Slashdot Mirror
Hackers Claim To Hit T-Mobile Hard
dasButcher writes "Hackers are
claiming to own T-Mobile USA's servers and to have access to the cellular phone carrier's operations, finance and subscriber data." (Here's the seclists.org post of the claimed breach.)
"We already contacted with their competitors and they didn't show interest in buying their data" LOL... seems like its worthless!
Why isn't this stuff encrypted? For the few places that would need the data why not have a special viewer that would decrypt the stuff thats sensitive?
Taxation is legalized theft, no more, no less.
Now, I'm not going to cheer crackers breaking into a private corporation's data services. The breech has tremendous privacy implications, and a lot of these fall squarely on the head of the consumer. However, I'd like to see a silver lining to this by seeing the data employed to put paid to the idea that SMSes have to cost so much. Time after time, the data has shown that SMSes *should* be giant cash cows for these monopolistic entities, but lacking internal financial data it has always been difficult to make an issue out of this at Congress. Of course the cell companies have every interest to keep this data private, but maybe in this case T-Mobile won't have the choice.
www.eissq.com/BandP.html Ball and Plate System. Amuse your friends. Crush your enemies.
Maybe the hackers can offer better service?
Have you fscked your local propeller head today?
Funny - I get an fraud warning from the link disclosing the breach . . . Opera being over-sensitive I think. "This site is known to distribute malicious software" - NMap has got such a bad name!!
From the "hackers" We already contacted with their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder. Seriously, how do they think T-Mobile's competitors are going to legally pay and use such information?
Run and catch, run and catch, the lamb is caught in the blackberry patch.
I happen to know a Nigerian Prince who would be *very* interested in their offer.
If you were a T-Mobile user and smart, you didn't trust T-Mobile in the first place and used a prepaid phone and so there isn't a whole lot of data on you in the first place.
If you choose to trust a company with an enormous amount of your data, it's not a question of whether that will be abused. It's just a question of which will happen first: whether crackers will acquire it or whether the company will get into financial trouble and sell that data (or use it itself to try and make a return somehow).
All of their production servers are running UNIX- or UNIX-like operating systems. Had they been running a Windows-only setup, this would not have happened.
Ever heard of a high-profile Windows shop being compromised during the last five years? No? Didn't think so.
Interesting. I only saw HP-UX, SunOS, AIX and Linux. No Windows used in T-Mobile, or they could not be cracked? Or T-Mobile just don't put anything important on Windows servers?
And the best thing they can think of doing with it all is to offer it to T-Mobiles competitors? Seriously? I can think of tons of ways to profit off of all that information.
However not one of those ways involves attempting to sell the information to companies that are legally required to report it. Or when that fails, announcing it to the public and getting every police agency in the world on my trail.
If you are, you better start thinking about where to go next. Their service is now wide open. Anything transferred through their network is now questionable.
Can you afford to send an email from a smartphone and have a couple of bytes changed, say from "no" to "yes"? Or from $100 to $10,000?
Can you afford to have your phone records available to everyone on the Internet? How far back could T-Mobile's records go? Two years? Five years?
I'd say if this was played right to the media it could shut T-Mobile down in about two weeks. After all, wouldn't that be a great goal? Their inability to keep hackers out equals no reason to be in business.
Of course this was almost certainly an inside-assisted job. But then you better watch who your employees are. If you're employing people that have access to potentially sensitive data, how do you know they aren't in a financial bind and will do anything to make next month's mortgage payment? Or have some gambling debts that they have to pay or their wife will work off?
I won't be happy to see T-Mobile (really Vodaphone from Germany) go under, but if these hackers have half a brain they will take the company down. If they are just your average script kiddies this will not make to the nightly news and will have no effect on the company.
There is no mention of this in the press. Perhaps it's because this is just some trouble makers whipping up a scam story? Is there any real evidence that this hack has actually occurred? No...
If you want news from today, you have to come back tomorrow.
Liquid Matrix has a link to the same story but they say as of 22 hours ago it has not been confirmed by T-Mobile . . .
We already contacted with their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder.
Does not it sound just like a scam? What about sending them one of these 419eater funny guys?
what if they just got a very convincing Honey Pot ?
Now!
I'll wait for some validation. Cuz, you know;
prodsrv1|192.168.1.200|root@cia.gov sekret files|for realz|RHEL4
isn't especially convincing.
Even if it's a real list, it could be something as simple as a pilfered company document off a laptop, a script-kiddie wannabe hacker employee showing off to his friends on IRC, or any of a hundred scenarios.
Do I doubt it's difficult to own a bunch of HP-UX boxes? Nah.
Have I learned to not spastically freak out every time some random people claim they hacked something? Yah.
Trouble is, T-Mobile wouldn't exactly be forthcoming with any confirmations.
At the end of the day, you just have to plan around being hacked. You have to ensure your payment method associated with external services can handle being owned. You have to be ready for people getting your SSN and private info, since it's moronically being used for frivolous purposes everywhere.
Which is not to say you shouldn't do your best to keep your data protected and secure - I just try to plan around any data I give out to various companies being owned.
Does this mean service will improve?
If I posted to some well-respected security mailing list that "i hacked slashdot!" and posted a bunch of gibberish....would slashdot post a story about it?
Seriously, unless there is some _real_ information (like T-mobile acknowledgment), this story doesn't belong here.
Hacker: T-Mobile? I'd hit it. Hard.
Why so many in the black community using safe mail? Is it really as safe as it seems to be?
I remember some years ago, I saw a forum where there was a guy offering thousands of E tablets over his "Safe Mail" account. He was a regular supplier.
"PRIVACY: Safe-mail will not disclose information about you or your use of the Safe-mail system, unless Safe-mail believes that such action is necessary to comply with its legal requirements or process; enforce these terms; or protect the interests of Safe-mail, its members or others. You agree that Safe-mail may access your account, including its contents, for these reasons or for service or technical reasons. Please note that your Internet Protocol address is transmitted with each message sent from your account." From Safemail web site.
I wonder if Safe Mail cares about so many crimes committed used by their customers..
Look here- from the list: protbm01 Prod Projects #N/A #N/A #N/A 10.133.65.54 HP-UX 11.23 NEXUS #N/A #N/A 1
protbm01 Prod Projects #N/A #N/A #N/A 10.133.65.54 HP-UX 11.31 NEXUS #N/A #N/A 1
protbm02 Prod Projects #N/A #N/A #N/A 10.133.65.55 HP-UX 11.31 NEXUS #N/A #N/A 1
protbm02 Prod Projects #N/A #N/A #N/A 10.133.65.55 HP-UX 11.23 NEXUS #N/A #N/A 1 Dupes of IP's and host addresses. You wouldn't have a host with same IP and different OS versions. Unless it was a spreadsheet of planned upgrades or something...... BO ---- wait for it ---- GUS! Next they will tell us they are part of a Beowulf cluster.....
How hard is it to keep a Linux, AIX and SunOS servers patched with security updates, seriously. These boxes must of never been properly secured in the first place for that many operating systems to be compromised. I know it is a bit of security through obscurity but having multiple server OS usually offers you some protection but to have this many fail seems like they need to pay more $$$$ and get a competent sysadmin group. I would not be surprised if a majority of their day to day sysadmin work was outsourced. If you do not have someone that is there with the firewall logs in real time, at least one honeypot behind the firewall and tripwire setups that page everyone but god when your honeypot is disturbed you are not even trying. Hell, I have that at home.
An Education is the Font of All Liberty
I've worked at other telecoms.
One was hacked with the servers actually being used to provide VoIP services about 4 years ago. It guess financial data hacks matter but internal server hacks don't?
The other was not hacked to my knowledge, but did get spyware and viruses internally occasionally, just like every other company does. An employee setup a porn website on company servers, but was caught, fired and prosecuted.
I am a current customer of T-Mobile, but only with a pay-as-you-go cell phone. I am not a customer of either of the telecoms that I worked and will avoid being a customer to them.
Telecoms is not a free market. It is an oligopoly. As such, there is no meaningful competition. The pricing of SMS is an ABOMINATION. At a personal level, this kind of gouging would be an unforgivable breach of ethics. I for one do not see why corporations should be licensed to disregard ethics.
How does a faceless corporation browbeat tens of millions of customers? One at a time, of course.
If I were a hospital, following your logic, I would negotiate with each patient. "Well, Mr. Gates, how much would you pay for a heart transplant? A billion dollars? OK, make it $1.2 billion and you've got a deal." Then one day this schmuck shows up. "Well, Mr. Schmuck, how much would you pay for a heart transplant? A hundred dollars in installments is all you can come up with? Do you know that just last week another gentleman paid us over a billion? You are insulting me. Go away. There are plenty of wealthy people who need new hearts." (the hospital negotiator seems not to notice that he is describing himself all too literally)
You may say that regulations and planned economies and safety nets do not work. That is arguable. The logical response, however, would be to say, let us apply human ingenuity, work ethic, and compassion, and try to make them work. Not, let's not even try.
Oh this is hilarious. When T-mobile's stock tanks Monday morning, someone is going to have made a killing on short-selling the stock.
Follow the money. Who stands to gain a lot by a supposed breach of all of T-Mobile's systems? Is there some proof the system is really hacked? I doubt anyone on ATT or Verizon's payroll would be dumb enough to pull this. But there are lots of hedge fund traders looking for new 'angles' to make a buck, and after having destroyed the banking system, I suspect someone has gotten wise to what could be pulled off with a little hacking. (Or suggestions of hacking)
Is there any confirmation for this? I have T-Mobile, and I just called their support line. The customer service representative, and her supervisor, haven't heard anything about this. The CSR I talked to said that they have a "T-Mobile news ticker" of some sort on their screens, that updates with whatever's happening with the company. There has been no company-wide memo sent out, or anything like that. I'll see if I hear anything else about this, perhaps something from someone who's done some actual research on the matter. Incidentally, it was a pain in the ass to try to tell the CSR how to get to Slashdot. (As it should be, of course.)
This could be a "shill" event. *NEW* Cyber Czar! Think about it. A manufactured cyber emergency to justify new cyber regulations and lockdown in the best of interest of "everyone".
leather-dog muksihs
Blog: @muksihs
Also, since customers can't easily switch companies due to contract terms, there is not enough fluidity in the market such that a company which lowers prices can quickly attract customers from another corp, and lead to a price war or reduction in prices.
This wouldn't be the case if everyone used prepaid phones. What I don't understand is why many people like the idea of plans instead of prepaid phones. Look at the implications of plans:
* Limited mobility. If I get pissed off at my provider, I want to be able to walk, right then and there. I want to be able to choose my phone. With prepaid phones, my only cost is whatever I've loaded on my phone (and the cost of the phone itself).
* Pricing doesn't reflect costs. If I make a total of one call in a month, I want my payment to reflect that. I don't want to have a pricing model that encourages me to purchase more of their product than I want.
* Payment model makes no sense for most consumers. Many people seem to buy into plans because they "get a phone free". But they wind up *paying* for that phone on a payment plan. What they're getting is a small, unsecured loan to buy a phone that gets paid off via higher fees over a couple of years -- the sort of thing that you normally want to avoid in personal finance (think rolling credit card debt).
* Poor privacy. T-Mobile doesn't need to know who I am or anything about me -- it's not their business. If I want to switch phones, it's easy enough to do. I don't want their junk mail, I don't want targeted ads, I don't want them selling my call history, I don't want them selling my number...basically, there are very few reasons for me to want T-Mobile to know who I am other than "someone who wants telecom service without lock-in and will pay for it".
I, for one, welcome our new hacker overlords. Who cares who sees my cell phone records or texts. Besides, you'd have to be stupid to do anything REALLY private over the airwaves these days anyway, what with Bush and Obama both agreeing that warrantless wiretaps are a good idea.
Seriously though, I've done PLENTY of shopping around over the years, and T-Mobile always has the best rates, best coverage, and best customer service out of all the US cellular providers. That might be like calling them a tall midget, but the best is the best. I get 2 lines with completely unlimited calling for less than $90.
If this is real and T-Mobile's networks actually DO get shut down temporarily, then that will just be one less way that I get bothered.
looks like some serious jail time to me... http://www.law.cornell.edu/uscode/18/1030.html
This doesn't surprise me at all. I used to work there a few years ago. Security was not something they were concerned with in the least. RSH was used everywhere and they refused even use telnet let alone ssh. The root passwords on all the Unix servers that controlled the switch was the name of the switch manufacturer. So Nokia was nokia and Nortel was nortel. Frankly this wasn't the worst thing there, don't try to do anything that might improve service or change the way things are done because that would upset the norm.
Now's my chance to call all those phone-sex lines I've always been curious about!
Sir, you owe $15,239 and 33 cents.
"But I never made those calls!?! You people got hacked last month, didn't you? They must have stolen my info!"
Oh, that's right. Alright sir, we'll take care of it. Uhmmm...by the way, sir? I can barely hear you. Why do you sound so far away?
"Oh, I can't hold my phone. I uhhh...I sprained my wrists."
[End Of Line]
Is anyone else getting tired of the media's and even Slashdot's own misuse of the word 'hacker'?
Crackers Claim To Hit T-Mobile Hard
Fixed it for you.
If they want to really prove it start by handing out the private emails of the CTO and idiot IT team that let it happen in the first place.Heck call them at home from a voip proxy.
Hey did you upgrade the security yet?
Nope, couldn't figure out what the words encrypted connection mean.
What's so hard there?
If it's encrypted then I can read it.
Duh... remember your password or tattoo it to the bosses buttcrack so you have a reminder
The "cyber czar" deals primarily with internal government IT matters. He has no power to enact regulations affecting the public.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
FWIW - I don't know if it could be related or quite how, exactly, but I am a T-mobile client in the SE US, and noticed yesterday and the evening before that calls were dropping like crazy. Very, very inconsistent from their usual service, IME. T-mobile has shown good network 'uptime' since they bought out a smaller cellular company I was with about 18 months ago. (They *have* tried to dick me for a little extra cash here and there on my bill, but were good after a call to billing.) The unusual poor performance I was witness to yesterday in conjunction with this story makes me go "Hmmm...", while hoping it bears out as untrue.
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
Sounds like a hoax to me.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Anyone who does not have the wherewithal and sense to not make public their extortion demand, very likely does not have the sense and wherewithal to actually harvest information. I see a text depiction of a list of alleged connections to T-Mo servers.
I do not see actual data - show me a 500 data item sample if you have anything at all.
My best guess: Some 15 year old in an Eastern European country will shortly have some 'splainin to do.
----- In Your Cubicle No One Can Hear You Scream...
nice!
We all joke, and to some extent say, "good job" to the hackers. We forget these guys are no different than the robbers and thugs you see on "cops" or the evening news, they are just more covert. No one cheers on the armed gunman, robbing a convenience store. It bothers me these guys aren't viewed in the same light.
If you could reason with religious people, there would be no religious people
This is the same guys that previously claimed to have broken into Checkpoint: http://seclists.org/fulldisclosure/2008/Dec/0344.html
No doubt that they are bad guys, but to say that they are 'no different' is taking it a little far. How many convenience store robberies have you heard of that have ended badly for the staff? There is a good chance that a convenience store robber is willing to deprive someone of their life to get what they want. A hacker is merely willing to deprive someone of property. They are more like the guy who breaks into the convenience store after hours, with the intent to run away if confronted.
The curious thing is that the typical slashdotter would have some appreciation for the skills required to pull off such a hack (assuming they didn't just find a backup tape full of passwords in the trash :) - we can more readily identify with the nerd in his basement with the world at his fingertips 'sticking it to the man' than we could with the armed robber desperate to get cash for his next drug hit. And we all hate cell phone companies. I don't know what's on the agenda for these guys though... presumably blackmail or extortion.
But when you are king and are rounding up all the hackers, remember to include the guys who are unlawfully downloading copyright material too :)
I do not applaud law-breaking, but nobody deserves it more than you do. Worst company I've ever had the displeasure of doing business with.
Where do I sign up for the class action suit? I long-ago canceled my account, but I couldn't delete my private information out of your system.
I've worked in I.T. long enough to know that the vast majority of security products and services out there are little more than selling companies a "bill of goods". Sometimes, it's a great investment, simply as a CYA move. (As a systems administrator, you're a lot less likely to get fired because of a hack if you can show you tried your best to secure everything, using products X, Y and Z, right?)
But ultimately, you can go with the most highly regarded firewall product, the top-rated anti-spyware and anti-virus solutions, implement policies requiring employees change their passwords every 30 days, encrypt sensitive information, and the whole 9 yards. But one employee who has been given access is all it takes to make it all come tumbling down. (And I imagine the vast majority of the time, that's a key component of successful hacks anyway. Remember the AOL credit card leaks a while back? Total inside job.)
In most cases, you really don't have much of a guarantee that a given product truly gives you the security it claims either. How do you REALLY know that expensive firewall doesn't have some kind of back-door in it that's never been publicized? Maybe one of their developers stuck it in there secretly, knowing he'd made FAR more than his salary selling the password to a few key hackers in the underground later?
Unless a product offers to cover all your expenses to recover from a hack, if their product or service is hacked, it's pretty weak insurance.
"Ever heard of a high-profile Windows shop being compromised during the last five years? No? Didn't think so." - by Anonymous Coward on Sunday June 07, @04:58PM (#28243965)
It happens to Linux, & right from the horses' mouths (in UBUNTU (Canonical) &/or REDHAT being hacked):
Is This The Biggest Linux Security Breach? REDHAT SERVERS HACKED:
http://slashdot.org/firehose.pl?op=view&id=827351 [slashdot.org]
-----
UBUNTU SERVERS HACKED:
http://it.slashdot.org/it/07/08/15/1341224.shtml [slashdot.org]
-----
APK
P.S.=> Pretty "high-profile" I'd say - the oem's of Linux distros were hacked... so much for the mod you received, because vs. what I just put up? That IS about all it is, humor (& poor @ that)... apk
They might have technical chops or they might just be taking advantage of a disgruntled employee or other low-tech hole; it's impossible to say so far. What's clear is that they obviously had no idea what to do with the data once they got their hands on it.
I mean, did they really think they could just grab a dump of T-Mobile's customer database and sell it to AT&T? C'mon. Let's think about that for a minute -- what the hell is AT&T going to do with it? I'm sure their marketing department knows all about T-Mobile's demographics versus their own, and if not (and if they care) they could find out with a few calls and some relatively small payments to a research firm. Same with just about anything else I can possibly imagine them extracting from T-Mobile's servers. If AT&T or Verizon is really dying to know something about T-Mobile's operations, they have lots of easier ways to figure it out that involve a lot less risk than buying red-hot DB dumps from criminals.
Also, anyone with half a brain ought to realize that all the telco companies live in fear of being broken into, and that a major breakin is going to hurt the public's perception of the entire industry. The U.S. cellular telcos are, basically, a cartel: and if there's one thing cartel members hate more than each other, it's disruptive outsiders. T-Mobile's competitors probably didn't respond because they thought it was a joke, or some sort of Nigeria scam; if they'd known it was serious, they almost certainly would have done what Pepsi did and called the cops. Not for altruistic reasons, but for sound business ones: having basically mercenary criminals screwing around, stealing data, scaring customers, and generally upsetting the normal business environment is not to any legitimate player's advantage.
The other red-flag that screams amateur hour about the whole thing is what they did after being turned down by the "competitors" -- they posted what amounts to a "for sale" ad to the Full Disclosure list. They thought that was the best venue for selling a shitload of customer financial records? Really? There are bulletin boards, whole online communities, where criminals trade identity information. It's a mature underground economy; the information they had -- names, addresses, CC numbers, SSNs -- would have been a fungible, commodity product, well-understood and easy to resell for cash.
However they got the information in the first place, it's pretty clear they didn't think their cunning plan all the way through.)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I am working for a Relatively Large Teleco in Europe and can say from the list of server names that this is a plausible hack.
Whether or not however they have real information or just DNS entries however is yet to be seen.
What is the basis for this conclusion?
protib02 Prod IHAP TIBCO 582 Tibco 10.1.81.21 HP-UX 11.11 BOTHELL_7 582 #N/A 1 - Tibco. An application layer messaging bus used heavily in FAB (Fulfilment Assurance Billing) area of large telecos
proetl02 Prod IHAP Teradata 576 teradata 10.133.17.51 HP-UX 11.11 NEXUS #N/A #N/A 1 - Teradata.... another product I know we are using (unknown however exactly what it does)
prowac06 Prod IHAP EAI 151 EAI - Middleware 10.1.80.91 HP-UX 11.11 BOTHELL_7 151 #N/A 1 - EAI - Middleware application used also in telecos.
Similarly the SAP Naming convention used roughly translates to some deployments I have seen in the past.
What does this whole thing give away....
Looking at the naming conventions they have three "defined" network zones:
TAMPA - Management (HP OVO, DNS, Backup Servers)
BOTHELL - Application Server zone with all sorts of stuff. Big flat topology....(ugly with lots of different services using the same subnets and DB Servers not seperated from AS)
NEXUS - Another Application Server Zone with a mix of stuff within it. This appears smaller and newer than the other from the server names.
What does this show from a security perspective?
- No clear Security Architecture ... No 3 tier architecture DMZ/Application Server/DB Server split.
- No clean separation of Backup network (backup mixed with Management functions... this should be in a seperate network).
- No clean separation of Management Network (SAN/Backup/OVO located together)
In any Teleco situation with thousands of servers it is impossible to prevent a security breach. There is always going to be servers somewhere which are unpatched, legacy, forgotten etc.
What is important is a "defence in depth" principle to limit any disclosure. In this instance that appears not to have been followed. The topology is "Flat" with an emphasis on easier communications between systems rather than minimizing communications to minimum required. This essentially stopped any chance of them being able to limit a breach.
Hopefully someone will get some lessons learned out of this. I know I will be presenting some points to our management where we should be focusing based upon this. Our security is definitely better but nothing is perfect.
I'm interested in any points that anyone else could offer here, I have not discussed all points however I am interested in the perspective of others from what they can mine there.
Please more comments!
http://streetstyles.ch/ - Schweiz Band & Fashion Tshirts
Hello world, The U.S. T-Mobile network predominately uses the GSM/GPRS/EDGE 1900 MHz frequency-band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and 268 million potential customers. Like Checkpoint Tmobile has been owned for some time. We have everything, their databases, confidental documents, scripts and programs from their servers, financial documents up to 2009.
All your database are belong to U.S.
All your BTS are belong to us
We forget these guys are no different than the robbers and thugs you see on "cops"
I do. I cheered for the handstanding midget that was climbing that pole.
Stop Computers/Cars Analogies on S
Just an update....Teradata is usually used as a DWH solution.
So they can offer 3-5gig on 3g for like $10 or $15 extra on your plan.
Yet to get the cheapest voice rates you must pay $100+, even though unlimited voice
if spoken 8hrs talk per 24hrs, would equal no more than 750MEGbytes of data. Thats
about $2.50 of data.
Can one ask for 100% data plan for flat $10pm and use 100% VOIP?
If industry makes averate $30 per client, then if the max ever possible was to change $10, they would loose billions!! (of the over charges)
Liberty freedom are no1, not dicks in suits.
People cannot choose different rates, because of arcane stupid plan systems.
They should ban all plans except the paying of phone rate.
Plans have wierd rates of nnn free per month for y plan, then xx free for same network, then others at b prices.
People have no freedom to 'keep plan' but move to different price schemes.
Two year plans should be banned, since most phones die within 18 months instead.
Liberty freedom are no1, not dicks in suits.
Yes, Imagining yourself as Walter Mitty the 733t hacker is an entertaining daydream that many of us have while piling numbers into excel. There is though one very important distinction you and i don't don't act on it. The phone is a utility that lives depend on.
15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)
I always thought that hackers bypassed system security, and crackers broke software security. I know the whole kewl-haxor thing might define it differently, but historically that was the case. Otherwise surely hackers would never have received such a name, they'd have been fixers or something
And please, not the inevitable Wikipedia link, just because it's on Wikipedia doesn't make it true
We forget these guys are no different than the robbers and thugs you see on "cops" or the evening news
When thieves rob ordinary citizens, it's sad.
When thieves rob other thieves, it's schadenfreude.
No one cheers on the armed gunman, robbing a convenience store. It bothers me these guys aren't viewed in the same light.
Actually in The Netherlands, there were a number of robber gangs that targeted strongboxes of companies and municipalities. These were seen as modern Robin Hood-types, stealing from the rich (as opposed to regular burglars that stole from the common people). They drove around in fancy cars and even flaunted with the gas cylinders (of cutting torches) sticking out of the back windows of their cars.
I can't really imagine admiring a robber, but I do remember that some ten years ago, hackers were seen in much the same light. Grandparent poster is probably stick in that era.
8 of 13 people found this answer helpful. Did you?
This seems to be a small node of servers, but a lot of them seem to have integrated backups of databases. Either the person is on the inside, and got a backup of info from them without them noticing, or someone on the outside was able to fingerprint all the servers, and this can only be done if you have access into the network, either way, this is not good!!!
As an out of work GM software engineer, I would hack t-mobile, but I got a raid in 20min...
I kid, I kid.
Although I do play WOW now and again. I just had a thought. Most hackers in the past I had always thought were those individuals who are interested, pretty smart, and have a lot of time on their hands, like kids, and out of work people.
Now of course both those groups of people can spend inordinate amounts of time playing WOW! I just kind of wonder how big a dent WOW is putting into the Hacking community? :)
'Leet Haxxor 1: We are taking down t-mobile this weekend! OK so Phiber Optik you...
Phiber Optik: Whoa whoa! Soory Braa! I got Uldar content to do! Gots to get me raid on if you know what I am sayin'! Booya!
BlackHatz: Ya I got a guild run too, sorry. Maybe next week.
'Leet Haxxor 1: Fine fine, I might as level my death knight then...
When thieves rob other thieves, it's schadenfreude.
The people who stand to lose here are the T-Mobile customers who have their billing data stolen, their credit card numbers traded, and so on. T-Mobile will lose money on this, but to believe that the hackers are after T-Mobile's money is silly and naive. Everyday citizens are exactly who are going to get robbed.
I think the "good job" attitude we refer to in situations like this is not because of the actual property / data compromised but the fact it sheds light to the public that computer security is not being scaled as it should. Mom & Pop shops getting hacked likely happens quite a bit but for a much larger company (that specializes in data) to get touched like this is a wake up call. If we talk about bank robbers it would be similar to some kid taking all the money out of a bank with out having to walk into it and no one noticing it was gone, for something like that to happen it is not legally the banks fault but in reality they should taken to the wood shed and smacked around. I think the mentality behind this is that the "hackers" want to be caught and get somewhat disappointed when they don't that's why they raise all this bs. It's kinda like saying this shouldn't be happening what's going on. I'm almost happy this has happened since if there are vectors that can be exploited to result in this, these guys were not likely the first ones to do it. Now all we need is for each T-Mobile customer to dispute their bill based on this for them to really start to take this stuff seriously.
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
If that server list is to be believed, several infrastructure servers running root level apps (Tidal Scheduler & HP Openview) were extremely out of date. They are listed as HP-UX version 11.00, which was released in 1997.
If lives depend on this service then would you rather these guys bring this flaw to light or wait until someone wants the system to fail takes it from under you with out a word of warning?
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
What I enjoy about Hackers is this: they are a check to the system, regardless of the system, the system's owner, or how much money/resources that system's owner has at his disposal.
Now, if only all hackers acted with "Robbin Hood" mores rather than juvenile pumpkin-smashing vandals...
[Insert pithy line of moxie here.]
Not Yet.
leather-dog muksihs
Blog: @muksihs
If they were interested in doing a public service they would notify TMobile of the problem and we never would have heard about it. They aren't trying to make the network more stable, they're trying to steal and sell the data. This isn't exactly a Robin Hood scenario.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
A few years ago , T-mobile had a customer support website, where one could see a customers SS and other information using just a email address (no passwd). This was the customer support site I think run by third-party and not the main t-mobile account. When you post a question the customer service one could track your questions and answers from support using this website. I called T-mobile and tried to escalate the issue but was unable to convince them the seriousness of the issue.
I tried to reach TMo customer service using their "Live Chat" service this morning, and the first time I tried, I couldn't get through. Then I saw this story and wondered if it was related. But probably all the reps were getting donuts.
Well said. If this turns out to be true, and people have all their billing info, usage info, etc. compromised... I feel bad for those people.
My father signed up $39/month contract with T-Mobile and a few days ago, he got a bill for like $200. No, he didnt use the phone crazy, its just tmobile sucks and they are greedy bastards. My next carrier is going to be Verizon. Lets see how greedy they are.
Ok so someone knows how to run Nessus. Whoopty do...
When you want to send an e-mail to a T-Mobile user, you address it to [10-digit-number]@tmomail.net But many (including myself) address it to [10-digit-number]@tmobmail.net (there should not be a "b"). So I registered @tmobmail.net and have an auto-reply that informs the sender of the mistake. I would not believe the amount of sexting messages I receive through it. When I tried to contact T-Mobile folks (unsolicited e-mail) to see if they cared / wanted it, etc, I received no replies.
Maybe they should change their password from "PASSWORD1" to "PASSWORD!"
The people who stand to lose here are the T-Mobile customers who have their billing data stolen, their credit card numbers traded, and so on.
There's way more money in having the data than the actual content of the data. I'm sure these guys couldn't be bothered with all the work involved in identity theft or credit card fraud. Too many small deals, too much exposure. Not to mention all those cards will be quickly flagged and effectively useless.
According to the article, these guys wanted to make one big sale to a competitor. Sprint or Verizon or their ilk won't care about your credit card numbers, either. They're more interested in knowing what "the other guy" is using for a database, or what kind of hardware they use, or their backup policy, or the vendors they use... fairly mundane stuff to you or I, but a huge competitive advantage for them.