Criminal Charges Filed Against AT&T iPad Attacker
Batblue writes "The US Department of Justice will file criminal charges against the alleged attackers who copied personal information from the AT&T network of approximately 120,000 iPad users, the US Attorney's Office, District of New Jersey announced Monday.
Daniel Spitler will be charged in US District Court in New Jersey with one count of conspiracy to access a computer without authorization and one count of fraud. Andrew Auernheimer will be charged with the same counts at the US Western District Court of Arkansas, which is in Fayetteville.
Auernheimer made headlines last June when he discovered that AT&T's website was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said that nobody from Auernheimer's hacking group contacted them about the flaw."
Umm, yeah... (Score:5, Insightful)
They did switch from "Engaged" to "It's complicated" a while back; but that part didn't change...
Re:This is appropriate (Score:5, Insightful)
That's not the problem.
Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information.
THAT'S the problem. Had he done this, then only sent the data to AT&T rather than publicly releasing it, they likely would be thanking him rather than trying to send him to the pokey.
It's that pesky "went public with the information" part that screwed him up.
Re: (Score:3, Interesting)
Something that's bothering me is that I can't seem to find any notion that AT&T fixed the flaw.
Now I'm willing to take their word that the guy didn't put forth much effort trying to contact them - but it seems like this court case has made it easier for them to brush the issue under the rug rather than fix.
Re: (Score:3)
Re: (Score:1)
IMHO, the problem is the desire to be famous NOW. Sign your leaks with strong encryption and leak them anonymously, and you will be safe.
No. If he wanted to help, he shouldn't have released them publicly at all unless AT&T refused to fix the problem. Instead, he went straight ahead and released them first thing. Do you understand the difference?
Re: (Score:2)
Of course that's a bit like taking a shit on the couch of every house you burgle. You're safe while you remain anonymous, you're screwed if you're ever caught. Once they catch you for one offence they more or less have a cast iron against you for those other offences on you too.
Re: (Score:2)
Except that you don't burglarize, you leak security vulnerabilities, which is more like publicizing a lock weakness.
Once they catch you
You don't get it. They won't. The entire DoD + FBI + NSA + CIA + ex-criminal informants can only sometimes catch people like Manning: people who come out and say they did it shortly after the fact. This is the very best they can do.
When dealing with companies and agencies that have a well documented record of behaving like dicks, it's just not worth your trouble to put your name out there. T
Re: (Score:2)
You might be anonymous, just like the genius thief who takes a dump on the sofa, but you're just waving a red rag at a bull. Law enforcement is obviously going to devote more time to catching a serious serial offender than if the hacks were disconnected, possibly committed by multiple people. One screwup is all they might need to catch you.
And no it's not
Re: (Score:2)
Why exactly is that a problem? Isn't that journalism? All he did was aggregate publicly available information.
Re: (Score:2)
Might be a nice argument although somehow I doubt he would win in court.
That is pretty close to the textbook definition of injustice.
Re:This is NOT appropriate (Score:1)
Re: (Score:2)
I didn't say I agreed with it, I just said that's the way it probably is.
Re: (Score:2)
Yeah.. Except don't do that.
I once discovered a flaw in a website and told the operators. A couple of days later I was called up by their security personnel threatening with police etc.
If you discover a flaw within a system, use an anonymous mail system to tell them about it and if nothing happens go to wikileaks. Do not put yourself in the line of fire.
Re: (Score:2)
Re: (Score:2, Insightful)
THAT'S the problem. Had he done this, then only sent the data to AT&T rather than publicly releasing it, they likely would be thanking him rather than trying to send him to the pokey.
To be totally honest, had he just given the information to AT&T and no one else, they most likely still would be pressing charges and taking him to court for 'hacking' their system.
Don't get me wrong, they were/are definitely lying about the whole trying to help AT&T's security thing.
Gathering the data then going public with it all without contacting AT&T is clearly not an act that is trying to help fix security problems, and this was not to help anyone except themselves.
But had they actually ha
Re: (Score:2)
Awesome post!
Re: (Score:3)
You don't want to screw with the phone cops, man. [youtube.com] They blew up a transmitter in Cincinnati back in the 70's when some DJ named "Dr. Johny Fever" got out of hand...
Let's get this straight (Score:5, Interesting)
AT&T illegally gives the DOJ your phone calls, emails, messages, and other personal information in an up-to-the-second interface, and when some kid notices a security flaw the same DOJ comes after him? The public that puts up with this deserves to be treated this way.
Information must be free! (Score:3, Funny)
You're 100% right! He needed to scrape all the user information he could and go public with it! Your personal information wants to be FREE, and no corporation can stop its freedom.
most stores have merchandise out in the open (Score:2)
Re: (Score:1)
Re: (Score:2)
Yup. And if you shoot and kill someone it's not your fault since they weren't wearing strong enough body armor to stop the round.
Re:Let's get this straight (Score:4, Informative)
Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information.
Claiming to help? That is a great excuse there. They found a security hole in the system and instead of just reporting it to AT&T they pulled down private information which they did NOT have the right to access. In other words I left my front door unlocked, this doesn't give you the right to go in and snoop around and take my stuff, you CAN however report to me and the newspaper that my door is unlocked. That is why these "hackers" are in trouble. AT&T probably looked at the exploit and then realized not only was there a problem but the people reporting it took private and sensitive information, this then required them to go to the legal system because they're liable for this. Most of these major companies have insurance to cover these types of incidents but unless they follow protocol the insurance might not pay out.
Also the article attached to slashdot is missing information. They also gave the private information to Gawker.
http://www.informationweek.com/news/storage/security/showArticle.jhtml?articleID=229000863&cid=RSSfeed_IWK_All [informationweek.com]
And apparently chat logs exist of these "hackers" discussing selling or using this information in an illegal way.
http://www.crn.com/news/security/229000878/feds-nab-web-trolls-in-at-t-ipad-hack.htm [crn.com]
Re: (Score:1)
Isn't the analogy more "If I put a bunch of things in my driveway (think "free" garage sale) along with a sign that said "please take whatever you want", but mistakenly put some of my wife's cherished possessions on display, should I be able to charge you with theft for taking my wife's things?"
Re: (Score:3)
Point taken -- how about:
I put a bunch of things in my driveway (think "free" garage sale) along with a sign that says "please take whatever you want". I mistakenly include sexually graphic pictures of my wife in the stuff I've put on display. You find them and take pictures of them with your smartphone, then show them to your friends -- should I be able to charge you with theft (or some other crime?) because you should have known that I didn't intend to give those away?"
Re: (Score:2)
This is the same as google changing their mind retrospectively that they didn't want people on google.com.. I guess we'd all be criminals, since accessing information on a webserver is on
Re: (Score:2)
Re: (Score:2)
When you are spoofing the user's phone, it's not really "out there". You are definitely using advanced tools to hack at that point.
I disagree that it was an "advanced tool" - the level of "hacking" was roughly equivalent to wearing a name tag with someone else's name on it.
But more importantly they didn't do it with criminal intent.
If they really had criminal intent (and the chat log excerpts in the court filing don't even come close to making that case plus they didn't actually do anything with the information other than publish it and give it to a publisher - gawker) then I'd be ok with them being charged, at least proportionate to t
Re: (Score:2)
Advanced tools? Are you fucking mental?
From Ars:
When an iPad was detected, the device would then send the device's ICCID number from its SIM card, encoded in plain text in a URL.
encoded in plain text in a URL
That's a fucking query string you dolt! This is akin to going to www.example.com/?id=1234 and just iterating through the 1234 part in a script and harvesting an email address whenever it returns something valid.
Change the user agent your script is using to an iPad and you're golden.
AT&T and co. left all that "out there" in the open; an ICCID validator for iPad users. The only "advanced tools" required was knowledge of query
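The pattern described in the comment above (one client stepping through an identifier in a query string) is easy to spot server-side. The following is an added example, not part of the thread and not code from the case; the log format, the `/lookup` path, the `iccid` parameter name and all sample values are constructed assumptions, since the page does not give the real URL.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-log-style line: client, request target and status are captured.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')


def build_sample_log():
    """Constructed traffic: two ordinary devices and one client walking the ID space."""
    fmt = ('{ip} - - [09/Jun/2010:10:05:{s:02d} +0000] '
           '"GET /lookup?iccid={i} HTTP/1.1" {st} 64 "-" "Mozilla/5.0 (iPad)"')
    lines = []
    # Ordinary devices only ever ask about their own identifier.
    for ip, iccid in (("198.51.100.10", 89014100000000000417),
                      ("198.51.100.11", 89014100000000000902)):
        for n in range(3):
            lines.append(fmt.format(ip=ip, s=n, i=iccid, st=200))
    # One client asks for 60 consecutive identifiers; every sixth one exists.
    base = 89014100000000001000  # constructed value, not a real ICC-ID
    for n in range(60):
        status = 200 if n % 6 == 0 else 404
        lines.append(fmt.format(ip="203.0.113.77", s=n, i=base + n, st=status))
    return lines


def find_enumerators(lines, param="iccid", min_distinct=20):
    """Return {client: stats} for clients that requested many distinct identifiers.

    The User-Agent header is deliberately ignored: it is supplied by the client,
    so it says nothing about whether the request really came from the device.
    """
    ids = defaultdict(set)     # client -> distinct identifier values requested
    total = defaultdict(int)   # client -> lookups made
    misses = defaultdict(int)  # client -> lookups that did not return 200
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format
        client, target, status = m.groups()
        values = parse_qs(urlsplit(target).query).get(param)
        if not values:
            continue  # request does not carry the identifier parameter
        ids[client].add(values[0])
        total[client] += 1
        if status != "200":
            misses[client] += 1

    report = {}
    for client, seen in ids.items():
        if len(seen) < min_distinct:
            continue
        # Share of neighbouring identifiers that differ by exactly 1.
        numeric = sorted(int(v) for v in seen if v.isdigit())
        gaps = [b - a for a, b in zip(numeric, numeric[1:])]
        sequential = sum(1 for g in gaps if g == 1) / len(gaps) if gaps else 0.0
        report[client] = {
            "distinct_ids": len(seen),
            "miss_ratio": round(misses[client] / total[client], 2),
            "sequential_ratio": round(sequential, 2),
        }
    return report


if __name__ == "__main__":
    for client, stats in find_enumerators(build_sample_log()).items():
        print(client, stats)
```

A device has one identifier, so the count of distinct values per client is the strongest signal; the miss and sequential ratios help separate guessing from a shared NAT address with many real devices behind it.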
Re: (Score:1)
I think I can guarantee that no chat logs could exist that show Goatse Security members discussing selling or using the information in an illegal way. Or they would be fakes.
I have personally answered requests sent to Goatse Security for a while, and have constantly refused all offers to buy or even have a look at the data. I am pretty sure some of the requests were bait to see just how greedy we were, so if the people who tried are honest, they will be able to confirm that no matter the amount of money pro
Re: (Score:2)
Here is a link to the complaint with the logs included:
http://www.scribd.com/doc/47136974/Auernheimer-Spitler-complaint [scribd.com]
Thanks.
From reading the logs it's clear they've been edited for maximum impact by the prosecution, but even then all I see are some guys just talking shit about money and other things (like how to get "maximum lolz" out of situation).
But talking shit has been more than enough to get people put away for terrorism so these guys are probably screwed too.
Re: (Score:2)
If all that is reported is the complete truth, then I agree with you. But is AT&T lying about being informed of the security flaw? Or in another way, has AT&T not processed attempted contact by the parties charged and forwarded this to AT&T's attorneys? Worse, did AT&T request proof of the vulnerability and then use that as a means to attack and prosecute these individuals?
Re: (Score:2)
In other words I left my front door unlocked,
It may surprise you to learn this, but the Internet is not a residential neighborhood. It is a public space, that which is not restricted is presumed to be accessible. I have to ask your web server for every page of yours that I access. If you don't want me to access it, make your webserver refuse my access.
Just imagine for a moment if the burden was on the site visitor to ensure that he was authorized before he viewed a page. How would the internet work?
Re: (Score:2)
Re: (Score:2)
If you left it out and available on the internet it is no longer private information.
Any arguments to the contrary are basically cya bullshit.
Re: (Score:1)
Re: (Score:2)
Re:Let's get this straight (Score:4, Interesting)
We are at the point ("beyond" the point is still at the point) where we need a Wikileaks for security issues. Increasingly, it is becoming hazardous to expose weaknesses in systems and services that render personal and/or sensitive information vulnerable. We are not going to change the government or regulatory bodies' minds about what appropriate means or whose interests are of higher priority. So it is best to decide whether it is best to claim the glory of being the discoverer or implementer of the exploit or if the knowledge needs to be out there without risk to your identity being connected with it.
Stupidly, there are going to be "myspace/facebook" mentalities who will go for the fame regardless of the dangers. Personally, I would prefer to conceal my identity and get behind a wikileaks body to launder my identity from the work.
Re: (Score:2)
I've had problems with security disclosures before involving banks. Seriously, I need advice on responsible disclosure. Then I should start a wikileaks-style effort to help other people with the same.
Re: (Score:1)
Re: (Score:2)
"some kid"? Auernheimer has a Rolls Royce Silver Phantom and a history of major hacking successes. http://www.nytimes.com/2008/08/03/magazine/03trolls-t.html [nytimes.com] Some kid, indeed!
Bogus Charges (Score:2, Insightful)
The site was exposing the information. There was no unauthorized access, writing a script to parse publicly available information is not hacking.
Anyone know what the fraud charges are?
Re: (Score:1)
Ummm, no. He was clearly accessing the system in a manner not intended. I don't lock the door to my house, but if you come and look through my things, you're still trespassing, and it's still illegal.
Re: (Score:2)
I find fault with the house analogy. It's common knowledge that you are not supposed to walk into someone's house uninvited. Websites are, for the most part, specifically designed as public spaces for any visitors. It is a very rare case in which a legitimate website actually invites you to access it.
A better analogy would be if AT&T got a giant billboard labeled "AT&T Customer Registration Data for AT&T customer use only" which listed all the information.
I know my analogy isn't perfect, but it'
Re: (Score:1)
I couldn't see the details, but unless he was served a page displaying all the data rather than looking at a URI and extrapolating it for other users, he's in the wrong.
If he extrapolated the scheme and ran a script to get all matches, then yes it is like trying every front door on a street to find it unlocked. Sure the server shouldn't have given him the data, but it sounds like he made an effort to get it, rather than tripping over all the information completely accidentally.
lynch mob! lynch mob! (Score:1)
this isn't a matter for the courts. I say we gather all the apple fanboys, give em apple branded pitchforks and let em loose. To give the guy a sporting chance, we hold the event in a large forest and he gets a 30sec head start
Re: (Score:2)
No good. Mantracker is obviously an Apple Fanboy, this contest is clearly stacked in his favour.
Re: (Score:2)
The problem with that is all of their pitchforks have rounded tips on them.
Re: (Score:2)
No no, to beat them with the wooden end you would have to hold it by the antenna and then it wouldn't work at all!
AT&T's motto: Trust Us (Score:3)
AT&T would NEVER compromise your data...trust us.
Re: (Score:2)
AT&T has no 4G network, and for that matter, nobody has one. The 4G specs mandate 100mbps of bandwidth.
p.s. at 14-21mbps, theirs is definitely in the running for fastest HSPA+ or 3G+.
Disappointing title (Score:2)
I thought an iPad Attacker whacked someone else on the head with an iPad. It would be a hoot and a half in court:
Prosecution: "Your Honor, we charge the suspect with assault with a deadly weapon."
Defense: "Your Honor, iPads are not classified as deadly weapons."
There is probably a legal precedent somewhere. Laptops have been around for a long time enough, that someone whacked someone else on the head with a laptop.
Re: (Score:3)
There is probably a legal precedent somewhere. Laptops have been around for a long time enough, that someone whacked someone else on the head with a laptop.
Google is your friend. [patch.com]
This may scream for jury nullification or no-bill (Score:3, Interesting)
I'm going to assume for the sake of argument that the facts will prove he broke the law. If they don't the rest of this post doesn't apply to this case but it is still interesting from an academic/hypothetical perspective:
It's hard to say what is "just" in a case like this.
Is it more just to officially sanction (in the form of a guilty verdict by a jury) his behavior even though it was done with good intentions, or is it more just to officially (in the form of a non-guilty verdict or a grand jury declining to indict even if the facts prove guilt) say that it's in society's best interest that this behavior be tolerated or even encouraged in this context?
Refusal to indict or refusal to convict in the presence of proven guilt is an important part of American jurisprudence. While such events should be very rare as prosecutors should never let cases get this far, no-bills and jury nullifications "in the interest of justice" are the people's last chance to say "the application of the law in this case is unjust -or- the law itself is unjust." Assuming the law or its application is not unconstitutional or otherwise illegal, once a jury convicts the now-convicted-criminal is at the mercy of the Executive Branch for a pardon or commutation.
The sad part is neither the jury nor the grand jury will likely be allowed to see anything but the hard evidence and most or all of both groups will be too technically naive to make an informed decision as to whether it is more just to release this person or to indict and convict him.
Re: (Score:1)
Re: (Score:2)
Jury nullification is a double edged sword. While the pot smokers and computer hackers amongst us can imagine a world in which they'll never see a conviction based solely upon a jury's refusal to convict them in spite of clear definition of the law and no reasonable doubt, that same jury could find an innocent black man guilty of a crime against a white woman (think "To Kill a Mockingbird"), even though the evidence clearly shows that no crime was committed.... just because he's black. Of course, while th
Re: (Score:1)
I had a friend on a jury not long ago and one of his fellow jurors said guilty in the initial vote. When asked why, she responded, because the cops arrested him. Don't think every juror understands the concept of logic. They are, more often than not, average people and the average person, at least where I live, is pretty dumb. It took hours of arguing that while the guy very well might have been guilty, witnesses' memory was too flaky by this time to really say what happened. The trial was over an assault,
The road to hell. (Score:2)
Is it more just to officially sanction (in the form of a guilty verdict by a jury) his behavior even though it was done with good intentions...
I don't know how you prove your "good intentions" in court without taking the stand and exposing yourself to a withering, relentless, wholly unconstrained, examination of your character, history and behavior.
The prosecutor will take you apart, piece-by-piece, beginning with your taste for "Goatse."
Refusal to indict or refusal to convict in the presence of proven gu
Ethical disclosure (Score:5, Interesting)
The federal prosecutor disagrees. If you follow the link in TFA, you'll find:
So, they found a flaw, then hid their identity, and didn't contact AT&T directly, instead disclosing the flaw to a third party (who can be trusted because ...?), because they thought AT&T might react differently than how they wanted it to. This is ethical exactly how?
Re:Ethical disclosure (Score:5, Insightful)
The federal prosecutor disagrees. If you follow the link in TFA, you'll find:
So it's like he claims: "I wanted to point out your security failures, so I opened your safe". And the federal prosecutor says: "You actually opened the safe and took the money out". While the first is possibly illegal, but lets us argue that no harm was actually done, the second is pure and simply theft.
Ethical use of 3rd-party escrows in security leaks (Score:1)
It's more like:
I opened your safe and took pictures of what was inside.
Assuming the pictures were of mundane items that didn't reveal any secrets - such as a mundane picture of a bank vault with stacks of cash - then you can argue that no harm was done.
If the picture is a clearly readable copy of the Coca Cola recipe on the other hand, then releasing it may be harmful.
As to releasing "the picture" to a "responsible third-party escrow" as was done here, the ethics boil down to:
* Was there a good reason to b
Re: (Score:1)
The federal prosecutor disagrees. If you follow the link in TFA, you'll find:
So it's like he claims: "I wanted to point out your security failures, so I opened your safe". And the federal prosecutor says: "You actually opened the safe and took the money out". While the first is possibly illegal, but lets us argue that no harm was actually done, the second is pure and simply theft.
The only problem with your analogy is the lack of mention that the safe was on your front lawn, open, with a large sign saying "Please, help yourself to everything inside."
Re: (Score:2)
with a large sign saying "Please, help yourself to everything inside."
What part of the real situation does that correlate to?
Re: (Score:1)
with a large sign saying "Please, help yourself to everything inside."
What part of the real situation does that correlate to?
A website, offered to the world with no access restrictions containing a web form specifically for the purpose of retrieving the exact information the "hacker" collected combined with a TOU document that does not prohibit such actions.
Re: (Score:2)
So it's like he claims: "I wanted to point out your security failures, so I opened your safe". And the federal prosecutor says: "You actually opened the safe and took the money out". While the first is possibly illegal, but lets us argue that no harm was actually done, the second is pure and simply theft.
I'm not a terrorist, I was just pointing out your airline security failures.
Love, Osama.
Re: (Score:1)
> I wanted to point out your security failures, so I opened your safe
Your safe is yours, their safe is $everyones.
> actually opened the safe and took the money out"
No. He made a digital _copy_ of the "money," their "wallet" still has the original "money." IOW, I have a Melbourne Red Metallic 2011 BMW M3, you are welcome to copy it (that's what the metaphor you're buying into is saying)! I will still have mine. Is OK with me, 'cause, I want a copy of your 1955 Chevrolet Series 3100 pickup. Hey if this
he is the one in trouble? (Score:2)
Perhaps I misread the story, but this "hacker" wrote a script to gather information that AT&T made public on their website, and HE is the one in trouble?
Re: (Score:3)
Auernheimer made headlines last June when he discovered that AT&T's website was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said that nobody from Auernheimer's hacking group contacted it about the flaw.
That pretty much sums it up. I wonder if the EFF will get involved?
web browsing is illegal now? (Score:5, Interesting)
From the article:
In a blog post earlier today, Auernheimer spelled out Goatse's case. "All data was gathered from a public webserver with no password, accessible by anyone on the Internet," he wrote. "There was no breach, intrusion, or penetration, by any means of the word."
How did he do anything illegal?
Re: (Score:1)
No good deed goes unpunished. Thank you for visiting the United Corporate of America (tm).
Re: (Score:1)
Don't believe that the laws mean what most people think they do.
I was recently convicted for a _very_ similar incident (here in Norway).
There was no intrusion like most people would think ("breaking a lock/protection" etc.), but I was still convicted since the data was not meant to be publicly accessible.
Re: (Score:3)
That's like putting a sign on your lawn and suing anyone who pauses to read it.
Re: (Score:2)
No, the correct analogy is that you aren't welcome to enter my house and take my microwave because I'm having an open house and have a plate of free cookies out.
Re: (Score:2)
Your analogy is the epitome of fail.
When you go to a webpage you assume the author of the page has created/supplied the content for you to look at free of charge. Everything. Take google for example. I can go to google and look at the maps free, the search free, download free programs, etc. It is all free for me to consume. This person went to a webpage and found that this was available from their publicly accessible webpage. He consumed it.
If you were having an open house, and it was known I could co
Re: (Score:2)
My bad, I was trying to reply to tqd.
mens rea (Score:2)
You run a business. Your front door was open. Your office is open and it didn't say "private" or "employees only" on the door and there was no reason for me to think it was off-limits to the public. Printouts of your customer confidential data are on your desk in plain view.
I walk in and start taking pictures then share those pictures.
Did you do anything illegal?
I can probably beat a trespassing rap but I probably could not beat charges related to my copying and disseminating the information unless it wa
Re: (Score:2)
He collated the information and distributed it, for one. By analogy, compare noticing the file cabinet's been left unlocked and telling someone, against photocopying everything, giving it to the gossip sheets, and then counting on those to tell someone.
Re: (Score:2)
AT&T knew what they were doing.... (Score:2)
... of course they did. They are a massive company in size, and any company that size who puts info on the Web knows that they must legally protect this data.
Since I don't have all the info in this I can only make assumptions based on what I read in the article.
* AT&T made an application on their web site that allows an individual to enter in key info and pull back specific user data.
* Individuals were surfing around AT&T's website
* It was stated in one article that Hackers "guessed" 114,000 iPad I
Re: (Score:1)
Remember, this is a big mega-corp telecom provider we are talking about. They tap all traffic on the interwebs and give it to the FBI/CIA/Illuminati/Pope/Scientologist/Trilateral Commission/United Nations/United Federation Of Solar Systems/etc/etc friends in real time, so of course they can fake, er, I mean, authenticate the logs.
Re: (Score:2)
Because if you've ever been in their channel, this is exactly how they talk. There's little proof needed.
I say, let them burn in hell for 5-10 years without parole (thanks federal crimes), come back to life with a permanent restriction on using computers, never get a job again (thanks google), and show the rest of the retards like weev & co how things should be done. good riddance, the internet thanks you!
The definition of insanity (Score:3)
How many times on Slashdot have we seen the following scenario?
1) Hacker finds security hole.
2) Hacker uses security hole to login to system. He may or may not do questionable things there.
3) Hacker gets caught and there's proof he was on the system and he wasn't authorized to be there.
4) Hacker looks at a trial and possible jail time.
5) Hacker claims innocence, saying that he was "just trying to help get the problem fixed".
Really, if you haven't learned by now that logging into systems where you don't belong may get you into deep trouble, there is no hope for you.
Got paid to 'backup' a coin-op video game's data. (Score:2)
Granting that didn't contain anything sensitive. Rare to see a real name.
It did contain a wealth of usage data which their competitors wanted.
That was not hacking in any meaningful sense of the word. Program entered player# then sucked results into database.
i hate grousing about unaccepted stories (Score:2)
but i DID submit a much better title for this story:
"Goatse Security Busted Wide Open"
http://slashdot.org/submission/1447640/Goatse-Security-Busted-Wide-Open [slashdot.org]
Really a hacker? (Score:1)
You consider someone who already contacted AT&T and never got a returned phone call or email a hacker because he thought the people should know their info is unsecure...well then I guess most people could be considered hackers too....as I would want anyone in my close proximity of services to know if their services was ailing.
A complicated timeline (Score:2)
Two articles this [crn.com] and one referred to by the first state "facts" that are in opposition. [crn.com]
The first states that the accused ran their tool June 5 to June 9th, and released on July 10th.
The second states that AT&T fixed the hole on June 8 and told affected users about the breach on June 9th.
I see reports [crunchgear.com] that this information was on Gawker on the 9th, not the 10th.
I see reports [allthingsd.com] from June 14 that AT&T sent messages claiming to have learned of the fault June 7th. This seems likely to have been because Au