Hacker pleads guilty to hacking AT&T to obtain iPad user email addresses
One of the computer hackers allegedly responsible for gathering email addresses of iPad customers from the AT&T servers has pleaded guilty and could face up to five years in prison per charge.
Accused hacker Daniel Spitler pleaded guilty to identity theft and conspiracy to gain unauthorized access to computers, The Wall Street Journal reports. Spitler is allegedly part of the Goatse Security hacking group that orchestrated a security breach of AT&T's servers shortly after the launch of the original iPad.
"Computer hackers are exacting an increasing toll on our society, damaging individuals and organizations to gain notoriety for themselves," said U.S. Attorney Paul Fishman. "Daniel Spitler's guilty plea is a timely reminder of the consequences of treating criminal activity as a competitive sport."
Sentencing is set for Sept. 28. Meanwhile, Andrew Auernheimer, the other hacker accused in the case, is currently engaged in plea negotiations, according to a letter filed with the court by his lawyer last month.
In June of last year, hackers exploited a security flaw on AT&T's web servers to obtain email addresses from the SIM card addresses of at least 114,000 iPad 3G users. Though the attack was originally thought to be a sophisticated hack, the actual exploit used an automated script to submit HTTP requests for thousands of possible serial numbers and collect AT&T's responses.
Credit: Bill Kostroun/AP Photo
Following the breach, AT&T issued a statement. "This issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses... may have been obtained," the company said.
Security experts have downplayed the breach as having "no direct security consequences," as emails and ICC IDs were the only personal information obtained during the hack.
The FBI quickly initiated an investigation into the incident. A week after the breach, Auernheimer was arrested by the FBI on separate felony drug charges.
Auernheimer claims that his "Goatse Security" group waited to disclose the flaw until AT&T had fixed the problem, but AT&T has criticized the group for going public with it. Prosecutors charged Spitler and Auernheimer in January.
Andrew Auernheimer's booking photo, via the Washington County Detention Center.
Accused hacker Daniel Spitler pleaded guilty to identity theft and conspiracy to gain unauthorized access to computers, The Wall Street Journal reports. Spitler is allegedly part of the Goatse Security hacking group that orchestrated a security breach of AT&T's servers shortly after the launch of the original iPad.
"Computer hackers are exacting an increasing toll on our society, damaging individuals and organizations to gain notoriety for themselves," said U.S. Attorney Paul Fishman. "Daniel Spitler's guilty plea is a timely reminder of the consequences of treating criminal activity as a competitive sport."
Sentencing is set for Sept. 28. Meanwhile, Andrew Auernheimer, the other hacker accused in the case, is currently engaged in plea negotiations, according to a letter filed with the court by his lawyer last month.
In June of last year, hackers exploited a security flaw on AT&T's web servers to obtain email addresses from the SIM card addresses of at least 114,000 iPad 3G users. Though the attack was originally thought to be a sophisticated hack, the actual exploit used an automated script to submit HTTP requests for thousands of possible serial numbers and collect AT&T's responses.
Credit: Bill Kostroun/AP Photo
Following the breach, AT&T issued a statement. "This issue was escalated to the highest levels of the company and was corrected by Tuesday. We are continuing to investigate and will inform all customers whose e-mail addresses... may have been obtained," the company said.
Security experts have downplayed the breach as having "no direct security consequences," as emails and ICC IDs were the only personal information obtained during the hack.
The FBI quickly initiated an investigation into the incident. A week after the breach, Auernheimer was arrested by the FBI on separate felony drug charges.
Auernheimer claims that his "Goatse Security" group waited to disclose the flaw until AT&T had fixed the problem, but AT&T has criticized the group for going public with it. Prosecutors charged Spitler and Auernheimer in January.
Andrew Auernheimer's booking photo, via the Washington County Detention Center.
Comments
I am waiting for the day when I can see a mugshot of a clean-shaven one dressed in a pinstripe suit and tie.
***
Susan Cassell, a lawyer representing Spitler, said any 26-year-old in her client's position "will be deeply saddened by the process, especially when his goal was to benefit the public by exploiting a security breach that, if left unaddressed, could have led to far more serious consequences."
***
Susie baby, if you expect anyone to believe that your lowlife client had an altruistic motivation to promote the public good by stealing people's personal information, then you need to quit your day job as a shyster. You'll do better peddling jalopies to morons on a back alley New Jersey used car lot.
Slap on the cuffs. Messing with people's computers is not a joke these days, they're used for important stuff. The ability to understand a system *so well* that you can subvert it, surely can be used for something constructive?
AT&T is equally guilty for being hackable.
Being sloppy with people's personal information is not a joke these days, they're used for important stuff. The mere possibility to understand the security system *so well* that it can be easily breached, surely sounds criminal to me.
It is true, though, that the hackers have gone out of the normal way to obtain the information. The question is: (i) have they used it for direct personal gain? (ii) have they divulged the obtained information? (iii) have they divulged the method they had been using?
Or was it just for advertising their skills in order to get hired as (a) security expert(s)?
IMHO organizations who collect personal information should outsource the sensitive part to companies whose sole business it is to provide secure services.
AT&T is equally guilty for being hackable.
Being sloppy with people's personal information is not a joke these days, they're used for important stuff. The mere possibility to understand the security system *so well* that it can be easily breached, surely sounds criminal to me.
It is true, though, that the hackers have gone out of the normal way to obtain the information. The question is: (i) have they used it for direct personal gain? (ii) have they divulged the obtained information? (iii) have they divulged the method they had been using?
Or was it just for advertising their skills in order to get hired as (a) security expert(s)?
IMHO organizations who collect personal information should outsource the sensitive part to companies whose sole business it is to provide secure services.
It always strikes me as grotesque watching people try so hard to cut these kinds of low-lifes so much slack. Why did you keep going on and on when the answer to your (i) question was "yes". Maybe you don't understand the gain they were going for. The US Attorney understood. Every adolescent hacker wannabe does too.
And wanting to take half the blame from the actual criminals and give it to the victim just because they're not hackable... that's great. If you'd care to give us your list of sites & companies that are completely unhackable (taking care to differentiate between unhacked and unhackable, because they're most assuredly not the same thing).
these people are defective but that should not prevent that from doing serious time in jail with the "general" population. I'm sure that will be a pleasant learning experience for these jersk.
In jail with the general population (a rough sorta bunch) they'll get 3 square meals a day, free medical and dental (they'll need both) and all the sex they want!
Lock the door & throw away the key on these lowlifes.
Looks like "goatse" will cease to be a smirking metaphor where these misguided folks are headed.
Take a bath, hippie.
Stallman definitely has done almost as much damage as Gates
AT&T is equally guilty for being hackable.
Being sloppy with people's personal information is not a joke these days, they're used for important stuff. The mere possibility to understand the security system *so well* that it can be easily breached, surely sounds criminal to me.
It is true, though, that the hackers have gone out of the normal way to obtain the information. The question is: (i) have they used it for direct personal gain? (ii) have they divulged the obtained information? (iii) have they divulged the method they had been using?
Or was it just for advertising their skills in order to get hired as (a) security expert(s)?
IMHO organizations who collect personal information should outsource the sensitive part to companies whose sole business it is to provide secure services.
So, let's say somebody knows how to pick the lock at the bank.
Is the bank guilty for not being 100% impenetrable?
But, the bank robber
1. Didn't use the money for direct personal gain
2. Didn't give out the money to anyone else
3. Didn't tell anybody else how they broke into the bank
So, the Bank is responsible here and not the bank robber, right?
Especially after the Playstation Network business, I have no sympathy for these hackers. Stealing personal information is actually more damaging than stealing from a bank (after all, my bank funds are FDIC insured).
Hackers like these losers prevented me and millions of others from playing online for over a month. Screw them.
If these hackers really wanted to alert AT&T to the security flaw they could have used other means - one example is that they could have tried contacting the CEO if others in the company wouldn't listen. It sounds like they were just too impatient to wait for AT&T to fix the flaw, so they decided to just exploit it?
Slap on the cuffs. Messing with people's computers is not a joke these days, they're used for important stuff. The ability to understand a system *so well* that you can subvert it, surely can be used for something constructive?
Oh good grief. AT&T not only left the door unlocked, they left it wide open! No, i'm not condoning hacking, but AT&T has a responsibility to secure the data. Something they clearly failed to do.
It always strikes me as grotesque watching people try so hard to cut these kinds of low-lifes so much slack.?
And wanting to take half the blame from the actual criminals and give it to the victim just because they're not hackable... that's great. If you'd care to give us your list of sites & companies that are completely unhackable (taking care to differentiate between unhacked and unhackable, because they're most assuredly not the same thing).
I might agree with you if AT&T hadn't been ? in my opinion ? so utterly negligent in this matter.
An analogy is this: People shouldn't steal other people's bicycles, but if you leave your bicycle unlocked in a bad section of New York city, do you really expect it to be there when you come back a few hours later? Some actions are so moronic that it's hard to find sympathy for the so-called "victim."
I sometimes am careless and leave a door in my house unlocked. By the logic employed by these so-called security companies, it would be okay for someone to burgle my house and take my stuff in order to show me how poor my home security is. Worse yet, they could sell my stuff to really make their point.
Your analogy is a poor fit here. You obviously live in a "good" neighborhood without a lot of crime. I doubt you'd be "careless" and leave your door unlocked if you lived in a bad neighborhood with rampant crime. On the InterNet, there are no "good" neighborhoods.
Look, if you lived on the edge of the jungle, and you leave your baby unattended and lions or hyenas come by and make a meal of it, whose fault is it? Yeah, the hyenas really shouldn't have done that. But hey, you live on the edge of the jungle, you know what hyenas are like, and you didn't take precautions?
Hackers like these losers prevented me and millions of others from playing online for over a month. Screw them.
Oh, boo hoo! My heart bleeds peanut butter for you!
Oh good grief. AT&T not only left the door unlocked, they left it wide open! No, i'm not condoning hacking, but AT&T has a responsibility to secure the data. Something they clearly failed to do.
I agree with you. However, Apple has been given a complete pass on this despite the fact that Apple defined the requirement for this "unlocked door." AT&T should have recognized this as a security vulnerability and worked with Apple to redefine how it worked, but they did not.
Oh good grief. AT&T not only left the door unlocked, they left it wide open! No, i'm not condoning hacking, but AT&T has a responsibility to secure the data. Something they clearly failed to do.
I might agree with you if AT&T hadn't been – in my opinion – so utterly negligent in this matter.
An analogy is this: People shouldn't steal other people's bicycles, but if you leave your bicycle unlocked in a bad section of New York city, do you really expect it to be there when you come back a few hours later? Some actions are so moronic that it's hard to find sympathy for the so-called "victim."
Your analogy is a poor fit here. You obviously live in a "good" neighborhood without a lot of crime. I doubt you'd be "careless" and leave your door unlocked if you lived in a bad neighborhood with rampant crime. On the InterNet, there are no "good" neighborhoods.
Look, if you lived on the edge of the jungle, and you leave your baby unattended and lions or hyenas come by and make a meal of it, whose fault is it? Yeah, the hyenas really shouldn't have done that. But hey, you live on the edge of the jungle, you know what hyenas are like, and you didn't take precautions?
Oh, boo hoo! My heart bleeds peanut butter for you!
So because the door was open the hacking was ok?
Regarding your bicycle comment. Does that mean if they catch the thief he shouldn't be prosecuted because the owner was a moron to start with?
The animal analogy is inappropriate as the animal's action is a natural survival based response. Hacking is not an action that has any positive or survival based need.