Expose Blatant Security Hole From AT&T... Face Five Years In Jail

from the security-through-threat-of-intimidation dept

A few years ago, we wrote about some hackers who exposed a really basic security flaw in AT&T's setup for iPad users. Basically, if you fed an account ID to an AT&T web page, it would return the email address of that account, with no check that the person asking actually owned it. And, on top of that, AT&T appeared to hand out the IDs in numerical order, so it was trivial to just run through a range of IDs in sequence and collect a ton of users' info. And that's what these hackers did -- collecting a variety of emails, including those of the President of News Corp., the CEO of Dow Jones and New York Mayor Bloomberg. They got lots of other government officials as well: "Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others."

This seemed like a pretty massive flaw in the design of the system by AT&T... but of course, all of the blame is falling on the guys who exposed the hole. It seems noteworthy that the pair of hackers who exposed this are known for trollish online behavior, and Andrew Auernheimer, who goes by the name weev, has flat out called himself an internet troll. It seems that the FBI decided to use the trollish nature of Auernheimer and his collaborator Daniel Spitler to argue that this hack violated the incredibly poorly-worded and widely misunderstood Computer Fraud and Abuse Act (CFAA). That's a law we've been discussing for a few years now, as law enforcement and the courts keep trying to stretch the definition of what counts as "unauthorized access" under it.

Unfortunately, in this case, a jury was convinced that the discovery of this security hole left open by AT&T was actually a crime, and Auernheimer is now facing up to five years in jail. Not surprisingly, he plans to appeal. Of course, part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question, before eventually just revealing the security hole to the media.

Obviously, there may be a fine line between "white hat" exposure of security flaws and nefarious activity, but given that all that really happened here was the exposure of really poorly thought-out programming by AT&T, it seems bizarre that the guy who exposed it is now facing years in jail.
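The flaw described above is the textbook insecure direct object reference: a lookup keyed on a sequential identifier with no check that the requester owns the record. The Python below is an added illustration, not code from this post or from AT&T. It models the weak lookup on constructed sample accounts, the script-style enumeration that harvests it, and a hardened version that keys the lookup on a random opaque token and also checks that the authenticated session owns the record. The account data, the token and owner maps, and the session names are all assumptions made for the example.

```python
from typing import Dict, List, Optional
import secrets

# Constructed sample data: three accounts whose numeric IDs were issued
# in sequence, which is the property that made the AT&T lookup enumerable.
ACCOUNTS: Dict[int, str] = {
    1000: "alice@example.com",
    1001: "bob@example.com",
    1002: "carol@example.com",
}


def lookup_email_weak(account_id: int) -> Optional[str]:
    """Models the flaw: any caller who supplies a valid ID gets the e-mail.

    Nothing ties the request to the account's owner, so the only thing
    protecting other users' addresses is the guessability of the ID.
    """
    return ACCOUNTS.get(account_id)


def enumerate_weak(start: int, count: int) -> List[str]:
    """What a harvesting script amounts to: walk sequential IDs, keep hits."""
    found: List[str] = []
    for account_id in range(start, start + count):
        email = lookup_email_weak(account_id)
        if email is not None:
            found.append(email)
    return found


# Hardened version. Two changes; either one stops the enumeration above,
# and together they also cover the case of a single leaked token:
#   1. The lookup key is an opaque random token (256 bits from the OS CSPRNG),
#      so knowing one valid key says nothing about any other.
#   2. The handler checks that the authenticated session owns the record.
# The two dicts stand in for server-side storage (assumption for the example).
TOKENS: Dict[str, int] = {}   # opaque token -> account_id
OWNERS: Dict[int, str] = {}   # account_id -> session user who owns it


def issue_token(account_id: int, session_user: str) -> str:
    """Issue a lookup token to the owner of an account (e.g. at login)."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = account_id
    OWNERS[account_id] = session_user
    return token


def lookup_email_hardened(token: str, session_user: str) -> Optional[str]:
    """Return the e-mail only if the token is valid AND the session owns it.

    Both failure cases return None so the response does not distinguish
    "no such token" from "not yours"; a distinguishable error would be an
    oracle for probing which tokens exist.
    """
    account_id = TOKENS.get(token)
    if account_id is None:
        return None
    if OWNERS.get(account_id) != session_user:
        return None
    return ACCOUNTS.get(account_id)


if __name__ == "__main__":
    print("weak endpoint, IDs 999..1004:", enumerate_weak(999, 6))
    t = issue_token(1000, "alice-session")
    print("hardened, owner:   ", lookup_email_hardened(t, "alice-session"))
    print("hardened, stranger:", lookup_email_hardened(t, "mallory-session"))
```

The point of keeping both changes is that they fail differently: a random token alone still leaks the address to anyone who obtains the token (a shared link, a proxy log), while an ownership check alone leaves the sequential ID as a reliable map of who exists, which is useful to an attacker even without the e-mail.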


Reader Comments

  1. Anonymous Coward, Nov 21st, 2012 @ 7:08pm

    white. hat

    What's coming, or due to come, out of this case, as has indeed arisen during those of Manning, Assange and Hammond, is the conflict between an authoritarian bad Gov determined to assert failing power and the idealistic techno-savvy young who have a drum to beat. Something's got to give and my money is on the overwhelming spirit of and desire for real far-reaching social change. Law, please follow.

     


  2. MrWilson, Nov 21st, 2012 @ 7:19pm

    Re: white. hat

    My prediction is that it will take some form of government scandal or exposed brutalization of apparently innocent people in order to build enough public outcry leverage in order to get the government to decrease the severity of such absurd law enforcement efforts, and it will likely only do so because of political infighting in which some otherwise momentarily disadvantaged partisan group will see championing such a cause as an opportunity to regain power.

     


  3. Anonymous Coward, Nov 21st, 2012 @ 7:24pm

    Maybe if they'd simply reported it to ATT, rather than harvesting 114,000 e-mail addresses there'd have been a different outcome. Just a guess.

     


  4. Anonymous Coward, Nov 21st, 2012 @ 7:25pm

    It's not bizarre. The US govt. (and by extension the people that aren't that technologically savvy) has always sided with big corporations. Why would it change?

    Land of the censored and where money rules.

     


  5. teka (profile), Nov 21st, 2012 @ 7:40pm

    Re:

    Report a security flaw to some ATT email address... nothing happens.

    Report a massive breach to ATT and the media, with a huge stack of big names in the files... things might get fixed.

    As for the number of addresses.. I bet it was the work of just a few minutes to knock together some software tool that incremented through the numbers and gobbled the information at speed. Let that run then go back through to search for interesting names. This is not like doing 114,000 bank robberies or kicking 114,000 kittens.

     

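The "increment through the numbers and gobble at speed" tool the comment above describes leaves a distinctive footprint in a web server's access log: one client, many distinct id values, mostly consecutive, inside a short window. As an added example (not from the comment, this post, or AT&T), the Python below scans constructed combined-format log lines for that pattern. The log lines, the /lookup?id= path, and the thresholds are assumptions for the example; tune the window and minimum count to the real endpoint's normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample access log (combined log format, assumption). The first
# client walks id=1000..1007 in three seconds; the second is an ordinary user.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Nov/2012:19:00:01 +0000] "GET /lookup?id=1000 HTTP/1.1" 200 87
203.0.113.5 - - [21/Nov/2012:19:00:01 +0000] "GET /lookup?id=1001 HTTP/1.1" 200 85
203.0.113.5 - - [21/Nov/2012:19:00:01 +0000] "GET /lookup?id=1002 HTTP/1.1" 404 12
203.0.113.5 - - [21/Nov/2012:19:00:02 +0000] "GET /lookup?id=1003 HTTP/1.1" 200 90
203.0.113.5 - - [21/Nov/2012:19:00:02 +0000] "GET /lookup?id=1004 HTTP/1.1" 200 88
203.0.113.5 - - [21/Nov/2012:19:00:02 +0000] "GET /lookup?id=1005 HTTP/1.1" 200 86
203.0.113.5 - - [21/Nov/2012:19:00:03 +0000] "GET /lookup?id=1006 HTTP/1.1" 200 89
203.0.113.5 - - [21/Nov/2012:19:00:03 +0000] "GET /lookup?id=1007 HTTP/1.1" 200 91
198.51.100.7 - - [21/Nov/2012:19:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [21/Nov/2012:19:00:04 +0000] "GET /lookup?id=1000 HTTP/1.1" 200 87
198.51.100.7 - - [21/Nov/2012:19:05:04 +0000] "GET /lookup?id=1000 HTTP/1.1" 200 87
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ID_RE = re.compile(r"[?&]id=(\d+)")


def parse_line(line: str) -> Optional[Tuple[str, datetime, int]]:
    """Return (client, timestamp, id) for a request carrying an id=, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.search(m.group("path"))
    if not idm:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(idm.group(1))


def consecutive_ratio(ids: List[int]) -> float:
    """Fraction of steps between distinct sorted IDs that are exactly +1."""
    s = sorted(set(ids))
    if len(s) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(s, s[1:]) if b - a == 1)
    return steps / (len(s) - 1)


def find_enumerators(lines, window: timedelta = timedelta(seconds=60),
                     min_ids: int = 5, min_ratio: float = 0.8) -> Dict[str, int]:
    """Map client -> largest number of distinct IDs it requested inside one
    window in which those IDs were mostly consecutive.

    Misses (404s) are counted on purpose: an enumerator produces them, a real
    user following links does not, so they strengthen rather than dilute the signal.
    """
    by_ip: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, rid = rec
            by_ip[ip].append((ts, rid))
    flagged: Dict[str, int] = {}
    for ip, hits in by_ip.items():
        hits.sort()
        best, j = 0, 0
        for i in range(len(hits)):
            # Slide the window end forward; j only ever advances, so the
            # whole scan is linear in the number of hits per client.
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            ids = [rid for _, rid in hits[i:j]]
            distinct = len(set(ids))
            if distinct >= min_ids and consecutive_ratio(ids) >= min_ratio:
                best = max(best, distinct)
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {n} distinct sequential IDs within 60s")
```

Keying on the client address is the simplest version; a harvester spread across many addresses would need the same check run per session cookie or per device identifier instead, and the consecutive-ratio test would need loosening if the attacker randomises the order of the IDs. Either way, the real fix is on the server side (a non-guessable key and an ownership check); this scan only tells you how long the hole was being exploited before it was closed.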

  6. @blamer, Nov 21st, 2012 @ 7:50pm

    Re: harvesting

    I thought the same.

    Unless weev could show his "bad" harvesting act is what (made it newsworthy hence) motivated AT&T to hide that customer data.

    "part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question"

    That mouth-flapping sounds exactly like a responsible white hat to me. Think like a black hat. The professional's mantra.

     


  7. M., Nov 21st, 2012 @ 7:55pm

    I don't see it this way. If you go back and read the original news articles regarding this security flaw, these guys wrote a script and started harvesting email addresses. They also shared the script with others. That's not a white hat hacker's behavior.

    I found a vulnerability similar to the iPad one, except it was probably worse because it had to do with hospital patient information. After paying one of my hospital bills, I realized that the receipt link they sent me used a number that could be incremented, and it would reveal certain private patient information such as their patient ID, the amount of their bill, address, etc... What did I do in this situation? Did I write a script to harvest all the data? Did I tell my hacker friends about it and how they could get that data too? No, I didn't, because that would be the unethical thing to do. What I did was report it to the hospital's IT department so they could fix the issue.

     


  8. Anonymous Coward, Nov 21st, 2012 @ 8:10pm

    It sounds like they are just trolling some trolls.

     


  9. Anonymous Coward, Nov 21st, 2012 @ 8:25pm

    Re:

    My point exactly. How much prison time did you get for exposing that security flaw?

     


  10. marie, Nov 21st, 2012 @ 8:30pm

    Re: white hat or black hat behavior?

    Re: Unethical or ethical behavior of hackers finding a vulnerability in AT&T's computer security. Doing the "ethical thing" doesn't sound like much fun, and who knows whether or not changes would have been made without all the news generated by the "unethical hackers"?

     


  11. scichotic (profile), Nov 21st, 2012 @ 8:37pm

    Completely misleading article title. Especially if you click through the links and read the actual chat logs. Saying "i f-ing struck oil" while talking about what illegal things you can do with the information paints a pretty clear picture, and their actions afterwards don't appear entirely noble.

     


  12. Anonymous Coward, Nov 21st, 2012 @ 9:32pm

    "Completely misleading article title. Especially if you click through the links and read the actual chat logs. Saying "i f-ing struck oil" while talking about what illegal things you can do with the information paints a pretty clear picture, and their actions afterwards don't appear entirely noble."
    Weird that the information went public, rather than them acting on those less than noble actions and reaping the rewards.

    Outlining how I could rob a bank is not equivalent to robbing a bank.

     


  13. Mike Masnick (profile), Nov 21st, 2012 @ 9:49pm

    Re:

    Completely misleading article title. Especially if you click through the links and read the actual chat logs. Saying "i f-ing struck oil" while talking about what illegal things you can do with the information paints a pretty clear picture, and their actions afterwards don't appear entirely noble.

    So you're assuming that intent is the key measure in whether or not it was unauthorized access? That would seem to open a huge can of worms you don't want open.

     


  14. Anonymous Coward, Nov 21st, 2012 @ 10:48pm

    Re: Re: white. hat

    Assange already leaked this!

    That's why the US government brand him a terrorist.

     


  15. skpg (profile), Nov 21st, 2012 @ 11:52pm

    Five years in jail for that ****?

    Talk about a violation of civil liberties. I do know that the CFAA has been revised to be more "severe" towards hackers. What a corrupt government, he really didn't do anything other than expose a security hole. The Swartz case and the appeal of Auernheimer's conviction may give us a clearer picture of how far you can go before a harmless prank becomes a federal felony.

     


  16. Josef Anvil (profile), Nov 22nd, 2012 @ 12:01am

    Re: It's the same thing!!!

    "Outlining how I could rob a bank is not equivalent to robbing a bank."

    Yes it is equivalent, and because it's the same thing there are quite a few people in Hollywood who need to be arrested and locked up for a long time.

    The Italian Job
    Die Hard
    Heist
    Gone in 60 seconds

    And that's just theft. What about murder???? Oh there are a lot of writers in Hollywood that need to be in jail for a long time.

     


  17. That Anonymous Coward (profile), Nov 22nd, 2012 @ 12:46am

    Re:

    Did they send you a bill for them having to fix the system?
    And did they actually fix the system, or just decide to file your name for the day someone abuses the system and shift the blame onto you?

     


  18. That Anonymous Coward (profile), Nov 22nd, 2012 @ 12:51am

    And the most important lesson we can learn is, corporations are always right.
    Corporations can't be held responsible for doing a piss poor job.
    And if you find a security hole, forget about it immediately, security through obscurity is the best policy.

    If he's getting 5 years for "hacking", is AT&T getting a 500 million fine for not bothering to secure the system in the first place?

     


  19. Anonymous Coward, Nov 22nd, 2012 @ 1:06am

    Typical US thinking. Blame the messenger, not the sender.

     


  20. The eejit (profile), Nov 22nd, 2012 @ 2:56am

    Re:

    I'm not sure you understand the difference between talk and action.

     


  21. Anonymous Coward, Nov 22nd, 2012 @ 4:33am

    Re: Re:

    What do you call writing a script and harvesting 100,000+ e-mail addresses and sharing that script with others? I think most (including the jury) view that as action.

     


  22. Anonymous Coward, Nov 22nd, 2012 @ 5:03am

    Re: Re: Re:

    Sharing vulnerabilities is common place.
    Have you never heard of CVE?

     


  23. Anonymous Coward, Nov 22nd, 2012 @ 5:16am

    Really gives encouragement to someone else to do the same, eh? Perhaps next time, when no one bothers to tell AT&T, they can find themselves on the receiving end of some serious security breaches that result in ordinary people having their information broadcast and used nefariously. If AT&T then get a good shafting, perhaps they would be more thankful than court happy. Overall though, this has only been done so AT&T can try to save face and pass the buck for their own total fuck up!

     


  24. Rekrul, Nov 22nd, 2012 @ 6:20am

    So how exactly are they going to describe what he actually did? "Felony alteration of URLs"? "Illegal tampering with a web link"?

    So I guess it's now illegal to manually type in URLs in a browser because you might accidentally mistype one and end up on a page you're not supposed to be able to access.

     


  25. Anonymous Coward, Nov 22nd, 2012 @ 6:48am

    Re: Re: Re: Re:

    Yeah, but what does that have to do with writing a script to harvest 100,000 e-mail addresses and sharing that script?

     


  26. Chad, Nov 22nd, 2012 @ 9:17am

    Not sure I have pity...

    I get the idea that bad things could have been done, but weren't, but does that make it white hat, ie: ethical?

    Regardless of who a hacking or security breach happens to (corporate or otherwise), I always relate it to myself personally. If I had my home broken into but nothing was stolen, and the only purpose of the break in was to say "Hey look, your window on the second floor was left unlocked", it would be unsettling, it would be a violation, and it would cause me all kinds of stress. I would hope that it would be considered illegal, and I would hope that the person who broke in would be dealt with. Obviously I would have blame for not locking the window, but like hell I'm going to thank someone for breaking into my private property.

    Relating it closer to the technology world, the same could be said about, say, my email account. If someone finds a hole in my email provider's system and merely says "Look, I could have read all of those private emails, leaked them, or done damaging things with the accounts, but I didn't"..... I would still be pretty upset that someone had access to it at all. The email provider obviously has blame (lots of blame), but I would still question the morals of the person who gained access, I'd be concerned about the status of my email data / contact list, and again it would cause me unnecessary stress.

    Now.... if in both hypothetical cases, the person who broke in is known to not be the most noble of people out there, and in fact admits to being a troublemaker, it definitely wouldn't make me feel any better about it. In fact, it would make me question the morals of the action and question what really happened to my property / data.

     


  27. lolzzzzz, Nov 22nd, 2012 @ 9:26am

    hackers STOP telling them NOW

    Don't deface websites and let them know anymore.
    Don't tell them anything, and now you will have vulnerabilities that last longer.

    The longest I held was on an AIX Unix system for 10 years.
    While leaving a program in non-root called oteacher which required root access for like 2 seconds,
    I accidentally hit a 3rd key (breaking out)
    and up came the lovely $.
    We completely copied the login system, then put it on every PC, and when everyone came in and logged in, well, we had every login and password.

    Have a nice day. It's fun out there when ya step out on the info highway; ya never know what adventures ya gonna have.

     


  28. Anonymous Coward, Nov 22nd, 2012 @ 10:24am

    Nothing wrong with the judge in this case, then! Could he not have directed or overruled the jury verdict?

     


  29. Chosen Reject (profile), Nov 22nd, 2012 @ 2:03pm

    Re: Re: Re: Re: Re:

    If all you have to do is increment the id, then anyone who has taken a first semester programming class and a lot of people that haven't could write that script up in 5 minutes or less. Sharing the script has nothing to do with it. I imagine they wrote a script to see if incrementing really was all you had to do. Write the script that increments and see if you get an email address for each one. Wouldn't take too long and is not necessary to share, but not sharing isn't going to be even the slightest hindrance to anyone.

     


  30. Anonymous Coward, Nov 22nd, 2012 @ 2:56pm

    Re:

    Actually, the RICO laws make discussing a crime a conspiracy with a greater penalty than actually committing the crime.

     


  31. smalley, Nov 22nd, 2012 @ 3:09pm

    Bottom line is they did it, they admitted they did it, and they knew it was illegal. They also said they did it to see if they could, not to report a flaw in the code or the op syst. They gave the hack to a third party and that's collusion after the fact and before they contacted anyone from AT&T. I would have found them guilty and I'm on their side.

     


  32. Anonymous Coward, Nov 22nd, 2012 @ 6:55pm

    Re:

    Hear, hear.

     


  33. Anonymous Coward, Nov 23rd, 2012 @ 5:56am

    FREE Weev

     


  34. Anonymous Coward, Nov 23rd, 2012 @ 5:59am

    AT&T are the victim ?

    Who cares if they treat customers with disregard and put their info out there for anyone to get.

    AT&T should be sent to Jail for five years for being retarded.


    FREE WEEV

     


  35. candide08, Nov 23rd, 2012 @ 7:40am

    Whistleblowers?

    Why couldn't these guys be protected as whistle-blowers?

    AT&T should be paying them. Leaving the flaw unexposed would have posed a much greater risk.

     


  36. DC (profile), Nov 23rd, 2012 @ 3:06pm

    Re: Not sure I have pity...

    The situation is not the same. If someone slipped a note in your post box saying "your window is unlocked", you would be very creeped out, but also lock your damned window and thank god you hadn't been robbed already.

    The problem is that companies like ATT ignore those notes. The only time they fix their vulnerabilities is if there is a big public media blow up.

    BTW when I was in university, we were frequently pranking (whitehatting) each other, and we learned how to lock our shit up. It is helpful.

     


  37. Anonymous Coward, Nov 23rd, 2012 @ 6:53pm

    Re: Re:

    I hear crime being discussed on the news all the time. It's a conspiracy, I tell ya!

     


  38. orbitalinsertion (profile), Nov 24th, 2012 @ 3:44pm

    Re:

    So if they had addressed the situation in dry technical terms instead of casual chat, it would have been a whole different thing, right?

    You noticed they didn't take the five minutes to actually abuse the system for their profit, didn't you?

     


  39. orbitalinsertion (profile), Nov 24th, 2012 @ 3:46pm

    Re: Re:

    That would be planning an actual crime with intent to commit it. Otherwise you could arrest every cop and prosecutor who ever existed.

     


  40. orbitalinsertion (profile), Nov 24th, 2012 @ 3:49pm

    Re:

    Yep. If someone has unprotected directories which they intend to remain hidden, and you simply remove one directory level in a URL exposing the (not intended for access) parent directory, you are a criminal hax0r deserving a flogging, three beatings, and twenty years in prison (maximum security).

     


  41. orbitalinsertion (profile), Nov 24th, 2012 @ 3:56pm

    Re: Not sure I have pity...

    Hypothesize all you want. What was done wasn't breaking in to anything. No one had to crack a password or change permissions or trawl a raw database. There was no cracking, white or black hatted, involved.

    And, seriously, everyone needs to quit equivocating (in bad metaphors, especially) things which are not remotely equivalent, but to which they have similar emotional reactions.

    Now, if some actual breaching were involved, you might be able to stretch this into being akin to a B&E. But no, not even close. It's more like dancing naked in your all-glass house and just expecting no one to look. If there is a crime in that situation, it isn't on the part of the onlookers, even if they now specifically visit your neighborhood to see you dance.

     


  42. orbitalinsertion (profile), Nov 24th, 2012 @ 3:59pm

    Re:

    Doesn't matter if they are the biggest assholes in the world. They didn't do anything to profit from the completely stupid and horrible vulnerability they found.

     


  43. Anonymous Coward, Nov 25th, 2012 @ 5:45pm

    Re: Re:

    No, but they did harvest over 100,000 e-mail addresses and share their knowledge of the vulnerability with others. I'm pretty sure you don't need to show a profit in order to be guilty of a crime. This all could have been avoided if they simply disclosed the security issue to ATT and closed the books on it.

     


