Slashdot Mirror


AT&T Leaks Email Addresses of 114,000 iPad Users

Hugh Pickens writes "Daily Tech reports that in what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed. Apparently AT&T left a script on its public website, which when handed an ICC-ID would respond back with the email address of the subscriber. This apparently was intended for an AJAX-style response inside AT&T's web apps. Gawker reports that it's possible that confidential information about every iPad 3G owner in the US has been exposed. 'This is going to hurt the telecommunications company's already poor image with iPhone and iPad customers, and complicate its very profitable relationship with Apple,' writes Ryan Tate, adding that the leak is likely to unnerve customers thinking of buying iPads that connect to AT&T's cellular network. 'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.' In a statement, AT&T says that the issue was escalated to the highest levels of the company and that it has essentially turned off the feature that provided the email addresses. 'We are continuing to investigate and will inform all customers whose email addresses and ICC IDS may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'"
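The failure the summary describes, as an added example that is not AT&T's code and not part of the original story: a lookup endpoint that takes an attacker-supplied ICC-ID and returns the matching email with no check that the caller owns that SIM, beside a hardened version that binds the lookup to an authenticated session, plus the sequential-ID enumeration that turns the first one into a bulk harvest and a simple detection counter for it. The subscriber table, ICC-ID values, session store and threshold are all constructed for illustration.

```python
"""Added example (not AT&T's code): unauthenticated ICC-ID -> email lookup
versus a session-bound lookup, with the enumeration that harvests the first
and a detector for it. All data below is constructed."""
import hmac
import secrets
from collections import defaultdict

# Constructed sample subscriber table (not real subscribers). ICC-IDs are
# 19-20 digit SIM serial numbers issued in sequential blocks, so the keys
# are deliberately consecutive: that shape is what makes enumeration cheap.
SUBSCRIBERS = {
    "8901410421100000000": "alice@example.com",
    "8901410421100000001": "bob@example.com",
    "8901410421100000002": "carol@example.com",
    "8901410421100000005": "dave@example.com",
}


def lookup_email_unauthenticated(icc_id: str):
    """The pattern in the story: the only input is the ICC-ID, and anyone
    who can reach the endpoint gets the email for any ICC-ID they name."""
    return SUBSCRIBERS.get(icc_id)


# Hypothetical session store: token -> ICC-ID the session was issued for.
SESSIONS: dict[str, str] = {}


def login(icc_id: str) -> str:
    """Stand-in for real device authentication. The important part is that
    the ICC-ID is bound to the session server-side, not taken from the
    request later."""
    if icc_id not in SUBSCRIBERS:
        raise ValueError("unknown subscriber")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = icc_id
    return token


def lookup_email_authenticated(token: str, icc_id: str):
    """Hardened lookup: honour the ICC-ID only if it matches the session."""
    bound = SESSIONS.get(token)
    if bound is None or not hmac.compare_digest(bound, icc_id):
        # One identical answer for "no session", "someone else's SIM" and
        # "no such SIM", so the endpoint is not an oracle for valid ICC-IDs.
        return None
    return SUBSCRIBERS.get(icc_id)


def enumerate_icc_ids(start: str, count: int):
    """Generate consecutive ICC-IDs, preserving the zero-padded width."""
    width = len(start)
    first = int(start)
    return [str(first + i).zfill(width) for i in range(count)]


def harvest(handler, start: str, count: int):
    """Drive a lookup handler over a block of sequential ICC-IDs and keep
    every hit. Against the unauthenticated handler this is the whole leak;
    against the session-bound handler it yields nothing."""
    found = {}
    for icc in enumerate_icc_ids(start, count):
        email = handler(icc)
        if email:
            found[icc] = email
    return found


class LookupMonitor:
    """Detection side: a real device asks about its own SIM, so a client
    that queries many distinct ICC-IDs is enumerating. Threshold is a
    constructed value."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.seen = defaultdict(set)

    def record(self, client: str, icc_id: str) -> bool:
        """Return True once the client has exceeded the distinct-ID limit."""
        self.seen[client].add(icc_id)
        return len(self.seen[client]) > self.threshold


if __name__ == "__main__":
    print("unauthenticated:", harvest(lookup_email_unauthenticated,
                                      "8901410421100000000", 10))
    tok = login("8901410421100000001")
    print("own SIM:", lookup_email_authenticated(tok, "8901410421100000001"))
    print("other SIM:", lookup_email_authenticated(tok, "8901410421100000000"))
```

The fix is not "hide the URL" but "never derive the subject of the lookup from the request alone": the server already knows which subscriber it is talking to once it has authenticated the device, so the ICC-ID in the request becomes at most a consistency check. The monitor is there because the hardened handler still answers every request; a client walking a sequential range is visible in the logs long before it has seen a single email.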

284 comments

  1. Bad joke by girlintraining · · Score: 5, Funny

    Wait, the iPad suffered a leak? That's why you always buy pads with wings. (groan)

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Bad joke by dotgain · · Score: 1

Certainly this is stuff that matters, but News it ain't. Give it another year and dropping a DVD full of records will probably be what passes for a "viral campaign"

    2. Re:Bad joke by Peach+Rings · · Score: 5, Interesting

      It's going to become news when this hits the courts:

      in what appears to be a legal fashion by querying a public interface

      Since when does the interface being public have anything to do with whether accessing it is legal? The law makes statements about authorized and unauthorized access, not technically possible and technically impossible access. In all hacking crimes the system is happily serving up content exactly as built by the designers, but it's still a crime. In many cases, the system is even working as intended (no buffer overflows and the like) but if unauthorized access is obtained, it's still a crime.

      Does anyone else remember this case that was on slashdot some years ago? A computer security consultant was convicted in the UK for typing "/../../" after a URL and hitting enter. Obviously this destroyed his career.

      This is the text of the law that convicted him.

      a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case

    3. Re:Bad joke by afidel · · Score: 5, Insightful

      By not putting an access control mechanism on a data interface you are essentially granting everyone access. Whether the courts rule this way has nothing to do with the technical and practical realities of the situation.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    4. Re:Bad joke by Moridineas · · Score: 4, Insightful

      So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?

      Not a perfect analog at all as on the web such access can be committed easily and accidentally, but I think the point remains.

    5. Re:Bad joke by aliquis · · Score: 1

      And how are you supposed to know you're unauthorized if it's out there in the open?

      To make the good old car analogies:
      * You ride a road and get caught because obviously you're not allowed to use THAT road, not that anyone told you so..
      * You get a speed ticket for following the speed on the signs because they intended to put some others up last week but haven't got them up yet.

      If you try to access /.. I can see how that claim holds, but for a function/webpage just lying around?

      Pretty weak description, over here in Sweden we've got laws about how digitized/stored personal data should be handled instead. So if you fuck up and leak the data the problem is most likely not the one who happened to see or get the data but rather the idiot who let it happen.

    6. Re:Bad joke by aliquis · · Score: 2, Funny

      .. or well, scrap the later part, I'm trying to find what the law actually says over at datainspektionen but it's hard to find anything relevant to the security of storing or sharing the personal data. I don't wanna claim too much in case it's not true :/

    7. Re:Bad joke by icebraining · · Score: 2, Interesting

      So when you click on a link, are you sure the website allows you to access it?

      Nobody "broke in" anything. They requested the service, the server gave it to them. I don't see any illegality here.

    8. Re:Bad joke by OrangeCatholic · · Score: 3, Informative

      >A computer security consultant was convicted in the UK for typing "/../../" after a URL and hitting enter

      Wow I just realized what that does.

      That's about the lowest definition of "hacking" you can possibly have. It's more like basic literacy.

    9. Re:Bad joke by sharkey · · Score: 1

      The iPad is full of blue liquid?

--
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    10. Re:Bad joke by Anonymous Coward · · Score: 2, Insightful

      So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?

      Not a perfect analog at all as on the web such access can be committed easily and accidentally, but I think the point remains.

I usually just pass these types of posts by, but I must say that walking into someone's house or climbing in a window is totally, not even close to accessing a PUBLIC interface on a web site.
      With a house or a window it's quite obvious that you don't belong, but come on, how are you supposed to know that a PUBLIC interface was NOT meant to be PUBLIC.

      Give me a freaking break. The point is pointless.....

    11. Re:Bad joke by Moridineas · · Score: 3, Insightful

      That's exactly the problem.

      Randomly searching directories for non-listed files? Is that a problem? What about typing "/private" to the end of a URL and finding something?

      For instance with this story, it's not clear how the hacking group found the script in question. If it's not publicly listed is it a problem? The second it started returning what is obviously non-public information, is that a problem?

      I completely agree that stumbling across something private on a public website is easy to do. But if the "stumbler" has to do a lot of work to stumble on the information...? (and I absolutely DON'T excuse AT&T for this leak either)

    12. Re:Bad joke by aliquis · · Score: 5, Informative

      Personuppgiftslagen / personal data law

      Google translation (enhanced by hand ..)

      Safety measures
      31 The liable data manager must take appropriate technical and organizational measures to protect the personal data processed. These measures must achieve a level of security that is appropriate with regard to

      a) the technical options available,
      b) what it would cost to implement the actions;
      c) the specific risks involved in the processing of personal data, and
      d) how sensitive the treated personal information is.

When the liable data manager uses a personal data assistant, the liable data manager must ensure that the personal data assistant can implement the security measures required and ensure that the personal data assistant actually takes those measures.

      The regulatory authority may decide on security measures.

    13. Re:Bad joke by icebraining · · Score: 3, Insightful

      Nothing of that should be illegal. Come on, you can set up basic authentication in Apache in five lines in .htaccess.

Any URL that doesn't require authentication should be fair game, imho. Anything less than that and we start going into a grey area and the 'net turns into an unsafe place where you can be illegal just by clicking a link.

    14. Re:Bad joke by Albanach · · Score: 2, Insightful

      Given they wrote a script to automatically generate SIM IDs which could then be passed to retrieve another email address, I suspect they were well aware that this was data they should not be accessing.

      There was no need to retrieve over 100,000 addresses before notifying AT&T nor was there any need to share the security hole with others as was also done.

      The leak shouldn't have been there, but the responsible thing to do upon discovery is report it, not exploit it.

    15. Re:Bad joke by biryokumaru · · Score: 2, Insightful

      If you leave your doors open and your house gets robbed, the cops are going to laugh at you. Seriously.

      --
      When you're afraid to download music illegally in your own home, then the terrorists have won!
    16. Re:Bad joke by debatem1 · · Score: 1

      Analogies are why we can't have nice things. This gives a data provider the ability to make an innocently and legally undertaken action illegal after the action has been completed. I would suggest that we not extend powers we deny the government to AT&T.

    17. Re:Bad joke by Anonymous Coward · · Score: 0

      Man, this is fucking truly TRULY beautiful!! Beautifully engineered way to get at the telcos...

      I mean, it'd suck if one of these addresses were mine; then again, I'd SUE THEM if that was the case.

      Well played, Goatse...

      P.S. What a great headline, reporter on TFA fully aware of Goatsex, playing on words ol' times' style...

    18. Re:Bad joke by ArsonSmith · · Score: 1

      So if a store has an "OPEN" sign out front but nobody in watching everything it's ok to walk in and take what you want?

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    19. Re:Bad joke by adelgado · · Score: 1

      Now that's a committed Slashdotter!! You actually spent half an hour of your time for the greater knowledge.

      Kudos! I wish I had modpoints...

    20. Re:Bad joke by Anonymous Coward · · Score: 1, Insightful

      It's more like being arrested for trespassing after the fact when all you did was walk in the store and look around.

    21. Re:Bad joke by Cylix · · Score: 2, Insightful

      I had a friend who did that a great deal.

The word friend being used with a good deal of imagination as well.

      Often he would return the merchandise to the store and explain how he wasn't really happy with the goods he acquired. He would then get store credit and usually sell the card off. This is of course all hearsay because I never witnessed the behavior.

      Then one day I bumped into my "friend" at a Wal-Mart and I thought it would be a good idea to give him a good friendly greeting.

      While next to an attendant I shouted, "Hey Scott! Have you gained weight buddy or is your coat filled with things you are currently taking from the shelves!"

      Unfortunately, my "friend" had a very important appointment to attend to and consequently began running very quickly towards the exit. The very friendly staff caught up with him probably to inform him of some item on sale.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    22. Re:Bad joke by aliquis · · Score: 1

      it's ok for anybody to enter your house and look around?

      I don't know, read or quote the law for us?

I don't know how the law is over here when it comes to open buildings. Regarding anyone else's property I've got no idea there either, but you for sure aren't allowed to steal it.

      In this case however being able to access a web-page and get a result is what you could expect and what most of them do. How are you supposed to know whether you were expected to access that page or not?

    23. Re:Bad joke by aliquis · · Score: 1

      obviously non-public information

Yeah... obviously! Because e-mail addresses have never been seen on the web before!

      Now leave Slashdot since my post header contains my e-mail address. You may not be supposed to see that.

    24. Re:Bad joke by aliquis · · Score: 1

No, stealing isn't ok. The sign didn't say "feel free to take any goods" did it?

      The sign said OPEN!

      You're free to go into a store which is open. If no-one is around you go around look, and if you find something you want to pick it up and head to the counter and wait for the cashier to return so you can pay. If you don't want to or don't have time to wait you go back with the item and leave the store.

      It's not that hard really.

And I don't know whether it's trespassing to go into an open area around here, somewhat weird if it was but people's morals tell them they shouldn't. You do however have to leave private property if the owner tells you to. And if it's locked I'm quite confident you're not free to break in. I don't know how "obvious" the lock / restriction of access has to be, I assume a very low level of security is enough because really it's not that hard to get into a house if you want to regardless of whether the door is locked or not. It's more of a way of saying "don't go in here."

    25. Re:Bad joke by Cylix · · Score: 1

      There was a bug at one time that did not evaluate security descriptions when using the .. in the path.

      Thus, you could use freely accessible content to access private content.

      It wasn't a huge number of revisions, but it was somewhat of an annoyance if you had restricted or pay per view content.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    26. Re:Bad joke by aliquis · · Score: 1

      It's requesting an URL.

Which if you're not allowed to see the web server should say so (or whatever the fuck it wants..) or if it shows you the content then obviously(!) you were allowed to see that content.

      Can't understand how one can be prosecuted for that. Scanning for security flaws would be somewhat more obvious that you try to gain unauthorized access but I can't understand how that would be illegal either. I guess this is what happens when the judge/jury don't know anything about the things they are supposed to judge.

    27. Re:Bad joke by ZosX · · Score: 1

      I don't think there is a pad big enough! I mean have you seen the goatse guy?!

    28. Re:Bad joke by negRo_slim · · Score: 0, Troll

      narc

      --
On the Oregon Coast born and raised, On the beach is where I spent most of my days
    29. Re:Bad joke by negRo_slim · · Score: 2, Informative

      There was no need to retrieve over 100,000 addresses before notifying AT&T nor was there any need to share the gaping security hole with others as was also done.

      http://security.goatse.fr/

      --
On the Oregon Coast born and raised, On the beach is where I spent most of my days
    30. Re:Bad joke by Firehed · · Score: 1

      It doesn't make it OK, but it certainly raises the chance of it happening, and one shouldn't be terribly surprised when it does.

That said, the appropriate response would be more along the lines of notifying the company that there's an issue, not publishing the contact info of an eighth of a million of their customers. After all, it's not the customer's fault that AT&T can't get their shit together. Though by all means, expose anyone with an AT&T email address if there's no response to your heads-up (and by extension, expose MY banking info if I make a similar screw-up and then ignore your warning).

      Maybe I just have no sense of imagination, but if your intentions are to get the security flaw fixed, "Goatse Security" *cough* is going about it the wrong way. And lord knows they're on the lookout for gaping holes. If, on the other hand, you're trying to do as much damage as possible, there are much more interesting things to do with the data. While I actually do care quite a lot about the security of the data I'm responsible for, if I were an irresponsible developer, I'd respond a lot faster to "fix this or I'll post YOUR information everywhere" than to "fix this or I'll post your customer database everywhere" since it makes me specifically the target.

      --
      How are sites slashdotted when nobody reads TFAs?
    31. Re:Bad joke by aliquis · · Score: 1

      NP, I have no life you see ;)

      The regulatory authority may decide on security measures.

      == Your master may decide that it's time to plug that gaping hole of yours.

    32. Re:Bad joke by Psaakyrn · · Score: 1

      No goods were stolen though. But are you forbidden to take photos, which would be the closest equivalent?

    33. Re:Bad joke by aliquis · · Score: 1

      IANAL.

    34. Re:Bad joke by Peach+Rings · · Score: 1

      Well it's not exactly that easy. How do you define "require authentication"? If you guess /private/ then that's certainly fair game, but if you guess someone's password, the jury isn't going to be able to tell the difference no matter how many giant cards you hold up containing millions of 1s and 0s :)

    35. Re:Bad joke by houghi · · Score: 1

When breaking and entering a house, there should be a difference whether the people cleaned out your house and it is empty of everything or if they just came in and swam in your swimming pool like in the movie "The girl next door". Sure, both are illegal, but on different levels.

      One is clearly for pure profit, the other was not. Should both be put in jail for the same amount of time?

      And if you leave your car open and the motor running and the keys in, where I live you could be charged as well. And the thief would be getting much less of a punishment.

      --
      Don't fight for your country, if your country does not fight for you.
    36. Re:Bad joke by laughingcoyote · · Score: 5, Insightful

      Not only a poor analogy, but not applicable. A private home or car is considered to be a private, exclusive area unless you explicitly know otherwise. A website is the exact opposite-it's like a storefront, or a restaurant, which a reasonable person would presume to be open to the public unless explicitly marked or set up otherwise.

      And if you leave the door to your store unlocked after closing time, and I wander in, yes, that's totally acceptable, and I'm not trespassing unless I stay after you explicitly tell me to leave. Until you do, I'm making a reasonable assumption that a normally public place (a website on the public Internet, or a store) is open to the public (no access control mechanism is in place, or the front door of the store is not locked). If you accidentally leave confidential business records laying on the front counter of the store, and I see them there, I'm also doing nothing wrong-you left them in a public area, I just saw what was there.

      At some point, yes, you are responsible to take reasonable security precautions. If you leave things in an area that the public is allowed to access, you can hardly yowl and scream when it becomes publicly known. Now, if you keep it in an area that is not normally accessible to the public and clearly is secured, and someone deliberately cracks in, you are much more likely to have a legitimate grievance. But only then, and this is not such a case. It was laying right out in the open for anyone at all to look at, and someone did.

      --
      To fight the war on terror, stop being afraid.
    37. Re:Bad joke by Anonymous Coward · · Score: 0

      That is good to know. I personally don't do anal.

    38. Re:Bad joke by pasamio · · Score: 2, Insightful

To reasonably extend your analogy, they didn't come in through the front door - they came through the tradesman's entrance. Services (trades) were expected to come through this interface, not the general public. It is like testing the front door, finding yes you can come in but no you can't have that information, and then finding that they left the services door unlocked and deciding to waltz through there and get the information they were previously denied. Both are "public" entrances in the sense that they aren't strictly private to the organisation or its employees (anyone might go up to the services entrance and knock) but not all may enter and it could be considered illegal to enter without permission. They may exist on the same shop front (perhaps a smaller door or slightly to the side) to complete your analogy or they might be better hidden.

      --
      I always wondered where this setting was...
    39. Re:Bad joke by ArundelCastle · · Score: 1

      By not putting an access control mechanism on a data interface you are essentially granting everyone access. Whether the courts rule this way has nothing to do with the technical and practical realities of the situation.

      But the people who make the laws seldom understand the technical and practical realities of the situation.
      The people who exploit them do.
      Therefore most written law and court rulings are made with more concern about the motivation, than how easy (in computer terms) something can be done. Because the people most likely to do it are the ones looking to exploit it.

      Unlike walking around naked with your curtains open, it's very unlikely a grandmother will happen to glance through 114,000 e-mail addresses.

    40. Re:Bad joke by hairyfeet · · Score: 1

      I thought we had already gotten to that point since the government can kick down your door and arrest you for clicking on a hyperlink (which BTW IIRC they didn't even bother to collect a referrer). So remember kids, that link might be the information you want, might be a rickroll, or it might be a free ride to PMITA prison, you never know!

As for TFA, is anyone actually surprised AT&T left a door the size of a Mack truck wide open? Old Steve needs to be seriously looking at this, as what good is all that control gonna do if AT&T keeps fucking up? From what I understand their network already can't give the "iExperience" Steve was touting, thanks to not having enough infrastructure to handle the load, and with Apple customers generally having more $$$ they make an inviting target and stupidity like this is just gonna make that bullseye that much larger.

      The big selling point of Steve's iStuff is how everything "just works" but if the networking blows and the lack of security at AT&T has your info spammed across the planet all the great UI in the world isn't gonna keep people coming and buying. Old Steve needs to go Godzilla on their ass for pulling this stupid shit and be doing damage control but quick.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    41. Re:Bad joke by Mr_Plattz · · Score: 1

      So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?

      Would you forget to lock your door if the moment you left every single person in the entire world could pass your door? Oh, and would you *still* forget to lock your door if you happened to have the personal information for everybody in your neighborhood at that point in time?

    42. Re:Bad joke by Robert+Zenz · · Score: 1

I think it's more like you walk into the store, no one's around, and a customer list is lying on the counter, open to see and easy to read.

    43. Re:Bad joke by Anonymous Coward · · Score: 0

      So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?

      Not a perfect analog at all as on the web such access can be committed easily and accidentally, but I think the point remains.

I usually just pass these types of posts by, but I must say that walking into someone's house or climbing in a window is totally, not even close to accessing a PUBLIC interface on a web site.
      With a house or a window it's quite obvious that you don't belong, but come on, how are you supposed to know that a PUBLIC interface was NOT meant to be PUBLIC.

      Give me a freaking break. The point is pointless.....

      They had to write a script which passed false data to the site, this is absolutely nothing at all like clicking a link. Give us a break please.

    44. Re:Bad joke by afidel · · Score: 1

      No, in the physical world you can be asked to leave, trespass doesn't apply until you have been informed that you are not welcome. I would consider HTACCESS to be the equivalent of an employees only sign which is the lowest form of sufficient proof for trespass.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    45. Re:Bad joke by Hurricane78 · · Score: 1

      Your logic is *extremely* flawed. You seem to lack the most basic understanding how that WWW that you use works.

      It’s more like the “thief” standing in front of your house, asking the butler nicely if he could hand him the contents of your safe.

      You ask the server nicely.
      If the server then tells you what you want to know, (sends you the packets) then that’s the damn fault of the idiot who configured the server this way.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    46. Re:Bad joke by master811 · · Score: 1

Well from TFA, the judge would have let him off had he not originally lied to the police about what happened.

    47. Re:Bad joke by butlerm · · Score: 3, Insightful

      So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?

      A house door or window is a perfect example of something that is "private" in the legal sense of the term.

      HTTP, on the other hand, was developed primarily to allow people to publish documents for public consumption. If you place a web server on a network wide open to the public and do not protect access to your documents or indicate that you intended to do so with the equivalent of a "no trespassing" sign, you are giving the public an implicit license to view what you publish. HTTP is a publishing system after all. The similarity between "publish", "public", and "publication" is not coincidental. An implied license means authorization.

      The law concerning electronic communications "interception" is relevant here:

      "It shall not be unlawful under this chapter or chapter 121 of this title for any person -- (i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;" (18 USC 2510 (g))

      If you operate a web server that is "configured so that such communication is readily accessible to the general public" you have granted an implied license as strong as the one you have to listen to a run of the mill FM radio channel.

    48. Re:Bad joke by L4t3r4lu5 · · Score: 2, Funny

      There is no way, not in a month of Sundays, that I will ever click on a link containing the words "goatse" "tubgirl" or "lemonparty"

      They might as well have called themselves "We Publish Snuff Videos Security Group."

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    49. Re:Bad joke by macs4all · · Score: 0, Troll

I think it's more like you walk into the store, no one's around, and a customer list is lying on the counter, open to see and easy to read.

      Are you REALLY saying that what they did is NOT "unauthorized access"?

      No, the real analogy is that you walk into our hypothetical "unattended" store, and the cashier's POS terminal says "Enter Account Number". And you do... 100,000 times. Then you write down the names and addresses of each of the account holders and PUBLISH THAT LIST IN THE NEWSPAPER.

      So, you wouldn't mind if that happened to YOUR information?

      Gimme a break, fucktard!

    50. Re:Bad joke by macs4all · · Score: 1

      How are you supposed to know whatever you where expected to access that page or not?

      I've got a simple test for you that may help: If you have to write a fucking SCRIPT to access something (100,000 times!) that the owner of the website expects you to access with a hypertext LINK (once or twice), then I'd say you MIGHT be a hax0r.

      You REALLY wouldn't be pissed-off if this was YOUR email address that was published?

      Really?

    51. Re:Bad joke by butlerm · · Score: 1

      Since when [slashdot.org] does the interface being public [slashdot.org] have anything to do with whether accessing it is legal?

It has everything to do with it. If an interface is configured so that it "is readily accessible to the general public" as part of a system traditionally designed to provide such access, a person has an implied license to use that interface to do what it is traditionally intended to do. Otherwise you couldn't legally call someone on the phone.

      If an interface is obscure enough that it is obviously not configured to provide services readily accessible to the general public, it is not a "public" interface in the legal sense of the term at all, but rather a "private" one - there is no implied license to use it, and one who does is implicitly engaged in computer trespass.

      If you know or have reason to believe that an ostensibly public interface is not public at all you have crossed the line. One would have extraordinary evidence to conclude that the interface under discussion was intended to be accessed by the general public, based on its very function.

    52. Re:Bad joke by Dr.+Spork · · Score: 1

      If you really want an analogy, think about it like some stupid people who write confidential information on their hand and then go out in public. Then imagine another, somewhat unscrupulous sharp-eyed person, who looks for such people in public places, and writes down what he reads from their hands. This may not be "nice" but it's certainly not illegal.

      If he puts this information to illegal use (fraud, for example) that's a different matter, but just calling a number that you see written on someone's hand or shirt is not an illegal use.

    53. Re:Bad joke by Bacon+Bits · · Score: 1

      It depends entirely on what you do once inside. Entering an unlocked home is mere trespassing (generally a misdemeanor offense). If you damage something, that's destruction of property. If you take something, that's theft. If you take or destroy something of significant value that's a felony. The law isn't binary. It allows for a significant sliding scale as long as you don't do stupid things like "zero tolerance" or "mandatory sentencing" laws.

      So it depends entirely on what happened when the data was accessed. Merely accessing the data isn't such a big deal. Copying the data is much worse. Actually profiting from this (now stolen) information should have even stiffer penalties. You'll note that this is how the HIPAA law reads with respect to protected health information. In addition to punishing those who access, steal, and profit from use of protected health information, the HIPAA laws also require the data holders to take adequate measures to protect the data. You face stiff fines and possible prosecution for negligence. Just because the guy who took the data did something wrong (and illegal) doesn't mean the entity in charge of protecting the data didn't. I think it's time there exists some accountability on the part of information holders for all personally identifiable information, quite frankly.

      --
      The road to tyranny has always been paved with claims of necessity.
    54. Re:Bad joke by mauhiz · · Score: 0

      I'm not a cop, but I have a hard time laughing seriously. How do you do it? :p

    55. Re:Bad joke by Anonymous Coward · · Score: 0

      Nowadays, the cops will laugh at you anyway, and Taser you just to be safe.

    56. Re:Bad joke by Anonymous Coward · · Score: 0

      As said elsewhere, THIS case isn't about "just clicking a link"... This case is about "just clicking a link 114,000 times".

      For a "security company", this is amazingly stupid. I could see downloading 100 records, just to be able to prove the exploit exists, and then provide ATT the information.
      But 114,000 times? that's overkill and reckless, and the "security company" should now be liable for following proper information handling guidelines.
      They then go completely overboard by PUBLISHING that (private) information.

      A simple PHP script later, Goatse Security had hoards of email addresses to sift through. And here's the kicker -- before reporting this gaping hole to AT&T, they shared the exploit with various interested parties. So there's no telling who else used it, how many more IDs were leaked, or what other damage could have resulted.
      -TFA

      These guys aren't a "friendly security company", they're crackers, and they should be treated as such.

    57. Re:Bad joke by Anonymous Coward · · Score: 0

      Nobody "broke in" anything. They requested the service, the server gave it to them. I don't see any illegality here.

      The server isn't a person, though: the server can't "voluntarily" hand out anything.

      To pick up the previous example, you could just as well say that the burglar didn't break into the house: he merely requested access by pushing the handle, and the door gave it to him.

      Of course, the analogy only goes so far because an http server IS intended to serve information, generally speaking, whereas my house, even if the front door isn't locked, is NOT intended to be entered by random people.

      I think a better analogy would be a library; you walk through the library, come to a door, open it and find another room with books which you then proceed to read. If the door was neither locked nor had a sign saying "no entrance" or so, then I think it's fair that you should not be able to be prosecuted for opening it and entering the room: the library is public, and there was nothing to indicate that this room wasn't. In this case, it IS fair to put the blame on the library, as, lacking evidence to the contrary, you could reasonably assume that this unlocked room full of books was OK to access, too.

    58. Re:Bad joke by TheRaven64 · · Score: 2, Insightful
      Why? People write scripts to collect information from sites that is spread out over multiple pages. Google basically is a script that does this - are they 'hax0r's?

      You REALLY wouldn't be pissed-off if this was YOUR email address that was published?

      I'd be pissed off, yes, but I'd blame AT&T for making it public in the first place, not the person who visited the web page and downloaded it.

      --
      I am TheRaven on Soylent News
    59. Re:Bad joke by Anonymous Coward · · Score: 0

      Meh, I consider it more like putting a naughty picture you don't want anyone to see on a public bulletin board but covering it with a piece of paper that lists who can look at it instead of putting it in a locked box on that bulletin board.

    60. Re:Bad joke by Anonymous Coward · · Score: 1, Funny

      It is not so bad if you disable javascript first - and it helps if you're blind...

    61. Re:Bad joke by mcgrew · · Score: 1

      I had an iPad back in 2006 -- after my iSurgery I had to have an iKotex on my i overnight.

    62. Re:Bad joke by Anonymous Coward · · Score: 0

      Well this analogy has really gone far enough, but this wouldn't be like just walking into the open store taking photos. This would be more like walking into the open store, digging around in the office and finding the "books" in an unlocked drawer and photographing 114,000 pages from their financial books. Then, publishing the data and the "exploit" (every Monday morning at 6:00 they have a store meeting and all the employees go to the conference room and you can see anything in the store then), before informing the store that they should fix their security.

    63. Re:Bad joke by mickisdaddy · · Score: 0

      All businesses post the hours they are open at the entrance. If the owner forgets to lock the door at the end of the day and you enter after hours you are still trespassing (entering unauthorized). Also businesses are still private (not public) places. A door is an access control mechanism. With AT&T leaving the 'access control mechanism' unlocked it does not leave them off the hook for what happened, but what Goatse did can still be considered unauthorized access of a computer system.

    64. Re:Bad joke by mayko · · Score: 1

      More like: if you forgot to close your blinds your neighbors can see how your furniture is arranged (maybe even photograph it). But, they can't sit in it, rearrange it, or take it from your house.

    65. Re:Bad joke by Anonymous Coward · · Score: 0

      That brotha was stickin' it to the man and you fuckin' snitched on him? I ougta pop a cap in yo' bitch cracka ass!

    66. Re:Bad joke by mcgrew · · Score: 1

      In all hacking crimes the system is happily serving up content exactly as built by the designers, but it's still a crime.

      Since the meaning of "hacker" has changed from "someone who modifies devices to do things they weren't designed to do, or writes quick and dirty computer code" to "electronic burglar", who do we now call someone who modifies devices to do things they weren't designed to do, or writes quick and dirty computer code?

    67. Re:Bad joke by todrules · · Score: 1

      No, I see it more like the store is giving away free food, but they say limit one per customer. However, you keep going to the end of the line to get more, but they keep on giving you more anyways. While that's not necessarily the right thing to do, it's not illegal.

    68. Re:Bad joke by Kiaser+Zohsay · · Score: 1

      Google Cache is your friend. From the page:

      Goatse Security is a wholly owned subsidiary of the GNAA.

      As Dave Barry says, I am not making this up.

      --
      I am not your blowing wind, I am the lightning.
    69. Re:Bad joke by Anonymous Coward · · Score: 0

      I wonder why there is all this focus on whether the hacker got the data legally or not, and not on the fine that should come to AT&T for having had a security breach.

    70. Re:Bad joke by jayme0227 · · Score: 1

      How about if you forget to put an "Employees Only" sign on the back room to your storefront? I think that analogy is more appropriate. Is it illegal for me to walk through that door?

      --
      But then I realized the cable was blue, so I only gave it one star. I hate blue.
    71. Re:Bad joke by blueskies · · Score: 1

      They didn't pass false data. They passed valid data which is why it returned valid results.

    72. Re:Bad joke by Anonymous Coward · · Score: 0

      So I fucked up a line in a script or configuration file. That equates to permission?

      You happen upon a password, does that equate to permission too?

      All systems have security flaws. In your book, all systems are fair game for whatever purpose because the systems "let" you do it. If I botnet a bunch of Windows boxes that's ok? They "let" me do it after all.

      I sent a malformed packet and the server responded. I sent more malformed packets and now I own the server. It let me do it without "authentication." How is a URL any different from any other packet you might send to a server?

      I don't see where you draw the line.

    73. Re:Bad joke by Anonymous Coward · · Score: 0

      No, moron, it's when I knocked on the door you answered and let me in (or handed me your stuff, whatever)!

    74. Re:Bad joke by misexistentialist · · Score: 1

      The internet is more like a lawn. You need to yell at the kids on your lawn to get off before you can begin any legal process charging those specific individuals with trespassing.

    75. Re:Bad joke by tehcyder · · Score: 1

      If you leave your doors open and your house gets robbed, the cops are going to laugh at you. Seriously.

      It may come as a surprise to you that contributory negligence applies to civil, not criminal cases.

      The criminal act of theft can't be excused because the victim didn't take sufficient security measures. If you nick my wallet, you can't say in your defence in court that it was my fault for leaving it on view in my back jeans pocket. You still stole the fucking thing.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    76. Re:Bad joke by Moridineas · · Score: 1

      That's an incredibly disingenuous reply...do you know what happened here?

    77. Re:Bad joke by Moridineas · · Score: 1

      Or like cops with speeding cameras recording what goes on on the road? An issue a lot on slashdot have a problem with? ;-)

      I'm not so sure that the mere fact that "it's accessible via something on the internet" makes information automatically public.

    78. Re:Bad joke by Moridineas · · Score: 1

      Nothing of that should be illegal. Come on, you can set up basic authentication in Apache in five lines in .htaccess [cyberciti.biz].

      Any URL that doesn't require authentication should be fair game, imho. Anything less than that and we start going into a grey area and the 'net turns into an unsafe place where you can be illegal just by clicking a link.

      Simple question then--by your standard if a company or even a person makes a mistake (pick your reason, bad syntax in httpd.conf, web server software error, web app software error, etc) and accidentally leaves some data available (akin to leaving a car or home door open?) can anybody access and not be at fault?

      As I said before, it's pretty clear that the hacking group here knew they were getting into something they shouldn't. Is that a problem? Yes or no?

    79. Re:Bad joke by tehcyder · · Score: 4, Informative

      Since the meaning of "hacker" has changed from "someone who modifies devices to do things they weren't designed to do, or writes quick and dirty computer code" to "electronic burglar", who do we now call someone who modifies devices to do things they weren't designed to do, or writes quick and dirty computer code?

      We still call ourselves hackers, and revel in the thrill that outsiders think we are elite master cyber-criminals who get blowjobs while typing quickly on our keyboards, like in that film with Halle Berry.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    80. Re:Bad joke by Yert · · Score: 1

      I hadn't heard of lemonparty until this reply... thank you for helping me to scour what few optical receptors I have left from my eyeballs. No, really, thank you - if I can't see, I'm no longer chained to this desk...

      With my luck, they'll have me dictate bash scripts to the hot chick who sits 15 feet in front of my office, knowing I won't be able to make lewd comments about her bra and panties not matching anymore...

      --
      Truck driver, plumber, Linux systems engineer.
    81. Re:Bad joke by icebraining · · Score: 2, Insightful

      The difference is sending a GET request to some URL is something we are supposed to do even without asking. This is a link. How are you supposed to know if you can legally click it? Do you check with the domain owner of every link to see if you have permission before you click it?

      The difference between a GET request and a malformed packet/running code on other's servers is that the GET is a legal, safe action that everyone on the web does hundreds of times per day.

    82. Re:Bad joke by starfarer42 · · Score: 1

      A private home or car is considered to be a private, exclusive area unless you explicitly know otherwise. A website is the exact opposite: it's like a storefront, or a restaurant, which a reasonable person would presume to be open to the public unless explicitly marked or set up otherwise.

      All stores and restaurants have private areas -- the stock room, the kitchen, etc.-- that are *not* open to the public. If you're found in one of those employee-only areas then at best you'll be politely asked to leave -- at worst they'll call the cops. A website can be the same way, with public and private areas served up from the same domain.

      And if you leave the door to your store unlocked after closing time, and I wander in, yes, that's totally acceptable, and I'm not trespassing unless I stay after you explicitly tell me to leave. Until you do, I'm making a reasonable assumption that a normally public place (a website on the public Internet, or a store) is open to the public (no access control mechanism is in place, or the front door of the store is not locked).

      I am neither a lawyer nor a cop (IANALNAC?) but that fits my definition of trespassing pretty well. Most stores and restaurants are open maybe nine or ten hours a day. That means they're closed more often than they're open. The only reasonable assumption you can make is that you're not welcome unless you're obviously invited to come in.

      If you check the law I think you'll find that businesses are not public spaces at all. Rather, they are private spaces into which the public is invited to enter. There are many cues we can use to determine if we are allowed in. Some of them are overt (does the sign say "Open" or "Closed"?) and some of them are subtle (are the lights on?) but nobody would deny that it's usually obvious when the invitation is being made and when it's not. The same holds true for a website. Anyone competent enough to find an unpublicized page on a website is also competent to know that they aren't welcome there. You wouldn't tolerate someone snooping behind every unlocked door in real life so why make excuses for it when it happens on the Internet?

    83. Re:Bad joke by icebraining · · Score: 1

      Simple question then--by your standard if a company or even a person makes a mistake (pick your reason, bad syntax in httpd.conf, web server software error, web app software error, etc) and accidentally leaves some data available (akin to leaving a car or home door open?) can anybody access and not be at fault?

      No, it's not akin to leaving a car or home door open. An HTTP request is supposed to be safe and legal - we've launched dozens to access /. and post this message. Entering someone else's car or home isn't - everyone knows they're not supposed to do it.

      As I said before, it's pretty clear that the hacking group here knew they were getting into something they shouldn't. Is that a problem? Yes or no?

      Knowing that it was an error made them assholes, not criminals.

    84. Re:Bad joke by Anonymous Coward · · Score: 0

      I don't disagree, but that is not how the law works. If I set up an ftp server that by default allows anonymous access and don't configure it to not allow said anonymous access and someone finds it and leeches my private data from it -- they have almost certainly broken the law (courts will decide, a real case is not likely to be quite that simple, I am not a lawyer). The key is my *intent* was not to set up a public ftp server.

      And intent seems to matter for a lot of laws. If you *intend* to kill someone the charge is worse than if you *accidentally* killed someone. Often it is necessary to prove intent on the part of the defendant.

      In your eyes, not securing access equals intent to distribute publicly. So, if you forget to lock your door and someone enters your residence and takes items from it they are not a thief? After all, if you hadn't wanted them to wander in and take things you would have locked the door, right?

      thoromyr

    85. Re:Bad joke by emillman · · Score: 1

      So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc.

      This would fall more under mis-configuration of access controls than a total lack thereof. IANAL, but it seems more analogous to building a house without glass in the windows, doors in the frames, or having a car without door locks entirely. That doesn't change the process of breaking and entering, which refers to the crossing of the boundary between the public area and private area. This is why such protections also apply to the homeless. Where the trick lies, I think, is whether or not AT&T had a "no unauthorized access or use permitted" warning posted with regards to the service hosting the script, at least in a legal sense. This would be analogous to a no trespassing sign.

    86. Re:Bad joke by qazwart · · Score: 0

      Let's take the case of a restaurant. It has a public access space (the front tables) and a private space (the kitchen area). If someone forgets to lock the kitchen door, you still have no right to "access" the kitchen. You further have no right to take stuff, publish the secret recipes you found in the filing cabinets, or to vandalize the place.

      A website is public, and you can expect the public to use the publicly accessible parts of it. However, if you find a security hole, you have no right to access that.

      I think the problem is that this is Apple, AT&T, and the proprietary iPhone and not the super cool Android phone. But, AT&T also sells Android phones. And, so does Verizon which also had similar issues. What if someone accessed via AT&T and Verizon information about YOUR phone. YOUR phone number. YOUR billing address, YOUR bank account. Is that still okay?

      If I leave my keys in the car. If I leave my front door open, the police might "laugh at me", but a crime has still taken place.

      As for the "implied" license: Are you saying that if you can figure out some sort of hack via a security hole, you have permission to enter? This was not a link that said "Click here to view iPad account holder information". This was a script written probing for a security hole. It's as if someone port scanned your PC.

      Internet security is extremely difficult. You have millions of people you want to let in, but at the same time, you have information you don't want public. Even Google gets hacked. Hackers aren't just kids. They're sometimes backed by crime syndicates and foreign governments. Don't be so sure of yourself. How much do you know of your own computer? Are all those protocols your computer uses to communicate absolutely secure? Could there be some bug in one of the hundreds of third party libraries that you don't know about?

      Don't be so gung ho on Linux/GNU either. It is far from secure unless you keep your machine off, unplugged, locked in a closet, and off any network. Almost every day, my Linux desktop machine reports about a half dozen security issues and bugs. And, since it is a desktop machine, I can update it, reboot it, and hope everything keeps working. I can't do this with my database server or my web server. It needs to be up almost 24 hours each day, and I have to certify that bug fixes won't break anything. Takes about a week to go through the process, so it's about 3 months behind in updates. Maybe longer.

      Hacking is a crime whether you like it or not. It doesn't matter if something was easily hackable or hard to hack. It doesn't matter if the security hole was well known or zero day.

      Your argument that since this was a webserver, thus not a hack, is laughably immature. You really think writing a PHP script to poke around at various non-accessible directories, and taking random guesses, is public access?

      There may be some liability AT&T has in this case if they were negligent in securing the information. That would be for the court to answer. This would be like a bank that has a master key to their safety deposit boxes kept on a nail by the front door in the lobby. However, that guy who took the key, and rummaged through the safety deposit boxes would still have committed a crime.

    87. Re:Bad joke by CAIMLAS · · Score: 1

      There will be no legal prosecution for this. In fact, I'd be surprised if we saw anything more about it.

      Why?

      Because the exploit involves numerous high-profile users: CEOs, military officials, and (most significantly) federal employees who just happen to be of a fairly high status. The White House is using iPads for daily briefings and the like. The fact that this leak is out would be a huge, huge embarrassment on account of its security implications.

      The story isn't going anywhere.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    88. Re:Bad joke by icebraining · · Score: 1

      In your eyes, not securing access equals intent to distribute publicly. So, if you forget to lock your door and someone enters your residence and takes items from it they are not a thief? After all, if you hadn't wanted them to wander in and take things you would have locked the door, right?

      In my eyes, that's a flawed analogy. Here's a better one, by Mr. Coward.

      Btw, have you clicked that link? How did you know that you were supposed to access that resource? Have you called Geeknet, Inc requesting their permission before issuing a GET request to their server? No? Exactly what they did.

    89. Re:Bad joke by LifesABeach · · Score: 1

      AT&T accidentally left exposed.

      Really? Then how can one show Intent? You gotta love the irony. But a more objective observer would ask the question, "who will profit from this event?"

    90. Re:Bad joke by ChronoFish · · Score: 1

      If you enter unlocked property you are trespassing.

      If you enter locked property you're breaking and entering.

      If you enter a property with criminal intent, you are committing burglary and trespassing.

      -CF

    91. Re:Bad joke by TRRosen · · Score: 1

      Yeah go ahead and try that by walking into a store at 1am with the lights off and the closed sign up. While you're bleeding in the back of the police car on your way to jail you can ponder the fact that just because a door is open doesn't mean you can go inside when you know you're not supposed to.

      Or next time you're at your doctor's office walk around the counter and start going through the patient files. After all there is no lock and it's open to the public.

    92. Re:Bad joke by Moridineas · · Score: 1

      No, it's not akin to leaving a car or home door open. An HTTP request is supposed to be safe and legal - we've launched dozens do access /. and post this message. Entering someone else's car or home isn't - everyone knows they're not supposed to do it.

      Ok, you don't like the analogy. I personally think there is something of merit in it, you don't. I've admitted since post #1 that it is flawed, and explained exactly why (for reasons we largely agree upon).

      What we DON'T agree upon I suppose is the remedy. Forget the analogy. Should somebody accessing data they know full well they should not be accessing--data that in this case has personal information in it--is this a problem? I say it is! This particular case is perhaps confounded by the fact that AT&T are stupid douchebags...

      "It's HTTP ergo public" cannot be a defense. Passwords and protection have existed since the early days of computers and have FAILED since the early days of computers. Think of the government employees who merely accessed a database of personal information on private citizens and have gotten into a great deal of trouble (think of Joe the Plumber and Obama personal info).

      To get back to the realm of analogy (but away from the house!) if you found a print out of email addresses and iPad cell identifiers just sitting on a public park bench, is it ok to publish information from that? This is of course not a perfect analogy either (no analogy is...) because the hacking group in question did not just stumble across this information, they actively sought it out.

    93. Re:Bad joke by bdenton42 · · Score: 1

      So if a store has an "OPEN" sign out front but nobody in watching everything it's ok to walk in and take what you want?

      No, but it is ok to walk in and *look* at anything you want. Even all 100,000 items.

    94. Re:Bad joke by dreamchaser · · Score: 1

      Wrong. It's a perfect analogy. Ok let's take your store front. The operative word is front. If you fake your way in through the loading dock by pretending to be a delivery man and/or using forged or stolen credentials then you're going in the back door. Even if you go in the back door because it was left unlocked and unguarded it's still considered a crime in most jurisdictions. The key is the intent, and the fact that the perpetrator evaded the front door.

    95. Re:Bad joke by jm2morri · · Score: 1

      IANAL...

      I'm sure this depends on your location, but here in Canada theft is theft, it is irrelevant if you lock things up. If someone comes onto my physical property and takes something that is theft. Whether there was a lock on the door or a window open is irrelevant. I don't see why it would be any different in the cyber-world.

      Now if I have a big sign on the front yard that said "free lawnmower" and then someone came on my property and took the lawnmower I would imagine that I'd have a hard time saying it was theft. But if they took my chainsaw at the same time, that would still be theft, even if it was sitting right next to the lawnmower. I think that analogy is similar to what may have happened here (not exact I understand, hence "analogy"). I get a sign (URL) that points to a page that gives me my information as intended (in my example, lawnmower). If I use that to "get into the database" and then happen to take someone else's information (in my example, chain saw) then that would still be theft would it not? I've been granted access to the database to get my information but not someone else's. The fact that it is sitting right there and available to take does not mean it is "legal" to take it.

      Cheers.

    96. Re:Bad joke by Hatta · · Score: 2, Interesting

      we start going on a grey area and the 'net turns into a unsafe place where you can be illegal just by clicking a link.

      We're already there.

      --
      Give me Classic Slashdot or give me death!
    97. Re:Bad joke by orient · · Score: 1

      Bad analogy: a home is the owner's residence and it's private property and there's a law that says you cannot enter without approval.

      A website is created with the intention of making information available; so, unless unequivocally forbidden, the access is permitted. The question is: was there a warning on that page/script?

      --
      Their praises would surely sadden me beyond measure.
    98. Re:Bad joke by Sancho · · Score: 1

      The only sensible way of handling such things is to ask what a reasonable person would do. Reasonableness tests are littered throughout the law, and are good for cases where there's a general grey area.

      Would a reasonable person consider the AT&T interface to be public? It was an interface meant to be used by an application, not by a person. A reasonable person would not likely consider that public.

      Would http://slashdot.org/ be considered public by a reasonable person? Probably.

      Geeks work in a world with hard-and-fast rules, and they like to think that they live in such a world, too. They don't. The law is very, very grey.

    99. Re:Bad joke by Sancho · · Score: 1

      It wasn't even expecting you to access it via a link. The way it works (I'm making a few assumptions here, based upon the behavior of the iPad) is that the applet which logs you in to AT&T to sign up for data pre-fills your e-mail address based upon the ICC. To do that, presumably, it called this interface. If this is all true, then the interface was never meant to be accessed by a human at all. It's also difficult to practically secure.

    100. Re:Bad joke by swdepth · · Score: 1

      If the interface is not advertised publicly and used internally, then the user had to decode, disassemble, or hack the non-advertised web service (to find it). They also had to test and exploit the interface to learn of its functionality. This is all illegal. If I leave my door unlocked, it does not give you permission to enter my house. They are coming into my house (website) which I gave them access to. But I did not give them permission to go into my garage and mess with my power tools!

    101. Re:Bad joke by swdepth · · Score: 1

      And if you were invited into my house and decided to go in a room you shouldn't go in, like my child's room. If I don't approve (authorization), I am going to call the police if you don't comply by leaving! How would you react in this situation? If I leave my car unlocked (interface), does it mean that you can go in and yank my radio (e-mail addresses) out of the dashboard when I'm sleeping?

    102. Re:Bad joke by Anonymous Coward · · Score: 0

      No this is not a reasonable extension of his analogy. They came in through the front door. The "tradesman entrance" always has a security keypad (password protected). What the security firm did was walk right in the front door doing a bit of a silly walk holding a clipboard to appear official and asked for the documents, which were promptly given to them by an authorized representative of the store.

    103. Re:Bad joke by swdepth · · Score: 1

      What if you have sound plumbing? And..., all of a sudden, you discover that you have vermin that punched holes in your pipes. Now you're losing water.

    104. Re:Bad joke by butlerm · · Score: 1

      A website is public, and you can expect the public to use the publicly accessible parts of it. However, if you find a security hole, you have no right to access that.

      I agree, assuming you know or have good reason to believe it is a security hole. The presumption for a page on a public website is the other way around.

    105. Re:Bad joke by Mister+Whirly · · Score: 1

      If they hadn't done it this way, AT&T would have downplayed it, or covered it up. When a list of 100,000+ of your customers is posted online, it is kind of hard to deny a security breach. Do you honestly think AT&T would have disclosed this if not forced to?

      --
      "But this one goes to 11!"
    106. Re:Bad joke by Peach+Rings · · Score: 1

      Your analogy is ludicrously flawed. I could maybe stretch the analogy to its breaking point to be more accurate:
      Instead of being on the lawn, "Free x" signs are distributed as fliers. Each flier has a different x, so one flier says "Free 1" and another says "Free 2" etc. The directions on the flier say to approach your garage and speak your flier number into the intercom, and their Free x will emerge from a conveyor belt. These guys gathered up a bunch of fliers and went to your garage to collect the Xes. They noticed an obvious pattern, so instead of counting "1, 2, 3, 4." they keep going: "5, 6, 7, 8, 9, 10..." and the garage keeps giving them free xes. They're just speaking numbers into the air.
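      The counting pattern described above (one caller speaking "5, 6, 7, 8..." into the intercom) is also what a defender can look for on the server side. This is an added example, not code from the thread or from AT&T: it parses constructed access-log lines for a lookup endpoint (the path /lookup and the iccid parameter are assumed placeholders, since the real script is not on the page) and flags source addresses that query many distinct, mostly consecutive identifiers, while a single pre-fill lookup or a handful of unrelated lookups pass unflagged.

```python
import re
from collections import defaultdict

# Assumed placeholder endpoint and parameter name; the real AT&T URL is not on the page.
LOOKUP_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /lookup\?iccid=(?P<iccid>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)


def _line(ip, iccid, sec):
    """Build one constructed combined-format access-log line."""
    return (f'{ip} - - [09/Jun/2010:14:02:{sec:02d} -0400] '
            f'"GET /lookup?iccid={iccid} HTTP/1.1" 200 57 "-" "Mozilla/5.0"')


# Constructed sample log (documentation-range IPs, made-up ICC-ID values).
SAMPLE_LOG = (
    # one client walking ten consecutive ICC-IDs: the enumeration pattern
    [_line("203.0.113.7", 89014104210100000000 + i, i) for i in range(10)]
    # one client doing a single lookup, as the sign-up pre-fill would
    + [_line("198.51.100.20", 89014104210100004242, 30)]
    # one client doing three unrelated lookups, below the volume threshold
    + [_line("192.0.2.9", 89014104210100001000 + 7 * i, 40 + i) for i in range(3)]
    # unrelated request that the parser must ignore
    + ['192.0.2.9 - - [09/Jun/2010:14:02:50 -0400] '
       '"GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"']
)


def parse_lookups(lines):
    """Return (ip, iccid) pairs for requests that hit the lookup endpoint."""
    hits = []
    for line in lines:
        m = LOOKUP_RE.match(line)
        if m:
            hits.append((m.group("ip"), int(m.group("iccid"))))
    return hits


def enumeration_report(lines, max_distinct=5, min_consecutive_ratio=0.8):
    """Flag source IPs that requested more than max_distinct distinct ICC-IDs.

    The reason is "sequential" when most successive IDs (sorted) differ by
    exactly 1, i.e. a counting walk; otherwise "volume", which still catches a
    client that randomises the order of the IDs it asks for.
    """
    by_ip = defaultdict(list)
    for ip, iccid in parse_lookups(lines):
        by_ip[ip].append(iccid)

    flagged = {}
    for ip, ids in by_ip.items():
        distinct = sorted(set(ids))
        if len(distinct) <= max_distinct:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        reason = "sequential" if ratio >= min_consecutive_ratio else "volume"
        flagged[ip] = {
            "distinct_ids": len(distinct),
            "consecutive_ratio": round(ratio, 2),
            "reason": reason,
        }
    return flagged


if __name__ == "__main__":
    for ip, info in enumeration_report(SAMPLE_LOG).items():
        print(ip, info)
```

      Per-client thresholds like these are only a first cut; the same counts tracked per time window, and a hard cap enforced at the endpoint itself, are what stop the walk rather than just report it afterwards.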

    107. Re:Bad joke by Anonymous Coward · · Score: 0

      It wasn't news when walmart leaked addresses to spammers.

      It's just email addy's.

    108. Re:Bad joke by laughingcoyote · · Score: 1

      I'm pretty sure my doctor keeps patient files in a locked cabinet. I hope I would've noticed if he didn't - I might have mentioned it, or be looking for a different doctor.

      That being said, leaving a public-facing web service open to anyone to read is like leaving a patient file open and on the counter, not like someone cracking into a cabinet. So, yes, here, I'm still going to say, if you don't want the public to look at stuff, don't leave it where anyone can look at it! There are always curious people about. And there's certainly no excuse for sloppy security when you're handling someone else's sensitive information.

      --
      To fight the war on terror, stop being afraid.
    109. Re:Bad joke by TRRosen · · Score: 1

      Methinks you should see an eye doctor then, because you're going blind. I've never been to a medical office that didn't have a few thousand files behind the desk.

    110. Re:Bad joke by mcgrew · · Score: 1

      Swordfish? In that one, the hacker broke into a government computer with a gun at his head while getting a blow job.

    111. Re:Bad joke by sjames · · Score: 1

      In the case of a business, if the lights are on, the door unlocked, and no closed sign in the window the public may presume that they may enter. AT&T forgot to lock up. The convention for computers tends to closely track the conventions for a business.

  2. Goatse Security by Anonymous Coward · · Score: 0

    N/T

    1. Re:Goatse Security by SolidAltar · · Score: 5, Funny

      The funniest part of this entire story is that news organizations are either completely clueless as to what Goatse is, or refuse to mention it.

      But some people are going to google it anyway.

      The person who leaked this is a true internet superhero.

    2. Re:Goatse Security by Titoxd · · Score: 5, Funny

      Goatse Security: We will show you every gaping hole in your security!

    3. Re:Goatse Security by cosm · · Score: 5, Funny
      I'm willing to bet the writers / editors of the dailytech story knew exactly the wide open possibilities of this exploit's verbiage flexibility, FTA:

      The title:

      AT&T's Gaping Hole Exposes...

      and

      ... before reporting this gaping hole to AT&T...

      and this gem:

      Apple CEO Steve Jobs surely won't rest until AT&T's gaping hole is filled

      Goatse FTW.

      --
      'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    4. Re:Goatse Security by Anonymous Coward · · Score: 5, Funny

      Goatse Security: We will show you every gaping hole in your security!

      "That guy who leaked 114,000 emails? What a big asshole!"

    5. Re:Goatse Security by Anonymous Coward · · Score: 0, Informative

      Apple users are used to having their anuses stretched open, both by Apple and by other men. It makes sense that Goatse Security would be the group to gain access to their personal information.

    6. Re:Goatse Security by BluBrick · · Score: 1

      Who is in charge of that? Ben Dover?

      Close - it's a partnership with Phillip McAvity.

      --
      Ahh - My eye!
      The doctor said I'm not supposed to get Slashdot in it!
    7. Re:Goatse Security by nacturation · · Score: 1

      This is AT&T's security model:

      (almost safe for work) http://goatkcd.com/424/sfw

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    8. Re:Goatse Security by audunr · · Score: 1

      Both are great security experts, but in my opinion they should reconsider their stance on government back doors.

    9. Re:Goatse Security by Hatta · · Score: 1

      If you go to their website, you'll find that behind Goatse Security is weev, well known troll. Slashdotters might know him as head of the GNAA.

      --
      Give me Classic Slashdot or give me death!
    10. Re:Goatse Security by tehcyder · · Score: 1

      No, it's those legendary Scottish homosexuals Ben Doon and Phii Macavity.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    11. Re:Goatse Security by Anonymous Coward · · Score: 0

      He associates with Ivor Bigun and Onya Bagyabic.

    12. Re:Goatse Security by Anonymous Coward · · Score: 0

      Apparently the FBI has just begun a probe into Goatse's exposure of the gaping hole.

  3. Goatse? Really? by ewoods · · Score: 5, Funny

    Ok, "goatse" in a story, followed by a link... Is anyone really going to click it without hesitation?

  4. Fixed? It already leaked! by Anonymous Coward · · Score: 0

    From the BP school of leak fixage

  5. Oops by Zalgon+26+McGee · · Score: 1

    AT&T making a technical goof. That _is_ news.

    --

    ---

    Book(n): Utensil used to pass time while waiting for the TV repairman

  6. Bad move, Apple by DogDude · · Score: 0, Troll

    Apple's market for the i* just got destroyed. The risk that Apple took by partnering with AT&T has finally come and bit them in the ass. Dumb move, Apple.

    --
    I don't respond to AC's.
    1. Re:Bad move, Apple by Shadow+Wrought · · Score: 2, Interesting

      I sometimes wonder why Apple hasn't moved away from its exclusive relationship with AT&T. I do wonder how Apple would spin it if it were opened to other carriers and they all experienced the dropped call issue?

      --
      If brevity is the soul of wit, then how does one explain Twitter?
    2. Re:Bad move, Apple by Titoxd · · Score: 4, Insightful

      In the age of Facebook, I wouldn't be surprised that many people just flat out don't care.

    3. Re:Bad move, Apple by Red+Flayer · · Score: 4, Informative

      I sometimes wonder why Apple hasn't moved away from its exclusive relationship with AT&T.

      Contractual obligations. Here's some info.

      Basically, Apple signed a five-year deal in 2007 because they badly needed a carrier who was willing to sink many millions into the release.

      Here's the thing that sucks for early adopters: If you bought in '07, you had to sign a two-year deal with AT&T. Par for the course for a phone the way we've got it structured in the US. But after your two years are up, you'd still be stuck with AT&T for another three years due to the 5-year deal they have with Apple. Either that, or jailbreak your phone, etc.

      Practically, though, the extra three years are no big deal for the early adopters... surely most of them would move onto a new phone after two years, since they are early adopters.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    4. Re:Bad move, Apple by jht · · Score: 1

      As much as I want my iPhone carrier-unlocked, what other US carrier with GSM/HSDPA and a nationwide footprint do I have access to?

      Point being, what am I supposed to do with my newly unlocked iPhone - go to T-Mobile? Not really, at least not in this country. The use I can see for an unlocked US iPhone is simply that were I to travel overseas I could use a local SIM over there and use it with a native carrier instead of getting violated with international roaming fees.

      Not having left the States in seven years, I'm not worrying about it too much so far.

      When the day eventually comes that LTE is everywhere, then it's worth worrying more about unlocking the iPhone for me. Because then I'll be free to shop between AT&T, Verizon, or whomever else is on LTE by then. Until then, unlocking an iPhone is mainly for the international traveler. And in many other countries, you can buy your unlocked, unsubsidized iPhone there and bring it back with you. Which sounds like the way to go at this point.

      --
      -- Josh Turiel
      "2. Do not eat iPod Shuffle."
    5. Re:Bad move, Apple by Anonymous Coward · · Score: 0

      Why would they?

    6. Re:Bad move, Apple by dbcad7 · · Score: 1

      Yes, you could go to T-Mobile in the US, you just would not have 3G.. and if you think that is "useless".. well, not quite.. for example, I am on T-Mobile, and I went to Europe recently.. of course no 3G due to the freq differences.. but I still had Edge, and you know, it wasn't that bad.. I could still use Google maps and navigation with Edge for some directions, and access some web pages.. Phone wise (it is a phone) it worked flawlessly.. Would I only want to "live on the Edge".. probably not.. BTW.. although LTE may seem like the answer, I don't think it will be.. I think the carriers (all of them).. like things a bit incompatible as they are.. I highly doubt they are going to fix it, and if they do, it will be a decade before things are truly swappable between carriers.

      --
      waiting for ad.doubleclick.net
    7. Re:Bad move, Apple by omglolbah · · Score: 1

      I'm so glad that kind of business practice of keeping a phone locked after the contract ends is illegal in Norway...

    8. Re:Bad move, Apple by jht · · Score: 1

      That was pretty much my point. If I unlock the iPhone here in the US, my options are T-Mobile (with a tiny footprint and hardly any 3G presence, and what there is for 3G isn't iPhone compatible) and a handful of small rural carriers. That's it. If I want an iPhone in the US AT&T is pretty much the only way to go.

      Taking that phone overseas, though, becomes useful with an unlocked phone. I can pay local rates for phone calls instead of roaming rates of $1-$2 per minute. I'd lose my phone number for the duration doing that but at least I'd have a choice.

      In the LTE world (once the technology settles down) I should be able to take an unlocked phone and use it with any provider. Might be a while, but that's the best hope - and it's also what AT&T and Verizon have both announced they are using. There is hope...

      --
      -- Josh Turiel
      "2. Do not eat iPod Shuffle."
    9. Re:Bad move, Apple by jayme0227 · · Score: 1

      There are actually a lot of big names on this list. From Michael Bloomberg to Rahm Emanuel to the CEO's of many highly recognizable institutions, people will care.

      --
      But then I realized the cable was blue, so I only gave it one star. I hate blue.
  7. Goatse Security by Anonymous Coward · · Score: 2, Funny

    Who is in charge of that? Ben Dover?

  8. Re:Goatse? Really? by Anonymous Coward · · Score: 3, Funny

    What's even better is that the first 3 words of the headline are "AT&T's Gaping Hole".

  9. Stupid article by JamesRing · · Score: 1

    I love the tacky and insensitive image of the iPad disappearing down the massive sinkhole in Guatemala City. At least nobody is dead because some email addresses maybe got leaked.

    1. Re:Stupid article by uofitorn · · Score: 1

      Nobody was reported to have been killed by the sinkhole. Though the other floods and landslides are a different matter..

      --
      "What kind of music do pirates listen to?" -Paul Maud'dib
      "Yeeeaaarrrrr n' Bee!!" -Stilgar, Leader of Sietch Tabr
  10. Oh well... by PopeRatzo · · Score: 4, Insightful

    Accidents happen.

    Does anyone think this will cost AT&T anything? Not when you've let the NSA use your phone system for illegal wiretaps.

    That was the quid and things like this are the quo.

    --
    You are welcome on my lawn.
    1. Re:Oh well... by Anonymous Coward · · Score: 0

      Not when you've let the NSA use your phone system for illegal wiretaps.

      Heh. Maybe that interface was for NSA? :P

    2. Re:Oh well... by Anonymous Coward · · Score: 0

      So what you're saying is that the missing element is a "pro" or some kind of person to act professionally? I certainly would agree.

  11. Re:Goatse? Really? by akanothing · · Score: 1

    Yes, after seeing how impressive the scope of their work is, I can't wait to dive in and hire Goatse Security.

  12. Re:Goatse? Really? by Ethanol-fueled · · Score: 5, Informative

    For those of you who don't get it, Goatse Security is a division of the great Gay Niggers Association of America.

    I'm not fucking joking.

    Additionally, this may be a Slashdot first: The GNAA first post is actually the article itself.

  13. Will consumers actually care? by holophrastic · · Score: 2, Insightful

    I'm not a consumer, and least of all a gadget one. I'm a business guy and I like business toys. And when I buy a business toy, I consider the brand and the source, and almost always pay more to get the better source -- especially when the product/service is otherwise identical.

    But when have you seen a consumer choose to buy an iPad from a source that's $10 more expensive than another they've found? Anyone here have friends who choose to pay more? Anyone have friends who chose an iPad from not AT&T because they actually thought about the AT&T factor? I'd bet otherwise.

    1. Re:Will consumers actually care? by Beyond_GoodandEvil · · Score: 1

      I'm not a consumer, and least of all a gadget one. I'm a business guy and I like business toys.
      I'm confused, how are business toys not gadgets?

      --
      I laughed at the weak who considered themselves good because they lacked claws.
    2. Re:Will consumers actually care? by holophrastic · · Score: 1

      Business toys tend to have a profitable purpose. So it really doesn't matter if you pay $100 or $150, because you're using it to make $5,000.

  14. Re:Goatse? Really? by TinBromide · · Score: 2, Funny

    What's even better is that the first 3 words of the headline are "AT&T's Gaping Hole".

    Well, I was rather amused by the fact that "Goatse" "Leaked" something from said "Gaping Hole," I suppose that if you spend all your time playing with your "gaping hole," then something is eventually going to leak.

    --
    Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
  15. Goatse? Gaping Hole..? by zardozap · · Score: 0

    ... In the article's title, no less. Really. Sometimes you can't make this internet shit up.

    1. Re:Goatse? Gaping Hole..? by Psaakyrn · · Score: 1

      I'm guessing they named the company as such in hopes of getting a headline like this.

  16. can't put the genie back in the bottle by rastoboy29 · · Score: 1

    /me predicts ipad users being offered many, many ipad-relevant super deals in their email in the next few days.

    I'm sure they won't mind!

  17. Oh joy, another spam list... by beaverdownunder · · Score: 2, Insightful

    Besides revealing the e-mail addresses of a number of prominent PUBLIC figures (emphasis on the word PUBLIC) it's just another spam list. Whoopee...

  18. Re:Goatse? Really? by mavasplode · · Score: 4, Funny
    FTA:

    Apple CEO Steve Jobs surely won't rest until AT&T's gaping hole is filled,

    nuff said

    --
    ACTUAL SIZE!!!
  19. Gawker Being Gawker by Saeed+al-Sahaf · · Score: 1, Insightful

    Gawker reports that it's possible that confidential information about every iPad 3G owner in the US has been exposed.

    Is it? Is it really? Or is this just Gawker being Gawker and making things up? Emails, folks. That's it. Emails. You're on some public list already; emails are not "confidential".

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  20. Re:Doesn't Matter by aesiamun · · Score: 4, Insightful

    why would it affect Apple at all? This was an AT&T issue.

  21. not every iPad owner by feldsteins · · Score: 1

    Gawker doesn't suggest that "every iPad owner in the US" may have been exposed. It says every iPad 3G owner may have been exposed. I don't think that's splitting hairs, either, given the short time the 3G model has been available. Things are bad enough without making them seem worse.

    --
    You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
    1. Re:not every iPad owner by robogun · · Score: 1

      At first I thought it said "all 114,000" Ipad owners. Because I don't see them around and there's no way they sold as many as they said they did.

  22. No way. by Anonymous Coward · · Score: 2, Funny

    The last thing that comes to my mind when I think goatse is security. That guy can't secure shit.
    And trust me, I've thought about a lot of things while viewing / thinking of goatse.. And security was definitely the last, because I read an article about it on some site.

    1. Re:No way. by Anonymous Coward · · Score: 0

      That guy can't secure shit.

      If you had an anus that wide, you wouldn't be able to secure your shit either!

  23. Hunch by Anonymous Coward · · Score: 0

    Just a hunch. I think this is round two, apple versus gawker media. My hunch is this is the lesser of two or more sploits they have against apple products, more or less telling them to back off the gizmodo iPhone lawsuit stuff.

  24. Re:Doesn't Matter by Wyatt+Earp · · Score: 5, Insightful

    Since this was a flaw in AT&T's security, despite Gawker's attempt to make it Apple's fault, why the hell would or should it affect Apple's image?

    From a source not being sued by Apple for theft

    http://www.pcworld.com/businesscenter/article/198453/should_you_worry_about_the_ipad_3g_data_leak.html

  25. They have great benefits at Goatse Security by Anonymous Coward · · Score: 0

    But the exit interview is tough to get through.

    The trick is to relax.

  26. What is mail for again? and how it was sent? by Ilgaz · · Score: 1

    I couldn't imagine why a telco would need a user's mail address, and how on earth it trusts the user-entered mail address.

    I also wonder if the infrastructure was using http or httpS for that communication, you know while collecting user mail addresses for some (??) reason.

    You know what? It should be Apple protesting this massive leak in the first place. Didn't they declare a monopoly on location based advertising "to protect user privacy"? Eh, mail addresses in the hands of some organization that named itself "goatse", could anything worse happen?

    1. Re:What is mail for again? and how it was sent? by Anonymous Coward · · Score: 0

      And that is why I have a couple of "spare" e-mail addresses...

      And why I haven't bought any Apple products yet. I was going to buy an iMac, but that ideation is now on hold.

      Thankfully, AT&T is not my wireless provider, either...

  27. Re:Goatse? Really? by dotgain · · Score: 1

    You jest, but I'm sure iPad owners would love nothing more than for Apple to open their wallet and contribute to AT&T getting a good walloping. I'm not a US citizen so I don't know if private prosecutions or whatever you might call them happens there.

  28. Re:Goatse? Really? by Anonymous Coward · · Score: 0

    At least he didn't do it AC?...

  29. Re:Goatse? Really? by Anonymous Coward · · Score: 0

    I'd never give the GNAA credit, but.. .they won this time.

    I've never laughed this hard reading Slashdot in my entire life.

  30. Thank you... by xgadflyx · · Score: 4, Insightful

    Thank you, Slashdot, for not running the sensationalist headline found on that other "tech" blog. Kudos to you for calling it what it is - an AT&T security breach.

    --
    Civilization, the death of dreams.
  31. Re:Ironic... by Anonymous Coward · · Score: 0

    That's not *ironic*, that's *appropriate*.

  32. You are more right than you know. by tak+amalak · · Score: 5, Funny

    anyone with half a brain has a droid anyway.

    Couldn't have said it better myself.

    --
    Don't lead me into temptation... I can find it myself.
    1. Re:You are more right than you know. by konohitowa · · Score: 1

      I wish I had mod points. That was hilarious!

    2. Re:You are more right than you know. by matunos · · Score: 1

      How is that new droid tablet? Oh, they don't have one yet?

      Check the fanboyism at the door please.

    3. Re:You are more right than you know. by BattleApple · · Score: 1

      best description of the droid I read recently was something like "It's like playing basketball with Robocop... he has all these cool moves, but can't execute them without looking all awkward"

    4. Re:You are more right than you know. by Mr2001 · · Score: 1

      How is that new droid tablet? Oh, they don't have one yet?

      Nice try, but actually Archos has had an Android tablet out for months now. And more from other manufacturers (like the MSI WindPad) are slated to come out this year.

      --
      Visual IRC: Fast. Powerful. Free.
    5. Re:You are more right than you know. by aliquis · · Score: 1

      I don't know why they said "droid" and not "android phone" since I don't see what would be so special with exactly those models.

      But anyhow: There exist Android tablets.

    6. Re:You are more right than you know. by matunos · · Score: 1

      Archos makes a Droid?

      Okay, that's a technicality, but if you mean the 8"x4.2" Archos, I don't think that's exactly equivalent to the 9"x7.5" iPad. Not equivalent enough to suggest that "anyone with half a brain" would have one.

      As for those models that are "slated to come out this year"... well, you can't very well have one yet, right?

    7. Re:You are more right than you know. by Anonymous Coward · · Score: 0

      best description of apple products I read recently was something like "you paid too damn much for it."

    8. Re:You are more right than you know. by intheshelter · · Score: 0, Troll

      Wow, Archos has an Android tablet out for months and no one knows about it. Quite the successful product.

      Apple has one out for 2 months and it's still getting good reviews and is selling left and right.

      I guess people are voting with their wallet and Android is losing.

      Go away Android fanbois, the world is tired of your pseudo-open platform already.

    9. Re:You are more right than you know. by Mr2001 · · Score: 1

      Wow, Archos has an Android tablet out for months and no one knows about it. Quite the successful product.

      Apple has one out for 2 months and it's still getting good reviews and is selling left and right.

      Funny how that works, isn't it? The press fawns over every word that comes out of Steve Jobs's mouth, treats every Apple product announcement as front-page news, hypes the iPad for months before its release, and coincidentally Apple's tablet ends up better-known and better-selling than a more capable tablet from a company that doesn't receive the same treatment. Why, it's almost as if Apple's success has more to do with marketing than product quality.

      --
      Visual IRC: Fast. Powerful. Free.
    10. Re:You are more right than you know. by Mr2001 · · Score: 1

      Okay, that's a technicality, but if you mean the 8"x4.2" Archos, I don't think that's exactly equivalent to the 9"x7.5" iPad.

      Please, let's not pretend that matching the exact size of the iPad is some kind of requirement for tablets -- especially in light of all the reports that the iPad itself is too heavy to hold comfortably for more than a few minutes. It's ridiculous to suggest that a million tablet buyers considered the Archos tablet but rejected it because the dimensions weren't quite right.

      --
      Visual IRC: Fast. Powerful. Free.
    11. Re:You are more right than you know. by intheshelter · · Score: 1

      Except for maybe your definition of "capable" is not what people want. Maybe they want something that is easy to use, intuitive, fun, great form factor, and DOES WHAT THEY WANT IT TO DO.

      As for marketing over product quality, that is bullshit. I'm sure that helps you sleep at night, but the facts don't bear you out. Apple has led everyone else in customer satisfaction and customer support for SEVERAL YEARS now. Slick marketing doesn't earn you those accolades, a quality product does.

      Funny how that works, isn't it? The Android fanbois just can't seem to understand that feature lists are not the sole deciding factor in the consumer's decision. Until you can understand that you can hardly look down your nose at anyone else.

    12. Re:You are more right than you know. by Mr2001 · · Score: 1

      Except for maybe your definition of "capable" is not what people want. Maybe they want something that is easy to use, intuitive, fun, great form factor, and DOES WHAT THEY WANT IT TO DO.

      That is my definition of "capable". Android is equally easy to use, equally intuitive, equally fun, has a possibly better form factor, and does even more of what they want it to do.

      The Android fanbois just can't seem to understand that feature lists are not the sole deciding factor in the consumer's decision.

      Meanwhile, the Apple fanbois just can't seem to understand that while they've been making excuses about "feature lists", Android has caught up or surpassed them in just about every other respect, too.

      (Speaking of excuses about feature lists, remember when it was in style to pretend you didn't need a third party SDK, copy and paste, multitasking, or tethering? Funny how that changed. I guess people do care about that stuff after all.)

      --
      Visual IRC: Fast. Powerful. Free.
  33. Why punish the users? by Anonymous Coward · · Score: 2, Insightful

    I'm surprised nobody else has commented how offensive it is that the group that found the leak published the email addresses. By all means publish the fact of the breach, get pie on AT&T's face, but why punish the users? That's just mean.

    1. Re:Why punish the users? by BluBrick · · Score: 1

      I'm surprised nobody else has commented how offensive it is that the group that found the leak published the email addresses. By all means publish the fact of the breach, get pie on AT&T's face, but why punish the users? That's just mean.

      Dude, they call themselves Goatse! With that in mind, I'm sure you can think of something more offensive than "sharing" a few thousand email addresses. Besides, I can imagine what might happen if the addresses were not leaked - ATT would invoke the "no harm, no foul" clause. This way, you can be sure they will be penalised for it.

      --
      Ahh - My eye!
      The doctor said I'm not supposed to get Slashdot in it!
  34. This was a metaphorical bukkakke for Apple & A by Anonymous Coward · · Score: 0

    I'm guessing most Apple fanbois won't mind the bukkake. "Thank you Steve Jobs, sir! May I have another?"

    Captcha = apostle. Classic!

  35. Wild West Out THere by Anonymous Coward · · Score: 0

    Anybody that gives companies their main email address is completely ignorant of the Internet and online security. I have several email addresses set aside for providing to companies for online registration. I assume that these addresses will be leaked and treat them so. I even have a dedicated email account just for domain registration. I assume most Slashdot readers do the same. Maybe the suits in government and business will learn a lesson from this. It's a wild west out there.

    1. Re:Wild West Out THere by herojig · · Score: 1

      100% accurate. Why blame leakers unless it's your bank or other important association? Just give these companies a disposable email address for any commodity purchased.

      --
      I think therefore I can't be ~TTNH
  36. Re:Goatse? Really? by Ethanol-fueled · · Score: 2, Insightful

    No, that was me complaining about how I was modded troll.

    But it turns out that my troll mods may have been deserved: I spelled it out like Gay Niggers Association of America instead of Gay Nigger Association of America, which is correct.

    My bad, guys. Keep up the good work. I'd join your public affairs department if I weren't so damn busy these days...

  37. Smartphone Developers: Take Note by dancornell · · Score: 5, Insightful

    This is certainly a high-profile breach, but not apparently immediately catastrophic. However, it does provide a number of lessons for organizations and developers building smartphone applications (iPhone, iPad, Android, Blackberry, Windows Mobile, etc.). All of the issues with the AT&T/Apple infrastructure for the iPad are known web application security issues. Smartphone developers need to learn from the past or they are going to repeat the mistakes of web application and AJAX/RIA application developers.

    I put together some more in-depth comments here:
    4 Lessons From the AT&T/Apple Data Breach for Smartphone App Developers

    --Dan
    @danielcornell
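The pattern the thread keeps circling back to (the "Free 1, Free 2, Free 3..." flier analogy above and the "known web application security issues" point in this post) is a lookup endpoint whose only access control is knowledge of a predictable identifier. The following is an added illustration, not AT&T's code and not part of any commenter's post: a constructed ICC-ID-to-email table, the unauthenticated lookup as the thread describes it, the sequential walk a harvester would run against it, and a hardened variant that binds each lookup to an authenticated session that owns the ICC-ID. Session, the subscriber table and the ICC-ID values are assumptions for the example.

```python
"""Added example: enumerating a lookup endpoint keyed only by a predictable ID.

Constructed data; not the carrier's code. Models the endpoint described in the
story: hand it an ICC-ID, get back the subscriber's e-mail, with no check that
the caller is entitled to that ICC-ID. The hardened version requires an
authenticated session that owns the ID and answers every failure identically.
"""
from typing import Dict, List, Optional, Tuple

# Constructed subscriber table. ICC-IDs from one SIM batch are typically
# sequential, which is what makes walking them cheap.
SUBSCRIBERS: Dict[int, str] = {
    89014104211000000001: "alice@example.com",
    89014104211000000002: "bob@example.com",
    89014104211000000003: "carol@example.com",
    89014104211000000005: "dave@example.com",  # gap at ...0004: not every ID is live
}


# --- vulnerable: the ICC-ID is the only "credential" ------------------------
def lookup_vulnerable(icc_id: int) -> Optional[str]:
    """Return the e-mail for an ICC-ID, or None. No caller check at all."""
    return SUBSCRIBERS.get(icc_id)


def enumerate_emails(start: int, count: int) -> List[Tuple[int, str]]:
    """What a harvester does: walk a range of sequential IDs and keep hits.

    Misses cost nothing, so gaps in the ID space do not slow the walk down.
    """
    hits: List[Tuple[int, str]] = []
    for icc_id in range(start, start + count):
        email = lookup_vulnerable(icc_id)
        if email is not None:
            hits.append((icc_id, email))
    return hits


# --- hardened: ownership check plus a uniform failure response --------------
class Session:
    """Hypothetical authenticated session (an assumption for this example).

    The carrier issued the SIM, so it knows which ICC-ID belongs to the
    subscriber who logged in; that binding is what the lookup must enforce.
    """

    def __init__(self, subscriber_email: str, owned_icc_id: int) -> None:
        self.subscriber_email = subscriber_email
        self.owned_icc_id = owned_icc_id


def lookup_hardened(session: Optional[Session], icc_id: int) -> Optional[str]:
    """Only the owner of icc_id may resolve it.

    Unauthenticated, unauthorised and unknown IDs all return None, so an
    attacker cannot tell a live-but-foreign ID from a dead one.
    """
    if session is None or session.owned_icc_id != icc_id:
        return None
    return SUBSCRIBERS.get(icc_id)


def enumerate_hardened(session: Optional[Session], start: int, count: int) -> List[Tuple[int, str]]:
    """The same walk against the hardened endpoint: at most the caller's own row."""
    hits: List[Tuple[int, str]] = []
    for icc_id in range(start, start + count):
        email = lookup_hardened(session, icc_id)
        if email is not None:
            hits.append((icc_id, email))
    return hits


if __name__ == "__main__":
    base = 89014104211000000000
    print("unauthenticated walk:", enumerate_emails(base, 10))
    alice = Session("alice@example.com", base + 1)
    print("walk as alice:", enumerate_hardened(alice, base, 10))
    print("walk with no session:", enumerate_hardened(None, base, 10))
```

The ownership check is the fix; making the identifier random instead of sequential only raises the cost of guessing and does nothing once an ID leaks (it is printed on the SIM and visible in the device's settings). Rate limiting per client is worth adding on top, but it is a brake on harvesting, not an access control.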

    1. Re:Smartphone Developers: Take Note by Tumbleweed · · Score: 1

      This is certainly a high-profile breach, but not apparently immediately catastrophic.

      When you consider that some of this information belongs to people with *.mil email addresses, I think you're underestimating the shit storm that is about to be (well, SHOULD be) unleashed on AT&T and Apple.

      On the bright side for Apple users, perhaps Apple can use this to break their exclusivity deal with AT&T? Perhaps Apple will learn the value of 'due diligence' before signing contracts in the future.

    2. Re:Smartphone Developers: Take Note by Taevin · · Score: 1

      When you consider that some of this information belongs to people with *.mil email addresses, I think you're underestimating the shit storm that is about to be (well, SHOULD be) unleashed on AT&T and Apple.

      Why? I mean, sure, I'd be a little annoyed if I had been on a list of emails that got leaked but mostly because some company couldn't be bothered to actually implement some software correctly.

      Why all this secrecy over email addresses? Most people I know are more than happy to have their email address plastered all over the internet and to anyone who asks. It's a primary point of contact and brings in new business. In what ways do I become vulnerable if I tell you my email address is joedirt@aol.com (sorry to whoever this is ;)?

  38. Re:Goatse? Really? by afidel · · Score: 2, Insightful

    Apple doesn't have to open their wallet, they simply have to end their exclusive agreement with AT&T when it expires next year, that will cost AT&T a couple billion a year which is more than any lawsuit could possibly extract from them.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  39. Re:Doesn't Matter by Pharmboy · · Score: 2

    Did you even read the article?

    --
    Tequila: It's not just for breakfast anymore!
  40. Re:Goatse? Really? by gringofrijolero · · Score: 1

    Could've been worse

    --
    Todos mis movimientos están friamente calculados
  41. Cough by way2trivial · · Score: 2, Informative

    http://www.citrix.com/English/ps2/products/product.asp?contentID=1689163

    "Citrix makes it easy to use enterprise applications, including Windows applications, on your iPhone, Blackberry, Android and Windows mobile devices on-demand."

    --
    every day http://en.wikipedia.org/wiki/Special:Random
    1. Re:Cough by afidel · · Score: 0, Troll

      Have you actually TRIED using a desktop app on a smartphone? It doesn't work very well at all. The iPad is almost exactly the right size for a portable tablet which makes desktop UI apps usable.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Cough by Mr2001 · · Score: 1

      Have you actually TRIED using a desktop app on a smartphone? It doesn't work very well at all. The iPad is almost exactly the right size for a portable tablet which makes desktop UI apps usable.

      Then it ought to work just fine on one of the Android tablets that's already out, or one of the ones coming out later this year.

      --
      Visual IRC: Fast. Powerful. Free.
    3. Re:Cough by Anonymous Coward · · Score: 0

      I have. It works surprisingly well on WVGA screens with resistive touch and a stylus. I can only imagine the suckage on an HVGA/capacitive system, though.

      IMO more pixels is more important than more inches, assuming a decent pixel-precision input device, but since the Droid and iStuff are both capacitive, I guess the iPad's needed. Really silly, IMO, that high-density screens almost entirely stop above WVGA. It makes way too many tablets suck.

    4. Re:Cough by Anonymous Coward · · Score: 0

      You forgot the ADAM Tablet, due to release in Q3

    5. Re:Cough by Skuld-Chan · · Score: 1

      You could develop an application easily enough that was touch friendly, fit on the screen properly etc for a smartphone. I can honestly see this sort of thing being used in the enterprise.

  42. Coulda been worse... by mad.frog · · Score: 1

    ...just imagine how much worse it would have been if those iPads had Flash installed...

  43. Re:Goatse? Really? by OrangeCatholic · · Score: 0, Troll

    At least someone knows what a troll mod is. I doubt you were modded for the right reason.

  44. Re:Doesn't Matter by icebraining · · Score: 2

    Since this was a flaw in AT&T's security, despite Gawker's attempt to make it Apple's fault, why the hell would or should it affect Apple's image?

    From the summary: 'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.'

    If I give you my car keys, and you give them to someone else, and that person steals it, you can't claim it's not your fault. You were responsible for those keys.

  45. AT&T takes your privacy seriously! by Beelzebud · · Score: 1

    HAHAHAHAHAHAHAHAHA!

    That is truly funny coming from the company that hosts NSA spy rooms.

  46. Re:Goatse? Really? by morgan_greywolf · · Score: 5, Informative

    Ummmm...apparently, actually true. It really is a division of the GNAA. Makes me wonder how accurate this story is.

  47. Re:Doesn't Matter by Lord+Kano · · Score: 0, Flamebait

    Since this was a flaw in AT&T's security, despite Gawker's attempt to make it Apple's fault, why the hell would or should it affect Apple's image?

    Because Apple chose their exclusive partner poorly. If your business partner does something boneheaded like this, I'm going to think twice before I do any business with you.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  48. Re:Doesn't Matter by Kitkoan · · Score: 2, Insightful

    why would it affect Apple at all? This was an AT&T issue.

    I admit, I don't own an iPad so I might be slightly mistaken as to how this works, but the summary mentions that Apple is the one that 'users, who must provide the company with their email addresses to activate their iPads', which indicates Apple is the one wanting the email, not AT&T. Now if Apple wants the emails, why would it have a 3rd party (AT&T) hold on to this data and not just upload it all to their servers every few hours and delete this information from the AT&T server? Now, if Apple is the one who wants the emails, then I'd view it to be more Apple's fault for not being in more control over the information it is requesting from its customers.

    --
    Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
  49. MSNBC Investigates Goatse by Tauto · · Score: 1

    The group that hacked AT&T's Web servers is called Goatse, which has "previously...
    http://www.msnbc.msn.com/id/37602751/ns/technology_and_science-tech_and_gadgets

    They have, with an added layer of credibility, managed to propagate the danger to your Grandma in main-stream reporting.

    I just hope Matt Lauer is wise enough not to look too deep.

    1. Re:MSNBC Investigates Goatse by Anonymous Coward · · Score: 1, Funny

      I just hope Matt Lauer is wise enough not to look too deep.

      I see what you did there.

      I just wish I could unsee it.

  50. Re:Goatse? Really? by dangitman · · Score: 1

    The name seems redundant. Why not just call themselves "Goat Security" which already contains "goatse." I guess goatse fans aren't known for their subtlety.

    --
    ... and then they built the supercollider.
  51. In other news... by Anonymous Coward · · Score: 0

    Google has been tracking our browsing habits and keeping the data all to itself... and the NSA, the FBI and the CIA.

  52. Re:Doesn't Matter by sootman · · Score: 2, Informative

    Was the summary tl;dr for you? And for everyone who modded you up?

    Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads. [emphasis added]

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  53. Good by rat7307 · · Score: 1

    Now we know who to block to avoid those douche "Sent from my iPad" email footers

    I have taken to replying to ANY of these with a "Sent from my Combine Harvester" or similar thing back.

    We don't care about your toy. And while we are at it, do you have to mention your iPad in every tweet and email? sheesh.

    Sorry. Been a long day.

    --
    Burma?
    1. Re:Good by mjwx · · Score: 1

      Now we know who to block to avoid those douche "Sent from my iPad" email footers

      I just add them to the blocklist. If they can't be bothered to remove that from their communications device, they are clearly not intelligent enough to warrant my time reading their message.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    2. Re:Good by ActionDesignStudios · · Score: 1

      That'll show 'em!

      Posted from my magical iPad

    3. Re:Good by mjwx · · Score: 1

      Did someone say something?

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  54. From the NSA to a wide open port by AHuxley · · Score: 1

    Your telco just loves to help anyone that takes the time to request your data in bulk.
    You had MS Sidekick data loss, Amazon 1984 data removal, Room 641A, Google's data collection, now iPad email gape.
    Time to buy a Dell Streak, install Ubuntu and float on the Canonical cloud.
    You will be safe from all but SCO as you hunt for a telco that takes customer security very seriously.

    --
    Domestic spying is now "Benign Information Gathering"
  55. iLeak by LordDfg · · Score: 1
    --
    Follow me: http://www.twitter.com/dfg
  56. wait.. what? by neotokyo · · Score: 1

    So folks get up-in-arms about a 100k email addresses leaked by AT&T api but never mind the *millions* of emails, email contents, phone conversations, irc chats, *everything* that we've sent over the intertubes that AT&T, for the last 8 years, shuffled to the NSA? Really?

    Awesome, have the government archive my internet content just don't send me SPAM?

    1. Re:wait.. what? by AHuxley · · Score: 1

      Think back to FISA, the Church report and the "The Puzzle Factory" and "The Crystal Palace" books.
      If you need to worry about the NSA, you have a good sneaker net in place or know you are totally compromised.
      AT&T, Google, the NSA, fusion centers etc. are a fact of life. But AT&T should have known better. They have a monopoly, the funds, the skill set and understand US law.
      They seem to have protected Room 641A rather well, how about protecting consumer data too :)
      Real networks need real admins, not just Idiots Out Walking Around until a pager/email/call makes them wander back to their SUVs.
      One person to cover hardware and a regional software admin on call?

      --
      Domestic spying is now "Benign Information Gathering"
  57. Headline writers are having fun with this by Anonymous Coward · · Score: 0

    http://www.v3.co.uk/v3/news/2264505/goatse-security-claims-gaping

  58. Re:Goatse? Really? by kunwon1 · · Score: 1, Flamebait

    GNAA is a group of people who are occupied primarily in flooding the irc channels of their enemies. This attack obviously required very little in the way of technical skill, just proxying a bunch of requests to a server, and storing the results. The sad truth of the matter is that even idiots get lucky eventually.

    --
    Specialization is for insects. -Heinlein
  59. Re:Goatse? Really? by jollyreaper · · Score: 1

    For those of you who don't get it, Goatse Security is a division of the great Gay Niggers Association of America.

    I'm not fucking joking.

    Additionally, this may be a Slashdot first: The GNAA first post is actually the article itself.

    I see that for myself and I still don't believe you. Or me, for that matter. What has the world come to?

    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
  60. HAHAHA by Anonymous Coward · · Score: 0

    hahaha

    oh, i think i hurt myself...

    hahaha

  61. Corporate-speak by Stiletto · · Score: 4, Funny

    'We are continuing to investigate and will inform all customers whose email addresses and ICC IDS may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'

    A classic textbook non-response from a corporation's P.R. machine. A guide, for those unfamiliar with the terminology:

      * "We continue to..." / "We are continuing..." - Translation: We're not doing a thing

      * "investigate" - Translation: To lawyer-up and get paperwork straight for a lawsuit

      * "may have" - Translation: "did"

      * "been obtained" - Translation: given out by us through incompetence

      * "We take XYZ very seriously" - Translation: It only comes up in meetings when emergencies happen

      * "we have fixed this problem" - Translation: We fired the employees who told us this problem would happen

      * "we apologize" - Translation: We admit no legal wrongdoing

      * "customers who were impacted" - people who paid us for the pleasure of a good corporate rogering

    Why anyone even reads press releases by companies anymore, one can only guess. You'll hear those catch phrases in every one.

    1. Re:Corporate-speak by tyldis · · Score: 1

      I find the wording "customers who were impacted" interesting. Once something has leaked the problem doesn't go away by only plugging the leak and not cleaning up. Just ask BP.

    2. Re:Corporate-speak by AHuxley · · Score: 1

      And now you can do a Google too:
      "As we said before, this was a mistake"
      http://www.wired.com/threatlevel/2010/06/google-wifi-debacle/

      --
      Domestic spying is now "Benign Information Gathering"
  62. fist pump by macbeth66 · · Score: 1

    oops, I missed

    well, I am on /.

  63. Re:Ironic... by Anonymous Coward · · Score: 0

    Reminds me of this time I got pulled over on a bridge in Connecticut. A cop was parked in the median at the far side of the bridge and got me going 5 mph over the speed limit. During the course of pointless questioning, he asked me what I do for a living... it went something like this:
    Me: I'm a "Rectum Stretcher"
    Cop: What the hell is that??
    Me: Well.. I stretch people's assholes.. just a little at a time, until it's as big as they want
    Cop: WTF, how big?
    Me: Anywhere from 6" to 6'
    Cop: What the hell would someone do with a 6 foot asshole?!
    Me: I dunno.. Give him a radar gun and place him at the end of a bridge?

  64. Re:Goatse? Really? by Anonymous Coward · · Score: 0

    You're right. I think this is a Slashdot first. I can't believe I'm about to log in to mod up a GNAA post. As if that's not enough, it's going to be marked informative.

    What is this world coming to?

  65. a trend with AT&T by xclay · · Score: 1

    Steve wants something, AT&T makes a quick response. Something bad happens, AT&T makes a quick reaction. Anything good happens, AT&T makes a claim.

  66. Re:Goatse? Really? by aliquis · · Score: 1

    I too would have liked to get in contact with them, hiring them to probe and try to exploit my system.

  67. Re:Doesn't Matter by Anonymous Coward · · Score: 0

    "Since this was a flaw in AT&T's security, despite Gawker's attempt to make it Apple's fault, why the hell would or should it affect Apple's image?"

    It should. Apple forces people to do business with AT&T via their exclusive contracts and releasing limited devices, namely the iphone lineup, specifically for AT&T. This affects Apple customers.

    When there's a breach of a platform-specific or popular app, the OS is usually pointed to as being somewhat at fault too, isn't it? It may not be an MS OS security breach, but because MS didn't handle something ideally, they get faulted too (maybe they didn't use the latest memory protection, have the easiest API, etc.). Same with Linux--a breach of a popular app associated with Linux becomes associated with Linux. I remember Samba having a security bug in it that was there for years, and Linux being thrown in pretty damn quickly.

    Or, are you saying the Apple rule applies? That being the only rule that applies to Apple--rules don't apply to Apple.

  68. Re:Goatse? Really? by SeaFox · · Score: 2, Funny

    Perhaps we shouldn't spread the story too widely until we have the hole truth. /ducks

  69. Re:The script used to harvest the iPad user e-mail by AHuxley · · Score: 1

    Do world wide telcos make their own networks or does ipad networking come in a box from the USA?

    --
    Domestic spying is now "Benign Information Gathering"
  70. Re:Doesn't Matter by larkost · · Score: 1

    Since the iPad/AT&T users actually gave their email addresses directly to AT&T through the sign-up web form, your analogy is a bit off. A better one is of a restaurant that contracts with a specific valet parking company. You give your keys to the valet company and they ding your car. The restaurant is certainly in some way involved (having chosen the valet company), but at no time were they directly responsible.

  71. Recent history? by KarlIsNotMyName · · Score: 1

    Has the Internet really been around long enough to have bigger leaks than this before its "recent history"?

    --
    We are all God's parents.
  72. Re:Doesn't Matter by houghi · · Score: 1

    There is an article? When has /. started to add articles?

    --
    Don't fight for your country, if your country does not fight for you.
  73. Re:Goatse? Really? by Anonymous Coward · · Score: 1, Informative

    kunwon1 is a KNOWN registered sex offender:

  74. Where did they get the ICC IDs? by BenJCarter · · Score: 1

    From Daily Tech's description, it sounded like the attacker needed an ICC ID to query an AT&T server for an email address. "Apparently AT&T left a script on their public website, which when handed an ICC-ID would respond back with the email address of the subscriber." Where did they get 114k ICC IDs?

    --
    For in politics, as in religion, it is equally absurd to aim at making proselytes by fire and sword. - Publius
    1. Re:Where did they get the ICC IDs? by daid303 · · Score: 1

      They are sequential, so you just need 1 and find a whole load around them.

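The exchange above describes the weakness from the defender's side: a lookup endpoint keyed on a sequential identifier can be walked one ID at a time. The following is an added detection example, not code from the original thread or from AT&T; the `/lookup?iccid=` path, the Apache-style log format, the client IPs and the ICC-ID values are all constructed for illustration. It flags any client whose successive queries form a run of adjacent ICC-IDs.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache-style). The IPs, ICC-IDs and
# the /lookup?iccid= endpoint are invented for this example, not AT&T's URL.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:14:02:01 -0400] "GET /lookup?iccid=89014104240000000101 HTTP/1.1" 200 64
203.0.113.7 - - [09/Jun/2010:14:02:01 -0400] "GET /lookup?iccid=89014104240000000102 HTTP/1.1" 200 61
203.0.113.7 - - [09/Jun/2010:14:02:02 -0400] "GET /lookup?iccid=89014104240000000103 HTTP/1.1" 404 0
203.0.113.7 - - [09/Jun/2010:14:02:02 -0400] "GET /lookup?iccid=89014104240000000104 HTTP/1.1" 200 58
203.0.113.7 - - [09/Jun/2010:14:02:03 -0400] "GET /lookup?iccid=89014104240000000105 HTTP/1.1" 200 60
198.51.100.9 - - [09/Jun/2010:14:05:10 -0400] "GET /lookup?iccid=89014104240000004471 HTTP/1.1" 200 59
198.51.100.9 - - [09/Jun/2010:15:11:42 -0400] "GET /lookup?iccid=89014104240000004471 HTTP/1.1" 200 59
"""

# Client IP at the start of the line, ICC-ID digits after the query parameter.
LOOKUP_RE = re.compile(r'^(\S+) .*?"GET /lookup\?iccid=(\d+) ')


def parse_lookups(log_text):
    """Return (client_ip, iccid) pairs for every lookup request, in arrival order."""
    pairs = []
    for line in log_text.splitlines():
        m = LOOKUP_RE.match(line)
        if m:
            pairs.append((m.group(1), int(m.group(2))))
    return pairs


def longest_sequential_run(ids, max_gap=1):
    """Length of the longest stretch of successive queries whose ICC-IDs differ
    by 1..max_gap. A repeat (gap 0) or a jump breaks the run, so a client
    re-checking its own ID is not flagged while a client walking the ID space is."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        if 1 <= abs(cur - prev) <= max_gap:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def flag_enumerators(log_text, min_run=4, max_gap=1):
    """Map each client IP whose longest sequential run reaches min_run to that
    run length. Status codes are ignored on purpose: a 404 for an unassigned
    ICC-ID is still a probe and still reveals which IDs exist."""
    by_client = defaultdict(list)
    for ip, iccid in parse_lookups(log_text):
        by_client[ip].append(iccid)
    runs = {ip: longest_sequential_run(ids, max_gap) for ip, ids in by_client.items()}
    return {ip: run for ip, run in runs.items() if run >= min_run}


if __name__ == "__main__":
    # Detection is the stopgap; the fix is to require authentication for the
    # lookup and to key it on an unguessable token rather than a sequential ID.
    for ip, run in flag_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {run} adjacent ICC-IDs queried in sequence")
```
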
  75. Re:Goatse? Really? by Anonymous Coward · · Score: 1, Informative

    > The sad truth of the matter is that even idiots get lucky eventually.

    They've also found holes in Safari and Firefox, actually.

    If you think this story was bad, you should've seen some of the others in the Firehose. Nothing but bad puns based on gaping holes.

  76. Getting the list of exposed customers by Buchenskjoll · · Score: 1

    From TFA:

    > continuing to investigate and will inform all customers whose email addresses and ICC IDS may have been obtained

    I know where they can get the list of customers...

    --
    -- Make America hate again!
    1. Re:Getting the list of exposed customers by chip_s_ahoy · · Score: 1

      Ok, where?

  77. I feel so torn, by TheRealQuestor · · Score: 1

    Part of me feels sorry for all the people who this might affect. The other part of me is like it could not have happened to a better duo.

  78. Re:Goatse? Really? by dakameleon · · Score: 2, Funny

    What has the world come to?

    /b/

    'nuff said.

    --
    Man who leaps off cliff jumps to conclusion.
  79. name fail by stealth_finger · · Score: 0

    Goatse security????? Well I wouldn't use them.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  80. Re:Goatse? Really? by Hurricane78 · · Score: 1
    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  81. Re:Goatse? Really? by Hurricane78 · · Score: 1

    Seems it also is a group occupied in collecting and using mod points. ;)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  82. How is this APPLE's Fault? by macs4all · · Score: 1

    'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.'

    Just HOW does APPLE "bear responsibility" for AT&T's bad website coding practices?

    Talk about yellow journalism!!!

  83. I hate to break it to everyone, but... by Dr.+Spork · · Score: 4, Insightful

    Look in your spam box. Your email address has been leaked to V1agra merchants and worse, a million times over, whether you're an iPad user or not. Let's not act like these were some sort of unsoiled email addresses that have now been deflowered. There are no such things on the internet. Yeah, I don't want these jerks knowing what kind of gear I own, but in the big picture, I'd say that these people need a good spam blocker this week, and they needed it last week too.

    1. Re:I hate to break it to everyone, but... by metrometro · · Score: 1

      Knowing a random string may be a valid email address is not nearly the same as knowing Michael Bloomberg's email address. AT&T gave up the latter.

  84. RE: by helix2301 · · Score: 1

    Sometimes when stuff like this happens it opens people's eyes and they are more prepared for next time, or they take better care of things so this situation does not happen again.

  85. Can email addresses really be confidential? by feenberg · · Score: 1

    I have been amazed over the last few years that both the general public and security professionals think that email addresses and social security numbers can be made confidential, like passwords. Surely that is impossible to achieve. If spam is to be stopped, it will certainly be another way. If identity theft is to be stopped, it is certain to be another way.

  86. Really? That many? by Chris.Nelson · · Score: 1

    Apple suckered 114,067 people into buying iPads?!

  87. Hmm by Combatso · · Score: 1

    Anyone have a link to this Goatse security firm? I am afraid to search Google for it.

  88. If my bank did that... by alispguru · · Score: 1

    Agreed, snooping around an unlocked house is bad. If, say, my bank left their front door open, and my money was stolen, or information that led to my identity being misused, I'd have grounds to sue my bank.

    The thieves did something wrong, but so did my bank by not taking elementary precautions and LETTING THEM DO IT.

    --
    To a Lisp hacker, XML is S-expressions in drag.
  89. And no one thinks twice by Dunbal · · Score: 1

    About a company calling itself Goatse Security?

    Hang on, let me serve myself a glass of Tubgirl (tm) orange juice.

    --
    Seven puppies were harmed during the making of this post.
  90. Re:Doesn't Matter by Anonymous Coward · · Score: 1, Informative

    I did, did you use your brain or just accept what the douchebags at Gawker said as fact?

    So, by their and your account, if I decide to sell my product exclusively at a store, and you use a credit card, and said credit card number is stolen, it's my fault and not the store's?

    Better analogy, an HTC phone is available only at Verizon, so to get this phone I have to subscribe to Verizon's service. To do this, I have to give up personal information and a credit card. Once again, someone gains access to my personal information through a data breach at Verizon, it's HTC's responsibility?

    Complete bullshit to you, sir.

  91. Which only proves that... by Anonymous Coward · · Score: 0

    What's even better is that the first 3 words of the headline are "AT&T's Gaping Hole".

    Which only proves that AT&T is usually full of shit.

  92. Re:Really? That many? by metrometro · · Score: 1

    Nope. That's just the 3G model.

  93. In other news... by Anonymous Coward · · Score: 0

    ATT leaks phone numbers of millions of residential phone users. It's called a phone book.

    Heavens forbid that your email address, which is probably already plastered everywhere already, get out into the open.

  94. Overhyped by wiedzmin · · Score: 1

    Blown out of proportion, always look beyond the hype: http://www.sophos.com/blogs/duck/g/2010/06/10/apples-worst-security-breach/

    --
    Bow before me, for I am root.
  95. Yes..never with citrix though.. by way2trivial · · Score: 1

    I've used RDC software on my windows mobile phone often to log into a SBS server..

    beats the hell outta getting in the car...

    --
    every day http://en.wikipedia.org/wiki/Special:Random