Expose Blatant Security Hole From AT&T… Face Five Years In Jail

from the security-through-threat-of-intimidation dept

A few years ago, we wrote about some hackers who exposed a really basic security flaw in AT&T’s setup for iPad users. Basically, if you fed an ID to a website, it would return the email address of the account. And, on top of that, AT&T appeared to hand out the IDs in numerical order, so it was easy to just run through a bunch of IDs in order and collect a ton of users’ info. And that’s what these hackers did — collecting a variety of emails including the President of News Corp., the CEO of Dow Jones and Mayor Bloomberg in New York. They got lots of other government officials as well: “Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others.”

This seemed like a pretty massive flaw in the design of the system by AT&T… but of course, all of the blame is falling on the guys who exposed the hole. It seems noteworthy that the pair of hackers who exposed this are known for trollish online behavior, and Andrew Auernheimer, who goes by the name weev, has flat out called himself an internet troll. It seems that the FBI decided to use the trollish nature of Auernheimer and collaborator Daniel Spitler to argue that this hack actually violated the incredibly poorly-worded and misunderstood Computer Fraud and Abuse Act (CFAA). That’s a law that we’ve been discussing for a few years now, as law enforcement and courts keep trying to stretch the definition of what counts as “unauthorized access” under the bill.

Unfortunately, in this case, a jury was convinced that the discovery of this security hole left by AT&T was actually a crime, and Auernheimer is now facing five years in jail. Not surprisingly, he plans to appeal. Of course, part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question, before eventually just revealing the security hole to the media.

Obviously, there may be a fine line between “white hat” exposure of security flaws and nefarious activity, but given that all that really happened here was the exposure of really poorly thought-out programming by AT&T, it seems bizarre that the guy who exposed it is now facing years in jail.
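To make the flaw concrete from the defender's side, here is an added example (not code from the article, from AT&T, or from the people involved) modelling the lookup as the post describes it: an endpoint where a sequential ID alone returns the account's e-mail, a hardened version where a random per-account token must accompany the ID, and a log check that flags a client walking IDs in order. The account table, tokens, IP addresses and log lines are all constructed for illustration.

```python
"""Added example: enumerable-ID lookup, its hardened form, and a detection check.
Nothing here is the real AT&T service; all data is constructed."""
import hmac
import re
import secrets
from collections import defaultdict
from typing import Optional

# Constructed account table: sequential IDs map to subscriber e-mail addresses.
ACCOUNTS = {
    "89014100000000001": "alice@example.com",
    "89014100000000002": "bob@example.com",
    "89014100000000003": "carol@example.com",
}


def lookup_vulnerable(device_id: str) -> Optional[str]:
    """The flaw as the article describes it: the ID alone is the credential.
    Because IDs are handed out in order, guessing valid ones is trivial."""
    return ACCOUNTS.get(device_id)


# Hardened: each account gets a random token that cannot be derived from its ID.
# Assumption for this example: the token is issued to the account holder out of band.
TOKENS = {acct_id: secrets.token_urlsafe(32) for acct_id in ACCOUNTS}


def lookup_hardened(device_id: str, presented_token: str) -> Optional[str]:
    """Return the e-mail only when the caller presents the token issued for that ID.
    Unknown IDs and wrong tokens yield the same None, so the response does not
    reveal which IDs exist; compare_digest avoids a timing side channel."""
    expected = TOKENS.get(device_id)
    if expected is None:
        return None
    if not hmac.compare_digest(expected.encode(), presented_token.encode()):
        return None
    return ACCOUNTS[device_id]


# Detection: flag a source that requests a run of consecutive IDs.
# Constructed access-log format: "<src-ip> GET /account?id=<digits> <status>"
LOG_LINE = re.compile(r"^(?P<src>\S+) GET /account\?id=(?P<id>\d+) (?P<status>\d{3})$")


def find_enumerators(log_lines, min_run: int = 5) -> dict:
    """Return {src: longest_consecutive_run} for sources whose requested IDs
    contain a run of at least min_run consecutive integers, in request order."""
    ids_by_src = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # ignore lines that are not account lookups
        ids_by_src[m["src"]].append(int(m["id"]))

    flagged = {}
    for src, ids in ids_by_src.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[src] = best
    return flagged


# Constructed sample log: one ordinary client, one client stepping through IDs.
SAMPLE_LOG = [
    "198.51.100.7 GET /account?id=89014100000000002 200",
    "203.0.113.9 GET /account?id=89014100000000001 200",
    "203.0.113.9 GET /account?id=89014100000000002 200",
    "203.0.113.9 GET /account?id=89014100000000003 200",
    "203.0.113.9 GET /account?id=89014100000000004 404",
    "203.0.113.9 GET /account?id=89014100000000005 404",
    "203.0.113.9 GET /account?id=89014100000000006 404",
    "198.51.100.7 GET /account?id=89014100000000002 200",
    "not a log line",
]

if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("89014100000000002"))
    print("hardened, no token:", lookup_hardened("89014100000000002", "guess"))
    print("hardened, right token:",
          lookup_hardened("89014100000000002", TOKENS["89014100000000002"]))
    print("flagged sources:", find_enumerators(SAMPLE_LOG))
```

The two fixes work together: the random token means an ID is no longer a secret the server has to protect, and the log check gives operations a signal even before the fix ships, since a client that touches many consecutive IDs (including ones that 404) looks nothing like a device fetching its own account.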


Comments on “Expose Blatant Security Hole From AT&T… Face Five Years In Jail”

Anonymous Coward (user link) says:

white. hat

What's coming, or due to come, out of this case, as has indeed arisen during those of Manning/Assange and Hammond, is the conflict between an authoritarian bad Gov determined to assert failing power and idealistic techno-savvy young who have a drum to beat. Something's got to give and my money is on the overwhelming spirit of and desire for real far-reaching social change. Law please follow

MrWilson says:

Re: white. hat

My prediction is that it will take some form of government scandal or exposed brutalization of apparently innocent people in order to build enough public outcry leverage in order to get the government to decrease the severity of such absurd law enforcement efforts, and it will likely only do so because of political infighting in which some otherwise momentarily disadvantaged partisan group will see championing such a cause as an opportunity to regain power.

teka (profile) says:

Re: Re:

report security flaw to some ATT email address.. nothing happens.

report massive breach to ATT and the media with a huge stack of big names in the files.. things might get fixed.

As for the number of addresses.. I bet it was the work of just a few minutes to knock together some software tool that incremented through the numbers and gobbled the information at speed. Let that run then go back through to search for interesting names. This is not like doing 114,000 bank robberies or kicking 114,000 kittens.

@blamer (profile) says:

Re: harvesting

I thought the same.

Unless weev could show his “bad” harvesting act is what (made it newsworthy hence) motivated AT&T to hide that customer data.

“part of the issue is that Auernheimer discussed, but did not actually do, a variety of bad things he could have done with the data in question”

That mouth-flapping sounds exactly like a responsible white hat to me. Think like a black hat. The professional’s mantra.

M. says:

I don’t see it this way. If you go back and read the original news articles regarding this security flaw, these guys wrote a script and started harvesting email addresses. They also shared the script with others. That’s not a white hat hacker’s behavior.

I found a vulnerability similar to the iPad one, except it was probably worse because it had to do with hospital patient information. After paying one of my hospital bills I realized that the receipt link they sent me used a number that could be incremented and it would reveal certain private patient information such as their patient ID, amount of their bill, address, etc… What did I do in this situation? Did I write a script to harvest all the data? Did I tell my hacker friends about it and how they can get that data too? No, I didn’t, because that would be the unethical thing to do. What I did was report it to the hospital’s IT department so they could fix the issue.

Mike Masnick (profile) says:

Re: Re:

Completely misleading article title. Especially if you click through the links and read the actual chat logs. Saying “i f-ing struck oil” while talking about what illegal things you can do with the information paints a pretty clear picture, and their actions afterwards don’t appear entirely noble.

So you’re assuming that intent is the key measure in whether or not it was unauthorized access? That would seem to open a huge can of worms you don’t want open.

Chosen Reject (profile) says:

Re: Re: Re:3 Re:

If all you have to do is increment the id, then anyone who has taken a first semester programming class and a lot of people that haven’t could write that script up in 5 minutes or less. Sharing the script has nothing to do with it. I imagine they wrote a script to see if incrementing really was all you had to do. Write the script that increments and see if you get an email address for each one. Wouldn’t take too long and is not necessary to share, but not sharing isn’t going to be even the slightest hindrance to anyone.

Anonymous Coward says:

“Completely misleading article title. Especially if you click through the links and read the actual chat logs. Saying “i f-ing struck oil” while talking about what illegal things you can do with the information paints a pretty clear picture, and their actions afterwards don’t appear entirely noble.”
Weird that the information went public, rather than them acting on those less than noble actions and reaping the rewards.

Outlining how I could rob a bank is not equivalent to robbing a bank.

Josef Anvil (profile) says:

Re: It's the same thing!!!

“Outlining how I could rob a bank is not equivalent to robbing a bank.”

Yes it is equivalent, and because it’s the same thing there are quite a few people in Hollywood who need to be arrested and locked up for a long time.

The Italian Job
Die Hard
Gone in 60 seconds

And that’s just theft. What about murder???? Oh there are a lot of writers in Hollywood that need to be in jail for a long time.

skpg (profile) says:

Five years in jail for that ****?

Talk about a violation of civil liberties. I do know that the CFAA has been revised to be more “severe” towards hackers. What a corrupt government, he really didn’t do anything other than expose a security hole. The Swartz case and the appeal of Auernheimer’s conviction may give us a clearer picture of how far you can go before a harmless prank becomes a federal felony.

That Anonymous Coward (profile) says:

And the most important lesson we can learn is, corporations are always right.
Corporations can’t be held responsible for doing a piss poor job.
And if you find a security hole, forget about it immediately, security through obscurity is the best policy.

If he’s getting 5 years for “hacking”, is AT&T getting a 500 million fine for not bothering to secure the system in the first place?

Anonymous Coward says:

really gives encouragement to someone else to do the same, eh? perhaps next time, when no one bothers to tell AT&T, they can find themselves on the receiving end of some serious security breaches that result in ordinary people having their information broadcast and used nefariously. if AT&T then get a good shafting, perhaps they would be more thankful than court happy. over all though, this has only been done so AT&T can try to save face and pass the buck for their own total fuck up!

Chad says:

Not sure I have pity...

I get the idea that bad things could have been done, but weren’t, but does that make it white hat, i.e. ethical?

Regardless of who a hacking or security breach happens to (corporate or otherwise), I always relate it to myself personally. If I had my home broken into but nothing was stolen, and the only purpose of the break-in was to say “Hey look, your window on the second floor was left unlocked”, it would be unsettling, it would be a violation, and it would cause me all kinds of stress. I would hope that it would be considered illegal, and I would hope that the person who broke in would be dealt with. Obviously I would have blame for not locking the window, but like hell I’m going to thank someone for breaking into my private property.

Relating it closer to the technology world, the same could be said about, say, my email account. If someone finds a hole in my email provider’s system and merely says “Look, I could have read all of those private emails, leaked them, or done damaging things with the accounts, but I didn’t”….. I would still be pretty upset that someone had access to it at all. The email provider obviously has blame (lots of blame), but I would still question the morals of the person who gained access, I’d be concerned about the status of my email data / contact list, and again it would cause me unnecessary stress.

Now…. if in both hypothetical cases, the person who broke in is known to not be the most noble of people out there, and in fact admits to being a troublemaker, it definitely wouldn’t make me feel any better about it. In fact, it would make me question the morals of the action and question what really happened to my property / data.

DC says:

Re: Not sure I have pity...

The situation is not the same. If someone slipped a note in your post box saying “your window is unlocked”, you would be very creeped out, but you would also lock your damned window and thank god you hadn’t been robbed already.

The problem is that companies like ATT ignore those notes. The only time they fix their vulnerabilities is if there is a big public media blow up.

BTW when I was in university, we were frequently pranking (whitehatting) each other, and we learned how to lock our shit up. It is helpful.

orbitalinsertion (profile) says:

Re: Not sure I have pity...

Hypothesize all you want. What was done wasn’t breaking in to anything. No one had to crack a password or change permissions or trawl a raw database. There was no cracking, white or black hatted, involved.

And, seriously, everyone needs to quit equivocating (in bad metaphors, especially) things which are not remotely equivalent, but to which they have similar emotional reactions.

Now, if some actual breaching were involved, you might be able to stretch this into being akin to a B&E. But no, not even close. It’s more like dancing naked in your all-glass house and just expecting no one to look. If there is a crime in that situation, it isn’t on the part of the onlookers, even if they now specifically visit your neighborhood to see you dance.

lolzzzzz says:

hackers STOP telling them NOW

don’t deface websites and let them know anymore
don’t tell them anything and now you will have vulnerabilities that last longer

the longest I held was on an AIX Unix system for 10 years.
while leaving a program in non-root called oteacher which required root access for like 2 seconds
I accidentally hit a 3rd key (breaking out)
and up comes the lovely $
we completely copied the login system then put it on every PC and when everyone came in and logged in, well, we had every login and password.

have a nice day its fun out there when ya step out on the info highway , ya never know what adventures ya gonna have.

smalley says:

Bottom line is they did it, they admitted they did it, and they knew it was illegal. They also said they did it to see if they could, not to report a flaw in the code or the op syst. They gave the hack to a third party and that’s collusion after the fact and before they contacted anyone from AT&T. I would have found them guilty and I’m on their side.

Anonymous Coward says:

Re: Re: Re:

No, but they did harvest over 100,000 e-mail addresses and share their knowledge of the vulnerability with others. I’m pretty sure you don’t need to show a profit in order to be guilty of a crime. This all could have been avoided if they simply disclosed the security issue to ATT and closed the books on it.
