Are these other bots grabbing freely published email addresses to the internet or using subversive methods to find back doors into private areas to harvest these numbers? It sounds like arguing that a guy who breaks into a home to steal jewelry is just as guilty as someone who scours the streets after Mardi Gras looking for jewelry someone left behind on the street. They seem very different to me.
Most of those bots are designed to search through online forums and listserv archives, so they'd likely have algorithms to iterate through the numbers at the end of a URL in order to quickly scan through such databases (functionally identical to what was done here). However, I agree that the difference is the 'intent', which is where I have no qualm with lack of punishment for those who set up bots as compared to what was done here.
I was mainly bringing it up to combat your point of the crime being considered 100k instances of the crime when, in reality, it was one action/intent which led to that many email addresses being harvested. It's not like he came up with 100k ways to access that many different databases.
Quote:
I understand what you're saying but I think the first and second part of your comment are illogically stated. For it to be true you have to concede that precedents set for other crimes are fair and just. I don't think I could make that statement, especially if we're talking about someone doing a violent crime such as rape and getting less than 41 months.
And again, I can agree with that point. Violent crime deserves a larger punishment. That's what's fair and just in an ideal world. In the real world, where legal precedent plays a major factor in sentencing, this is the typical sentence which is handed out based on what I've heard (3-5 years on average for a first offence). The best I could do with a quick Google search to back that up was this bit of information about rape sentences in California. 8 years maximum if it's a first offence and no weapons are involved.
The idiot at AT&T that didn't do anything to secure the email addresses should get the 41 months.
This guy is not a hacker. Script kiddie at best. They can surely find something legitimate to put this guy away for a little while and he probably deserves that. This however sets such a bad precedent. You didn't even need a script to do this as a single CURL command with numeric range wildcards would have done the trick.
The real reason this blew up was because of what it meant to the security of people who were listed. The real fear was that someone was going to figure out how to use the ICC-ID to target the people who were exposed. The list was a who's who of government, defense, and private industry. AT&T didn't protect the identity of these people who were all walking around with 3G iPads who could be identified via their email addresses. So you could electronically tie iPads to specific people.
The moral of the story is to not mess with the man. He can put you away for years even if what you did doesn't amount to anything. They can call you a hacker, terrorist, etc and reality doesn't matter. Perception by people that just don't understand is what you are left with.
He should argue he didn't have a jury of his peers. The people who understand what he actually did cannot believe this has moved forward and now been successful. The guy is a douche, but the precedent is an epic fail.
This guy did what you are doing right now on this forum. For example, if you request http://forums.appleinsider.com/t/156530/ you are brought to this forum. All he did was change the number so instead he requested http://forums.appleinsider.com/t/156531/ and was returned someone else's email address. The problem is AT&T did not have any authorization protection. You did not need any username or password combination to access this. It was open to the entire internet to request at any time. 41 months in jail for requesting a link with a changed number makes no sense, nor did he actually hack anything. AT&T just failed to protect this list by placing some authorization check before returning the data.
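The missing authorization check described in the post above, shown as an added example that is not part of the thread and is not AT&T's code. All function names, the token scheme and the sample ICC-IDs and addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: these ICC-IDs and addresses are made up.
SUBSCRIBERS = {
    "89014100000000000001": "alice@example.com",
    "89014100000000000002": "bob@example.com",
}
SERVER_KEY = secrets.token_bytes(32)  # signs session tokens; never leaves the server


def lookup_unprotected(icc_id):
    """Behaviour the post describes: the identifier alone selects the record."""
    email = SUBSCRIBERS.get(icc_id)
    return (200, email) if email else (404, None)


def _sign(icc_id):
    return hmac.new(SERVER_KEY, icc_id.encode(), hashlib.sha256).hexdigest()


def issue_session(icc_id, credentials_ok):
    """Hypothetical login step: a token bound to one ICC-ID, issued only after
    the caller has authenticated (credential checking itself is out of scope)."""
    if not credentials_ok or icc_id not in SUBSCRIBERS:
        return None
    return f"{icc_id}.{_sign(icc_id)}"


def session_owner(token):
    """Return the ICC-ID a token was issued for, or None if it does not verify."""
    if not token or "." not in token:
        return None
    icc_id, mac = token.rsplit(".", 1)
    if hmac.compare_digest(mac.encode(), _sign(icc_id).encode()):
        return icc_id
    return None


def lookup_protected(icc_id, token):
    """Authorization check before returning data: the requested record must be
    the one the authenticated session belongs to."""
    owner = session_owner(token)
    if owner is None:
        return (401, None)  # not authenticated
    if owner != icc_id:
        # Same answer whether or not the other ID exists, so responses
        # cannot be used to tell valid identifiers from invalid ones.
        return (403, None)
    return (200, SUBSCRIBERS[owner])
```

With the check in place, changing the number in the request returns 403 for every identifier other than the caller's own, whether that identifier exists or not.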
It's not 41 months in jail for "requesting a link with a changed number". Rather, it was repeatedly requesting email addresses over and over and then publishing them.
Whether it is fair or not is open to question, but you don't further the discussion by misrepresenting his crime.
I once read the internet speed is slowed down by ~30% because there is so much anti-virus, anti-spyware, etc., needed to protect us from goofballs like this.
See you in 4 years....dude....
I think that spam ought to be a felony for the same reason.
"I once read the internet speed is slowed down by ~30% because there is so much anti-virus, anti-spyware, etc., needed to protect us from goofballs like this. See you in 4 years....dude...." - Christopher126
This guy just released the public URL for an ATT page that had a list of all iPad cellular users' email addresses to the media. That was his "crime." Google did the exact same crime by indexing the page. AT&T was being a dipshit by leaving that info public, and they eventually fixed it. He didn't do any harm to anyone.
Seriously though, I wasn't clear. I mean in college courses I took for fun in the last few years.
Ah, ok, for a moment there I thought you were younger than I imagined, from all your insightful posts I couldn't really believe you had internet 'at school'.
There are those that are both younger and older than I am here, but I remember when I was in school, there was one Apple ][ machine which was shared by about 38 students who made up my class.
I'm a little concerned how a court can consider a simple HTTP GET request as hacking. If it isn't illegal to do it once, how exactly is it illegal to do it 100k times? If it is indeed based upon quantity, what is the cutoff between legal and illegal? Without any evidence of intent to disrupt service to others with the numerous requests (DDOS attack), I don't see the crime here. I highly respect the Electronic Freedom Foundation's cause and stance on many cases like this, and am glad they are on the same page with this issue as well. https://www.eff.org/press/releases/eff-joins-andrew-auernheimer-case-appeal
If the crime had more to do with publishing the email addresses themselves, then what law was broken? It would seem that Gawker would be more culpable in that regard since they posted them, so why are they not a defendant in this case?
This case seems like a serious miscarriage of justice due to technology illiteracy on the part of the court. Hopefully this case sheds some light on the misinterpretations and shortcomings of CFAA, DMCA, and other acts/laws like it.
That's exactly what happened. His script inputted ICC-IDs, and the database handed him the email addresses. It was ridiculously easy, not rocket science. AT&T deserved to be bitch-slapped over this. But instead they threw the book at Auernheimer.
I agree that his attorney dropped the ball. But even the prosecution admitted that they had little understanding of how computers worked. If anything, it appears that Auernheimer was convicted because of computer illiteracy on everyone's part.
His script guessed the ICC-ID and got an email for every correct one. He was convicted of identity theft and accessing a computer without authorization. What he did was like you calling any business human resources department (public phone number) and pretending to be an employee by guessing first and last names and inquiring about something (any personal info). This is similar to what he did. He pretended to be these 114k people by hitting the server with these ICC-IDs.
He was an idiot when he released these emails. It was unnecessary and stupid.
My quote came from the Verge, so either Wired has it wrong or the Verge does.
Or maybe it was one of those phablets, and that could possibly explain the confusion, with one source calling it a phone and the other source calling it a tablet?
Truly wonderful thing, the Internet. Only a bit hard to get hard data.
That's exactly what happened. His script inputted ICC-IDs, and the database handed him the email addresses. It was ridiculously easy, not rocket science. AT&T deserved to be bitch-slapped over this. But instead they threw the book at Auernheimer.
I agree that his attorney dropped the ball. But even the prosecution admitted that they had little understanding of how computers worked. If anything, it appears that Auernheimer was convicted because of computer illiteracy on everyone's part.
His script guessed the ICC-ID and got an email for every correct one. He was convicted of identity theft and accessing a computer without authorization. What he did was like you calling any business human resources department (public phone number) and pretending to be an employee by guessing first and last names and inquiring about something (any personal info). This is similar to what he did. He pretended to be these 114k people by hitting the server with these ICC-IDs.
He was an idiot when he released these emails. It was unnecessary and stupid.
He didn't pretend to be 114K people. He pretended to be 114K iPads. Not seeing how iPads have identities to be legally stolen as they are not people. As I said the moron at AT&T should be who gets the jail time. They exposed this information in the name of ease of use so customers wouldn't have to enter their email addresses.
Comments
Quote:
Are these other bots grabbing freely published email addresses to the internet or using subversive methods to find back doors into private areas to harvest these numbers? It sounds like arguing that a guy who breaks into a home to steal jewelry is just as guilty as someone who scours the streets after Mardi Gras looking for jewelry someone left behind on the street. They seem very different to me.
Most of those bots are designed to search through online forums and listserv archives, so they'd likely have algorithms to iterate through the numbers at the end of a URL in order to quickly scan through such databases (functionally identical to what was done here). However, I agree that the difference is the 'intent', which is where I have no qualm with lack of punishment for those who set up bots as compared to what was done here.
I was mainly bringing it up to combat your point of the crime being considered 100k instances of the crime when, in reality, it was one action/intent which led to that many email addresses being harvested. It's not like he came up with 100k ways to access that many different databases.
Quote:
I understand what you're saying but I think the first and second part of your comment are illogically stated. For it to be true you have to concede that precedents set for other crimes are fair and just. I don't think I could make that statement, especially if we're talking about someone doing a violent crime such as rape and getting less than 41 months.
And again, I can agree with that point. Violent crime deserves a larger punishment. That's what's fair and just in an ideal world. In the real world, where legal precedent plays a major factor in sentencing, this is the typical sentence which is handed out based on what I've heard (3-5 years on average for a first offence). The best I could do with a quick Google search to back that up was this bit of information about rape sentences in California. 8 years maximum if it's a first offence and no weapons are involved.
Yes, but we called it a library back then and websites were referred to as books.
Seriously though, I wasn't clear. I mean in college courses I took for fun in the last few years.
This guy is not a hacker. Script kiddie at best. They can surely find something legitimate to put this guy away for a little while and he probably deserves that. This however sets such a bad precedent. You didn't even need a script to do this as a single CURL command with numeric range wildcards would have done the trick.
The real reason this blew up was because of what it meant to the security of people who were listed. The real fear was that someone was going to figure out how to use the ICC-ID to target the people who were exposed. The list was a who's who of government, defense, and private industry. AT&T didn't protect the identity of these people who were all walking around with 3G iPads who could be identified via their email addresses. So you could electronically tie iPads to specific people.
The moral of the story is to not mess with the man. He can put you away for years even if what you did doesn't amount to anything. They can call you a hacker, terrorist, etc and reality doesn't matter. Perception by people that just don't understand is what you are left with.
He should argue he didn't have a jury of his peers. The people who understand what he actually did cannot believe this has moved forward and now been successful. The guy is a douche, but the precedent is an epic fail.
It's not 41 months in jail for "requesting a link with a changed number". Rather, it was repeatedly requesting email addresses over and over and then publishing them.
Whether it is fair or not is open to question, but you don't further the discussion by misrepresenting his crime.
I think that spam ought to be a felony for the same reason.
This guy just released the public URL for an ATT page that had a list of all iPad cellular users' email addresses to the media. That was his "crime." Google did the exact same crime by indexing the page. AT&T was being a dipshit by leaving that info public, and they eventually fixed it. He didn't do any harm to anyone.
He exposed that ATT had a public page that had the email addresses for accounts on it to the media. That really shouldn't be a crime.
Ah, ok, for a moment there I thought you were younger than I imagined, from all your insightful posts I couldn't really believe you had internet 'at school'.
Quote:
Originally Posted by PhilBoogie
Ah, ok, for a moment there I thought you were younger than I imagined, from all your insightful posts I couldn't really believe you had internet 'at school'.
There are those that are both younger and older than I am here, but I remember when I was in school, there was one Apple ][ machine which was shared by about 38 students who made up my class.
I'm a little concerned how a court can consider a simple HTTP GET request as hacking. If it isn't illegal to do it once, how exactly is it illegal to do it 100k times? If it is indeed based upon quantity, what is the cutoff between legal and illegal? Without any evidence of intent to disrupt service to others with the numerous requests (DDOS attack), I don't see the crime here. I highly respect the Electronic Freedom Foundation's cause and stance on many cases like this, and am glad they are on the same page with this issue as well. https://www.eff.org/press/releases/eff-joins-andrew-auernheimer-case-appeal
If the crime had more to do with publishing the email addresses themselves, then what law was broken? It would seem that Gawker would be more culpable in that regard since they posted them, so why are they not a defendant in this case?
This case seems like a serious miscarriage of justice due to technology illiteracy on the part of the court. Hopefully this case sheds some light on the misinterpretations and shortcomings of CFAA, DMCA, and other acts/laws like it.
Quote:
Originally Posted by PhilBoogie
Why do you think it was an Android tablet?
Just look at him. He fits the fandroid stereotype perfectly¡
Quote:
Originally Posted by lkrupp
Just look at him. He fits the fandroid stereotype perfectly¡
...or one could argue that he looks like the stereotypical tech company founder.
Paid4phones.com
Why do spammers have to be so annoying?
Quote:
Originally Posted by e_veritas
...or one could argue that he looks like the stereotypical tech company founder.
Except for the fact that this is 2013, not 1975.
His script guessed the ICC-ID and got an email for every correct one. He was convicted of identity theft and accessing a computer without authorization. What he did was like you calling any business human resources department (public phone number) and pretending to be an employee by guessing first and last names and inquiring about something (any personal info). This is similar to what he did. He pretended to be these 114k people by hitting the server with these ICC-IDs.
He was an idiot when he released these emails. It was unnecessary and stupid.
Truly wonderful thing, the Internet. Only a bit hard to get hard data.
Quote:
Originally Posted by NasserAE
Quote:
Originally Posted by popnfresh
That's exactly what happened. His script inputted ICC-IDs, and the database handed him the email addresses. It was ridiculously easy, not rocket science. AT&T deserved to be bitch-slapped over this. But instead they threw the book at Auernheimer.
I agree that his attorney dropped the ball. But even the prosecution admitted that they had little understanding of how computers worked. If anything, it appears that Auernheimer was convicted because of computer illiteracy on everyone's part.
His script guessed the ICC-ID and got an email for every correct one. He was convicted of identity theft and accessing a computer without authorization. What he did was like you calling any business human resources department (public phone number) and pretending to be an employee by guessing first and last names and inquiring about something (any personal info). This is similar to what he did. He pretended to be these 114k people by hitting the server with these ICC-IDs.
He was an idiot when he released these emails. It was unnecessary and stupid.
He didn't pretend to be 114K people. He pretended to be 114K iPads. Not seeing how iPads have identities to be legally stolen as they are not people. As I said the moron at AT&T should be who gets the jail time. They exposed this information in the name of ease of use so customers wouldn't have to enter their email addresses.
Could be much worse, so at least he will get out and start anew; at least he will get out some day.