything, it appears that Auernheimer was convicted because of computer illiteracy on everyone's part.

His script guessed the ICC-ID and got an email for every correct one. He was convicted of identity theft and accessing a computer without authorization. What he did was like you calling any business human resources department (public phone number) and pretending to be an employee by guessing first and last names and inquiring about something (any personal info). This is similar to what he did. He pretended to be these 114k people by hitting the server with these ICC-IDs.

He was an idiot when he released these emails. It was unnecessary and stupid.
post #52 of 65
Quote:
Originally Posted by Apple ][ View Post

My quote came from the Verge, so either Wired has it wrong or the Verge does.

Or maybe it was one of those phablets, and that could possibly explain the confusion, with one source calling it a phone and the other source calling it a tablet?

Truly wonderful thing, the Internet. Only a bit hard to get hard data.
How to enter the Apple logo  on iOS:
/Settings/Keyboard/Shortcut and paste in  which you copied from an email draft or a note. Screendump
post #53 of 65
Quote:
Originally Posted by NasserAE View Post

Quote:
Originally Posted by popnfresh View Post

That's exactly what happened. His script inputted ICC-IDs, and the database handed him the email addresses. It was ridiculously easy, not rocket science. AT&T deserved to be bitch-slapped over this. But instead they threw the book at Auernheimer.

I agree that his attorney dropped the ball. But even the prosecution admitted that they had little understanding of how computers worked. If anything, it appears that Auernheimer was convicted because of computer illiteracy on everyone's part.

His script guessed the ICC-ID and got an email for every correct one. He was convicted of identity theft and accessing a computer without authorization. What he did was like you calling any business human resources department (public phone number) and pretending to be an employee by guessing first and last names and inquiring about something (any personal info). This is similar to what he did. He pretended to be these 114k people by hitting the server with these ICC-IDs.

He was an idiot when he released these emails. It was unnecessary and stupid.

 

He didn't pretend to be 114K people. He pretended to be 114K iPads. Not seeing how iPads have identities to be legally stolen as they are not people. As I said the moron at AT&T should be who gets the jail time. They exposed this information in the name of ease of use so customers wouldn't have to enter their email addresses.

post #54 of 65

Could be much worse, so at least he will get out and start anew. At least he will get out some day.

post #55 of 65
I hope AT&T officials are also going to jail for the aid they offered to this hacker through lax security?

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #56 of 65
Quote:
Originally Posted by Apple ][ View Post

 

A rape is just one person getting violated. This guy electronically violated the info of 114,000 people. 

 

And just because some rapists might get off light, that doesn't mean that this guy's sentence was too harsh. I support the death penalty for rape, and I don't believe that this guy's sentence was too harsh.


Really.

 

You know, applying your own rules to yourself could help the planet.

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #57 of 65
Quote:
Originally Posted by Phone-UI-Guy View Post

 

He didn't pretend to be 114K people. He pretended to be 114K iPads. Not seeing how iPads have identities to be legally stolen as they are not people. As I said the moron at AT&T should be who gets the jail time. They exposed this information in the name of ease of use so customers wouldn't have to enter their email addresses.


Yes, I agree with that part. The "hacker" gets a massive sentence (that's life destroying, quite obviously), and AT&T, a big company making billions, gets off the hook even though THEY failed to protect their users?

 

That guy found a leak and publicized it, after warning the company and giving them time to solve it. Read the computer security certifications, and you'll find this is the correct behavior (along with numerous warnings that US law is dangerous and ends up favoring evil crackers, as it can put a white hat in prison). The consequence of that behavior, is that bad guys can operate for decades, because white hats are not going to publicize anything, and big companies can keep putting individuals at risk without the fear that their behavior is exposed by a white hat.

 

The reason why this guy is punished that hard is not because he "hacked people's info". It's because he threatened AT&T's brand name.

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #58 of 65
Quote:
Originally Posted by orbitly View Post

"I once read the internet speed is slowed down by ~30% because there is so much anti-virus, anti-spyware, etc., needed to protect us from goofballs like this. See you in 4 years....dude...." - Christopher126

This guy just released the public URL for an ATT page that had a list of all iPad cellular users email addresses to the media. That was his "crime." Google did the exact same crime by indexing the page. AT&T was being a dipshit by leaving that info public, and they eventually fixed it. He didn't do any harm to anyone.


I think that the people who're so happy sending that poor sod to prison would benefit from a few years behind bars themselves. Of course they'll deny it, but applying their rules to themselves, the FBI can ALWAYS find enough reason to put you behind bars... Nobody's perfect enough to live free ;)

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...

post #59 of 65
Quote:
Originally Posted by lightknight View Post

Quote:
Originally Posted by Phone-UI-Guy View Post

He didn't pretend to be 114K people. He pretended to be 114K iPads. Not seeing how iPads have identities to be legally stolen as they are not people. As I said the moron at AT


Yes, I agree with that part. The "hacker" gets a massive sentence (that's life destroying, quite obviously), and AT&T, a big company making billions, gets off the hook even though THEY failed to protect their users?

That guy found a leak and publicized it, after warning the company and giving them time to solve it. Read the computer security certifications, and you'll find this is the correct behavior (along with numerous warnings that US law is dangerous and ends up favoring evil crackers, as it can put a white hat in prison). The consequence of that behavior, is that bad guys can operate for decades, because white hats are not going to publicize anything, and big companies can keep putting individuals at risk without the fear that their behavior is exposed by a white hat.

The reason why this guy is punished that hard is not because he "hacked people's info". It's because he threatened AT&T's brand name.

So true about the laws and who they truly favor. This poor sap seems to have subpar intelligence with all of the loose cannon remarks he made. That certainly didn't help his cause. What pisses me off more than anything is that they nailed him for unauthorized access to AT&T's system. How in the hell do you get unauthorized access to a login screen? He sent the ICC-ID and got the email address back, but that was part of AT&T's scheme to pre-enter the user's email address to make login easier. So he got nailed for unauthorized access to a login screen. Impersonating users (but wait, he impersonated iPads). Sigh... Shouldn't you have to actually get past the login screen in some manner to truly get unauthorized access? Perhaps even access to data that is not purposefully made available outside of access controls? It is certainly hard to come up with some sort of good definition on where the line should be drawn, but it should not include accessing data purposefully made available to anyone. The next generation Rick-Roll is going to be a link to an exploit hole in someone's system and you will go to jail as your reward for clicking a link.
post #60 of 65
Quote:
Originally Posted by Phone-UI-Guy View Post

He didn't pretend to be 114K people. He pretended to be 114K iPads. Not seeing how iPads have identities to be legally stolen as they are not people. As I said the moron at AT&T should be who gets the jail time. They exposed this information in the name of ease of use so customers wouldn't have to enter their email addresses.

Your social security number is just a number on a paper card, not a person. But if someone other than you uses it, it will be considered identity theft. The same thing here. The iPad ICC-ID is associated with the iPad's user.
post #61 of 65
Quote:
Originally Posted by NasserAE View Post

Your social security number is just a number on a paper card, not a person. But if someone other than you uses it, it will be considered identity theft. The same thing here. The iPad ICC-ID is associated with the iPad's user.

So is Harold Finch in trouble since he's given the SSNs?

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #62 of 65
Quote:
Originally Posted by NasserAE View Post

Quote:
Originally Posted by Phone-UI-Guy View Post

He didn't pretend to be 114K people. He pretended to be 114K iPads. Not seeing how iPads have identities to be legally stolen as they are not people. As I said the moron at AT&T should be who gets the jail time. They exposed this information in the name of ease of use so customers wouldn't have to enter their email addresses.

Your social security number is just a number on a paper card, not a person. But if someone other than you uses it, it will be considered identity theft. The same thing here. The iPad ICC-ID is associated with the iPad's user.

 

Your SSN is your account number issued to you by the United States Government. FWIW it is not supposed to be used as identification (I know, tell that to everyone that does). The ICC-ID is randomly selected by chance and does not directly identify a user. It was collected as associated with users when they signed up for wireless services for their iPads. At the time there were also quite a few ICC-IDs that AT&T (or anyone for that matter) did not know who owned them. Either way, providing the ICC-ID only got you a login screen with a pre-populated email address. That is right, a login screen that you actually still needed to enter a password for. The bar for criminal activity is a little too low IMHO if requesting a login screen gets you 41 months. It would be one thing if he was trying to hack the site and actually login as these people.

 

Basically what he did was like looking at AppleInsider users. You see your unique user ID and increment and see who is next. I'm glad that this isn't a login screen and is a public profile so that I won't go to jail for looking at publicly accessible information. 

 

http://forums.appleinsider.com/u/28346/ is Phone-UI-Guy

http://forums.appleinsider.com/u/28347/  is wolumila765

 

It looks like this guy hacked AT&T and dumped their database. He simply asked them for the login screen for 114K devices, and never logged in.

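The traffic pattern described in post #62 (one client walking consecutive identifiers through a lookup page) is straightforward to spot on the server side, which is the check an operator running such an endpoint would want. The following Python is an added example, not code from the thread or from AT&T; the combined-format log lines, the `/prefill?icc=` path and the thresholds are constructed assumptions.

```python
"""Added example (not from the thread): flag clients whose requests to a
lookup endpoint walk sequential identifiers. Log format and thresholds are
assumptions; the lines below are constructed for the demonstration."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed combined-log-style lines. The path and "icc=" parameter are
# hypothetical; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /prefill?icc=89014104212345678901 HTTP/1.1" 200 87
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /prefill?icc=89014104212345678902 HTTP/1.1" 200 85
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /prefill?icc=89014104212345678903 HTTP/1.1" 404 12
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /prefill?icc=89014104212345678904 HTTP/1.1" 200 90
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /prefill?icc=89014104212345678905 HTTP/1.1" 200 88
198.51.100.4 - - [09/Jun/2010:10:00:05 +0000] "GET /prefill?icc=89014104219876543210 HTTP/1.1" 200 86
198.51.100.4 - - [09/Jun/2010:10:05:00 +0000] "GET /prefill?icc=89014104219876543210 HTTP/1.1" 200 86
"""

# Client IP, the bracketed timestamp, then the identifier out of the request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /prefill\?icc=(?P<icc>\d+) HTTP/[\d.]+" \d{3}'
)


def parse(log_text: str) -> Dict[str, List[int]]:
    """Map each client IP to the identifiers it queried, in log order."""
    by_client: Dict[str, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_client[m.group("ip")].append(int(m.group("icc")))
    return by_client


def longest_sequential_run(ids: List[int], max_step: int = 1) -> int:
    """Length of the longest run in which each identifier exceeds the previous
    distinct one by at most max_step. Repeats of the same ID neither extend
    nor break the run (a legitimate client re-loading its own page)."""
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        if cur == prev:
            continue
        run = run + 1 if 0 < cur - prev <= max_step else 1
        best = max(best, run)
    return best


def flag_enumeration(log_text: str, min_distinct: int = 4, min_run: int = 4) -> Dict[str, dict]:
    """Clients whose pattern looks like identifier enumeration: many distinct
    identifiers and a long strictly increasing, closely spaced run of them."""
    findings: Dict[str, dict] = {}
    for ip, ids in parse(log_text).items():
        distinct = len(set(ids))
        run = longest_sequential_run(ids)
        if distinct >= min_distinct and run >= min_run:
            findings[ip] = {"distinct_ids": distinct, "sequential_run": run}
    return findings


if __name__ == "__main__":
    for ip, info in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

On the sample, the first client is flagged (five distinct, consecutive identifiers) while the second, which only reloads its own identifier, is not. A real deployment would key on the authenticated session or a rate-limit bucket rather than the bare IP, and would treat the endpoint's own 404s as a second signal, since a client probing identifiers that do not exist is itself unusual.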
post #63 of 65
He discovered an open URL that divulged customer information without any authentication. He collected proof. He told AT&T, the alleged victim, and gave them time to fix the problem before he told Gawker.

An actual criminal would not tell AT&T at all. A criminal would shed no light on the problem. Nor would a criminal pressure a company to start protecting your data.

It seems whistle blowing to me. He was convicted for unauthorized access to a computer, but there are millions of web servers you can access with the same lack of authorization. You probably did so today.
post #64 of 65

Anyone else reminded of the movie "Hackers"? No? Just me?

Insert Witty Comment Here
post #65 of 65
Quote:
Originally Posted by NasserAE View Post


Your social security number is just a number on a paper card, not a person. But if someone other than you uses it, it will be considered identity theft. The same thing here. The iPad ICC-ID is associated with the iPad's user.

"Uses". Listing it after a company fails to adequately protect it is already a very different ballgame. Worse, the big issue is that the "hacker" did NOT publish the list of users. AT&T did. He just repeated it under a different form.

 

I cannot understand why his lawyer did not get him off.

Social Capitalist, dreamer and wise enough to know I'm never going to grow up anyway... so not trying anymore.

 

http://m.ign.com/articles/2014/07/16/7-high-school-girls-are-kickstarting-their-awa...
