AT&T Leaks Email Addresses of 114,000 iPad Users
Hugh Pickens writes "Daily Tech reports that in what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed. Apparently AT&T left a script on its public website, which when handed an ICC-ID would respond back with the email address of the subscriber. This apparently was intended for an AJAX-style response inside AT&T's web apps. Gawker reports that it's possible that confidential information about every iPad 3G owner in the US has been exposed. 'This is going to hurt the telecommunications company's already poor image with iPhone and iPad customers, and complicate its very profitable relationship with Apple,' writes Ryan Tate, adding that the leak is likely to unnerve customers thinking of buying iPads that connect to AT&T's cellular network. 'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.' In a statement, AT&T says that the issue was escalated to the highest levels of the company and that it has essentially turned off the feature that provided the email addresses. 'We are continuing to investigate and will inform all customers whose email addresses and ICC IDs may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'"
Wait, the iPad suffered a leak? That's why you always buy pads with wings. (groan)
#fuckbeta #iamslashdot #dicemustdie
Ok, "goatse" in a story, followed by a link... Is anyone really going to click it without hesitation?
AT&T making a technical goof. That _is_ news.
---
Book(n): Utensil used to pass time while waiting for the TV repairman
Who is in charge of that? Ben Dover?
What's even better is that the first 3 words of the headline are "AT&T's Gaping Hole".
I love the tacky and insensitive image of the iPad disappearing down the massive sinkhole in Guatemala City. At least nobody is dead because some email addresses maybe got leaked.
Accidents happen.
Does anyone think this will cost AT&T anything? Not when you've let the NSA use your phone system for illegal wiretaps.
That was the quid and things like this are the quo.
You are welcome on my lawn.
Yes, after seeing how impressive the scope of their work is, I can't wait to dive in and hire Goatse Security.
For those of you who don't get it, Goatse Security is a division of the great Gay Niggers Association of America.
I'm not fucking joking.
Additionally, this may be a Slashdot first: The GNAA first post is actually the article itself.
I'm not a consumer, and least of all a gadget one. I'm a business guy and I like business toys. And when I buy a business toy, I consider the brand and the source, and almost always pay more to get the better source -- especially when the product/service is otherwise identical.
But when have you seen a consumer choose to buy an iPad from a source that's $10 more expensive than another they've found? Anyone here have friends who choose to pay more? Anyone have friends who chose an iPad from not AT&T because they actually thought about the AT&T factor? I'd bet otherwise.
What's even better is that the first 3 words of the headline are "AT&T's Gaping Hole".
Well, I was rather amused by the fact that "Goatse" "Leaked" something from said "Gaping Hole," I suppose that if you spend all your time playing with your "gaping hole," then something is eventually going to leak.
Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
/me predicts ipad users being offered many, many ipad-relevant super deals in their email in the next few days.
I'm sure they won't mind!
expandfairuse.org
Besides revealing the e-mail addresses of a number of prominent PUBLIC figures (emphasis on the word PUBLIC) it's just another spam list. Whoopee...
I sometimes wonder why Apple hasn't moved away from its exclusive relationship with AT&T. I do wonder how Apple would spin it if it were opened to other carriers and they all experienced the dropped call issue?
If brevity is the soul of wit, then how does one explain Twitter?
Apple CEO Steve Jobs surely won't rest until AT&T's gaping hole is filled,
nuff said
ACTUAL SIZE!!!
The funniest part of this entire story is that news organizations are either completely clueless as to what Goatse is, or refuse to mention it.
But some people are going to google it anyway.
The person who leaked this is a true internet superhero.
In the age of Facebook, I wouldn't be surprised that many people just flat out don't care.
Gawker reports that it's possible that confidential information about every iPad 3G owner in the US has been exposed.
Is it? Is it really? Or is this just Gawker being Gawker and making things up? Emails, folks. That's it. Emails. You're on some public list already; emails are not "confidential".
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glenn Beck
why would it affect Apple at all? This was an AT&T issue.
Gawker doesn't suggest that "every iPad owner in the US" may have been exposed. It says every iPad 3G owner may have been exposed. I don't think that's splitting hairs, either, given the short time the 3G model has been available. Things are bad enough without making them seem worse.
You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
The last thing that comes to my mind when I think goatse is security. That guy can't secure shit.
And trust me, I've thought about a lot of things while viewing / thinking of goatse... And security was definitely the last because I read an article about it on some site.
Since this was a flaw in AT&T's security, despite Gawker's attempt to make it Apple's fault, why the hell would or should it affect Apple's image?
From a source not being sued by Apple for theft
http://www.pcworld.com/businesscenter/article/198453/should_you_worry_about_the_ipad_3g_data_leak.html
Goatse Security: We will show you every gaping hole in your security!
Contractual obligations. Here's some info.
Basically, Apple signed a five-year deal in 2007 because they badly needed a carrier who was willing to sink many millions into the release.
Here's the thing that sucks for early adopters: If you bought in '07, you had to sign a two-year deal with AT&T. Par for the course for a phone the way we've got it structured in the US. But after your two years are up, you'd still be stuck with AT&T for another three years due to the 5-year deal they have with Apple. Either that, or jailbreak your phone, etc.
Practically, though, the extra three years are no big deal for the early adopters... surely most of them would move onto a new phone after two years, since they are early adopters.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
I couldn't imagine why a telco would need a user's mail address, and how on earth it trusts the user-entered mail address.
I also wonder if the infrastructure was using http or httpS for that communication, you know, while collecting user mail addresses for some (??) reason.
You know what? It should be Apple protesting this massive leak in the first place. Didn't they declare a monopoly on location-based advertising "to protect user privacy"? Eh, mail addresses in some organization that named itself "goatse", could anything worse happen?
You jest, but I'm sure iPad owners would love nothing more than for Apple to open their wallet and contribute to AT&T getting a good walloping. I'm not a US citizen so I don't know if private prosecutions or whatever you might call them happens there.
Thank you Slashdot for not running the sensationalist headline found on that other "tech" blog. Kudos to you for calling it what it is - an AT&T security breach.
Civilization, the death of dreams.
Couldn't have said it better myself.
Don't lead me into temptation... I can find it myself.
The title:
AT&T's Gaping Hole Exposes...
and
... before reporting this gaping hole to AT&T...
and this gem:
Apple CEO Steve Jobs surely won't rest until AT&T's gaping hole is filled
Goatse FTW.
'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
I'm surprised nobody else has commented how offensive it is that the group that found the leak published the email addresses. By all means publish the fact of the breach, get pie on AT&T's face, but why punish the users? That's just mean.
No, that was me complaining about how I was modded troll.
But it turns out that my troll mods may have been deserved: I spelled it out like Gay Niggers Association of America instead of Gay Nigger Association of America, which is correct.
My bad, guys. Keep up the good work. I'd join your public affairs department if I weren't so damn busy these days...
This is certainly a high-profile breach, but not apparently immediately catastrophic. However, it does provide a number of lessons for organizations and developers building smartphone applications (iPhone, iPad, Android, Blackberry, Windows Mobile, etc) All of the issues with the AT&T/Apple infrastructure for the iPad are known web application security issues. Smartphone developers need to learn from the past or they are going to repeat the mistakes of web application and AJAX/RIA application developers.
I put together some more in-depth comments here:
4 Lessons From the AT&T/Apple Data Breach for Smartphone App Developers
--Dan
@danielcornell
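To make concrete the pattern the summary describes (a public script that, handed an ICC-ID, answers with the subscriber's email) and the "known web application security issues" Dan's post refers to, here is an added example. It is not AT&T's code, nor Dan's, and it does not touch any real service: it models the flaw against an in-memory table of synthetic ICC-IDs and addresses, shows why sequential identifiers with a Luhn check digit are cheap to walk, and puts a hardened lookup beside it that derives the identifier from an authenticated session instead of trusting the client. `DEVICE_PROOFS`, `issue_session` and the rate-limit budget are assumptions standing in for whatever real authentication and throttling a carrier would use.

```python
import secrets
from typing import Dict, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn check, the scheme behind the ICC-ID check digit (ITU-T E.118)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_append(body: str) -> str:
    """Return body plus the one check digit that makes it Luhn-valid."""
    return next(body + d for d in "0123456789" if luhn_ok(body + d))


# Constructed subscriber table: synthetic ICC-IDs and addresses, not real data.
# The bodies are consecutive integers; sequential issuance is what makes the
# identifier space cheap to enumerate.
SUBSCRIBERS: Dict[str, str] = {
    luhn_append(f"8901{n:014d}"): f"user{n}@example.com" for n in range(100, 110)
}


def vulnerable_lookup(params: Dict[str, str]) -> Optional[str]:
    """The flawed pattern: whoever supplies an ICC-ID gets the e-mail on file.
    Nothing ties the identifier to the caller (an insecure direct object
    reference), so the endpoint is an oracle for the whole subscriber table."""
    return SUBSCRIBERS.get(params.get("ICCID", ""))


def harvest_mock(start: int, count: int) -> Dict[str, str]:
    """Walk sequential ICC-ID bodies against the local mock. The check digit is
    computed, not guessed, so it costs one request per candidate number."""
    found: Dict[str, str] = {}
    for n in range(start, start + count):
        iccid = luhn_append(f"8901{n:014d}")
        email = vulnerable_lookup({"ICCID": iccid})
        if email is not None:
            found[iccid] = email
    return found


# Hardened version. DEVICE_PROOFS is an assumption standing in for whatever
# real authentication binds a device to its subscription; the point is that
# the server, not the client, decides which ICC-ID a lookup is about.
DEVICE_PROOFS: Dict[str, str] = {i: secrets.token_hex(16) for i in SUBSCRIBERS}
SESSIONS: Dict[str, str] = {}  # session token -> ICC-ID it was authenticated for


def issue_session(iccid: str, proof: str) -> str:
    expected = DEVICE_PROOFS.get(iccid)
    if expected is None or not secrets.compare_digest(expected, proof):
        raise PermissionError("authentication failed")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = iccid
    return token


class RateLimiter:
    """Per-client request budget: a second control that turns a bulk harvest
    from silent into loud. The budget here is an assumed constant."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts: Dict[str, int] = {}

    def allow(self, client: str) -> bool:
        self.counts[client] = self.counts.get(client, 0) + 1
        return self.counts[client] <= self.limit


LIMITER = RateLimiter(limit=20)


def hardened_lookup(params: Dict[str, str], client: str) -> Optional[str]:
    """Only a session token is honoured; any ICCID parameter is ignored."""
    if not LIMITER.allow(client):
        return None
    iccid = SESSIONS.get(params.get("token", ""))
    if iccid is None:
        return None
    return SUBSCRIBERS.get(iccid)


if __name__ == "__main__":
    print(harvest_mock(90, 30))  # ten hits out of thirty sequential guesses
```

The harvester above is the whole "attack": no exploit, just a loop over a predictable key against an endpoint that answers anyone. The fix is not a better key format but a lookup scoped to the caller's own authenticated identity, with throttling so that an unexpected walk of the key space shows up in logs.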
"That guy who leaked 114,000 emails? What a big asshole!"
Apple doesn't have to open their wallet, they simply have to end their exclusive agreement with AT&T when it expires next year, that will cost AT&T a couple billion a year which is more than any lawsuit could possibly extract from them.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Did you even read the article?
Tequila: It's not just for breakfast anymore!
I'm guessing they named the company as such in hopes of getting a headline like this.
Could've been worse
Todos mis movimientos están friamente calculados
http://www.citrix.com/English/ps2/products/product.asp?contentID=1689163
"Citrix makes it easy to use enterprise applications, including Windows applications, on your iPhone, Blackberry, Android and Windows mobile devices on-demand."
every day http://en.wikipedia.org/wiki/Special:Random
...just imagine how much worse it would have been if those iPads had Flash installed...
From the summary: 'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.'
If I give you my car keys, and you give them to someone else, and that person steals it, you can't claim it's not your fault. You were responsible for those keys.
Dilbert RSS feed
HAHAHAHAHAHAHAHAHA!
That is truly funny coming from the company that hosts NSA spy rooms.
Who is in charge of that? Ben Dover?
Close - it's a partnership with Phillip McAvity.
Ahh - My eye!
The doctor said I'm not supposed to get Slashdot in it!
Ummmm...apparently, actually true. It really is a division of the GNAA. Makes me wonder how accurate this story is.
My blog
why would it affect Apple at all? This was an AT&T issue.
I admit, I don't own an iPad so I might be slightly mistaken as to how this works, but the summary mentions that Apple is the one that 'users, who must provide the company with their email addresses to activate their iPads', which indicates Apple is the one wanting the email, not AT&T. Now if Apple wants the emails, why would it have a 3rd party (AT&T) hold on to this data and not just upload it all to their servers every few hours and delete the information from the AT&T server? Now, if Apple is the one who wants the emails then I'd view it to be more Apple's fault for not being in more control over the information it is requesting from its customers.
Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
The group that hacked AT&T's Web servers is called Goatse, which has "previously...
http://www.msnbc.msn.com/id/37602751/ns/technology_and_science-tech_and_gadgets
They have, with an added layer of credibility, managed to propagate the danger to your Grandma in main-stream reporting.
I just hope Mat Lauer is wise enough not to look too deep.
The name seems redundant. Why not just call themselves "Goat Security" which already contains "goatse." I guess goatse fans aren't known for their subtlety.
... and then they built the supercollider.
http://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/
Was the summary tl;dr for you? And for everyone who modded you up?
Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads. [emphasis added]
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Now we know who to block to avoid those douche "Sent from my iPad" email footers
I have taken to replying to ANY of these with a "Sent from my Combine Harvester" or similar thing back.
We don't care about your toy. And while we are at it, do you have to mention your iPad in every tweet and email? sheesh.
Sorry. Been a long day.
Burma?
Your telco just loves to help anyone that takes the time to request your data in bulk.
You had the MS Sidekick data loss, Amazon 1984 data removal, Room 641A, Google's data collection, now the iPad email gape.
Time to buy a Dell Streak, install Ubuntu and float on the Canonical cloud.
You will be safe from all but SCO as you hunt for a telco that takes customer security very seriously.
Domestic spying is now "Benign Information Gathering"
I saw this few hours ago on twitter. Source: http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed http://cache.gawkerassets.com/assets/images/7/2010/06/ileakinside3.jpg http://security.goatse.fr/
Follow me: http://www.twitter.com/dfg
As much as I want my iPhone carrier-unlocked, what other US carrier with GSM/HSDPA and a nationwide footprint do I have access to?
Point being, what am I supposed to do with my newly unlocked iPhone - go to T-Mobile? Not really, at least not in this country. The use I can see for an unlocked US iPhone is simply that were I to travel overseas I could use a local SIM over there and use it with a native carrier instead of getting violated with international roaming fees.
Not having left the States in seven years, I'm not worrying about it too much so far.
When the day eventually comes that LTE is everywhere, then it's worth worrying more about unlocking the iPhone for me. Because then I'll be free to shop between AT&T, Verizon, or whomever else is on LTE by then. Until then, unlocking an iPhone is mainly for the international traveler. And in many other countries, you can buy your unlocked, unsubsidized iPhone there and bring it back with you. Which sounds like the way to go at this point.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
100% accurate. Why blame leakers unless it's your bank or other important association? Just give these companies a disposable email address for any commodity purchased.
I think therefore I can't be ~TTNH
This is AT&T's security model:
(almost safe for work) http://goatkcd.com/424/sfw
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
So folks get up in arms about 100k email addresses leaked by an AT&T API but never mind the *millions* of emails, email contents, phone conversations, IRC chats, *everything* that we've sent over the intertubes that AT&T, for the last 8 years, shuffled to the NSA? Really?
Awesome, have the government archive my internet content just don't send me SPAM?
http://www.youtube.com/watch?v=lsjU0K8QPhs
GNAA is a group of people who are occupied primarily in flooding the irc channels of their enemies. This attack obviously required very little in the way of technical skill, just proxying a bunch of requests to a server, and storing the results. The sad truth of the matter is that even idiots get lucky eventually.
Specialization is for insects. -Heinlein
For those of you who don't get it, Goatse Security is a division of the great Gay Niggers Association of America.
I'm not fucking joking.
Additionally, this may be a Slashdot first: The GNAA first post is actually the article itself.
I see that for myself and I still don't believe you. Or me, for that matter. What has the world come to?
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
'We are continuing to investigate and will inform all customers whose email addresses and ICC IDs may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'
A classic textbook non-response from a corporation's P.R. machine. A guide, for those unfamiliar with the terminology:
* "We continue to..." / "We are continuing..." - Translation: We're not doing a thing
* "investigate" - Translation: To lawyer-up and get paperwork straight for a lawsuit
* "may have" - Translation: "did"
* "been obtained" - Translation: given out by us through incompetence
* "We take XYZ very seriously" - Translation: It only comes up in meetings when emergencies happen
* "we have fixed this problem" - Translation: We fired the employees who told us this problem would happen
* "we apologize" - Translation: We admit no legal wrongdoing
* "customers who were impacted" - people who paid us for the pleasure of a good corporate rogering
Why anyone even reads press releases by companies anymore, one can only guess. You'll hear those catch phrases in every one.
oops, I missed
well, I am on /.
Steve wants something, AT&T makes a quick response. Something bad happens, AT&T makes a quick reaction. Anything good happens, AT&T makes a claim.
I too would have liked to get in contact with them, hiring them to probe and try to exploit my system.
Perhaps we shouldn't spread the story too widely until we have the hole truth. /ducks
Do world wide telcos make their own networks or does ipad networking come in a box from the USA?
Domestic spying is now "Benign Information Gathering"
Since the iPad/AT&T users actually gave their email addresses directly to AT&T through the sign-up web form, your analogy is a bit off. A better one is of a restaurant that contracts with a specific valet parking company. You give your keys to the valet company and they ding your car. The restaurant is certainly in some way involved (having chosen the valet company), but at no time were they directly responsible.
Has the Internet really been around long enough to have bigger leaks than this before its "recent history"?
We are all God's parents.
Both are great security experts, but in my opinion they should reconsider their stance on government back doors.
There is an article? When has /. started to add articles?
Don't fight for your country, if your country does not fight for you.
From Daily Tech's description, it sounded like the attacker needed an ICC-ID to query an AT&T server for an email address. "Apparently AT&T left a script on their public website, which when handed an ICC-ID would respond back with the email address of the subscriber." Where did they get 114k ICC-IDs?
For in politics, as in religion, it is equally absurd to aim at making proselytes by fire and sword. - Publius
> The sad truth of the matter is that even idiots get lucky eventually.
They've also found holes in Safari and Firefox, actually.
If you think this story was bad, you should've seen some of the others in the Firehose. Nothing but bad puns based on gaping holes.
From TFA: > continuing to investigate and will inform all customers whose email addresses and ICC IDS may have been obtained I know where they can get the list of customers...
-- Make America hate again!
Part of me feels sorry for all the people who this might affect. The other part of me is like it could not have happened to a better duo.
What has the world come to?
/b/
'nuff said.
Man who leaps off cliff jumps to conclusion.
Yes, you could go to T-Mobile in the US, you just would not have 3G... and if you think that is "useless"... well, not quite... for example, I am on T-Mobile, and I went to Europe recently... of course no 3G due to the frequency differences... but I still had EDGE, and you know, it wasn't that bad... I could still use Google Maps and navigation with EDGE for some directions, and access some web pages... Phone-wise (it is a phone) it worked flawlessly... Would I only want to "live on the Edge"... probably not... BTW, although LTE may seem like the answer, I don't think it will be... I think the carriers (all of them) like things a bit incompatible as they are... I highly doubt they are going to fix it, and if they do, it will be a decade before things are truly swappable between carriers.
waiting for ad.doubleclick.net
Were they also jewish and part of a clan for tolerance and understanding?
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Seems it also is a group occupied in collecting and using mod points. ;)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.'
Just HOW does APPLE "bear responsibility" for AT&T's bad website coding practices?
Talk about yellow journalism!!!
Look in your spam box. Your email address has been leaked to V1agra merchants and worse, a million times over, whether you're an iPad user or not. Let's not act like these were some sort of unsoiled email addresses that have now been deflowered. There are no such things on the internet. Yeah, I don't want these jerks knowing what kind of gear I own, but in the big picture, I'd say that these people need a good spam blocker this week, and they needed it last week too.
I'm so glad that kind of business practice of keeping a phone locked after the contract ends is illegal in Norway...
Sometimes when stuff like this happens it opens people's eyes and they are more prepared for next time, or they take better care of things so this situation does not happen again.
http://www.thetechnologygeek.org
I have been amazed over the last few years that both the general public and security professionals think that email addresses and social security numbers can be made confidential, like passwords. Surely that is impossible to achieve. If spam is to be stopped, it will certainly be another way. If identity theft is to be stopped, it is certain to be another way.
That was pretty much my point. If I unlock the iPhone here in the US, my options are T-Mobile (with a tiny footprint and hardly any 3G presence, and what there is for 3G isn't iPhone compatible) and a handful of small rural carriers. That's it. If I want an iPhone in the US AT&T is pretty much the only way to go.
Taking that phone overseas, though, becomes useful with an unlocked phone. I can pay local rates for phone calls instead of roaming rates of $1-$2 per minute. I'd lose my phone number for the duration doing that but at least I'd have a choice.
In the LTE world (once the technology settles down) I should be able to take an unlocked phone and use it with any provider. Might be a while, but that's the best hope - and it's also what AT&T and Verizon have both announced they are using. There is hope...
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Apple suckered 114,067 people into buying iPads?!
Anyone have a link to this Goatse security firm. I am afraid to search google for it.
Agreed, snooping around an unlocked house is bad. If, say, my bank left their front door open, and my money was stolen, or information that led to my identity being misused, I'd have grounds to sue my bank.
The thieves did something wrong, but so did my bank by not taking elementary precautions and LETTING THEM DO IT.
To a Lisp hacker, XML is S-expressions in drag.
If you go to their website, you'll find that behind Goatse Security is weev, well known troll. Slashdotters might know him as head of the GNAA.
Give me Classic Slashdot or give me death!
About a company calling itself Goatse Security?
Hang on, let me serve myself a glass of Tubgirl (tm) orange juice.
Seven puppies were harmed during the making of this post.
I did, did you use your brain or just accept what the douchebags at Gawker said as fact?
So, by their and your account, if I decide to sell my product exclusively at a store, and you use a credit card, and said credit card number is stolen, it's my fault and not the store's?
Better analogy, an HTC phone is available only at Verizon, so to get this phone I have to subscribe to Verizon's service. To do this, I have to give up personal information and a credit card. Once again, someone gains access to my personal information through a data breach at Verizon, it's HTC's responsibility?
Complete bullshit to you, sir.
No, it's those legendary Scottish homosexuals Ben Doon and Phil Macavity.
To have a right to do a thing is not at all the same as to be right in doing it
There are actually a lot of big names on this list. From Michael Bloomberg to Rahm Emanuel to the CEOs of many highly recognizable institutions, people will care.
But then I realized the cable was blue, so I only gave it one star. I hate blue.
Nope. That's just the 3G model.
Blown out of proportion, always look beyond the hype: http://www.sophos.com/blogs/duck/g/2010/06/10/apples-worst-security-breach/
Bow before me, for I am root.
I've used RDC software on my windows mobile phone often to log into a SBS server..
beats the hell outta getting in the car...
every day http://en.wikipedia.org/wiki/Special:Random