Slashdot Mirror


FBI Investigating iPad E-Mail Leaks

CWmike writes "The Federal Bureau of Investigation has opened an investigation into the leak of an estimated 114,000 Apple iPad user e-mail addresses. Hackers belonging to a group called Goatse obtained the e-mail addresses after uncovering a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries. After writing an automated script to repeatedly query the site, they downloaded the addresses, and then handed them over to Gawker.com. Now the FBI is trying to figure out whether this was a crime. US law prohibits the unauthorized accessing of computers, but it is unclear whether the script that the Goatse group used violated the law, said Jennifer Granick, civil liberties director with the Electronic Frontier Foundation. 'The question is, when you do an automated test like this, [are you] getting any type of unauthorized access or not,' she said. If it turns out the data in question was not misused, it is unlikely that federal prosecutors will press charges, she added."

40 of 209 comments

  1. No relation by Anonymous Coward · · Score: 4, Funny

    "The FBI is aware of these possible computer intrusions and has opened an investigation into addressing the potential cyberthreat," said Lindsay Godwin

    Fucking Nazis.

    1. Re:No relation by penix1 · · Score: 2, Interesting

      US law prohibits the unauthorized accessing of computers, but it is unclear whether the script that the Goatse group used violated the law, said Jennifer Granick, civil liberties director with the Electronic Frontier Foundation. 'The question is, when you do an automated test like this, [are you] getting any type of unauthorized access or not,' she said. If it turns out the data in question was not misused, it is unlikely that federal prosecutors will press charges, she added.

      There is a problem with that line of logic. As I see it, IANAL and all, they got them on at least one violation of the law. That violation was the initial intrusion which they can't argue was a script. Also, since when is an intrusion with the intent to obtain information they should know they are not entitled to considered a "test"?

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    2. Re:No relation by aliquis · · Score: 3, Interesting

      Uhm..

      They aren't arguing that the script may not be unauthorized access because it was automatic and that only the first attempt would be illegal because they did it in person.

      They were rather arguing that visiting that page once and getting an e-mail address may be something you just happen to do, but writing a script which fetches lots of e-mail addresses would be abusing the system / doing something you shouldn't do.

      Personally I think "they should know they are not entitled to" is a very weak juridical term/claim/charge/whatever. I can't see how visiting a web page which returns data it's supposed to return (as in not tricking it with malign data) could be a crime. If you don't want people to access the web page, don't put it up for them to watch.

      And yeah, if anything I think AT&T would become the ones in the hot seat for making it possible and leaking the information in the first place.

    3. Re:No relation by vivian · · Score: 3, Interesting

      I don't entirely disagree with you, but I think at the end of the day, whether it could be considered cracking or not depends on the intent of the owners of the site.

      You could argue that the web pages were not ever intended to be accessed in the way that they were, because firstly the site's owner does not provide direct or indirect links to those pages, and secondly, the URLs used to get to the page are obviously being used as an extraordinarily weak form of security (i.e. through obscurity).

      Now that is just plain stupid on behalf of AT&T, but so is having your email password set to "12345", yet if someone accessed your email or other system you owned by going to the login screen and guessing your password, or writing a script to try obvious passwords, it would certainly be considered hacking - because that person has not been authorized to have access to that system.

      At the end of the day, it is the courts and possibly a jury that will determine whether this is considered a hack (in the system cracking sense). Since the goatse security guys obviously do not actually have a legitimate reason to access any of those pages of info, and they are using a script to do the accessing in a way that is a little similar to how password guessing programs work, I would say that this will eventually be considered a hack, by the court system.

      If the justice system can convict someone of murder even without an actual murder weapon, witness or definitive motive (not thinking of a particular case, but I am sure there are plenty), I am pretty sure it won't have too much trouble nailing these guys for hacking if it so wishes.

    4. Re:No relation by Spad · · Score: 4, Funny

      The rarely seen and difficult to pull off Reverse Godwin?

    5. Re:No relation by Goaway · · Score: 2, Insightful

      There were plenty of much more responsible ways to get that vulnerability fixed. That was clearly not the intent of the people involved, since they chose this course of action rather than a responsible one.

  2. sheesh by Izabael_DaJinn · · Score: 5, Funny

    I've always had problems with my ipads leaking

    --
    Careful What You Wish For....
    1. Re:sheesh by yincrash · · Score: 4, Funny

      something something fcc-mandated wings

    2. Re:sheesh by commodoresloat · · Score: 3, Funny

      Well given the name of the hacker group, one figures that with a hole that large no ipad will be big enough to prevent leakage

  3. Ha ha, I love the genius of the hackers' name by apparently · · Score: 5, Funny

    Hackers belonging to a group called Goatse obtained the e-mail addresses after uncovering a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries

    My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

    1. Re:Ha ha, I love the genius of the hackers' name by arkenian · · Score: 5, Funny

      My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

      I'm just trying to imagine what the first story to try to describe the origin of the name will say...

    2. Re:Ha ha, I love the genius of the hackers' name by DJRumpy · · Score: 4, Insightful

      I don't know if I would call them journalists:
      Title: Apple's Worst Security Breach
      "Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every other buyer of the cellular-enabled tablet—could be vulnerable to spam marketing and malicious hacking."

      This is squarely AT&T's fault, yet the first paragraph implies it was "Apple Worst Security Breach". I also like how they imply that a spammer getting your e-mail address is the be-all-end-all of hacking. Really? These folks have never seen spam before? How will they venture out onto the internet without feeling exposed and dirty? Oh wait. They get a new e-mail address. *sigh*

    3. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 5, Funny

      My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

      I'm just trying to imagine what the first story to try to describe the origin of the name will say...

      Like a giant gaping security flaw...

    4. Re:Ha ha, I love the genius of the hackers' name by Anonymous Coward · · Score: 4, Interesting

      If it was any other company I'd agree with you, however this is Apple, and the fact that they tightly control who sells their product and how, I would expect some kind of oversight. You think if Vodafone got a bunch of iPads and was selling them at $1 on a 5 year plan that apple wouldn't shit itself?
      They got themselves into their own self policed walled garden, now they have to deal with it. It was a security breach at a carrier inside the walled garden... deal with it.

      And yes, email addresses are valuable information. Sure, not as bad as SSNs, but would you post your email address on a billboard? Why do you think websites, companies, etc. keep their customer emails under lock and key? Because it's valuable information.

    5. Re:Ha ha, I love the genius of the hackers' name by aliquis · · Score: 2, Insightful

      I like how they seem to think it's amazing to get some of those e-mail addresses, I mean, come on, just look at it:
      http://cache.gawkerassets.com/assets/images/7/2010/06/500x_ileakinside3.jpg
      Do you think Les Hinton's e-mail address may be les.hinton@dowjones.com ?!

      Top secret!

    6. Re:Ha ha, I love the genius of the hackers' name by SoupIsGoodFood_42 · · Score: 2, Insightful

      You think if Vodafone got a bunch of iPads and was selling them at $1 on a 5 year plan that apple wouldn't shit itself?

      As long as Vodafone paid Apple what they agreed upon, I doubt Apple would care. Why would they?

      The security breach was with AT&T, because it was on their servers and only affected their customers.

    7. Re:Ha ha, I love the genius of the hackers' name by mwvdlee · · Score: 5, Funny

      There are black hat hackers, there are white hat hackers and now there are brown hat hackers.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  4. I applaud this hacker group by Nicky+G · · Score: 5, Funny

    No, not for revealing a potentially dangerous flaw in AT&T security. What-evs.

    I heard and read the word Goatse more today in the mainstream media than all points of my life added together, and I can only imagine how many lives were ruined by the ensuing Google searches! Hahahahahah!!!!!!!

    1. Re:I applaud this hacker group by inode_buddha · · Score: 5, Funny

      I've long fantasized about renting a billboard along the I-90 and putting www.goatse.cx on it. No image or anything, just the URL.

      --
      C|N>K
  5. Not you too, Slashdot by Kashell · · Score: 4, Informative

    These guys aren't hackers. They are security advisors. They are the good guys. I suppose the editors didn't bother, you know, clicking a few links?

    Here, I've done your homework. Was it that hard?

    http://security.goatse.fr/blog/

    >>
    "Anyways, there was no illegal activity or unauthorized access, this was not a shady backroom hookers and blow deal with Nick Denton as revenge for the iPhone raid (though that would be totally sweet), we did not sell your data to spammers (on the contrary, we destroyed it after Ryan used it; it had served its purpose to us) and we did not try to hack your iPads. Your iPads are safer now because of us."
    >>

    1. Re:Not you too, Slashdot by arkenian · · Score: 5, Insightful

      These guys aren't hackers. They are security advisors. They are the good guys. I suppose the editors didn't bother, you know, clicking a few links? Here, I've done your homework. Was it that hard?

      I'm sorry, but googling 'goatse' was not on the list of activities I had planned for the night. I mean, seriously? This said, you have my admiration for your fortitude and thanks for the sacrifices for the cause.

      Also, really, with a name like 'goatse' most people aren't going to automatically leap to the idea of it being a white-hat group.

    2. Re:Not you too, Slashdot by rolfwind · · Score: 4, Insightful

      Hacker is not a term that means you are the bad guy although it conjures the fear in the ignorant (i.e. the general public). It just meant someone who hacks.

      This was a hack.

      http://en.wikipedia.org/wiki/Hack_(technology)

    3. Re:Not you too, Slashdot by Wuhao · · Score: 2, Insightful

      I have to admit, I had to ignore years of experience with Internet forums to follow a link to "goatse.fr."

    4. Re:Not you too, Slashdot by blackraven14250 · · Score: 3, Informative

      It wasn't reconfigured or reprogrammed to change the function of the script on AT&T's website. The system was doing exactly what it was intended to do, give the iPad information as a number was given to the script. It gave the information to the wrong people, because the script was public, but that doesn't qualify. These guys didn't change anything on AT&T's side, just utilized tools that were already there.
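
The summary at the top of the page (an endpoint that hands back an e-mail address for whatever identifier it is sent) and the comment just above (the server did exactly what it was built to do, only for the wrong people) describe the same defect: a lookup with no authorization check, where the only thing an operator can still catch is the enumeration itself. As an added example, not code from this page, from AT&T or from Goatse Security, the Python below scans combined-format web access logs for clients that query one endpoint with many distinct identifier values inside a short window, and reports how many of those values were consecutive integers. The path /lookup, the parameter name id, the thresholds and the log lines themselves are assumptions constructed for the example.

```python
"""Detect identifier enumeration against a lookup endpoint from access logs.

Assumptions (not from the page): the endpoint is /lookup, the identifier
travels in the query parameter "id", and logs are in Apache combined format.
All sample log lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "status": int(m.group("status")),
    }


def detect_enumeration(lines, path="/lookup", param="id",
                       window=timedelta(seconds=60), threshold=10):
    """Flag clients that send >= `threshold` distinct `param` values to `path`
    within any sliding `window`. Also counts consecutive-integer steps between
    successive values, the signature of a scripted walk through an ID space."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, id) inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] != path or param not in ev["query"]:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["query"][param]))
        while q and ev["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        ids = [i for _, i in q]
        distinct = len(set(ids))
        if distinct < threshold:
            continue
        sequential = sum(1 for a, b in zip(ids, ids[1:])
                         if a.isdigit() and b.isdigit() and int(b) - int(a) == 1)
        current = alerts.get(ev["ip"])
        if current is None or distinct > current["distinct_ids"]:
            alerts[ev["ip"]] = {"distinct_ids": distinct,
                                "sequential_steps": sequential,
                                "first": q[0][0], "last": ev["ts"]}
    return alerts


def _line(ip, ts, ident, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] '
            f'"GET /lookup?id={ident} HTTP/1.1" 200 58 "-" "{ua}"')


def sample_log():
    """Constructed sample: one client looking up the same device twice two
    minutes apart, and one client walking 15 consecutive identifiers at one
    request per second. Lines are chronological per client, which is all the
    per-client sliding window needs."""
    base = datetime(2010, 6, 10, 14, 0, 0, tzinfo=timezone.utc)
    lines = [_line("203.0.113.7", base, "100000000000001234", "Mozilla/5.0"),
             _line("203.0.113.7", base + timedelta(minutes=2),
                   "100000000000001234", "Mozilla/5.0")]
    start = 100000000000005000  # constructed, not a real identifier
    for n in range(15):
        lines.append(_line("198.51.100.9", base + timedelta(seconds=n),
                           str(start + n), "Python-urllib/2.6"))
    return lines


if __name__ == "__main__":
    for ip, info in detect_enumeration(sample_log()).items():
        print(f"{ip}: {info['distinct_ids']} distinct ids, "
              f"{info['sequential_steps']} sequential steps, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
```

The detector keys on distinct identifier values per client rather than on raw request rate, so a single user refreshing their own record is never flagged, while a walk through the ID space trips the threshold within seconds. The User-Agent is deliberately ignored: it is attacker-controlled and tells the defender nothing reliable. In a real deployment the same logic belongs in front of the application (rate limiting per client and, above all, an authorization check tying the identifier to the authenticated account), with this log scan as the after-the-fact control.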

    5. Re:Not you too, Slashdot by Anonymous Coward · · Score: 2, Funny

      brown-hat maybe?

    6. Re:Not you too, Slashdot by DJRumpy · · Score: 2, Informative

      They may have discovered it, but they didn't report it to AT&T. From TFA:

      "The person or group who discovered this gap did not contact AT&T."

      Not that 'good' in my opinion.

    7. Re:Not you too, Slashdot by Fartypants · · Score: 3, Insightful

      These guys aren't hackers. They are security advisors. They are the good guys.

      So, if you were one of the people who had their personal email leaked, would you be thanking the good guys right now for doing it? It's sort of like if a security consultant pushed somebody through a broken railing to "demonstrate" the flaw in security. Couldn't they have just called AT&T and pointed it out? Or would that not have been rad enough?

    8. Re:Not you too, Slashdot by mcgrew · · Score: 2, Insightful

      Language evolves, whether we like it or not. I used to be a gay hacker until they changed the meaning of "gay" and "hacker", now I'm just a happy nerd.

      Changing the meaning of "hacker" only affects us, but when they changed "gay" it affected hundreds of years of song and poetry -- "Deck the Halls" for example. I have an MP3 I ripped from an old 78 with lyrics "gay as a New Year's party"; it has a completely different meaning today than it did in my dad's youth, because the meaning of the word has changed.

      We just have to live with it. I blame Hollywood for the change in "hacker". Blame gays for the change of "gay".

  6. ole by britneys+9th+husband · · Score: 4, Funny

    AT&T needs to fix this wide, gaping hole that has been stretched open on their website before more iPad email addresses are exposed.

    --
    Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
  7. assholes by xaoslaad · · Score: 5, Insightful

    This country is so egregiously fucked up it isn't funny. AT&T puts 114,000+ users info on the internet and that's OK. No investigation. Someone pulls it from their site and they get hunted down like a witch.

    FUCKED! UP!

    1. Re:assholes by $RANDOMLUSER · · Score: 2, Interesting

      I think "embarrassing the FBI's (corporate) domestic surveillance wing" is the crime being investigated here.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    2. Re:assholes by Simmeh · · Score: 2, Insightful

      Agreed, if this happened in Europe there could have been an investigation into the failure to protect the users' data. Instead, a group who made the flaw public is being investigated. Fact is, they might not have been the first to harvest this data, not that AT&T will ever admit otherwise.

  8. Why is this "news"? by manicbutt · · Score: 2, Insightful

    It's not a hack, it's only indirectly related to Apple (despite Gawker's attempts to paint it otherwise), and the government email addresses that were "exposed" are public anyway. It's not difficult for me to send email to Rahm Emanuel. Goatse's brute force script isn't that interesting (see http://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/) so why are we wasting so much time on this non-story?

  9. Downloading 114k users != white hat by Anonymous Coward · · Score: 3, Insightful

    A white hat would see the hole, download a few to verify, write a script as a proof of concept and verify that the script worked, and then report the hole to AT&T. Downloading over 100,000 email addresses and sending them to the press is NOT what responsible security researchers do.

  10. This isn't so simple by tpstigers · · Score: 3, Interesting

    What if some of those 114,000 iPad users live in Massachusetts? http://yro.slashdot.org/story/10/04/25/1745210/Mass-Data-Security-Law-Says-Thou-Shalt-Encrypt

  11. Someone is lying, who do you think it is? by KingSkippus · · Score: 4, Interesting

    They may have discovered it, but they didn't report it to AT&T.

    ...According to AT&T. Someone is lying. From TFA:

    Goatse Security notified AT&T of the breach and the security hole was closed.

    Then later in the article:

    AT&T sent us a statement...: "The person or group who discovered this gap did not contact AT&T."

    Personally, I think that AT&T is a sack of douchebags that doesn't know their ass from a hole in the ground, and when choosing who to believe between AT&T and just about anyone else, I'm inclined to believe anyone else. I'd bet dollars to doughnuts that someone did indeed notify AT&T, but now they're trying to cover their ass and make it sound like they somehow proactively found the hole themselves.

    1. Re:Someone is lying, who do you think it is? by OverlordQ · · Score: 5, Informative

      From their 'goatse security' homepage (before they edited it)

      g0udatron[gapp]: Perl/PHP/js/c/objc/c++ pirate. m68k/z80/mips/x86 asm. series 7, series 66, series 62, series 42 licensed Texas broker. Bane of EFnet #anxiety and co-founder of the CUSSE certification track.

      Hurm, what's this CUSSE?

      Certified Unethical Security Systems Expert

      Huuuuurm?

      CUSSE Principles
        * Keeping 0-Days Private
        * IRC
        * Taking down Whitehats
        * Poor Netiquitte
        * Hacking the Planet
        * Ruin
        * No Disclosure
        * Mayhem
        * Nobody is Safe
        * Info is Money
        * Destruction
        * Only Death Saves You
        * Conf

      Yup, they sound perfectly professional and believable.

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:Someone is lying, who do you think it is? by Krusty_Klown · · Score: 2, Informative

      The guy admitted in a cnet interview that he did NOT tell AT&T for fear of them coming after him. link

  12. Stay classy, Reuters by l00sr · · Score: 5, Funny

    Dare I say Reuters has figured it out, with this story image.

  13. Sensible l by Anonymous Coward · · Score: 2, Insightful

    THIS is a serious breach of privacy, and yet releasing the IPs of people accused of downloading a torrent is cool with the authorities, media, and seemingly everyone else? Do we really want to be turning to 4Chan for insight into how fucked our system is? http://i.imgur.com/LgjPH.jpg