Hacker involved in AT&T iPad 3G e-mail breach sentenced to 41 months in jail - Page 2

The idiot at AT&T that didn't do anything to secure the email addresses should get the 41 months.

This guy is not a hacker. Script kiddy at best. They can surely find something legitimate to put this guy away for a little while and he probably deserves that. This however sets such a bad prescedent. You didn't even need a script to do this as a single CURL command with numeric range wildcards would have done the trick.

The real reason this blew up was because of what it meant to the security of people who were listed. The real fear was that someone was going to figure out how to use the ICC-ID to target the people who were exposed. The list was a who's who of government, defense, and private industry. AT&T didn't protect the identity of these people who were all walking around with 3G iPads who could be identified via their email addresses. So you could electronically tie iPads to specific people.

The moral of the story is to not mess with the man. He can put you away for years even if what you did doesn't amount to anything. They can call you a hacker, terrorist, etc and reality doesn't matter. Perception by people that just don't understand is what you are left with.

He should argue he didn't have a jury of his peers. The people who understand what he actually did cannot believe this has moved forward and now been successful. The guy is a duche, but the precedent is an epic fail.

It's not 41 months in jail for "requesting a link with a changed number". Rather, it was repeatedly requesting email addresses over and over and then publishing them.

Whether it is fair or not is open to question, but you don't further the discussion my misrepresenting his crime.

I think that spam ought to be a felony for the same reason.

"I once read the internet speed is slowed down by ~30% because there is so much anti-virus, anti-spyware, etc., needed to protect us from goofballs like this. See you in 4 years....dude...." - Christopher126

This guy just released the public URL for an ATT page that had a list of all iPad cellular users email addresses to the media. That was his "crime." Google did the exact same crime by indexing the page. AT&T was being a dipshit by leaving that info public, and they eventually fixed it. He didn't do any harm to anyone.

He exposed that ATT had a public page that had the email addresses for accounts on it to the media. That really shouldn't be a crime.

Ah, ok, for a moment there I thought you were younger than I imagined, from all your insightful posts I couldn't really believe you had internet 'at school'.

There are those that are both younger and older than I am here, but I remember when I was in school, there was one Apple ][ machine which was shared by about 38 students who made up my class.

I'm a little concerned how a court can consider a simple HTTP GET request as hacking. If it isn't illegal to do it once, how exactly is it illegal to do it 100k times? If it is indeed based upon quantity, what is the cutoff between legal and illegal? Without any evidence of intent to disrupt service to others with the numerous requests (DDOS attack), I don't see the crime here. I highly respect the Electonic Freedom Foundation's cause and stance on many cases like this, and am glad they are on the same page with this issue as well. https://www.eff.org/press/releases/eff-joins-andrew-auernheimer-case-appeal

 

If the crime had more to do with publishing the email addresses themselves, then what law was broken? It would seem that Gawker would be more culpable in that regard since they posted them, so why are they not a defendant in this case?

 

This case seems like a serious miscarriage of justice due to technology illiteracy on the part of the court. Hopefully this case sheds some light on the misinterpretations and shortcomings of CFAA, DMCA, and other acts/laws like it.

 

Just look at him. He fits the fandroid stereotype perfectly¡

 

...or one could argue that he looks like the stereotypical tech company founder.

 

 

Except for the fact that this is 2013, not 1975.

His script guessed the ICC-ID and got an email for every correct one. He was converted with identity theft and accessing a computer without authorization. What he did was like you calling any business human resources department (public phone number) and pretending to be an employee by guessing first and last names and inquiring about something (any personal info). This is similar to what he did. He pretended to be these 114k people by hitting the server with these ICC-IDs.

He was an idiot when he released these emails. It was unnecessary and stupid.

Truly wonderful thing, the Internet. Only a bit hard to get hard data.

 

He didn't pretend to be 114K people. He pretended to be 114K iPads. Not seeing how iPads have identities to be legally stollen as they are not people. As I said the moron at AT&T should be who gets the jail time. They exposed this information in the name of ease of use so customers wouldn't have to enter their email addresses. 

could be much worse so at least he will get out and start a new at least he will get out some day.

I hope AT&T officials are also going to jail for the aid they offered to this hacker through lax security?

Really.

 

You know, applying your own rules to yourself could help the planet.

Yes, I agree with that part. The "hacker" gets a massive sentence (that's life destroying, quite obviously), and AT&T, a big company making billions, gets off the hook even though THEY failed to protect their users?

 

That guy found a leak and publicized it, after warning the company and giving them time to solve it. Read the computer security certifications, and you'll find this is the correct behavior (along with numerous warnings that US law is dangerous and ends up favoring evil crackers, as it can put a white hat in prison). The consequence of that behavior, is that bad guys can operate for decades, because white hats are not going to publicize anything, and big companies can keep putting individuals at risk without the fear that their behavior is exposed by a white hat.

 

The reason why this guy is punished that hard is not because he "hacked people's info". It's because he threatened AT&T's brand name.

I think that the people who're so happy sending that poor sod to prison would benefit from a few years behind bar themselves. Of course they'll deny it, but applying their rules to themselves, the FBI can ALWAYS find enough reason to put you behind bars... Nobody's perfect enough to live free ;)

So true about the laws and who they truly favor. This poor sap seems to have subpar intelligence with all of the loose cannon remarks he made. That certainly didn't help his cause. What pisses me off more than anything is that they nailed him for unauthorized access to AT&T's system. How in the hell do you get unauthorized access to a login screen? He sent the ICC-ID and got the email address back, but that was part of AT&T's scheme to pre-enter the users email address to make login easier. So he got nailed for unauthorized access to a login screen. Impersonating users (but wait, he impersonated iPads). Sigh... Shouldn't you have to actually get past the login screen in some manner to truly get unauthorized access? Perhaps even access to data that is not purposefully made available outside of access controls? It is certainly hard to come up with some sort of good definition on where the line should be drawn, but it should not include accessing data purposefully made available to anyone. The next generation Rick-Roll is going to be a link to exploit hole in someone's system and you will go to jail as your reward for clicking a link.

Your social security number is just a number on a paper card not a person. But if someone other than you use it it will be considered identity theft. The same thing here. The iPad ICC-ID is associated with iPads user.

So is Harold Finch in trouble since he's given the SSNs?

 

Your SSN is your account number issued to you by the United States Government. FWIW it is not supposed to be use as identification (I know, tell that to everyone that does). The ICC-ID is randomly selected by chance and does not directly identify a user. It was collected as associated with users when they signed up for wireless services for their iPads. At the time there were also quite a few ICC-IDs that AT&T (or anyone for that matter) did not know who owned them.  Either way, providing the ICC-ID only got you a login screen with a pre-populated email address. That is right, a login screen that you actually still needed to enter a password for. The bar for criminal activity is a little too low IMHO if requesting a login screen gets you 41 months. It would be one thing if he was trying to hack the site and actually login as these people.

 

Basically what he did was like looking at AppleInsider users. You see your unique user ID and increment and see who is next. I'm glad that this isn't a login screen and is a public profile so that I won't go to jail for looking at publicly accessible information. 

 

http://forums.appleinsider.com/u/28346/ is Phone-UI-Guy

http://forums.appleinsider.com/u/28347/  is wolumila765

 

It looks like this guy hacked AT&T and dumped their database. He simply asked them for the login screen for 114K devices, and never logged in.

He discovered an open url that divulged customer information without any authentication. He collected proof. He told AT&T, the alleged victim, and gave them time to fix the problem before he told Gawker.

An actual criminal would not tell AT&T at all. A criminal would shed no light on the problem. Nor would a criminal pressure a company to start protecting your data.

It seems whistle blowing to me. He was convicted for unauthorized access to a computer, but there are millions of web servers you can access with the same lack of authorization. You probably did so today.

Anyone else reminded of the movie "Hackers"? No? Just me?

"Uses". Listing it after a company fails to adequately protect it is already a very different ballgame. Worse, the big issue is that the "hacker" did NOT publish the list of users. AT&T did. He just repeated it under a different form.

 

I cannot understand why his lawyer did not get him off.