Criminal Charges Filed Against AT&T iPad Attacker
Batblue writes "The US Department of Justice will file criminal charges against the alleged attackers who copied personal information from the AT&T network of approximately 120,000 iPad users, the US Attorney's Office, District of New Jersey announced Monday.
Daniel Spitler will be charged in US District Court in New Jersey with one count of conspiracy to access a computer without authorization and one count of fraud. Andrew Auernheimer will be charged with the same counts at the US Western District Court of Arkansas, which is in Fayetteville.
Auernheimer made headlines last June when he discovered that AT&T's website was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said that nobody from Auernheimer's hacking group contacted them about the flaw."
Uncle Sam and Ma Bell go wayyy back if you know what I mean. You don't sass the latter unless you are ready to deal with the former in a very bad mood.
They did switch from "Engaged" to "It's complicated" a while back; but that part didn't change...
AT&T illegally gives the DOJ your phone calls, emails, messages, and other personal information in an up-to-the-second interface, and when some kid notices a security flaw the same DOJ comes after him? The public that puts up with this deserves to be treated this way.
-- Prepared at the direction of, or to be sent to Legal Counsel, in anticipation of litigation. Attorney Client Pri
The site was exposing the information. There was no unauthorized access; writing a script to parse publicly available information is not hacking.
Anyone know what the fraud charges are?
AT&T has the fastest 4G network....trust us.
AT&T would NEVER compromise your data...trust us.
He who knows best knows how little he knows. - Thomas Jefferson
You're 100% right! He needed to scrape all the user information he could and go public with it! Your personal information wants to be FREE, and no corporation can stop its freedom.
I'm going to assume for the sake of argument that the facts will prove he broke the law. If they don't, the rest of this post doesn't apply to this case, but it is still interesting from an academic/hypothetical perspective:
It's hard to say what is "just" in a case like this.
Is it more just to officially sanction (in the form of a guilty verdict by a jury) his behavior even though it was done with good intentions, or is it more just to officially (in the form of a non-guilty verdict or a grand jury declining to indict even if the facts prove guilt) say that it's in society's best interest that this behavior be tolerated or even encouraged in this context?
Refusal to indict or refusal to convict in the presence of proven guilt is an important part of American jurisprudence. While such events should be very rare as prosecutors should never let cases get this far, no-bills and jury nullifications "in the interest of justice" are the people's last chance to say "the application of the law in this case is unjust -or- the law itself is unjust." Assuming the law or its application is not unconstitutional or otherwise illegal, once a jury convicts, the now-convicted-criminal is at the mercy of the Executive Branch for a pardon or commutation.
The sad part is neither the jury nor the grand jury will likely be allowed to see anything but the hard evidence and most or all of both groups will be too technically naive to make an informed decision as to whether it is more just to release this person or to indict and convict him.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The federal prosecutor disagrees. If you follow the link in TFA, you'll find:
So, they found a flaw, then hid their identity, and didn't contact AT&T directly, instead disclosing the flaw to a third party (who can be trusted because ...?), because they thought AT&T might react differently than how they wanted it to. This is ethical exactly how?
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
That's not the problem.
Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information.
THAT'S the problem. Had he done this, then only sent the data to AT&T rather than publicly releasing it, they likely would be thanking him rather than trying to send him to the pokey.
It's that pesky "went public with the information" part that screwed him up.
Living With a Nerd
From the article:
In a blog post earlier today, Auernheimer spelled out Goatse's case. "All data was gathered from a public webserver with no password, accessible by anyone on the Internet," he wrote. "There was no breach, intrusion, or penetration, by any means of the word."
How did he do anything illegal?
Something that's bothering me is that I can't seem to find any notion that AT&T fixed the flaw.
Now I'm willing to take their word that the guy didn't put forth much effort trying to contact them - but it seems like this court case has made it easier for them to brush the issue under the rug rather than fix.
Auernheimer made headlines last June when he discovered that AT&T's website was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said that nobody from Auernheimer's hacking group contacted it about the flaw.
That pretty much sums it up. I wonder if the EFF will get involved?
There is a war going on for your mind.
There is probably a legal precedent somewhere. Laptops have been around for long enough that someone whacked someone else on the head with a laptop.
Google is your friend.
Sapere aude!
IMHO, the problem is the desire to be famous NOW. Sign your leaks with strong encryption and leak them anonymously, and you will be safe.
You run a business. Your front door was open. Your office is open and it didn't say "private" or "employees only" on the door and there was no reason for me to think it was off-limits to the public. Printouts of your customer confidential data are on your desk in plain view.
I walk in and start taking pictures then share those pictures.
Did you do anything illegal?
I can probably beat a trespassing rap but I probably could not beat charges related to my copying and disseminating the information unless it was extremely clear what I was doing was in society's best interest.
Another example where justice demands no indictment:
You run a business. Your front door was open. Your office is open and it didn't say "private" or "employees only" on the door and there was no reason for me to think it was off-limits to the public. Printouts of records of your criminal or not-quite-criminal-but-shocking-to-the-conscience activity are lying around. Records of bribes or not-quite-bribes-but-clearly-influence-peddling payments to corrupt politicians.
I walk in and start taking pictures then share those pictures with a responsible news organization who then runs a story on them.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
... is doing the same thing over and over again and expecting a different result.
How many times on Slashdot have we seen the following scenario?
1) Hacker finds security hole.
2) Hacker uses security hole to login to system. He may or may not do questionable things there.
3) Hacker gets caught and there's proof he was on the system and he wasn't authorized to be there.
4) Hacker looks at a trial and possible jail time.
5) Hacker claims innocence, saying that he was "just trying to help get the problem fixed".
Really, if you haven't learned by now that logging into systems where you don't belong may get you into deep trouble, there is no hope for you.