Slashdot Mirror


FBI Investigating iPad E-Mail Leaks

CWmike writes "The Federal Bureau of Investigation has opened an investigation into the leak of an estimated 114,000 Apple iPad user e-mail addresses. Hackers belonging to a group called Goatse obtained the e-mail addresses after uncovering a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries. After writing an automated script to repeatedly query the site, they downloaded the addresses, and then handed them over to Gawker.com. Now the FBI is trying to figure out whether this was a crime. US law prohibits the unauthorized accessing of computers, but it is unclear whether the script that the Goatse group used violated the law, said Jennifer Granick, civil liberties director with the Electronic Frontier Foundation. 'The question is, when you do an automated test like this, [are you] getting any type of unauthorized access or not,' she said. If it turns out the data in question was not misused, it is unlikely that federal prosecutors will press charges, she added."

209 comments

  1. Reegulatiooon Ree gulatiioon of noo retuuurnn by unity100 · · Score: 1

    AT&T needs one. Else, they will 'regulate' all of us, as they see fit.

    1. Re:Reegulatiooon Ree gulatiioon of noo retuuurnn by Impy the Impiuos Imp · · Score: 1

      > "Hackers belonging to a group called Goatse obtained the e-mail addresses"

      I wonder about the hackers' point of view. Anyone have a link?

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  2. No relation by Anonymous Coward · · Score: 4, Funny

    "The FBI is aware of these possible computer intrusions and has opened an investigation into addressing the potential cyberthreat," said Lindsay Godwin

    Fucking Nazis.

    1. Re:No relation by Ethanol-fueled · · Score: 1

      Hey, at least the GNAA -- er -- Goatse Security didn't steal 1.5 million dollars worth of free information by "hacking" a public library computer with that malware called Perl that was already installed on it.

      Sometimes it's hard to be mad at the FBI, though -- they're just like the bumbling idiots who play them on TV -- except that the ones on TV are at least somewhat lovable. Actually, I'm kinda surprised, because I thought they just trolled Torrents and Limewire all day looking for CP and other i.p.'s to refer to the RIAA's litigation machine. Actually, I'm not at all surprised, because they wouldn't have cared if it weren't their spying buddy ATT.

    2. Re:No relation by Peach Rings · · Score: 1

      Do you mean this FBI?

    3. Re:No relation by penix1 · · Score: 2, Interesting

      > US law prohibits the unauthorized accessing of computers, but it is unclear whether the script that the Goatse group used violated the law, said Jennifer Granick, civil liberties director with the Electronic Frontier Foundation. 'The question is, when you do an automated test like this, [are you] getting any type of unauthorized access or not,' she said. If it turns out the data in question was not misused, it is unlikely that federal prosecutors will press charges, she added.

      There is a problem with that line of logic. As I see it, IANAL and all, they got them on at least one violation of the law. That violation was the initial intrusion which they can't argue was a script. Also, since when is an intrusion with the intent to obtain information they should know they are not entitled to considered a "test"?

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    4. Re:No relation by aliquis · · Score: 3, Interesting

      Uhm..

      They aren't arguing that the script may not be unauthorized access because it was automatic and that only the first attempt would be illegal because they did it in person.

      They were rather arguing that visiting that page once and getting an e-mail address may be something you just happen to do, but writing a script which fetches lots of e-mail addresses would be abusing the system / doing something you shouldn't do.

      Personally I think "they should know they are not entitled to" is a very weak juridical term/claim/charge/whatever. I can't see how visiting a web page which returns data it's supposed to return (as in not tricking it with malign data) could be a crime. If you don't want people to access the web page don't put it up for them to watch.

      And yeah, if anything I think AT&T would become the ones in the hot seat for making it possible and leaking the information in the first place.

    5. Re:No relation by AHuxley · · Score: 1

      Stonewall and do a Google "As we have said before, this was a mistake".
      Our lawyers will get back to the FBI some time ..
      Equal protection and due process for all :)

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:No relation by vivian · · Score: 3, Interesting

      I don't entirely disagree with you, but I think at the end of the day, whether it could be considered cracking or not depends on the intent of the owners of the site.

      You could argue that the web pages were not ever intended to be accessed in the way that they were, because firstly the site's owner does not provide direct or indirect links to those pages, and secondly, the URLs used to get to the page are obviously being used as an extraordinarily weak form of security (i.e. through obscurity).

      Now that is just plain stupid on behalf of AT&T, but so is having your email password set to "12345", yet if someone accessed your email or other system you owned by going to the login screen and guessing your password, or writing a script to try obvious passwords, it would certainly be considered hacking - because that person has not been authorized to have access to that system.

      At the end of the day, it is the courts and possibly a jury that will determine whether this is considered a hack (in the system cracking sense). Since the goatse security guys obviously do not actually have a legitimate reason to access any of those pages of info, and they are using a script to do the accessing in a way that is a little similar to how password guessing programs work, I would say that this will eventually be considered a hack, by the court system.

      If the justice system can convict someone of murder even without an actual murder weapon, witness or definitive motive (not thinking of a particular case, but I am sure there are plenty), I am pretty sure it won't have too much trouble nailing these guys for hacking if it so wishes.

    7. Re:No relation by hvm2hvm · · Score: 1

      So if you go on a site that has a commenting system but no captcha it's OK to spam it because it's something the site is meant to do? Anything that harms other people should be illegal. Of course we can't create laws for every possible situation so I think that the idea of "something you should know you're not supposed to do" is actually good. Everything about laws is taken too literally these days. I'd love a juridical system where even if the law says something different, if it's clear that the accused did something bad that hurt someone else, he/she will get punished.

      --
      ics
    8. Re:No relation by Spad · · Score: 4, Funny

      The rarely seen and difficult to pull off Reverse Godwin?

    9. Re:No relation by WNight · · Score: 1

      If you can say that about looking behind a curtain then sure, the site has been cracked.

      But the whistle-blowing far outweighs the "crime". There was a weakness, now there will be one less weakness. Had this not been caught there could have been an actual security breach.

      > Since the goatse security guys obviously do not actually have a legitimate reason to access any of those pages of info

      But the owners of iPads have a legitimate interest in the knowledge they gained.

      > I am pretty sure it won't have too much trouble nailing these guys for hacking if it so wishes.

      Yeah, shoot the messenger and allow the pathetic AT&T to quietly remain so.

      That's a good use of court resources.

    10. Re:No relation by Anonymous Coward · · Score: 0

      Ok and ok.

      "Harm" could be relative.

      In this case they didn't do anything bad though. They found a problem, had some fun with it (by writing a script fetching some e-mail addresses), reported it, and that's all.

      I don't know if "spamming" an open forum/whatever is illegal either.

      Post AC because it's crap.

    11. Re:No relation by Pikoro · · Score: 1

      Wait. By spamming a website, who got hurt? Nobody. Unless you count spraining your index finger because you had to scroll more than normal. Jeez. The web is not a physical place. Hacking someone's website does not cause physical harm. Oh, and they're just words, people. "Sticks and stones" and all that...

      --
      "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
    12. Re:No relation by Anonymous Coward · · Score: 0

      Was there the need to obtain all those addresses? A thousand weren't sufficient "just for the lulz"? I agree that the messenger should not be shot, but it may be slapped, but...

      But overall I see a dangerous precedent with this court case: if accessing a site in "a different fashion" than the site creator intended becomes a crime, everybody becomes subject to potential lawsuits unless you do exactly as the site creator thinks you ought to access the site. They could dictate the ads to be seen, the scripts to be run, the plugins to be loaded, the OS to use. Whatcouldpossiblygowrong....

    13. Re:No relation by hvm2hvm · · Score: 1

      It wastes your time and brain cells. That is the worst thing you could do to someone. There is a very good quote in Dune about this:
      ``The convoluted wording of legalisms grew up around the necessity to hide from ourselves the violence we intend toward each other. Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. You have done violence to him, consumed his energy. Elaborate euphemisms may conceal your intent to kill, but behind any use of power over another the ultimate assumption remains: "I feed on your energy." ``

      --
      ics
    14. Re:No relation by icebraining · · Score: 1

      An unclear law is the first step towards totalitarianism. Who decides what is something bad? I don't find what they did to be bad. Obviously you do. Who gets to choose whether they're convicted?
      A fair justice system (mandatory condition for democracy) requires clear laws.

      And by the way, "juri" isn't who decides if what you did was bad. It decides whether you did that bad thing that's written in the law. It's very different.

    15. Re:No relation by Anonymous Coward · · Score: 0

      I am not one to usually respond on slashdot, but by your reasoning, any site owner can deem at any time the user's "intentions" criminal.

      If I have a website that provides sports statistics via an AJAX API, and someone uses my site that I believe is not a sportsfan, I could then argue "that the web pages were not ever intended to be accessed in the way that they were..."

      I could go even further, and state, that every time Google or any search engine indexes a page "that the web pages were not ever intended to be accessed in the way that they were."

      Now you also bring up insecure passwords as no defense. I agree, however, the AT&T system did not require a password at all.

      Also, I really don't see how you can compare murder to a PHP script.

      By using the Firefox extension, Firebug, am I accessing webpages in a way they were never intended to be accessed?

      What if an iPad user visits my "no-iPad" site? Should they be criminally investigated by the FBI because "the web pages were not ever intended to be accessed in the way that they were"? I don't want iPad users visiting my site and obtaining my content. Can I not have the Federal Bureau of Investigation launch a criminal probe into this offending visitor?

      Now, if the iPad user had somehow breached my password-protected website and content, then I can see getting the FBI involved.

    16. Re:No relation by dyingtolive · · Score: 1

      I feel there was a grievous crime committed here. Atrocities like this should not be able to be perpetuated. I demand immediate and the most severe punishment for all those responsible for this. AT&T should not be allowed to continue leaving sensitive and vulnerable data available for anyone who happens upon a server.

      --
      Support the EFF and Creative Commons. The war is coming, and they're supporting you...
    17. Re:No relation by hvm2hvm · · Score: 1

      I don't want unclear laws, I want laws that are retarded or incomplete to not be taken literally and I want more common sense to be used in courts. I also don't think that what those people did is bad, even remotely. What's the worst thing that can happen if some spammer finds your email address? You just change it and you're done.

      Also, look at the quote in my post above, it expresses some of my ideas more clearly.

      --
      ics
    18. Re:No relation by Goaway · · Score: 2, Insightful

      There were plenty of much more responsible ways to get that vulnerability fixed. That was clearly not the intent of the people involved, since they chose this course of action rather than a responsible one.

    19. Re:No relation by Hatta · · Score: 1

      > I think at the end of the day, whether it could be considered cracking or not depends on the intent of the owners of the site.

      Do you really want to live in a world where the legality of your actions depends on the goodwill of a company such as AT&T?

      --
      Give me Classic Slashdot or give me death!
    20. Re:No relation by Anonymous Coward · · Score: 0

      Great - thanks for that - now I have to change my email password.

    21. Re:No relation by Anonymous Coward · · Score: 0

      > Also, since when is an intrusion with the intent to obtain information they should know they are not entitled to considered a "test"?

      You bring up a good point. I had to walk a fine line a few years back, where I was the "white hat" security guy (at least those were my intentions), probing at a website looking for vulnerabilities for a court case. I used only permissions that were granted to me (and every other internet user), and wrote scripts to show how easy it was to hack the security of the site and pull content out of the site's database. I planned to turn it in to the courts, in support of the plaintiffs of the case. I don't want to mention the name of the site that was so easy to hack, lest I turn it into a free-for-all, where people start stealing the content of the site's database!

      Unfortunately, none of my work saw the light of day, as the case settled. But it still makes me nervous that some backwoods court will find my actions to be illegal. Fortunately, the settlement of the case relieved me of any tort claims. But it's hard to be a white hat, without being a little nervous and losing some sleep! I considered using WikiLeaks to get the information out there... but decided that my risks were still too great.

      Hopefully, some other white-hats will carry the ball forward some day.

    22. Re:No relation by jc42 · · Score: 1

      > Do you really want to live in a world where the legality of your actions depends on the goodwill of a company such as AT&T?

      Too late; we're already living in just such a world.

      If we weren't, we'd be reading about how the Goatse guys are being commended for their actions that benefit the general welfare.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    23. Re:No relation by icebraining · · Score: 1

      But you said "Anything that harms other people should be illegal."

      For many people, this does harm them - not physically, of course, but as you very well referred, it'll increase spam and that can be seen as "harm".

      I want laws to say explicitly what I am or am not allowed to do, not "do no harm".

    24. Re:No relation by icebraining · · Score: 1

      You've taken energy from me by posting that message. By your logic, you've done me harm and hence should be punished.

      And yes, I know I wasn't forced to read it. I'm not forced to read spam either.

    25. Re:No relation by hvm2hvm · · Score: 1

      Exactly, all the conversations here are more or less eating our energy. There are many situations where I'd want to reply to someone but it doesn't seem important enough that I waste my time with it (in this case I'm making an exception for obvious reasons).

      Going back to the discussion about spam, you are not obligated to read it, but just the effort required to realize it's spam and skip it is a time waster. Anyway, I was thinking more about the hosters and the site maintainers. They have a lot of trouble paying for wasted bandwidth and deleting spam.

      --
      ics
    26. Re:No relation by WNight · · Score: 1

      Wah, to a tune of no real damage. You're trying to manufacture a false sense of urgency here. It's not even vandalism, it's peeking through an employees-only door and seeing supposed secrets printed there for everyone to see.

      While these ipad owners might get some spam now depending on who got the addresses they won't get deceived by phishing attempts like they would have. And now everyone knows AT&T can't handle basic web security. If you tell a company that does this they'll quietly clean up the one instance (and sue you to prevent you finding any more flaws), if you tell the news the company will be forced to make broader and more useful changes.

      Too bad Apple gives you no choice of carriers - suck that lock-in.

    27. Re:No relation by WNight · · Score: 1

      Yeah, punish them because their script was scripted... And see how many people step forward next time. Doy!

      If we want people to publicly disclose vulnerabilities we can't punish them for incidental crimes like trespassing. Had they used the addresses to defraud someone this would be different, but they didn't. They saved these people from fraud by ensuring they knew their email address wasn't a secret between them and Apple/AT&T.

  3. sheesh by Izabael_DaJinn · · Score: 5, Funny

    I've always had problems with my ipads leaking

    --
    Careful What You Wish For....
    1. Re:sheesh by yincrash · · Score: 4, Funny

      something something fcc-mandated wings

    2. Re:sheesh by Anonymous Coward · · Score: 0, Funny

      I think you have your products mixed up. Easy mistake to make, given what a cunt Steve Jobs is.

    3. Re:sheesh by deniable · · Score: 1

      Now that you mention it, the ads for both feature all of the things they enable you to do. I'm waiting for the iPad ad featuring swimsuit clad girls running on the beach.

    4. Re:sheesh by commodoresloat · · Score: 3, Funny

      Well given the name of the hacker group, one figures that with a hole that large no ipad will be big enough to prevent leakage

    5. Re:sheesh by mcgrew · · Score: 1

      I had an iPad back in 2006, for one day. It was after my iSurgery.

    6. Re:sheesh by Anonymous Coward · · Score: 0

      Wings did not work for Paul McCartney, why would they work here?

    7. Re:sheesh by BillX · · Score: 1

      iPad. For when your robot girlfriend's flying the flag.

      --
      Caveat Emptor is not a business model.
  4. Ha ha, I love the genius of the hackers' name by apparently · · Score: 5, Funny

    > Hackers belonging to a group called Goatse obtained the e-mail addresses after uncovering a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries

    My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

    1. Re:Ha ha, I love the genius of the hackers' name by arkenian · · Score: 5, Funny

      > My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

      I'm just trying to imagine what the first story to try to describe the origin of the name will say...

    2. Re:Ha ha, I love the genius of the hackers' name by DJRumpy · · Score: 4, Insightful

      I don't know if I would call them journalists:
      Title: Apple's Worst Security Breach
      "Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every other buyer of the cellular-enabled tablet—could be vulnerable to spam marketing and malicious hacking."

      This is squarely AT&T's fault, yet the first paragraph implies it was "Apple's Worst Security Breach". I also like how they imply that a spammer getting your e-mail address is the be-all-end-all of hacking. Really? These folks have never seen spam before? How will they venture out onto the internet without feeling exposed and dirty? Oh wait. They get a new e-mail address. *sigh*

    3. Re:Ha ha, I love the genius of the hackers' name by WoRLoKKeD · · Score: 1, Troll

      I for one hope this is taken further, then someone releases the fact that these Goatse guys are the good guys.

      How often do you see an opportunity for a headline to read "GOATSE INCIDENT BLOWN WIDE OPEN!"?

      --
      Immolation is the sincerest form of flattery.
    4. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 0

      Oh come on... the background images weren't THAT bad.

    5. Re:Ha ha, I love the genius of the hackers' name by Kitkoan · · Score: 1

      > > Hackers belonging to a group called Goatse obtained the e-mail addresses after uncovering a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries

      > My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

      Well, according to the story about the leak yesterday, the official description is 'the group is steeped in off-the-wall, 4chan-style internet culture—its name is a reference to a famous gross-out Web picture'. I don't see many people looking it up on Google... unless you're only reading /.'s summary.... I personally preferred the one description of 'a picture of a man stretching his anus to 'olympic' proportions'. Just calling it 'olympic' proportions is a bad mental image enough.

      --
      Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
    6. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 5, Funny

      > > My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

      > I'm just trying to imagine what the first story to try to describe the origin of the name will say...

      Like a giant gaping security flaw...

    7. Re:Ha ha, I love the genius of the hackers' name by noidentity · · Score: 1

      I don't think it's so funny. These hackers are diminishing goatse's good reputation.

    8. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 4, Interesting

      If it was any other company I'd agree with you, however this is Apple, and the fact that they tightly control who sells their product and how, I would expect some kind of oversight. You think if Vodafone got a bunch of iPads and was selling them at $1 on a 5 year plan that Apple wouldn't shit itself?
      They got themselves into their own self policed walled garden, now they have to deal with it. It was a security breach at a carrier inside the walled garden... deal with it.

      And yes, email addresses are valuable information. Sure, not as bad as SSNs, but would you post your email address on a billboard? Why do you think websites, companies etc keep their customer emails under lock and key? Because it's valuable information.

    9. Re:Ha ha, I love the genius of the hackers' name by aliquis · · Score: 2, Insightful

      I like how they seem to think it's amazing to get some of those e-mail addresses, I mean, come on, just look at it:
      http://cache.gawkerassets.com/assets/images/7/2010/06/500x_ileakinside3.jpg
      Do you think Les Hinton's e-mail address may be les.hinton@dowjones.com ?!

      Top secret!

    10. Re:Ha ha, I love the genius of the hackers' name by aliquis · · Score: 1

      Just as long as they don't take it too far and go after GNAA, that would be racism!

    11. Re:Ha ha, I love the genius of the hackers' name by aliquis · · Score: 1

      .. and sexual persecution, come to think about it.

    12. Re:Ha ha, I love the genius of the hackers' name by SoupIsGoodFood_42 · · Score: 2, Insightful

      > You think if Vodafone got a bunch of iPads and was selling them at $1 on a 5 year plan that Apple wouldn't shit itself?

      As long as Vodafone paid Apple what they agreed upon, I doubt Apple would care. Why would they?

      The security breach was with AT&T, because it was on their servers and only affected their customers.

    13. Re:Ha ha, I love the genius of the hackers' name by GoochOwnsYou · · Score: 1

      Goatse has a long history of exposing gaping holes

      --
      This sig has been distributed under the Creative Commons license.
    14. Re:Ha ha, I love the genius of the hackers' name by GuruBuckaroo · · Score: 0, Troll

      OK, seriously. Why do people post things like this? I'm actually curious. It can't be "for the lulz", 'cause nobody's laughing - they're all thinking "god what an idiot this guy is". What possible purpose could you have for doing this? It's not even like you're getting some kind of notoriety out of it, 'cause you're posting as AC. I honestly can't think of any reason so much of this kind of pap gets posted here, or on any open forum. It baffles me.

      --
      Poor means hoping the toothache goes away.
    15. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 0

      > It can't be "for the lulz"

      The receiver of the "lulz" merely has to be the originator. So that blows your theory out of the water.

      Also: Your mother's a whore.

    16. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 0

      No worries, from their site http://security.goatse.fr/:

      > Goatse Security is a wholly owned subsidiary of the GNAA.

    17. Re:Ha ha, I love the genius of the hackers' name by Ethanol-fueled · · Score: 0, Troll

      You sound like a faggot.

    18. Re:Ha ha, I love the genius of the hackers' name by PBoyUK · · Score: 0, Flamebait

      Because it cuts into two of Apple's core user segments:

      1.) People who like to pay far more than something is actually worth.
      2.) Exclusivity. To their userbase, an Apple product is a statement of who you are. IE, someone with more money than sense and probably homosexual (*). If everyone started picking up $1 iPads, they wouldn't be so special anymore.

      * A funny aside, when the iPhone was new, Stephen Fry was doing an interview on Top Gear, espousing its virtues, and in particular talking about gaydar app that he found very useful. I fear though that this particular app may have fallen foul of App Store policy, as it would no doubt be duplicating functionality already present - in the hardware, no less.

    19. Re:Ha ha, I love the genius of the hackers' name by mwvdlee · · Score: 5, Funny

      There are black hat hackers, there are white hat hackers and now there are brown hat hackers.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    20. Re:Ha ha, I love the genius of the hackers' name by ArsenneLupin · · Score: 1

      > There are black hat hackers, there are white hat hackers and now there are brown hat hackers.

      Do you really think they bother with condoms if they skip the enema?

    21. Re:Ha ha, I love the genius of the hackers' name by deniable · · Score: 1

      Once you've been on the Internet for a couple of months you'll learn about trolls. Don't feed the trolls. See also GIFT.

    22. Re:Ha ha, I love the genius of the hackers' name by MadKeithV · · Score: 1

      Bunch of asshats.

    23. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 0

      > > My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

      > I'm just trying to imagine what the first story to try to describe the origin of the name will say...

      Say? Why on earth should they say anything?

      A picture is worth a thousand words.

    24. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 0

      Some people have nothing better than script bots that can break captchas. There's big money in the underworld for captcha breakers.

    25. Re:Ha ha, I love the genius of the hackers' name by qubezz · · Score: 0, Troll

      And once again, Apple (nee AT&T) calls in the cops to criminalize publicising its goofs, and have jackboot thugs toss the media's computers...

    26. Re:Ha ha, I love the genius of the hackers' name by Tim C · · Score: 1

      > As long as Vodafone paid Apple what they agreed upon, I doubt Apple would care. Why would they?

      Because it lowers the perceived worth of the product. People in general don't tend to think "OK, so it's X up front then Y/month for Z years, that makes it a total of X+(Y*Z)...". They see the up-front cost as being what the device costs. Sure, most will try to balance the two ("If I spend a little more now, it'll cost less per month...") but I don't think they join the dots in quite the same way.

    27. Re:Ha ha, I love the genius of the hackers' name by delinear · · Score: 1

      > I personally preferred the one description of 'a picture of a man stretching his anus to 'olympic' proportions'. Just calling it 'olympic' proportions is a bad mental image enough.

      Brings a new meaning to the Olympic rings, definitely.

    28. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 0

      Terrorist cells could be using steganography to communicate via troll posts.

      I think he said something about your mother.

    29. Re:Ha ha, I love the genius of the hackers' name by FunPika · · Score: 1

      > > Hackers belonging to a group called Goatse obtained the e-mail addresses after uncovering a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries

      > My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

      Also to the poor saps who go to Google after reading a random article about it and going "Who the **** is Goatse Security?"

      --
      After years of not using a signature, I am going to make one to say the following: Fuck Beta
    30. Re:Ha ha, I love the genius of the hackers' name by lowrydr310 · · Score: 1

      I'd have to agree with you - I'm no Apple fan, however I fail to see how this is Apple's fault. Apple still has full control over their product, but they weren't the ones who had a poorly designed website that returned an email address when the request included a valid ICC-ID. That sounds like poor web security, and sounds like it was AT&T's website.

      I also fail to see how what the "Goatse" guys did is a crime. If I send a legitimate request to a website and it returns someone's email address, is it my fault that the website gave it to me? The website is responsible for protecting this stuff.

    31. Re:Ha ha, I love the genius of the hackers' name by DJRumpy · · Score: 1

      I'm of two minds about the Goatse folks being accountable. You could argue that they knew they were exploiting a weakness each time they sent this script the device IDs, but in their defense, it's rational to ask what kind of brain dead person would drop a script into the public domain knowing the information it could return while not securing said script?

      I think I would have to take the 'open garage door' approach. Although someone may leave their garage door open, it is not an open invitation to walk in and steal something, tempting though it might be to some. Unless AT&T published information which led Goatse to believe they were invited or authorized into AT&T's servers to retrieve that information, I would still have to consider what they did 'hacking' in a very basic sense.

    32. Re:Ha ha, I love the genius of the hackers' name by hey! · · Score: 1

      I'm not so sure about that. Apple *requires* customers provide their email address in order to activate their iPad, then they turn the email address over to AT&T.

      Under the circumstances, Apple is morally (although probably not legally) responsible for ensuring that AT&T only use that information for appropriate purposes and take reasonable security precautions with it.

      Apple has a very simple recourse if it doesn't want to do that. It could provide every iPad with its own email address. Users could then forward email from that address to their real email, or not if they prefer to remain anonymous.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    33. Re:Ha ha, I love the genius of the hackers' name by DJRumpy · · Score: 1

      Apple doesn't really matter in the equation at all. AT&T has a responsibility to secure users' personal information due to privacy laws. It really doesn't matter who gave them that information, they are legally bound to secure it. When users purchased a 3G contract WITH AT&T, they signed the agreement with AT&T as to what was allowed. I know the Apple haters are all excited, but they always gloss over that point. Apple doesn't sell 3G access. AT&T does, and the user goes into the contract directly with AT&T, NOT Apple.

      Apple is not a police force. The FBI was called in for this purpose. Apple has no authority to inspect AT&T's servers, data, or anything of the sort. They can demand certain contractual obligations, but that doesn't mean AT&T will simply open its doors and allow Apple free rein to its data centers.

      At some point, AT&T has to comply with local and federal laws regarding data and privacy. They failed to do so.

    34. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 0

      Actually, apple DOES care. They have a long history of supply agreements that feature near MSRP price floors. They have sued several large distributors in the past for non-face price apple products [ipods, mostly] below msrp. They do not allow their products to be loss leaders because it reveals their cheap consumer junk for what it is.

    35. Re:Ha ha, I love the genius of the hackers' name by lowrydr310 · · Score: 1

      I see where your "Open Garage Door" approach applies, however nothing was really 'stolen.' In this case it's more like an open garage door with somebody's email address or social security number written in big letters on a wall inside the garage.

      The owner of that garage has the responsibility to keep the door closed, and prevent the information from being so easily seen.

    36. Re:Ha ha, I love the genius of the hackers' name by DJRumpy · · Score: 1

      I don't think that's a valid comparison. We all know what data theft is. These e-mail addresses were not sitting in some text file on the server in plain sight. The Goatse folks specifically had to send formatted data to an undocumented script to get it to return an address. I don't equate that with 'the address was written in big letters on the door'.

    37. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 0

      How appropriate a group called goatse would go around looking for open holes.

    38. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 0

      OK, seriously. Why do people post things like this? I'm actually curious. It can't be "for the lulz", 'cause nobody's laughing - they're all thinking "god what an idiot this guy is"

      No, they're thinking "What an asshole!"

    39. Re:Ha ha, I love the genius of the hackers' name by hey! · · Score: 1

      Apple is tying its products to another vendor. It can't stand behind its products without policing the actions of its partner as far as customers for Apple products are concerned.

      It'd be different if it were just AT&T being sloppy with its email users, and *some* iPad users used AT&T mail. That'd be AT&T's problem. But the deal Apple is offering is "use AT&T's network services or don't use an iPad."

      It'd be different if Apple gave you a choice of providers, and you chose wrong.

      Like it or not, AT&T service is part of the iPad, just like Foxconn circuit boards.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    40. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 0

      But what of the insanity of apple still holding on to ATT, I mean if you look at the situation, ATT is holding a monopoly on service to ipad, iphone, 3g, and the service allegedly, sucks.

      there is no incentive, for ATT to do a good job, because there is no competition, I think that sucks and so allegedly does SJ

    41. Re:Ha ha, I love the genius of the hackers' name by DJRumpy · · Score: 1

      I would imagine that they are probably in a legal contract. AT&T was the only provider that would even talk to Apple when they went around to each peddling the iPhone.

      I imagine AT&T got a pretty good deal including this exclusivity deal. It makes no logical sense for Apple to want to stay with AT&T. It limits their customer base with arguably the worst of the big three, and by extension, limits their growth. I think it's more of a 'they have to'.

    42. Re:Ha ha, I love the genius of the hackers' name by soppsa · · Score: 1

      The iPad isn't carrier locked you Apple hating troll. If Vodafone paid Apple for the devices, they can charge whatever they want. At that price Vodafone would certainly not make money, so it's moot.

    43. Re:Ha ha, I love the genius of the hackers' name by SoupIsGoodFood_42 · · Score: 1

      Well, this isn't confirmation, but I guess we'll soon see.

  5. I applaud this hacker group by Nicky+G · · Score: 5, Funny

    No, not for revealing a potentially dangerous flaw in AT&T security. What-evs.

    I heard and read the word Goatse more today in the mainstream media than all points of my life added together, and I can only imagine how many lives were ruined by the ensuing Google searches! Hahahahahah!!!!!!!

    1. Re:I applaud this hacker group by buchner.johannes · · Score: 1

      Yeah, typical. AT&T are the victims of brutal cyberweapons.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:I applaud this hacker group by inode_buddha · · Score: 5, Funny

      I've long fantasized about renting a billboard along the I-90 and putting www.goatse.cx on it. No image or anything, just the URL.

      --
      C|N>K
    3. Re:I applaud this hacker group by deniable · · Score: 1

      It got taken down. goat.cx is still around and suitable for Halloween.

    4. Re:I applaud this hacker group by mcgrew · · Score: 1

      As if ten million souls cried out in unison "MY EYES! MY EYES!"

  6. Gaping hole in their security by Anonymous Coward · · Score: 0

    They might as well have bent right over for this one.

    I'm still married to my iPad though. I'm keeping the wedding ring on, if you know what I mean.

  7. Not you too, Slashdot by Kashell · · Score: 4, Informative

    These guys aren't hackers. They are security advisors. They are the good guys. I suppose the editors didn't bother, you know, clicking a few links?

    Here, I've done your homework. Was it that hard?

    http://security.goatse.fr/blog/

    >>
    "Anyways, there was no illegal activity or unauthorized access, this was not a shady backroom hookers and blow deal with Nick Denton as revenge for the iPhone raid (though that would be totally sweet), we did not sell your data to spammers (on the contrary, we destroyed it after Ryan used it; it had served its purpose to us) and we did not try to hack your iPads. Your iPads are safer now because of us."
    >>

    1. Re:Not you too, Slashdot by arkenian · · Score: 5, Insightful

      These guys aren't hackers. They are security advisors. They are the good guys. I suppose the editors didn't bother, you know, clicking a few links? Here, I've done your homework. Was it that hard?

      I'm sorry, but googling 'goatse' was not on the list of activities I had planned for the night. I mean, seriously? This said, you have my admiration for your fortitude and thanks for the sacrifices for the cause.

      Also, really, with a name like 'goatse' most people aren't going to automatically leap to the idea of it being a white-hat group.

    2. Re:Not you too, Slashdot by Anonymous Coward · · Score: 0

      Note to technology backwards prosecutors, if you were not asked for a password then it wasn't unauthorized.

    3. Re:Not you too, Slashdot by rolfwind · · Score: 4, Insightful

      Hacker is not a term that means you are the bad guy although it conjures the fear in the ignorant (i.e. the general public). It just meant someone who hacks.

      This was a hack.

      http://en.wikipedia.org/wiki/Hack_(technology)

    4. Re:Not you too, Slashdot by Kashell · · Score: 1

      Of course, "hacker" isn't necessarily evil, but the context of the post certainly implies these guys were up to no good.

    5. Re:Not you too, Slashdot by Wuhao · · Score: 2, Insightful

      I have to admit, I had to ignore years of experience with Internet forums to follow a link to "goatse.fr."

    6. Re:Not you too, Slashdot by blackraven14250 · · Score: 3, Informative

      It wasn't reconfigured or reprogrammed to change the function of the script on AT&T's website. The system was doing exactly what it was intended to do, give the iPad information as a number was given to the script. It gave the information to the wrong people, because the script was public, but that doesn't qualify. These guys didn't change anything on AT&T's side, just utilized tools that were already there.

    7. Re:Not you too, Slashdot by Anonymous Coward · · Score: 2, Funny

      brown-hat maybe?

    8. Re:Not you too, Slashdot by DJRumpy · · Score: 2, Informative

      They may have discovered it, but they didn't report it to AT&T. From TFA:

      "The person or group who discovered this gap did not contact AT&T."

      Not that 'good' in my opinion.

    9. Re:Not you too, Slashdot by Fartypants · · Score: 3, Insightful

      These guys aren't hackers. They are security advisors. They are the good guys.

      So, if you were one of the people who had their personal email leaked, would you be thanking the good guys right now for doing it? It's sort of like if a security consultant pushed somebody through a broken railing to "demonstrate" the flaw in security. Couldn't they have just called AT&T and pointed it out? Or would that not have been rad enough?

    10. Re:Not you too, Slashdot by Anonymous Coward · · Score: 0

      Contacting ATT...

      - not rad enough? ... maybe

      - not getting this fixed? ... for sure (out of sight, out of mind)

    11. Re:Not you too, Slashdot by wiredlogic · · Score: 1

      I think it's more of a cherry red.

      --
      I am becoming gerund, destroyer of verbs.
    12. Re:Not you too, Slashdot by Anonymous Coward · · Score: 0

      One reason for playing sentimental about the "emails" is because you're the software engineer who wrote such bad stuff.. A good lawyer views a contract and leverages off its features.. so do good software engineers

    13. Re:Not you too, Slashdot by CoolGopher · · Score: 1

      Here, I've done your homework. Was it that hard? http://security.goatse.fr/blog/

      Dude, I know what's on goatse.fr - you're not going to trick me by adding a sub-domain and a directory name!

    14. Re:Not you too, Slashdot by TubeSteak · · Score: 1

      They may have discovered it, but they didn't report it to AT&T. From TFA:

      "The person or group who discovered this gap did not contact AT&T."

      Not that 'good' in my opinion.

      "Good" is a relative thing.
      Companies would rather have you never disclose their flaws to the public.
      OTOH, the public is at least as well served by publicly embarrassing them.

      The merits of full vs responsible/non-disclosure have been debated since the 1800s
      and if the totality of your contribution is "Not that 'good' in my opinion,"
      then you really haven't added much to the discussion.

      Think of the iPad e-mail leak as an oil spill.
      It's 'big', it's public, and it'll definitely cause changes in security to be made.

      --
      [Fuck Beta]
      o0t!
    15. Re:Not you too, Slashdot by Anonymous Coward · · Score: 0
    16. Re:Not you too, Slashdot by Anonymous Coward · · Score: 0

      So, if you were one of the people who had their personal email leaked, would you be thanking the good guys right now for doing it?

      Yes I would.

      In this case I would argue the people involved deserved it (given the track record and my personal opinion of the company they were dealing with). Not so much that they deserved ill on them... but that they pretty much had it coming.

      And yes: I've never had my personal email leaked.... but I have had my SSN, name, and address leaked along with employer info... So if you think I'm a hypocrite... well I'm not.

      These were just email addresses, idiots. Get over yourself, fucktards.

    17. Re:Not you too, Slashdot by aliquis · · Score: 1

      IDNRTFA, BIRTP: http://apple.slashdot.org/comments.pl?sid=1682430&cid=32531390

      I don't know what Ryan is, anyone of them? At AT&T? Someone who wrote an article? But in any case depending on who he is maybe they did not spread the data to plenty of others?

      What do I know.

      Still it was AT&T leaking the data, not the group. If you're frustrated blame and speak to AT&T.

    18. Re:Not you too, Slashdot by aliquis · · Score: 1, Troll

      So, if you were one of the people who had their personal email leaked, would you be thanking the good guys right now for doing it?

      From http://security.goatse.fr/blog/:

      We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as “nice guy” as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it.

      So they didn't contact AT&T directly, probably to stay anonymous from any kind of investigations or such, but they still tipped off AT&T indirectly before the article and most likely did not spread the information further. Gawker got it for their article, AT&T got to close the leak and that's it.

      So yeah, definitely good guy approach to me.

    19. Re:Not you too, Slashdot by WNight · · Score: 0, Troll

      You're hopelessly emotional and stack the deck. "Push someone through a broken railing" ... presumably between them and something deadly.

      Oh yeah, that totally compares to snooping.

      The scale of this is relevant, because it's a far lesser problem to have your email publicly leaked (as happened) than to be approached in a phishing scam when you thought you were safe.

      So yeah, I'd rather some snoopers inconvenience some people (mostly AT&T who need inconveniencing!) than serious fraudsters scam them. And I'd like attention brought to crap security because it's endemic in the industry. Apple presents itself as "just working" and insists that the entire stack, software and hardware will. Now they're discovering the stack includes network providers and other "partners".

    20. Re:Not you too, Slashdot by Anonymous Coward · · Score: 0

      Also, really, with a name like 'goatse' most people aren't going to automatically leap to the idea of it being a white-hat group.

      Good. The more people do this, the faster we move away from pretentious "your name defines you" bullshit that lends credibility to shady groups. Too many corrupt assholes hide behind fancy, positive words. Just look at your average conservative think-tank or law initiative.

    21. Re:Not you too, Slashdot by icebraining · · Score: 1

      Then you wouldn't know about it, so you wouldn't learn that if you want to keep your email address private, you don't give it to AT&T.

    22. Re:Not you too, Slashdot by Anonymous Coward · · Score: 0

      Oh, wow, their name itself implies security, trust, moral and ethics.

      http://tinyurl.com/cgoc66

    23. Re:Not you too, Slashdot by mcgrew · · Score: 2, Insightful

      Language evolves, whether we like it or not. I used to be a gay hacker until they changed the meaning of "gay" and "hacker", now I'm just a happy nerd.

      Changing the meaning of "hacker" only affects us, but when they changed "gay" it affected hundreds of years of song and poetry -- "Deck the Halls" for example. I have an MP3 I ripped from an old 78 with lyrics "gay as a New Year's party"; it has a completely different meaning today than it did in my dad's youth, because the meaning of the word has changed.

      We just have to live with it. I blame Hollywood for the change in "hacker". Blame gays for the change of "gay".

    24. Re:Not you too, Slashdot by Anonymous Coward · · Score: 0

      Herp de derp, it is clearly flamebait to point out that a group that puts exploits in the wild are, in fact, not the good guys.

      (Note: by "in the wild" I mean "they were actively using this to attack a service, severely disrupting usage for others, with no intention of stopping".)

  8. ole by britneys+9th+husband · · Score: 4, Funny

    AT&T needs to fix this wide, gaping hole that has been stretched open on their website before more iPad email addresses are exposed.

    --
    Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
    1. Re:ole by Anonymous Coward · · Score: 0

      Well thank goodness they have the Federal Bureau of Investigation running this investigation. How appropriate. For a moment there I was worried they might hire BP for the job, and we all know how bad THEY are with leaks.

    2. Re:ole by outsider007 · · Score: 1

      The situation will not be rectified until the ass responsible for this is wiped out.

      --
      If you mod me down the terrorists will have won
  9. Van der Sloot investigators on the case? by theodp · · Score: 0, Offtopic

    So the FBI cut Joran Van der Sloot some slack, but this is worth pursuing?

  10. assholes by xaoslaad · · Score: 5, Insightful

    This country is so egregiously fucked up it isn't funny. AT&T puts 114,000+ users info on the internet and that's OK. No investigation. Someone pulls it from their site and they get hunted down like a witch.

    FUCKED! UP!

    1. Re:assholes by $RANDOMLUSER · · Score: 2, Interesting

      I think "embarrassing the FBI's (corporate) domestic surveillance wing" is the crime being investigated here.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    2. Re:assholes by Anonymous Coward · · Score: 0

      AT&T puts 114,000+ users info on the internet and that's OK. No investigation. Someone pulls it from their site and they get hunted down like a witch.

      Parent has a point. From what I understand, the emails were obtained through simple URL rewriting. The information was already public. If this is criminal, so is anybody who edits the URL bar to go somewhere that the site owner did not explicitly link to.

    3. Re:assholes by Ethanol-fueled · · Score: 1

      If this is criminal, so is anybody who edits the URL bar to go somewhere that the site owner did not explicitly link to.

      inb4 404

    4. Re:assholes by Simmeh · · Score: 2, Insightful

      Agreed, if this happened in Europe there could have been an investigation into the failure to protect the users' data. Instead, a group who made the flaw public is being investigated. Fact is, they might not have been the first to harvest this data, not that AT&T will ever admit otherwise.

    5. Re:assholes by phantomfive · · Score: 1

      It's more than that. If AT&T had wanted to, they could have put up a public API with the same info and let people use it for a fee, if they'd wanted to. Not only is what they did not illegal, but it is a legal way to make profit if they'd wanted to.

      --
      Qxe4
    6. Re:assholes by vlueboy · · Score: 1

      Parent has a point. From what I understand, the emails were obtained through simple URL rewriting. The information was already public. If this is criminal, so is anybody who edits the URL bar to go somewhere that the site owner did not explicitly link to.

      Just a day ago someone posted about a UK conviction of a man for appending this to a URL:

      ../../

      So, yes. The world can deem you a criminal for using features of technology that are supposed to be obscure; it doesn't make it any less of an attack for doing so. Getting caught with your hand in a cookie jar just is bad, but not necessarily for morally righteous reasons.

      Knowledge of science doesn't mean the whole world is your playground (paraphrased from Fringe)

    7. Re:assholes by MichaelSmith · · Score: 1

      I think the interpretation of the law is wrong in that case because there are many situations where it is appropriate to append ../../ to a URL. How is the person browsing the site expected to know the difference?

    8. Re:assholes by vlueboy · · Score: 1

      I think the interpretation of the law is wrong in that case because there are many situations where it is appropriate to append ../../ to a URL. How is the person browsing the site expected to know the difference?

      This is a very specific case, but your question's answer is: The GUI does not prevent them from entering the special string. However, the GUI discourages this by providing a perfectly usable Home/Forward/Back button [even "Up" in Konqueror]. For most non-savvy John Doe users like the convicted "criminal," pages have their own hyperlinks and pictures to navigate the site.

      In dumbing down interfaces and savvy expectations, the UK and anyone else can criminalize and label as misuse what is technologically allowed by the system. Example? AT&T plus "illegal" iPhone tethering.

    9. Re:assholes by Anonymous Coward · · Score: 0

      How private are email addresses really? Not like we are talking SSNs and CC numbers.

    10. Re:assholes by WNight · · Score: 1

      And that we tolerate them cracking down on reasonable things means we're partly the ones to blame when frustrated hackers - now labeled black-hats by the system for URL rewriting - melt our cell-phone (well, flash them to uselessness) as part of their next demonstration.

      I mean, if we blow every little thing up into jail-time they'll blow every quiet security notification up into a hilarious media scandal. Right? Nobody else seeing this?

    11. Re:assholes by Anonymous Coward · · Score: 0

      Then what stake can I burn Microsoft's Bing team on? Recently, I have gotten a few reports of pages on my site that I haven't linked anything to in the last 3 years coming up in Bing's search results. Google doesn't show them, Yahoo, doesn't.... all of the referrers show Bing......so how do I get them hunted down?

    12. Re:assholes by mapkinase · · Score: 1

      Well, the sentiment is alright, but isn't entering somebody's unlocked house and taking the stuff you are not supposed to take still "breaking and entering"?

      Or, better, imagine you have entered somebody's house for a party. You are assumed to enjoy food and drinks, but you are not supposed to take objects of art from the walls, are you? You are not supposed to take somebody's diary notebook from the top of the desk or somebody's addressbook...

      Depends on how are the rules written. What are the rules of using that particular website? How well are they exposed to the average user?

      The situation is not as black and white as many /.ers would like to see it.

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    13. Re:assholes by drinkypoo · · Score: 1

      Well, the sentiment is alright, but isn't entering somebody's unlocked house and taking the stuff you are not supposed to take still "breaking and entering"?

      No, it is not. In order to have breaking and entering, the house must be locked. Otherwise it's just trespassing, and in California you're not trespassing until you've been told to leave, dunno about other states. "posted keep out" signs don't mean shit unless you can't possibly fail to see one on your way onto some property.

      Depends on how are the rules written. What are the rules of using that particular website? How well are they exposed to the average user?

      Accessing accidentally exposed information is not illegal. Web-site EULAs do not trump law.

      The situation is not as black and white as many /.ers would like to see it.

      No, it's green and white. Although we do still use some black ink on our money.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re:assholes by bill_mcgonigle · · Score: 1

      Someone pulls it from their site and they get hunted down like a witch.

      AT&T paid good money for their legislators and regulators. They're entitled, in return, for some "protection service", aren't they?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    15. Re:assholes by tekrat · · Score: 1

      Hey, someone puts a useless "bomb" that wouldn't have killed anyone in Times Square, and in less than a week, they've got the guy and he'll never see the light of day again.

      BP on the other hand, kills 11 people, and wipes out the entire gulf coast, and so far, the only thing that has happened is that their stock price has dropped a bit. If you're moaning because there's no justice in the world, all I gotta say is wake up and smell the coffee.

      As I've been saying for a long time now, Corporations have *more* rights than people.

      --
      If telephones are outlawed, then only outlaws will have telephones.
  11. "Not misused"? by Anonymous Coward · · Score: 1, Insightful

    How is handing email addresses over to Gawker (i.e. a third party) anything other than misusing them?

    1. Re:"Not misused"? by Dr+Herbert+West · · Score: 1

      Mod parent up. I find the whole "front door unlocked" aspect of the iPad to be a legit, hilarious target of asshole hacker spam and kind of a dealbreaker functionality wise (gee, I guess maybe now I won't buy one)... but you can't say you're one of the good guys if you pass data on to the internet equivalent of the Nat. Enquirer.

      If I find a wallet on the floor, and I don't immediately look around and yell "whose wallet is this?" or give it to the nearest cop (however, the last time I did that, the cop told me to take the money out and drop the rest in a mailbox or else someone at the post office would "steal" it, ) it's reasonable to assume I have planned to keep it.

    2. Re:"Not misused"? by exomondo · · Score: 1

      What resulting damage occurred to anyone whose data was leaked by AT&T? How did they abuse the data they collected? Seems to me that it wasn't misused at all.

    3. Re:"Not misused"? by Anonymous Coward · · Score: 0

      +1 informative
      +2 sad

      Thanks, man. At least that way the wallet's owner has some chance of recovering his cash by retracing their steps.
      I guess inaction is the best.

    4. Re:"Not misused"? by Anonymous Coward · · Score: 0

      Uhh what? How is that better than taking it to a police station. Here in the UK, lost property gets taken to the police station so people know where to at least try looking, and if it goes unclaimed for a certain period the finder gets to keep it. Seems like a much more sensible approach than taking out the money (??) and then dropping the wallet in a mailbox (??) - how will the guy who lost it know to look in the mailbox? Will the mail try and track it down or just throw it away, what happens if it gets tracked back to you and you're arrested for taking the money?

    5. Re:"Not misused"? by Anonymous Coward · · Score: 0

      How is handing "customer traffic and emails" over to "FBI" (i.e. a third party) anything other than misusing them?

      there, fixed that for you.

  12. The real reason AT&T is mad by Sabalon · · Score: 1

    Basically - they couldn't find a way to charge for each downloaded e-mail address.

    1. Re:The real reason AT&T is mad by aliquis · · Score: 1

      Basically - they couldn't find a way to charge for each downloaded e-mail address.

      At least it looks like Gawker got their bill:
      http://cache.gawkerassets.com/assets/images/7/2010/06/500x_ileak_inside1.jpg

  13. they .. by prozaker · · Score: 1

    Found a hole in the system !

  14. I'm just hoping we capture the event ... by Krishnoid · · Score: 1

    They are journalists, after all. I hope people are ready with their cameras to contribute to the wonderful collection of humanity that is first goatse before the surprise value is lost from reading about it in the press.

  15. Follow up Report by Anonymous Coward · · Score: 0

    Apple Plugging the Gap Exposed by GOATSE!

    Steve Jobs says he is using a hands on approach!

    The jokes just write themselves!

    1. Re:Follow up Report by oldspewey · · Score: 1

      The jokes just write themselves!

      "Some people say our app store rules are dark and impenetrable, so we're opening things up in order to give everyone a better look at the internal workings."

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
  16. AT&T - not Apple by bokmann · · Score: 0, Redundant

    I realize saying AT&T made the headline more sensational, but really - RTFA and you'll see this is AT&T's data breach, NOT Apple's. If AT&T had lax security on some other database, would this have been classified a data breach by RIM or Motorola?

    No, because that wouldn't have been very interesting.

    1. Re:AT&T - not Apple by Anonymous Coward · · Score: 1, Informative

      I realize saying AT&T made the headline more sensational, but really - RTFA and you'll see this is AT&T's data breach, NOT Apple's

      Please explain the logic underlying this sentence.

  17. Why is this "news"? by manicbutt · · Score: 2, Insightful

    It's not a hack, it's only indirectly related to Apple (despite Gawker's attempts to paint it otherwise), and the government email addresses that were "exposed" are public anyway. It's not difficult for me to send email to Rahm Emanuel. Goatse's brute force script isn't that interesting (see http://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/) so why are we wasting so much time on this non-story?

    1. Re:Why is this "news"? by AHuxley · · Score: 1

      "force script isn't that interesting" - Google is learning that too, so is MS and the US mil.
      How complex, encrypted and expensive does a backend have to be before the FBI and US law spins up?
      From Google to a UFO hunter to a telco database, it seems the US wants very flexible laws.
      Enter a mil MS network with a script, it's a hack; collect packets from wifi networks without permission, it's a mistake; run a brute force script on a telco and it's a .... ????
      Most parts of the world sorted their cyber crime laws out a long time ago.
      Not your network, you're in trouble.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Why is this "news"? by aliquis · · Score: 1

      Because it's got goatse in it.

      Everything anal is hot stuff nowadays.

  18. Wide Hole by codepunk · · Score: 1, Redundant

    Goatse finds a "hole" wide enough to drive a truck through, oh the irony!

    --
    Got Code?
  19. Downloading 114k users != white hat by Anonymous Coward · · Score: 3, Insightful

    A white hat would see the hole, download a few to verify, write a script as a proof of concept and verify that the script worked, and then report the hole to AT&T. Downloading over 100,000 email addresses and sending them to the press is NOT what responsible security researchers do.

    1. Re:Downloading 114k users != white hat by aliquis · · Score: 1

      But now they got noticed for it, can still remain anonymous (if they are) and still no-one was hurt, unless Gawker spread them further.

      Nothing wrong with a little ego.

    2. Re:Downloading 114k users != white hat by delinear · · Score: 1

      Not only that, and I'm certainly not defending their actions, but how many times have we seen it in the past that people with good intentions alert the owners of the code to the flaw and it just gets sat on or ignored for years. It seems the only way to get these companies to respond is to show them the consequences rather than just warn them. It's a sad state of affairs, but all too common.

    3. Re:Downloading 114k users != white hat by Anonymous Coward · · Score: 0

      A white hat would see the hole, say "Ah, crap" and close that browser window. Not familiar with goatse?

  20. This isn't so simple by tpstigers · · Score: 3, Interesting

    What if some of those 114,000 iPad users live in Massachusetts? http://yro.slashdot.org/story/10/04/25/1745210/Mass-Data-Security-Law-Says-Thou-Shalt-Encrypt

    1. Re:This isn't so simple by Anonymous Coward · · Score: 0

      What happens when the data in the database *is* encrypted but the application itself un-encrypts the data before displaying it? Otherwise it would be a jumbled, unreadable mess on the screen.

    2. Re:This isn't so simple by ShOOf · · Score: 1

      Email addresses aren't considered personal information.

  21. Someone is lying, who do you think it is? by KingSkippus · · Score: 4, Interesting

    They may have discovered it, but they didn't report it to AT&T.

    ...According to AT&T. Someone is lying. From TFA:

    Goatse Security notified AT&T of the breach and the security hole was closed.

    Then later in the article:

    AT&T sent us a statement...: "The person or group who discovered this gap did not contact AT&T."

    Personally, I think that AT&T is a sack of douchebags that doesn't know their ass from a hole in the ground, and when choosing who to believe between AT&T and just about anyone else, I'm inclined to believe anyone else. I'd bet dollars to doughnuts that someone did indeed notify AT&T, but now they're trying to cover their ass and make it sound like they somehow proactively found the hole themselves.

    1. Re:Someone is lying, who do you think it is? by oddTodd123 · · Score: 1

      This is how it all started:

      AT&T is a sack of douchebags that doesn't know their ass from a hole in the ground

      They heard "goatse" could help them with their problem...

      now they're trying to cover their ass

      After news of this broke, they are now claiming...

      they somehow proactively found the hole themselves.

    2. Re:Someone is lying, who do you think it is? by OverlordQ · · Score: 5, Informative

      From their 'goatse security' homepage (before they edited it)

      g0udatron[gapp]: Perl/PHP/js/c/objc/c++ pirate. m68k/z80/mips/x86 asm. series 7, series 66, series 62, series 42 licensed Texas broker. Bane of EFnet #anxiety and co-founder of the CUSSE certification track.

      Hurm, what's this CUSSE?

      Certified Unethical Security Systems Expert

      Huuuuurm?

      CUSSE Principles
              * Keeping 0-Days Private
              * IRC
              * Taking down Whitehats
              * Poor Netiquitte
              * Hacking the Planet
              * Ruin
              * No Disclosure
              * Mayhem
              * Nobody is Safe
              * Info is Money
              * Destruction
              * Only Death Saves You
              * Conf

      Yup, they sound perfectly professional and believable.

      --
      Your hair look like poop, Bob! - Wanker.
    3. Re:Someone is lying, who do you think it is? by Krusty_Klown · · Score: 2, Informative

      The guy admitted in a cnet interview that he did NOT tell AT&T for fear of them coming after him. link

    4. Re:Someone is lying, who do you think it is? by Anonymous Coward · · Score: 0

      Yup, they sound perfectly professional and believable.

      I think the real problem is that traditional media and government officials are incapable of detecting jokes and rabidly fight everything they cannot understand.

    5. Re:Someone is lying, who do you think it is? by Wireless+Joe · · Score: 1

      Maybe they tried to "report" it like the guy who found the iPhone 4 prototype tried to "report" it.

      Goatse: "Hello, AT&T customer service? I found a hole in your website that gives me access to iPad user email addresses."

      AT&T drone:"Huh?"

    6. Re:Someone is lying, who do you think it is? by mcgrew · · Score: 1

      Personally, I think that AT&T is a sack of douchebags that doesn't know their ass from a hole in the ground

      I've held the same opinion since they bought out Cingular and my phone bill skyrocketed. I'm a happy Boost Mobile user now.

    7. Re:Someone is lying, who do you think it is? by Anonymous Coward · · Score: 0

      Personally, I think that AT&T is a sack of douchebags that doesn't know their ass from a hole in the ground, and when choosing who to believe between AT&T and just about anyone else, I'm inclined to believe anyone else. I'd bet dollars to doughnuts that someone did indeed notify AT&T, but now they're trying to cover their ass and make it sound like they somehow proactively found the hole themselves.

      sock puppet. Op is weev.

  22. Stay classy, Reuters by l00sr · · Score: 5, Funny

    Dare I say Reuters has figured it out, with this story image.

    1. Re:Stay classy, Reuters by oldspewey · · Score: 1

      Classic.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    2. Re:Stay classy, Reuters by Anonymous Coward · · Score: 0

      "probing" lol

    3. Re:Stay classy, Reuters by 1+inch+punch · · Score: 1

      Definitely; check out the headline: "FBI probing AT&T iPad security breach"

    4. Re:Stay classy, Reuters by bennomatic · · Score: 1

      That, along with the title of the article, is brilliant. Thank you for that link.

      --
      The CB App. What's your 20?
    5. Re:Stay classy, Reuters by ArsenneLupin · · Score: 1

      Brilliant! Only nitpick: The hands are positioned a little bit too low for the apple logo.

    6. Re:Stay classy, Reuters by Anonymous Coward · · Score: 0

      I agree, that complaint was really worth writing home about

    7. Re:Stay classy, Reuters by stephanruby · · Score: 0, Offtopic

      +1 insightful to Reuters.

      It's almost as good as the Fedex Arrow.

    8. Re:Stay classy, Reuters by Anonymous Coward · · Score: 0

      He's missing a gold ring...

  23. I just hope that my mom by Decollete · · Score: 1

    would not Google the hackers' group name

  24. Re:Lame by Anonymous Coward · · Score: 0

    GNAA, Beloved Slashdot trolls, seems to have passed away (or, well, grown up). TFS mentions goatse and no GNAA troll? No ASCII art goatse? This isn't the Slashdot of my youth.

    Actually, /. crapflooders (they weren't really trolls) have all but vanished - what do you think, did /. moderation finally work, or was it the creation of the Chans?

  25. Re:Leaky iPads? by Anonymous Coward · · Score: 0

    Wings did not work for Paul McCartney; what makes you think iWings would be better?

  26. So THAT'S why it's stretched so wide... by Chas · · Score: 1

    I now know where Apple's been hiding their top secret stuff when they aren't out getting drunk and losing them.

    And it's a place most people would NEVER go to steal something.

    Think "Christopher Walker" "Pulp Fiction" and "Watch".

    Excuse me, I need to go scrub my head out with a sandblaster now.

    --
    Chas - The one, the only.
    THANK GOD!!!
    1. Re:So THAT'S why it's stretched so wide... by delinear · · Score: 1

      It also explains the leakage...

    2. Re:So THAT'S why it's stretched so wide... by Pax681 · · Score: 1

      Think "Christopher WALKEN" "Pulp Fiction" and "Watch".
      there fixed that for you

  27. They publicised the SIM number? by Anonymous Coward · · Score: 0

    That seems even more dangerous than an email address. I mean, what's to stop me getting the list, calling up AT&T and saying it's (email name here), can you cancel my SIM number 12345678901234

    1. Re:They publicised the SIM number? by delinear · · Score: 1

      Well, much as AT&T seems to be generally clueless, I'd expect even they would get suspicious if you called and the only identifiable details you had were your email (even if you can use that to get the name) and the SIM number. When I wanted to cancel my (UK so not AT&T admittedly) mobile phone contract, I was asked for my account number, name, address, date of birth and the answer to my security question before they'd even think about taking action.

  28. Re:Frosty piss by Lavene · · Score: 1

    This is just sad. An article about a group actually called Goatse and this is the FP you manage to come up with? Tsk tsk...

  29. Sensible l by Anonymous Coward · · Score: 2, Insightful

    THIS is a serious breach of privacy, and yet releasing the IPs of people accused of downloading a torrent is cool with the authorities, media, and seemingly everyone else? Do we really want to be turning to 4Chan for insight into how fucked our system is? http://i.imgur.com/LgjPH.jpg

  30. New sport for the Olympics? by AliasMarlowe · · Score: 1

    I personally preferred the one description of 'a picture of a man stretching his anus to 'olympic' proportions'. Just calling it 'olympic' proportions is a bad mental image enough.

    Now I know why I avoid watching the Olympics...

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  31. Joke much? by Anonymous Coward · · Score: 0

    Professional? Not so much. But that page is clearly a joke, man. Lighten up.

  32. Wow, who would've thought? by Anonymous Coward · · Score: 0

    Gawker morons again?????

  33. Humor flame, please disregard; by Delusion_ · · Score: 1

    It always irritates me when someone refers to "goatse.cx" as "goatse". It's like they missed the whole point of the joke.

  34. Re:Lame by Anonymous Coward · · Score: 0

    I remember one time someone did a full parody of "Sultans of Swing" by Dire Straits, only it was called "Faggots of Slashdot" and it was all about how the editors like to have gay sex with each other. Where is that creativity now? Slashdot could use an injection of that type of verve right now if you ask me!

  35. more than 2GB of data??? by tekrat · · Score: 1

    So now, if you get spammed, because AT&T gave out your email address for any script that asks for it, does that count against your draconian "unlimited" 2GB data-plan? How can they ALLOW you to get spammed, all the while charging you for every packet you get. Pretty double-faced of them, eh?

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:more than 2GB of data??? by Anonymous Coward · · Score: 0

      You get that much spam? really???? come on.... Anyway, why don't you filter it before you download it to your mobile device. If your email provider doesn't do it then get fetchmail, procmail, spam assassin, and courier IMAP and pop your own accounts, filter your mail and connect to your server from your mobile device via IMAP. It isn't a lot of work really.

  36. First the local police, now the FBI by ClosedSource · · Score: 1

    What's next? INTERPOL?

  37. Slashdot has the solution!!! by warGod3 · · Score: 1

    They now have an article posted here. "How to Destroy a Black Hole" - Goatse, watch out!

    --
    "Be polite, be professional, but have a plan to kill everybody you meet." General James Mattis
  38. Re:Lame by Anonymous Coward · · Score: 0

    Blame some changes to Slashcode, the death of Trolltalk and the ZOG.

  39. Headlines are Good here by cry0g3n · · Score: 1

    Obviously this was not Apple's fault, but headlines make the story.... Apple is a Media darling ... Only good thing here is it MIGHT push SECURITY to the forefront some more.... my .02c

  40. Who do they work for? by Anonymous Coward · · Score: 0

    Who the #&@* does the FBI work for??? AT&T and their ilk, I guess...

  41. wtf?? by Anonymous Coward · · Score: 0

    Does the FBI do all US companies' tech support for them these days? "oh we got hacked again... lets call the FBI!". Seriously, isn't it a complete waste of FBI resources to get involved at such an early stage? Let the telco do its own internal investigation first with hired consultants to figure out what happened, and if it turns out to have been a real crime, then contact the authorities. WTF!!

  42. Hacker must die by Sloppy · · Score: 1

    We just have to live with it.

    No, we don't. We can fight. We can't win but if we hurt them bad enough, maybe we can discourage future aggression.

    I blame Hollywood for the change in "hacker". Blame gays for the change of "gay".

    You can blame them for the first change in the word "gay" but to whom do we give credit for the continued evolution of the word after that? I don't know who did it, but it was an inspirational act of vengeance. I hope "hacker" can be similarly destroyed.. some day.

    If we do our sacred duty, "hacker" could mean any bad person, with no technological connotations. Join me, mcgrew. If we can't have it, nobody can. Let's kill the word, publicly and messily, as a deterrence to other wordthieves.

    Changing the meaning of "hacker" only affects us, but when they changed "gay" it affected hundreds of years of song and poetry

    If we don't act, the future will parody us: "First they came for the happy people, but I wasn't happy so I didn't speak up. Then they came for the nerds, but I wasn't a nerd so I didn't speak up." I don't want to be belittled as just another line in a lame joke comparing language evolution to genocide. Do you? Of course not! Don't let the joke's pattern continue to a third line. Make it end with, "But the nerds dealt bitter retribution, such that no one ever again dared to artificially evolve a word, and language was freed from tyranny!"

    Just think what this example could do for oppressed populations in the future. We may save millions of lives.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:Hacker must die by mcgrew · · Score: 1

      A couple hundred years ago a hacker was someone with few swordsman skills. Cab drivers and pulp fiction writers are still called "hacks". And smokers are usually hacking.

    2. Re:Hacker must die by Sloppy · · Score: 1

      One of the basic necessities for indignance and rage against usurpers, is never to admit that you're an usurper yourself. I choose to ignore your precious facts, mcgrew.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.