
Hackers Claim To Hit T-Mobile Hard

dasButcher writes "Hackers are claiming to own T-Mobile USA's servers and to have access to the cellular phone carrier's operations, finance and subscriber data." (Here's the seclists.org post of the claimed breach.)
  • Re:Why.... (Score:5, Insightful)

    by tftp ( 111690 ) on Sunday June 07, 2009 @04:46PM (#28243895) Homepage

    Why isn't this stuff encrypted?

    My guesses: legacy, convenience, lack of care, lack of duty.

  • by otter42 ( 190544 ) on Sunday June 07, 2009 @04:46PM (#28243897) Homepage Journal

    Now, I'm not going to cheer crackers breaking into a private corporation's data services. The breach has tremendous privacy implications, and a lot of these fall squarely on the head of the consumer. However, I'd like to see a silver lining to this by seeing the data employed to put paid to the idea that SMSes have to cost so much. Time after time, the data has shown that SMSes *should* be giant cash cows for these monopolistic entities, but lacking internal financial data it has always been difficult to make an issue out of this at Congress. Of course the cell companies have every interest to keep this data private, but maybe in this case T-Mobile won't have the choice.

  • by nanospook ( 521118 ) on Sunday June 07, 2009 @04:47PM (#28243899)
    Maybe the hackers can offer better service?
  • by VampireByte ( 447578 ) on Sunday June 07, 2009 @04:49PM (#28243909) Homepage

    From the "hackers": "We already contacted with their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder." Seriously, how do they think T-Mobile's competitors are going to legally pay and use such information?

  • Re:Why.... (Score:5, Insightful)

    by bi_boy ( 630968 ) on Sunday June 07, 2009 @04:50PM (#28243915)
    My guess is the conversations go like this:

    Front-line Manager: We need to encrypt our dataz.
    Middle Manager: How much will this cost?
    Front-line Manager: (insert any number)
    Middle Manager: No.
  • Re:Why.... (Score:5, Insightful)

    by Tanktalus ( 794810 ) on Sunday June 07, 2009 @04:52PM (#28243931) Journal

    What stuff? You mean the raw database? Theoretically, there are various layers of security here: firewalls to the outside, authentication to particular views on the inside where only data you Need To Know is available to you, and proper firewalls on each database server to limit access to the database port(s) and probably ssh.

    If the hackers could get through all of this, they must be *very* good. More likely, however, is that they have someone on the inside which bypasses all of this. And it would bypass the encryption on the data anyway since s/he obviously already had Need To Know to get at the data anyway, and thus would have the decryption key. There isn't much a corporation can do against an insider that needs that info just to perform the job they were hired to perform.

  • by Anonymous Coward on Sunday June 07, 2009 @04:53PM (#28243941)

    Seriously, how do they think T-Mobile's competitors are going to legally pay and use such information?

    Well, what is the value of the information? I can't see it being that useful to a competing carrier.

    The only thing that might be useful is a list of good customers getting close to their end of contract, so you could have a good shot at stealing their business.

  • by jack2000 ( 1178961 ) on Sunday June 07, 2009 @04:56PM (#28243959)
    You think they offered it legally to the competitors?
  • by 93 Escort Wagon ( 326346 ) on Sunday June 07, 2009 @04:57PM (#28243963)

    However, I'd like to see a silver lining to this by seeing the data employed to put paid to the idea that SMSes have to cost so much.

    Yeah, the hackers have sure demonstrated their high ideals by offering the data for sale to the highest bidder. I'm sure they're all just wonderful people who are only thinking of the greater good.

    And yes, that was sarcasm. In truth, my opinion of these guys couldn't be much lower than it currently is.

  • Re:Why.... (Score:1, Insightful)

    by Anonymous Coward on Sunday June 07, 2009 @05:05PM (#28244009)

    If the hackers could get through all of this, they must be *very* good.

    Practical computer security typically has more to do with those responsible for maintaining the security getting sloppy or being un-knowledgeable than with some extreme degree of skill or knowledge on the part of those penetrating the system.

  • by jsveiga ( 465473 ) on Sunday June 07, 2009 @05:08PM (#28244041)

    Interesting. I only saw HP-UX, SunOS, AIX and Linux. No Windows used in T-Mobile, or they could not be cracked? Or T-Mobile just doesn't put anything important on Windows servers?

  • by Anonymous Coward on Sunday June 07, 2009 @05:09PM (#28244051)

    However, I'd like to see a silver lining to this by seeing the data employed to put paid to the idea that SMSes have to cost so much.

    They don't have to cost so much. In fact, the cost of providing SMS service is next to nothing - it's an afterthought that runs in the cell phone control channel.

    HOWEVER, in the real world, the price of a product/service doesn't depend on the cost to provide the service, it depends on what people are willing to pay. The fact that so many people are willing to pay high prices for SMS reflects supply & demand.

    Personally, I never send SMS. If I want to talk to you, I'll call you. Otherwise I'll send email. But I seem to be in the minority.

    A better question is why is there so little competition in SMS prices - is there collusion to avoid competition?

  • by Anonymous Coward on Sunday June 07, 2009 @05:12PM (#28244073)

    And the best thing they can think of doing with it all is to offer it to T-Mobile's competitors? Seriously? I can think of tons of ways to profit off of all that information.

    However not one of those ways involves attempting to sell the information to companies that are legally required to report it. Or when that fails, announcing it to the public and getting every police agency in the world on my trail.

  • Except that's not what's happening. Instead of competing, everyone's saying "we'll charge the same rate per message" while that same rate is still insanely high.
  • by cdrguru ( 88047 ) on Sunday June 07, 2009 @05:20PM (#28244139) Homepage

    So what? Are you just complaining because the price is high, or are you prevented from using SMS services because of the pricing?

    What possible relationship should the price to the consumer have to what it really costs? Do you believe there is any relationship between consumer products and the price charged? If you do, you are sadly mistaken. The prices to the consumer have nothing to do with "costs", especially material costs. It has to do with what the market will pay. If they charge $1 a message and people will pay it, that is the price.

    And why would you want the government to get involved? Do you think the government should regulate all prices? Did you think the price of a car is closely tied to the cost of the materials? How about books? Do you think a 100 page book absolutely has to cost less than a 200 page book? Aren't you confused when you go to the store and the prices do not reflect this? Should the government fix this problem?

    No, the government shouldn't have anything to do with this. A bit of education will teach you that prices have nothing whatsoever to do with costs - lots of stuff is sold for less than it costs to make it. Plenty more stuff is sold for way, way more than it costs to make it.

  • Re:worthless data! (Score:5, Insightful)

    by John Hasler ( 414242 ) on Sunday June 07, 2009 @05:24PM (#28244183) Homepage

    What is there in this data that would cause an AT&T executive to risk losing his job and perhaps going to prison?

  • by otter42 ( 190544 ) on Sunday June 07, 2009 @05:24PM (#28244185) Homepage Journal

    Why should Congress bother with SMS pricing? Isn't that what competition is for?

    Why? Because the cell providers are monopolies, created in part through the (very necessary) restriction of broadcast frequencies. Contrary to popular opinion, government *is* supposed to do good things for its citizens. I really admire that the EU has chosen to take the cell providers over there head-on, forcing them to lower rates. I disagree with how they did it, but that's only because they chose to regulate maximum prices instead of just breaking the monopolies up.

    So when there were sufficient cell companies to have competition, American cell prices were the lowest in the world by far. Now that all the small players have been gobbled up, and we're only left with effectively three companies, there is no more competition.

  • by otter42 ( 190544 ) on Sunday June 07, 2009 @05:37PM (#28244299) Homepage Journal

    Ah, but these are not governmental-backed monopolies that are essential to life, now are they? Don't like GM, but something else (everyone else sure did). DVD too expensive? Rent it, watch another movie, or just pass it up.

    Telephone, internet, electricity, or water too expensive? Too bad, suck it up and pay, because by all normal metrics, these are the basic tenets of modern life.

    So when the few remaining cell phone operators pretty much simultaneously raised rates on SMSes, at a time when the whole gov't was turning a blind eye to any form of regulation (thus leading to the current world-wide crisis), smacks strongly of collusion. Which is when the gov't is supposed to intervene.

    Guys, busting up AT&T was the *best* thing that ever happened to American telecommunications. To believe some people here on /., that should never have happened.

  • by forgottenusername ( 1495209 ) on Sunday June 07, 2009 @05:50PM (#28244405)

    I'll wait for some validation. Cuz, you know;

    prodsrv1|192.168.1.200|root@cia.gov sekret files|for realz|RHEL4

    isn't especially convincing.

    Even if it's a real list, it could be something as simple as a pilfered company document off a laptop, a script-kiddie wannabe hacker employee showing off to his friends on IRC, or any of a hundred scenarios.

    Do I doubt it's difficult to own a bunch of HP-UX boxes? Nah.

    Have I learned to not spastically freak out every time some random people claim they hacked something? Yah.

    Trouble is, T-Mobile wouldn't exactly be forthcoming with any confirmations.

    At the end of the day, you just have to plan around being hacked. You have to ensure your payment method associated with external services can handle being owned. You have to be ready for people getting your SSN and private info, since it's moronically being used for frivolous purposes everywhere.

    Which is not to say you shouldn't do your best to keep your data protected and secure - I just try to plan around any data I give out to various companies being owned.

  • Re:Why.... (Score:3, Insightful)

    by blitzkrieg3 ( 995849 ) on Sunday June 07, 2009 @05:50PM (#28244419)
    There is no way to know and it's a moot point. Presumably they attacked the systems while they were live, so the information would have been decrypted anyway in order for the database system to access it. There is also the inside job scenario that someone outlined above.

    Encryption doesn't really matter in this type of break in, it's more for "oh shit I left my hard drive and laptop in an airport" type of scenarios.
  • Re:Why.... (Score:5, Insightful)

    by N7DR ( 536428 ) on Sunday June 07, 2009 @05:51PM (#28244425) Homepage

    As a purveyor of security software (to a different industry), I've seen countless times that almost always the conversation really does go along an only slightly-less direct route:

    A. We need to secure X
    B. How much does it cost?
    A. (insert any dollars)
    B. Do we have to spend that?
    A. We do if we want to be reasonably secure.
    B. (thinks... We're smart people; we can install a few firewalls; that'll keep the Bad Guys out)
    B. (Having insight) But this is like insurance, right? If we keep people out of the network, we don't get anything for those dollars.
    A. Well, sort of, I suppose so.
    B. Right, we'll save those dollars.

    ---

    You have to assume that Bad Guys CAN get into your network if they really want to. Because the truth is, whatever your in-house people have told you, they can. If you doubt me, talk to people whose job is to break into networks. All the ones I've known will tell you that 100% of targeted commercial networks fall to a concerted attack.

    When they do fall, security's job is to make sure, at a minimum:
        1) the Bad Guys can't learn anything useful
        2) the Bad Guys can't interfere with the service you're selling
        3) there's a high probability that you'll detect the event and be able to track the Bad Guys

    B's insight isn't a bad one at all... security *is* a kind of insurance. Which means that most of the time, if you have a well-designed system you really are "wasting" the dollars. But one day you or your successor will regret those "saved" dollars.

    B's job really is to make a proper cost/benefit analysis. My experience is that that almost never happens. They either just "save" the dollars without thinking or, more often, either a) look to what their competition is doing or b) assume that the risk is so small ("we haven't been hacked so far") that it's not worth spending any money.

  • Re:worthless data! (Score:5, Insightful)

    by plover ( 150551 ) * on Sunday June 07, 2009 @06:02PM (#28244545) Homepage Journal

    If I were an AT&T official and they contacted me? I'd absolutely be interested. I'd also be on the phone to internal corporate security and the FBI before I finished reading the email.

    If this story is true, those are some mighty bold thieves. AT&T probably has more resources than anyone else on the planet for tracking down the originator of that communication. For that matter, AT&T are probably the ones the FBI contacts when they want to hunt down a bad guy, so you know there's a long relationship there, too.

    Times may be tough, but various competing corporations often have informal and even friendly relationships with each other when it comes to Loss Prevention departments. They share info on thieves and threats, and despite outward animosity between two competing companies, their L.P. departments do tend to help each other out with situations like these. I know that's the case in retail, where organized crime investigations actually can have cooperation between companies like Walmart and Best Buy. There's definitely an "old boy's network" behind the scenes as these employees shift between companies and don't forget their old friends. It's a lot like the cop brotherhood (in part because many of the L.P. staffs are actually retired cops.) AT&T likely wants these guys caught almost as much as T-Mobile does.

  • by Anonymous Coward on Sunday June 07, 2009 @06:07PM (#28244579)

    Also, since customers can't easily switch companies due to contract terms, there is not enough fluidity in the market such that a company which lowers prices can quickly attract customers from another corp, and lead to a price war or reduction in prices.

  • Re:Why.... (Score:4, Insightful)

    by plover ( 150551 ) * on Sunday June 07, 2009 @06:13PM (#28244629) Homepage Journal

    What stuff? You mean the raw database? Theoretically, there are various layers of security here: firewalls to the outside, authentication to particular views on the inside where only data you Need To Know is available to you, and proper firewalls on each database server to limit access to the database port(s) and probably ssh.

    It seems your theory is kind of flawed, because if their protection was indeed that good the thieves probably wouldn't have gotten the data they did.

    I think the reality is they have a firewall, and probably overly simplistic authentication on the databases, and virtually nothing else. Consider an inept DBA running SQL Server 2005 who ties the SQL Server's SA account to the machine's administrator account. And add another inept system administrator who has a shared admin account across all the database servers, as well as some IIS servers and maybe some FTP servers as well. So the hacker worms his way to an admin account on ftp_serve_01.tmobile.com and ta-da! He's suddenly got admin rights to their data!

    Never ascribe to ingenuity that which can be adequately explained by stupidity.

  • by linzeal ( 197905 ) on Sunday June 07, 2009 @06:29PM (#28244733) Journal
    How hard is it to keep Linux, AIX and SunOS servers patched with security updates, seriously? These boxes must have never been properly secured in the first place for that many operating systems to be compromised. I know it is a bit of security through obscurity, but having multiple server OSes usually offers you some protection; to have this many fail seems like they need to pay more $$$$ and get a competent sysadmin group. I would not be surprised if a majority of their day-to-day sysadmin work was outsourced. If you do not have someone that is there with the firewall logs in real time, at least one honeypot behind the firewall and tripwire setups that page everyone but god when your honeypot is disturbed, you are not even trying. Hell, I have that at home.
  • Re:Why.... (Score:2, Insightful)

    by Anonymous Coward on Sunday June 07, 2009 @06:34PM (#28244767)

    Almost any risk can be covered one of two ways:

    1. Absorbing a large cost infrequently.
    2. Spread the cost over your average cases.

    This is simply an application of Murphy's law. Any outcome which is not systematically excluded will occur eventually. You can either incur the overhead of building a system that excludes the negative outcomes or you can accept the risk that they will occur.

    Of course, in practice you can't absolutely exclude negative outcomes, but as you say, you may be able to analyze them and break them down into manageable cases.

  • by Mr2001 ( 90979 ) on Sunday June 07, 2009 @06:40PM (#28244833) Homepage Journal

    The prices to the consumer have nothing to do with "costs", especially material costs. It has to do with what the market will pay. If they charge $1 a message and people will pay it, that is the price.

    No, you're missing an important part of how markets are supposed to work.

    In a free market, if providers A and B are charging $1 for a message, then even if people are willing to pay $1, provider C will notice that they can grab a lot of customers by charging, say, $0.75. They'll lower their prices, and customers will jump at the opportunity to save 25% on their messaging. Then A and B will have little choice but to lower their own prices... and this process will repeat every so often, until the price is so low that it can't be lowered any more (without becoming unprofitable).

    But that hasn't happened. SMS prices have gone up, not down, despite strong evidence that the current price could be slashed dramatically while still remaining profitable (i.e. forwarding an SMS message costs almost nothing). Perhaps the providers are colluding to keep prices high, or perhaps the cost of switching providers is so high that there's effectively no competition. Either way, this is clearly a market failure, and resolving market failures is a duty of the government.

  • by socsoc ( 1116769 ) on Sunday June 07, 2009 @06:48PM (#28244895)

    Guys, busting up AT&T was the *best* thing that ever happened to American telecommunications.

    So the baby bells could reform their monopoly as SBC? Oh and then change back to AT&T and rebuy the spun-off AT&T Wireless? Yeah that worked out well.

  • by Joe U ( 443617 ) on Sunday June 07, 2009 @06:50PM (#28244911) Homepage Journal

    Short answer: no.

    Here's the longer answer:

    I, as a US citizen, am one of the many people who allow corporations to exist. They exist to serve me and other people around me.

    That's it. That's the end of the story, they don't exist to make boatloads of cash. They don't exist to make money for shareholders. They don't exist for any other reason except to improve my life, and the lives of the people around me.

    If a corporation is acting in a poor manner, my government, as a representative of the people, has the right to dictate every detail of how the company can and will act. The company can either dissolve or follow the rules that we set for them.

    If you don't like it, go vote in another form of government.

  • by Anonymous Coward on Sunday June 07, 2009 @06:55PM (#28244959)

    Oh this is hilarious. When T-mobile's stock tanks Monday morning, someone is going to have made a killing on short-selling the stock.

    Follow the money. Who stands to gain a lot by a supposed breach of all of T-Mobile's systems? Is there some proof the system is really hacked? I doubt anyone on ATT or Verizon's payroll would be dumb enough to pull this. But there are lots of hedge fund traders looking for new 'angles' to make a buck, and after having destroyed the banking system, I suspect someone has gotten wise to what could be pulled off with a little hacking. (Or suggestions of hacking)

  • by dbcad7 ( 771464 ) on Sunday June 07, 2009 @07:05PM (#28245045)

    Well, unless you bought your phone at a store with cash, and buy refills the same way..

    I guess I am the "not smart" T-Mobile user, as I bought my prepaid phone through their web site.. You seem to imply that T-Mobile is somehow a fly-by-night company ... They are in fact 8th largest in the world.. Verizon is 14th., AT&T is 15th., Sprint doesn't make the top 20 and they have slightly more than half as many subscribers as AT&T... Of all these companies, why should I not have trust in T-Mobile ?

  • by Unequivocal ( 155957 ) on Sunday June 07, 2009 @07:10PM (#28245083)

    Are you arguing that between the time that AT&T was broken up in the 80's and the time that it essentially reformed as a unified National telecom corporation, there wasn't much innovation and price competitiveness in the US telecom market? Seems like that period of time worked out pretty well in terms of lower prices and new services for commercial and residential customers.

  • by number11 ( 129686 ) on Sunday June 07, 2009 @07:12PM (#28245091)

    I think we are entering an age where everyone knows the employee's loyalty goes just as far as the permanence of their job, and no job is permanent anymore. So everyone is out for themselves, and if they see a chance to grab some kind of a big payoff they are going to take it. Or toss a wrench into the works just to see what happens.

    Well, over the last 20 years or so, companies in general have made it abundantly clear that they feel little or no obligation to their workers. Their stockholders and CEOs, yes, but not their workers. I'm not saying they really ever did, but for perhaps 50 years there was a facade (pensions, long-term employment, etc.).

    So it's entirely reasonable that workers return the favour.

  • by Anonymous Coward on Sunday June 07, 2009 @07:44PM (#28245347)

    "If you are, you better start thinking about where to go next. Their service is now wide open. Anything transferred through their network is now questionable."

    I'm a T-Mobile customer. I use pretty much voice only, no data, I don't text, but I get texts. I have no friends, and largely call my immediate family. The rest of the time, the phone is simply to order takeout, or to pay a bill with a virtual credit card account number, or to call Comcast when their shitty service konks out again.

    The only reason I keep the service is because they are GSM, their low rates compared to Verizon and AT&T, and damn good, friendly customer service. Their CR people try, and I mean really try, but what they have to work with is near worthless.

    For a while now, I've felt they've been owned or would be. If you've ever paid your bill online, and looked at how they handle data, such as the confirmed payment printable receipt, it's obvious they have bad coders--they put your data (i.e. name, address, telephone number, account number, amount paid, etc.) in the https header, which while technically secure/SSL'd, is stupid, since if they have any logging, it likely goes in unencrypted; it's just bad form.

    When you have voicemails 2 weeks old saved that are suddenly deleted, and you call in to find out at least why, and they can't get a trace on the problem, they have an incompetent logging setup.

    When their entire system bonks and deletes everything except the bare necessity in your account, including calling information, which happened to me in February, and again they can't pull up any sort of traceable logs or records to figure out what happened, they have security problems.

    When they do several system "upgrades" over the past few years, and every upgrade has a correlating outage, voicemail loss, or some strange change in features that gets fixed a few days later, you know the people doing this are incompetent, overworked, or working with crap when they can't even perform a basic test or rollout of the new system first.

    Any observant T-Mobile customer knows T-Mobile's underpinnings are really, really, really shitty. And that's aside from their crappy frequency which doesn't seem to penetrate most city buildings and has dropout points in coverage areas which are just weird. It feels as if they have some incompetent, ancient legacy boss who tries to do the right thing but doesn't.

    I hate Verizon given they are the spawn of the hated landline baby bell company. I used to be with AT&T, but their rates just suck. I've been tempted to go to Sprint, but I've heard horrors a few years back about their nationwide coverage.

    You might be asking why I stay with T-Mobile, aside from the fact their rates are cheap. I stay with T-Mobile since, despite all their problems, they've otherwise given me the least grief of any telephone provider I've ever had. Which is sort of a sad comment on the state of cellular providers in the US.
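    The commenter's point above is that customer data placed in the request line is protected by TLS on the wire but lands in plaintext in web server and proxy access logs. As an added example (not the commenter's code, and not T-Mobile's), the following redacts sensitive query parameters before a request is logged and flags unredacted ones in an existing log; the parameter names and the sample log line are constructed.

```python
"""Redact customer PII from request URLs before they reach access logs.

Example added to illustrate the point about data in the request line: TLS
protects it in transit, but logging writes it out in plaintext. The field
names and the sample Combined Log Format line are constructed, not taken
from any real carrier's system.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that must never be logged verbatim (constructed list
# mirroring the fields the commenter saw on a payment receipt).
SENSITIVE_KEYS = {"name", "address", "phone", "account", "amount", "ssn"}

# Fallback: a long digit run (account or phone number) under an unknown key
# is treated as sensitive as well.
DIGIT_RUN = re.compile(r"\d{7,}")

# Matches the quoted request line inside an Apache/Nginx style access log.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')

REDACTED = "[REDACTED]"


def _is_sensitive(key: str, value: str) -> bool:
    return key.lower() in SENSITIVE_KEYS or bool(DIGIT_RUN.search(value))


def redact_url(url: str) -> str:
    """Return url with sensitive query values replaced; other params kept in order."""
    parts = urlsplit(url)
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if _is_sensitive(key, value):
            value = REDACTED
        cleaned.append((key, value))
    # safe="[]" keeps the marker readable instead of %5BREDACTED%5D.
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def redact_log_line(line: str) -> str:
    """Apply redact_url to the request target of one access log line."""
    return REQUEST_RE.sub(
        lambda m: f'"{m["method"]} {redact_url(m["target"])} {m["proto"]}"', line
    )


def find_leaks(line: str) -> list:
    """Detection side: sensitive query keys whose values were logged unredacted."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m["target"]).query
    return sorted(
        {k for k, v in parse_qsl(query, keep_blank_values=True)
         if _is_sensitive(k, v) and v != REDACTED}
    )


# Constructed sample: a receipt request carrying PII in the query string.
SAMPLE_LINE = (
    '203.0.113.5 - - [07/Jun/2009:16:46:00 -0400] '
    '"GET /pay/receipt?account=123456789012&name=Jane+Doe&amount=42.10&lang=en HTTP/1.1" '
    '200 1234'
)

if __name__ == "__main__":
    print("leaks before:", find_leaks(SAMPLE_LINE))
    scrubbed = redact_log_line(SAMPLE_LINE)
    print(scrubbed)
    print("leaks after: ", find_leaks(scrubbed))
```

    The same check can be run over an existing log file to measure how much customer data has already been written out in the clear.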

  • by Anonymous Coward on Sunday June 07, 2009 @07:49PM (#28245373)

    This is not only true for SMS, but all commercial network bandwidth delivery - the marginal cost for extra bits is effectively zero, but the capital costs to build a fast reliable network are very high, and there are also high costs in regular maintenance. The operation of the service is very low cost - basically only power (computers and cooling) once you have the location, the computers, and the system all set up. Oh yeah, and reliable bits are clearly a commodity. Economic theory is *very* clear on this -> cost of commodities moves to the marginal cost, every time. However, this is not true for bandwidth - leading to all sorts of screwy situations.

  • Re:Why.... (Score:5, Insightful)

    by Antique Geekmeister ( 740220 ) on Sunday June 07, 2009 @07:54PM (#28245403)
    And the US export encryption laws, described at http://www.bis.doc.gov/encryption/default.htm. It would also interfere with the Patriot Act warrant- and supervision-free phone tapping, and whatever the NSA has put in lately to tap the major fiber optic backbones without warrant or any appeal to inappropriate monitoring available, as they've previously done to AT&T.
  • by Unequivocal ( 155957 ) on Sunday June 07, 2009 @08:30PM (#28245657)

    Perhaps this is getting pedantic but:

    Health laws for restaurants are applied across the board to all of a certain type of business. Not just corporations. Sole proprietorships, partnerships, llc and corporations.

    Beyond that, health laws aren't micromanaging any one particular business, but managing the behavior of a class of businesses. Which was my point. Laws/regs of corps or business = gov't's main avenue for management.

    Gov't mandating the specific behavior of a single business/corp. = micromanagement (it's done but not nearly as often)

    Probably we're just in violent agreement on this.

  • Re:Be warned! (Score:2, Insightful)

    by Anonymous Coward on Sunday June 07, 2009 @09:36PM (#28246075)
    A warning does not hurt. Ignoring one might.
  • by Anonymous Coward on Sunday June 07, 2009 @10:08PM (#28246249)

    ... which only happened because of *de*regulation.

  • by Anonymous Coward on Sunday June 07, 2009 @10:21PM (#28246329)

    >Their service is now wide open.

    Oh, please. The servers listed are a tiny fraction of Tmo's network. You think they provide billing and data services to 30,000,000+ customers with 511 systems?

    Did you notice how many of those systems had their regions attached? Do all your systems in, say, Kansas have the word Kansas in their /etc/ directory somewhere? This looks more like a "server deployment database dump" than an actual hacker's list of compromised systems.

    Did you notice the variety of systems they claim to have compromised: HPUX, Sun and AIX, and Linux, but not one single Windows server? What are the odds, even if they were all equally secure (cough). The enterprise still uses plenty of Windows software, and it's obvious when dealing with tmo Customer Care that their desktops are Windows. 20k systems in the hands of low-wage employees and not one of them on this list?

    And what did you think the big companies do to keep your phone records safe? With the major carriers all having 20k+ customer care reps, did you expect "DOD Secret Level Clearance" was required to work there? Your phone records at any company are available for a price. ("pssst, no one cares who you're calling.")

    >Their inability to keep hackers out equals no reason to be in business.

    Maybe in BizarroLand. All the proof we have is a list of suspiciously Unix-centric systems that are likely on the T-Mobile network. Compromising a single DNS server in the DMZ might have given them access to some engineer's home directory where a .csv was sitting ready for a perl script to translate it to DNS entries as part of some routine maintenance task. And if they have a friendly customer care rep that will risk their job to provide 3 months worth of phone records for $100.... Well, that hasn't been news in 5 years.

    I think your tinfoil hat needs another layer. Have you tried copper foil for better Chi alignment?

  • Re:nice! (Score:4, Insightful)

    by Brad1138 ( 590148 ) <brad1138@yahoo.com> on Sunday June 07, 2009 @10:37PM (#28246439)

    nice!

    We all joke, and to some extent say, "good job" to the hackers. We forget these guys are no different than the robbers and thugs you see on "cops" or the evening news, they are just more covert. No one cheers on the armed gunman, robbing a convenience store. It bothers me these guys aren't viewed in the same light.

  • Re:nice! (Score:4, Insightful)

    by jamesh ( 87723 ) on Sunday June 07, 2009 @11:19PM (#28246699)

    No doubt that they are bad guys, but to say that they are 'no different' is taking it a little far. How many convenience store robberies have you heard of that have ended badly for the staff? There is a good chance that a convenience store robber is willing to deprive someone of their life to get what they want. A hacker is merely willing to deprive someone of property. They are more like the guy who breaks into the convenience store after hours, with the intent to run away if confronted.

    The curious thing is that the typical slashdotter would have some appreciation for the skills required to pull off such a hack (assuming they didn't just find a backup tape full of passwords in the trash :) - we can more readily identify with the nerd in his basement with the world at his fingertips 'sticking it to the man' than we could with the armed robber desperate to get cash for his next drug hit. And we all hate cell phone companies. I don't know what's on the agenda for these guys though... presumably blackmail or extortion.

    But when you are king and are rounding up all the hackers, remember to include the guys who are unlawfully downloading copyright material too :)

  • by dgcaste ( 1230640 ) on Sunday June 07, 2009 @11:22PM (#28246719)
    The cell companies are not monopolies, they are an oligopoly. They DO compete, but their prices are sticky and their demand is relatively inelastic. What Congress needs to do is outlaw anything that's more than 6 months or a year of a contract. It's not about subsidy since most cell phones are worth pennies, but this would really force them to compete amongst themselves.

    The truth is that cell networks are incredibly expensive to expand and maintain, and even though cell companies are gobbling up profits, something that has become pretty much a necessity is not that expensive. We enjoy a great deal of consumer surplus since people would pay more than what we pay now for cell service. In fact, if it cost the average citizen $300 a month to have a cell phone, many people (including myself) would still have it. Then again, land lines wouldn't be extinct.

  • Re:Why.... (Score:3, Insightful)

    by DigitAl56K ( 805623 ) * on Sunday June 07, 2009 @11:58PM (#28246923)

    Maybe some of it is encrypted. But perhaps with some pilfered credentials a database or other internal system will happily respond to your queries and pass back the results as plaintext. After all, somebody somewhere has to be able to decrypt the customer/billing information or it's useless.

    Encryption isn't the be-all and end-all of security. For example, using TrueCrypt on your laptop is a great idea to reduce your risk in case of theft, but when you've mounted an encrypted partition and someone is rooting your box over the network it's not going to help you.
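    The point about pilfered credentials is worth seeing in code. The following is an added illustration, written for this page and not taken from the comment author or from T-Mobile: a toy billing service whose records are encrypted at rest still hands plaintext to anyone who can pass authentication, so the control that actually bounds the damage lives on the query path (access logging plus a per-principal bulk-read limit). All names, records, credentials and the key are constructed, and the SHA-256 counter-mode cipher is a stand-in for real disk or database encryption, not something to reuse.

```python
"""Added example, not part of the original Slashdot thread: a toy billing
service whose records are encrypted at rest, showing that an attacker holding
valid application credentials still gets plaintext back through the query
path, and that a control on that path (access logging plus a per-principal
bulk-read limit) is what actually bounds the damage. All names, records and
credentials below are constructed; the cipher is a stand-in for real disk or
database encryption, not something to reuse."""
import hashlib
import hmac
import json
from collections import defaultdict


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream (toy stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_at_rest(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


decrypt_at_rest = encrypt_at_rest


def _nonce_for(cid: int) -> bytes:
    return hashlib.sha256(f"customer-{cid}".encode()).digest()[:16]


class BillingStore:
    """Records are ciphertext on disk, but the service holds the key because it
    must answer billing queries, which is the comment's point: anyone who can
    pass authentication gets the same plaintext the legitimate app gets."""

    def __init__(self, key, records, credentials, bulk_threshold=50):
        self.key = key
        self.credentials = credentials        # user -> sha256 hex (toy; use a slow KDF in real code)
        self.bulk_threshold = bulk_threshold  # reads per principal before throttling
        self.access_log = []                  # (user, customer id, outcome)
        self.reads = defaultdict(int)
        self.ciphertexts = {cid: encrypt_at_rest(key, _nonce_for(cid), json.dumps(rec).encode())
                            for cid, rec in records.items()}

    def authenticate(self, user: str, password: str) -> bool:
        expected = self.credentials.get(user)
        given = hashlib.sha256(password.encode()).hexdigest()
        return expected is not None and hmac.compare_digest(expected, given)

    def lookup(self, user: str, password: str, cid: int):
        """Query path: authenticate, enforce the bulk limit, log, then decrypt."""
        if not self.authenticate(user, password):
            self.access_log.append((user, cid, "denied"))
            return None
        self.reads[user] += 1
        if self.reads[user] > self.bulk_threshold:
            self.access_log.append((user, cid, "throttled"))
            return None
        self.access_log.append((user, cid, "ok"))
        return json.loads(decrypt_at_rest(self.key, _nonce_for(cid), self.ciphertexts[cid]))


def suspicious_principals(store: BillingStore) -> list:
    """Detection check: principals that hit the bulk limit or were denied."""
    flagged = set()
    for user, _cid, outcome in store.access_log:
        if outcome in ("throttled", "denied"):
            flagged.add(user)
    return sorted(flagged)


def demo() -> dict:
    """Attacker with a stolen app credential tries to dump every customer record."""
    key = hashlib.sha256(b"constructed-master-key").digest()
    records = {cid: {"name": f"Customer {cid}", "card_last4": f"{cid:04d}"} for cid in range(100)}
    creds = {"billing_app": hashlib.sha256(b"hunter2-constructed").hexdigest()}
    store = BillingStore(key, records, creds, bulk_threshold=50)

    # Reading the raw storage without the key yields no plaintext.
    on_disk_leaks = any(b"Customer" in ct for ct in store.ciphertexts.values())

    # The stolen credential is valid, so the query path decrypts for the attacker
    # until the per-principal limit trips.
    outcomes = defaultdict(int)
    for cid in range(100):
        rec = store.lookup("billing_app", "hunter2-constructed", cid)
        outcomes["plaintext" if rec else "blocked"] += 1
    return {"on_disk_leaks": on_disk_leaks, "plaintext_rows": outcomes["plaintext"],
            "blocked_rows": outcomes["blocked"], "flagged": suspicious_principals(store)}


if __name__ == "__main__":
    print(demo())
```

    Running it shows the raw ciphertexts leaking nothing while the stolen credential still yields 50 plaintext rows before the limit trips; the access log, not the encryption, is what lets a defender notice the bulk read and name the principal behind it.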

  • by King_TJ ( 85913 ) on Monday June 08, 2009 @12:32AM (#28247117) Journal

    I've worked in I.T. long enough to know that the vast majority of security products and services out there are little more than selling companies a "bill of goods". Sometimes, it's a great investment, simply as a CYA move. (As a systems administrator, you're a lot less likely to get fired because of a hack if you can show you tried your best to secure everything, using products X, Y and Z, right?)

    But ultimately, you can go with the most highly regarded firewall product, the top-rated anti-spyware and anti-virus solutions, implement policies requiring employees change their passwords every 30 days, encrypt sensitive information, and the whole 9 yards. But one employee who has been given access is all it takes to make it all come tumbling down. (And I imagine the vast majority of the time, that's a key component of successful hacks anyway. Remember the AOL credit card leaks a while back? Total inside job.)

    In most cases, you really don't have much of a guarantee that a given product truly gives you the security it claims either. How do you REALLY know that expensive firewall doesn't have some kind of back-door in it that's never been publicized? Maybe one of their developers stuck it in there secretly, knowing he'd made FAR more than his salary selling the password to a few key hackers in the underground later?

    Unless a product offers to cover all your expenses to recover from a hack, if their product or service is hacked, it's pretty weak insurance.

  • Hard to tell yet. (Score:5, Insightful)

    by Kadin2048 ( 468275 ) <slashdot.kadin@xox y . net> on Monday June 08, 2009 @01:02AM (#28247245) Homepage Journal

    They might have technical chops or they might just be taking advantage of a disgruntled employee or other low-tech hole; it's impossible to say so far. What's clear is that they obviously had no idea what to do with the data once they got their hands on it.

    I mean, did they really think they could just grab a dump of T-Mobile's customer database and sell it to AT&T? C'mon. Let's think about that for a minute -- what the hell is AT&T going to do with it? I'm sure their marketing department knows all about T-Mobile's demographics versus their own, and if not (and if they care) they could find out with a few calls and some relatively small payments to a research firm. Same with just about anything else I can possibly imagine them extracting from T-Mobile's servers. If AT&T or Verizon is really dying to know something about T-Mobile's operations, they have lots of easier ways to figure it out that involve a lot less risk than buying red-hot DB dumps from criminals.

    Also, anyone with half a brain ought to realize that all the telco companies live in fear of being broken into, and that a major break-in is going to hurt the public's perception of the entire industry. The U.S. cellular telcos are, basically, a cartel: and if there's one thing cartel members hate more than each other, it's disruptive outsiders. T-Mobile's competitors probably didn't respond because they thought it was a joke, or some sort of Nigeria scam; if they'd known it was serious, they almost certainly would have done what Pepsi did [post-gazette.com] and called the cops. Not for altruistic reasons, but for sound business ones: having basically mercenary criminals screwing around, stealing data, scaring customers, and generally upsetting the normal business environment is not to any legitimate player's advantage.

    The other red flag that screams amateur hour about the whole thing is what they did after being turned down by the "competitors" -- they posted what amounts to a "for sale" ad to the Full Disclosure list. They thought that was the best venue for selling a shitload of customer financial records? Really? There are bulletin boards, whole online communities, where criminals trade identity information. It's a mature underground economy; the information they had -- names, addresses, CC numbers, SSNs -- would have been a fungible, commodity product, well-understood and easy to resell for cash.

    However they got the information in the first place, it's pretty clear they didn't think their cunning plan all the way through.

  • Re:worthless data! (Score:3, Insightful)

    by Swampash ( 1131503 ) on Monday June 08, 2009 @01:03AM (#28247253)

    It's not worthless - it's so valuable that it's radioactive. Any competitor coming anywhere near this data would get sued into oblivion.

  • Re:Scamtastic!? (Score:3, Insightful)

    by Architect_sasyr ( 938685 ) on Monday June 08, 2009 @01:32AM (#28247383)

    As if they would confirm this. You'd have to be insane to turn around and go "yes, we have been compromised and any calls you make can and probably will be monitored by hackers". There would be a mass exodus from T-Mobile within the hour, and they would effectively go broke by the end of the month. If I was them, I'd be coordinating teams to vet every single one of the machines to be sure - not adding to the potential for a public hysteria in already troubled environments.

    Even if this is a hoax, which it may well be, you don't want to be talking about it until afterwards when you can say something like "We had hackers breach our perimeter systems, but our superb security teams saw and stopped them before they were able to get anything but our publicly available user manuals". It might be bullshit, but it sounds better than "we've been hacked, you're in the shit". Your average person could deal with the former, but doubtful that they could deal with the latter.

  • by sdnoob ( 917382 ) on Monday June 08, 2009 @03:20AM (#28247895)

    Congress needs to do is outlaw anything that's more than 6 months or a year of a contract

    they need to get rid of the contracts for not only wireless carriers, but wireline and cable, too. you should not have to sign up for a year or two just to get a couple bucks off your telephone or cable bill.

    AND separate cost of hardware from service -- you should be able to buy a handset from anywhere and sign up with whoever you want and have your phone JustWork.

  • Re:Why.... (Score:3, Insightful)

    by tinkertim ( 918832 ) on Monday June 08, 2009 @04:20AM (#28248273)

    And the US export encryption laws, described at http://www.bis.doc.gov/encryption/default.htm [doc.gov]. It would also interfere with the Patriot Act warrant and supervision free phone tapping, and whatever the NSA has put in lately to tap the major fiber optic backbones without warrant or any appeal to inappropriate monitoring available, as they've previously done to AT&T.

    What part of that did you mistake to read "I can't encrypt server side even if I must make clients use clear text"?
