Criminal Charges Filed Against AT&T iPad Attacker
Batblue writes "The US Department of Justice will file criminal charges against the alleged attackers who copied personal information from the AT&T network of approximately 120,000 iPad users, the US Attorney's Office, District of New Jersey announced Monday.
Daniel Spitler will be charged in US District Court in New Jersey with one count of conspiracy to access a computer without authorization and one count of fraud. Andrew Auernheimer will be charged with the same counts at the US Western District Court of Arkansas, which is in Fayetteville.
Auernheimer made headlines last June when he discovered that AT&T's website was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said that nobody from Auernheimer's hacking group contacted them about the flaw."
Uncle Sam and Ma Bell go wayyy back if you know what I mean. You don't sass the latter unless you are ready to deal with the former in a very bad mood.
They did switch from "Engaged" to "It's complicated" a while back; but that part didn't change...
AT&T illegally gives the DOJ your phone calls, emails, messages, and other personal information in an up-to-the-second interface, and when some kid notices a security flaw the same DOJ comes after him? The public that puts up with this deserves to be treated this way.
-- Prepared at the direction of, or to be sent to Legal Counsel, in anticipation of litigation. Attorney Client Pri
When you buy this product you sign an agreement. You should abide by it, or be ready to face the consequences.
The site was exposing the information. There was no unauthorized access, writing a script to parse publicly available information is not hacking.
Anyone know what the fraud charges are?
This isn't a matter for the courts. I say we gather all the Apple fanboys, give 'em Apple-branded pitchforks and let 'em loose. To give the guy a sporting chance, we hold the event in a large forest and he gets a 30-second head start.
AT&T has the fastest 4G network....trust us.
AT&T would NEVER compromise your data...trust us.
He who knows best knows how little he knows. - Thomas Jefferson
You're 100% right! He needed to scrape all the user information he could and go public with it! Your personal information wants to be FREE, and no corporation can stop its freedom.
I thought an iPad Attacker whacked someone else on the head with an iPad. It would be a hoot and a half in court:
Prosecution: "Your Honor, we charge the suspect with assault with a deadly weapon."
Defense: "Your Honor, iPads are not classified as deadly weapons."
There is probably a legal precedent somewhere. Laptops have been around long enough that someone has whacked someone else on the head with a laptop.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
I'm going to assume for the sake of argument that the facts will prove he broke the law. If they don't the rest of this post doesn't apply to this case but it is still interesting from an academic/hypothetical perspective:
It's hard to say what is "just" in a case like this.
Is it more just to officially sanction (in the form of a guilty verdict by a jury) his behavior even though it was done with good intentions, or is it more just to officially (in the form of a non-guilty verdict or a grand jury declining to indict even if the facts prove guilt) say that it's in society's best interest that this behavior be tolerated or even encouraged in this context?
Refusal to indict or refusal to convict in the presence of proven guilt is an important part of American jurisprudence. While such events should be very rare as prosecutors should never let cases get this far, no-bills and jury nullifications "in the interest of justice" are the people's last chance to say "the application of the law in this case is unjust -or- the law itself is unjust." Assuming the law or its application is not unconstitutional or otherwise illegal, once a jury convicts the now-convicted-criminal is at the mercy of the Executive Branch for a pardon or commutation.
The sad part is neither the jury nor the grand jury will likely be allowed to see anything but the hard evidence and most or all of both groups will be too technically naive to make an informed decision as to whether it is more just to release this person or to indict and convict him.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The federal prosecutor disagrees. If you follow the link in TFA, you'll find:
So, they found a flaw, then hid their identity, and didn't contact AT&T directly, instead disclosing the flaw to a third party (who can be trusted because ...?), because they thought AT&T might react differently than how they wanted it to. This is ethical exactly how?
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
So by Tiger's reasoning, I have the right to just take what I want then.
Perhaps I misread the story, but this "hacker" wrote a script to gather information that AT&T made public on their website, and HE is the one in trouble?
Weev doesn't do anything with good intentions, and this was no exception.
"If you see a man on a horse, he is likely an enemy. Kill the man and eat the horse."
It's more like:
I opened your safe and took pictures of what was inside.
Assuming the pictures were of mundane items that didn't reveal any secrets - such as a mundane picture of a bank vault with stacks of cash - then you can argue that no harm was done.
If the picture is a clearly readable copy of the Coca Cola recipe on the other hand, then releasing it may be harmful.
As to releasing "the picture" to a "responsible third-party escrow" as was done here, the ethics boil down to:
* Was there a good reason to believe that using an escrow served the public interest?
* Did you do your due diligence to make sure the escrow was an agency that would act in the public interest?
When it comes to security holes that vendors have an incentive to sit on, the answer to the first question is almost always yes. I don't know the specifics of this case so I can't answer the second.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
From the article:
In a blog post earlier today, Auernheimer spelled out Goatse's case. "All data was gathered from a public webserver with no password, accessible by anyone on the Internet," he wrote. "There was no breach, intrusion, or penetration, by any means of the word."
How did he do anything illegal?
Exactly! That was the argument I used when I was busted for showing my neighbor that he leaves his door unlocked by taking his TVs and computers.
Fucking judge said, "You could have just told him and if he kept doing it, then he would suffer the consequences of his stupidity."
... of course they did. They are a massive company in size, and any company that size who puts info on the Web knows that they must legally protect this data.
Since I don't have all the info in this I can only make assumptions based on what I read in the article.
* AT&T made an application on their web site that allows an individual to enter in key info and pull back specific user data.
* Individuals were surfing around AT&T's website.
* It was stated in one article that hackers "guessed" 114,000 iPad ICC-IDs.
* Defendant wrote a script to collect the email data associated with the iPad ICC-IDs.
* Some of the emails belong to High-Profile people in govt., military, FAA, News, and more.
* This only affects 3G users.
While I don't know all the technical facts of the case, it appears that the two being charged were not being all that above board in their method of obtaining info.
Regardless of their actions... Shame on AT&T, they know this information is sensitive. The iPad ICC-IDs should never have been made available via the Web in any form or fashion. Companies of this size know how much this information is worth. If I were one of the people exposed, I would first look to AT&T and question their lack of security. I would hold AT&T responsible for allowing such an easy breach of data.
But the reality is even more simplified. If you are going to be on the Web, and use your professional email address on a purchase of this type on a network, 3G or otherwise, you fall under the same situation as the rest of us. Anything that goes across the web is not Private and is always hackable.
Life takes interesting turns, but the most interest is when you're off the beaten path.
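The comment above describes the mechanism as a lookup page that takes an ICC-ID and returns the associated e-mail, harvested by scripting sequential guesses. From the operator's side, the check I would want in place is enumeration detection on the server logs: a single client walking through consecutive identifier values at machine speed is the signature of that harvest. The script below is an added example, not code from the page, from AT&T, or from Goatse Security; the endpoint path `/iccid_lookup`, the `iccid` query parameter, the client addresses and the log lines are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Common Log Format. The endpoint name, parameter name,
# addresses and ICC-ID values are made up for this example.
# 203.0.113.10 walks eight consecutive ICC-IDs in eight seconds (enumeration);
# 192.0.2.55 makes scattered lookups; 198.51.100.7 makes two.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2010:14:00:01 +0000] "GET /iccid_lookup?iccid=89014104211000000001 HTTP/1.1" 200 312
203.0.113.10 - - [05/Jun/2010:14:00:02 +0000] "GET /iccid_lookup?iccid=89014104211000000002 HTTP/1.1" 200 318
203.0.113.10 - - [05/Jun/2010:14:00:03 +0000] "GET /iccid_lookup?iccid=89014104211000000003 HTTP/1.1" 200 305
203.0.113.10 - - [05/Jun/2010:14:00:04 +0000] "GET /iccid_lookup?iccid=89014104211000000004 HTTP/1.1" 200 320
203.0.113.10 - - [05/Jun/2010:14:00:05 +0000] "GET /iccid_lookup?iccid=89014104211000000005 HTTP/1.1" 200 311
203.0.113.10 - - [05/Jun/2010:14:00:06 +0000] "GET /iccid_lookup?iccid=89014104211000000006 HTTP/1.1" 200 309
203.0.113.10 - - [05/Jun/2010:14:00:07 +0000] "GET /iccid_lookup?iccid=89014104211000000007 HTTP/1.1" 200 315
203.0.113.10 - - [05/Jun/2010:14:00:08 +0000] "GET /iccid_lookup?iccid=89014104211000000008 HTTP/1.1" 200 317
192.0.2.55 - - [05/Jun/2010:14:00:01 +0000] "GET /iccid_lookup?iccid=89014104211000000100 HTTP/1.1" 200 314
192.0.2.55 - - [05/Jun/2010:14:00:09 +0000] "GET /iccid_lookup?iccid=89014104211000000350 HTTP/1.1" 200 310
192.0.2.55 - - [05/Jun/2010:14:00:17 +0000] "GET /iccid_lookup?iccid=89014104211000000877 HTTP/1.1" 200 316
192.0.2.55 - - [05/Jun/2010:14:00:25 +0000] "GET /iccid_lookup?iccid=89014104211000001200 HTTP/1.1" 200 313
192.0.2.55 - - [05/Jun/2010:14:00:33 +0000] "GET /iccid_lookup?iccid=89014104211000001503 HTTP/1.1" 200 311
192.0.2.55 - - [05/Jun/2010:14:00:40 +0000] "GET /iccid_lookup?iccid=89014104211000002001 HTTP/1.1" 200 308
198.51.100.7 - - [05/Jun/2010:14:00:05 +0000] "GET /iccid_lookup?iccid=89014104211000004210 HTTP/1.1" 200 310
198.51.100.7 - - [05/Jun/2010:14:00:06 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line; return (ip, timestamp, iccid, status) for lookup
    requests that carry a numeric iccid parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group("path")).query)
    ids = params.get("iccid")
    if not ids or not ids[0].isdigit():
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(ids[0]), int(m.group("status"))


def find_enumerators(log_text, min_lookups=5, seq_ratio=0.8, window_sec=60):
    """Return {ip: details} for clients whose lookups look like ID enumeration:
    at least min_lookups distinct IDs, of which at least seq_ratio of the
    sorted neighbours differ by exactly 1, all inside window_sec."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        ids = sorted({r[2] for r in recs})
        if len(ids) < min_lookups:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential = sum(1 for s in steps if s == 1) / len(steps)
        times = sorted(r[1] for r in recs)
        span = (times[-1] - times[0]).total_seconds()
        if sequential >= seq_ratio and span <= window_sec:
            findings[ip] = {
                "lookups": len(ids),
                "sequential_ratio": sequential,
                "span_sec": span,
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {info['lookups']} IDs, "
              f"{info['sequential_ratio']:.0%} sequential in {info['span_sec']:.0f}s")
```

The ratio of consecutive neighbours is what separates a scripted walk from an ordinary user who looks up a handful of unrelated devices: the scattered client makes six lookups too, but none of its IDs are adjacent, so it is not reported. In practice this would run over a rolling window rather than a whole file, and the thresholds would be tuned to the endpoint's normal traffic; the more durable fix is not to key a lookup on a guessable identifier at all.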
If you read the actual complaint you see that an awful lot of the case is built around IRC logs given to them by a "confidential source." I think there is no question they did this hack, but most of the malicious intent is gleaned from these logs. That seems like some really shady evidence. How could they possibly confirm those logs?
On a website where copyright infringement is routinely defended as !stealing, are we really going to insist that copying 'confidential' information is comparable to theft?
AT&T has no 4G network, and for that matter, nobody has one. The 4G specs mandate 100 Mbps of bandwidth.
p.s. at 14-21 Mbps, theirs is definitely in the running for fastest HSPA+ or 3G+.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
Jury nullification is a double edged sword. While the pot smokers and computer hackers amongst us can imagine a world in which they'll never see a conviction based solely upon a jury's refusal to convict them in spite of clear definition of the law and no reasonable doubt, that same jury could find an innocent black man guilty of a crime against a white woman (think "To Kill a Mockingbird"), even though the evidence clearly shows that no crime was committed.... just because he's black. Of course, while the civil rights movement went a long way toward solving THAT particular problem (with perhaps some room for improvement yet), consider instead that you are the victim of a crime, and the jury decides to acquit the defendant because despite his breaking the law, they really think you deserved to be victimized. Hey... maybe you DID sleep with his girlfriend and he decided to beat your ass for it. There would be a LOT of people who would think his actions were perfectly justifiable. However, it's not a jury's job to decide that. If they feel sympathetic to the plight of the defendant, they can take that into consideration during the sentencing phase if they wish. They don't get to just not convict the guy because they think you deserved that beating. THAT would also be jury nullification. In that case, you probably wouldn't be quite as supportive of the concept.
Don't get me wrong, I understand the concept in theory, and I can even envision times when it might be well supported by everyone. How many times have you heard someone say "They might press charges, but no jury would ever convict him"... But understand, as powerful a weapon as that potentially can be, it's not something you'd want to dilute by corrupting jurors country-wide to disregard what they're instructed to do and instead just do whatever they want. The CSI effect is bad enough. Do you really want a jury to decide your fate based on whether they like you or not? Especially if you're innocent that could be a real concern. You would WANT them to pay close attention to the evidence and not get sidetracked by the empathic pleas of those who are trying to put you away. Face it, the jury is already ticked off that they have to be there. They can get the deliberations over with much quicker if they just decide you're guilty... because.. hey.. you look like a criminal.. or someone who might be... You had better hope that at least ONE of those jurors decides to actually pay attention to the law and the duty they've been entrusted with.
-Restil
Play with my webcams and lights here
MasterCard has agreed to work with the **AA. Does that wrong justify some punk exploiting a security hole and downloading credit card account information for several hundred thousand MasterCard customers?
Of course not.
This makes as much sense as being charged for theft because one day when you were out walking and you noticed a bunch of papers fluttering around, you picked up one and noticed it was a list of names and addresses, and you told others about it because you thought it was interesting/concerning that they were fluttering about for the world to see. It doesn't sound like they cracked any passwords or reverse engineered any programs. They simply noticed that the information was openly available on the web and told others about it. I hope the DOJ gets an earful from the judge for this and if it does go to court the jury laughs the prosecution out of the courtroom.
You run a business. Your front door was open. Your office is open and it didn't say "private" or "employees only" on the door and there was no reason for me to think it was off-limits to the public. Printouts of your customer confidential data are on your desk in plain view.
I walk in and start taking pictures then share those pictures.
Did you do anything illegal?
I can probably beat a trespassing rap but I probably could not beat charges related to my copying and disseminating the information unless it was extremely clear what I was doing was in society's best interest.
Another example where justice demands no indictment:
You run a business. Your front door was open. Your office is open and it didn't say "private" or "employees only" on the door and there was no reason for me to think it was off-limits to the public. Printouts of records of your criminal or not-quite-criminal-but-shocking-to-the-conscience activity are lying around. Records of bribes or not-quite-bribes-but-clearly-influence-peddling payments to corrupt politicians.
I walk in and start taking pictures then share those pictures with a responsible news organization who then runs a story on them.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
... is doing the same thing over and over again and expecting a different result.
How many times on Slashdot have we seen the following scenario?
1) Hacker finds security hole.
2) Hacker uses security hole to login to system. He may or may not do questionable things there.
3) Hacker gets caught and there's proof he was on the system and he wasn't authorized to be there.
4) Hacker looks at a trial and possible jail time.
5) Hacker claims innocence, saying that he was "just trying to help get the problem fixed".
Really, if you haven't learned by now that logging into systems where you don't belong may get you into deep trouble, there is no hope for you.
Monster lizard ravages east coast! Mayors in five New England cities have issued emergency requests for federal disaster relief as a result of a giant lizard that descended on the east coast last night! Officials say that this lizard, the worst since '78, has devastated transportation, disrupted communication, and left many hundreds homeless!
Granting that didn't contain anything sensitive. Rare to see a real name.
It did contain a wealth of usage data which their competitors wanted.
That was not hacking in any meaningful sense of the word. Program entered player# then sucked results into database.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Please don't link him.
bloody Computerworld "article" doesn't even cite Goatse Security
And I know we're talking about AT&T here, but here's a protip for corporate America: fix your problem, don't shoot the messenger.
By definition your first situation is not "Jury Nullification", I'm not sure if there is a good term for it besides "Racism". The second situation kind of qualifies but that is where the Judge is supposed to come in, preventing any evidence/opinion from coming into the courtroom that is irrelevant to the crime committed (Victim is a call girl/criminal/etc). And in both cases if the judge believes the jury is being swayed by something improper as a matter of law the judge can declare the defendant "not guilty". I realize it would not work if for example a black individual was victimized by a white individual and the jury found the white individual not guilty simply because his accuser was black (the judge can't exactly keep all parties' skin color under wraps). But in our system of law it is supposed to be better that 10 guilty individuals go free than 1 innocent person be imprisoned. Unfortunately I would bet that's exactly what we have today, I would guess at least 10% of the "criminals" currently in prison/jail are guilty of "victimless crimes" (drug use, call girls, public intoxication, "disorderly conduct", etc). I think it's unfortunate that our current judicial system is so hostile to Jury Nullification; for all the "beacon of hope for the free world" talk, we also have BY FAR the highest per capita incarceration rate of any country on the planet.
And when the US Gov raided AT&T for customer info, they had signed an agreement called "The Constitution".
They don't seem to be ready to face the consequences.
But shouldn't the public know that their data was vulnerable? How does the alleged attacker know that if he sent the info to AT&T they wouldn't have sat on it and then had him prosecuted in a more quiet sort of way so this info doesn't go public? Shouldn't AT&T and/or Apple be the ones being prosecuted and/or sued for leaving this information vulnerable?
"A claim for equality of material position can be met only by a government with totalitarian powers." Hayek
I didn't say I agreed with it, I just said that's the way it probably is.
Living With a Nerd
Why is the ipad data collector called an "attacker" ?
I had a friend on a jury not long ago and one of his fellow jurors said guilty in the initial vote. When asked why, she responded, because the cops arrested him. Don't think every juror understands the concept of logic. They are, more often than not, average people and the average person, at least where I live, is pretty dumb. It took hours of arguing that while the guy very well might have been guilty, witnesses' memory was too flaky by this time to really say what happened. The trial was over an assault, but since the trial took place almost a year after the incident, no two people could really agree on what happened that night. The only guy who was certain was a police officer who changed his testimony after being contradicted by other officers. If my friend hadn't been there, this guy would have been found guilty simply because most people don't have his stamina for arguing. It is truly epic, and has been since he was a kid. While I don't agree with him on many issues, I am in awe of what he can get people to do if they make the mistake of listening to him for too long. ;^)
If [the jury] feel sympathetic to the plight of the defendant, they can take that into consideration during the sentencing phase if they wish.
No, they cannot. You fail on two accounts:
1) Juries do not participate in sentencing for non-capital criminal cases, except in a handful of states (and even then they don't set the sentence). The Duke Law Journal had a nice article http://www.law.duke.edu/shell/cite.pl?52+Duke+L.+J.+951 arguing that historical accidents contributed to the switch from English jury sentencing to modern judge sentencing.
2) And judges lost the ability to express sympathy for the plight of the defendant as consideration during the sentencing phase when the legislatures began passing "mandatory minimum sentencing" laws designed to take away that sympathy.
but i DID submit a much better title for this story:
"Goatse Security Busted Wide Open"
http://slashdot.org/submission/1447640/Goatse-Security-Busted-Wide-Open
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
You consider someone who already contacted AT&T and never got a returned phone call or email a hacker because he thought the people should know their info is insecure... well then I guess most people could be considered hackers too... as I would want anyone in close proximity of my services to know if their services were ailing.
Two articles, this one and one referred to by the first, state "facts" that are in opposition.
The first states that the accused ran their tool June 5 to June 9th, and released on July 10th.
The second states that AT&T fixed the hole on June 8 and told affected users about the breach on June 9th.
I see reports that this information was on Gawker on the 9th, not the 10th.
I see reports from June 14 that AT&T sent messages claiming to have learned of the fault June 7th. This seems likely to have been because Auernheimer and Co. tipped them off through a third party, and waited for AT&T to close the hole. This also explains the claim "we never heard from (these people)", as well as the hole being closed before the news went public.
Goatsec has responded on their blog: http://security.goatse.fr/fbi-arrests-goatsec-members
Is it more just to officially sanction (in the form of a guilty verdict by a jury) his behavior even though it was done with good intentions...
I don't know how you prove your "good intentions" in court without taking the stand and exposing yourself to a withering, relentless, wholly unconstrained, examination of your character, history and behavior.
The prosecutor will take you apart, piece-by-piece, beginning with your taste for "Goatse."
Refusal to indict or refusal to convict in the presence of proven guilt is an important part of American jurisprudence.
The geek is the weirdo, the out-of-towner.
Who has pissed on someone else's turf.
No brass band.
No key to the city.
What awaits him is a stout oak and thirty feet of hemp. Because that is what "jury nullification" is really all about.