iPad Account Hacker Pleads Guilty
WrongSizeGlass writes "Daniel Spitler, a member of Goatse Security, pleaded guilty today to writing the code used to steal email addresses and personal information belonging to 120,000 Apple iPad subscribers from AT&T computer servers. Spitler, who surrendered to the authorities in January, pleaded guilty to one count of conspiracy to gain unauthorized access to computers connected to the Internet and one count of identity theft. Each charge carries a maximum sentence of five years in prison."
You've got to be shitting me.
In Liberty, Rene
Let the punishment fit the crime. Screw 1 million people, get screwed back 1 million times.
...if AT&T puts the data on the web without access controls of any kind.
https://freeweev.info
Be careful what GET requests you make, because apparently if they're "unauthorized," despite not being protected by any authentication or session and being happily returned by the server, you may still be a criminal.
Don't blame me, I voted for Baltar.
n/t
What is this, offensive lorem ipsum?
Non impediti ratione cogitationus.
It wasn't a stolen identity, it was ICC IDs and email addresses. This isn't identity theft by any means of the imagination.
AT&T should be ashamed of themselves for not being more careful with customer data.
If you hire an asshole to handle your security you will end up with your taste buds in the loop.
To never forget the Goatse itself may be a shitter of an organization but the people it targets may be even bigger shits.
What is this, offensive lorem ipsum?
What most people don't realize is that that oft-quoted document isn't pseudo-Latin nonsense; it's in the little-known 6th-century east-Istrian dialect, and is an excerpt from a tale of kiddie porn. So anyone who has it on their disk is in violation of some serious anti-porn laws wherever you live. And ignorance is no excuse. If you even download it by accident, you're guilty of a crime that even the /. crowd finds abhorrent.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
aka Down Low Swallower aka Scarf aka Bisexual Lifeform Assfucked Zealously Everyday aka Blaze
+5, Informative
When the original vulnerability in the site was disclosed, I was under the impression it was a White Hat hacker who found this. Was this the same person?
The text is derived from sections 1.10.32–3 of Cicero's De finibus bonorum et malorum (On the Boundaries of Goods and Evils, or alternatively [About] The Purposes of Good and Evil).[3]
Care to cite your source?
Also, I think you need to re-read the pornography laws for wherever you live as, unless you live in Canada or Australia, possession of fictional portrayals of illegal sexual crimes is not the same as having physical evidence that illegal sexual crimes have been committed. Because if what you assert is true, that having possession of fictionalized events of underage sex or pedophilia is a crime, then it sucks to own a copy of Bram Stoker's Dracula, or Homer's Iliad, or Vladimir Nabokov's Lolita, or Neal Stephenson's Snow Crash or heaven forbid any one of many Heinlein novels as they all describe fictional illegal sexual acts involving intercourse with underage minors or children and are almost all considered literary classics in their respective genres.
Have you ever heard of the expression 'Whoosh'?
I've been on slashdot long enough to be very afraid of clicking on any links in this post. I could live with Rick Roll security, but not this...
The security vulnerability was literally as simple as changing one number in a URL to a different one, at random. From user 2340823 to User 2347923 or whatever. When the door is wide open, you can't complain if people don't knock. It's not like he actually got into anyone's account; it's more like he just said "Hi, I'm user 2342323" and the computer said "Oh hi, John@fakeemail.com, what's your password?" and then he said "Nevermind." Nobody's account was logged in to, and nobody's personal information was accessed, aside from the information being leaked by AT&T in their sloppy login process.
Nobody should ever face jail time for something so trivial and stupid.
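Added example, not part of any comment in this thread: a server-side check that spots one client walking a numeric identifier space on an unauthenticated lookup, which is the access pattern the comment above describes. The `/lookup?id=` path, the log layout, the thresholds and all log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical log layout: client, [timestamp], "GET /lookup?id=N HTTP/1.x", status
LINE_RE = re.compile(r'^(\S+) \[[^\]]+\] "GET /lookup\?id=(\d+) HTTP/1\.[01]" (\d{3})$')

def ids_by_client(lines):
    """Map each client address to the set of distinct identifiers it asked for."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return seen

def find_enumerators(lines, min_ids=20, max_gap=5, min_share=0.8):
    """Return {client: distinct_id_count} for clients walking the ID space.

    A client is flagged when it requested at least min_ids distinct
    identifiers and at least min_share of the gaps between neighbouring
    identifiers (after sorting) are no larger than max_gap.
    """
    flagged = {}
    for client, ids in ids_by_client(lines).items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        close = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= max_gap)
        if close / (len(ordered) - 1) >= min_share:
            flagged[client] = len(ordered)
    return flagged

def constructed_log():
    """Constructed sample traffic (documentation addresses, made-up identifiers)."""
    ts = "[09/Jun/2010:10:00:00]"
    # One client requesting 40 consecutive identifiers.
    lines = [f'198.51.100.7 {ts} "GET /lookup?id={2340823 + i} HTTP/1.1" 200'
             for i in range(40)]
    # Ordinary subscribers: each asks only for its own identifier, repeatedly.
    for ip, own in (("203.0.113.5", 2341000), ("203.0.113.9", 2347923)):
        lines += [f'{ip} {ts} "GET /lookup?id={own} HTTP/1.1" 200'] * 3
    # A shared address: many distinct identifiers, but widely scattered.
    lines += [f'192.0.2.44 {ts} "GET /lookup?id={2000000 + i * 7919} HTTP/1.1" 200'
              for i in range(25)]
    return lines

if __name__ == "__main__":
    print(find_enumerators(constructed_log()))
```

A check like this only surfaces the walk after the responses have gone out; it does not replace an access control on the lookup itself.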
"Lorem ipsum dolor sit amet" is from Cicero, everything afterwards IS garbage.
Non impediti ratione cogitationus.
This is a grave injustice!
https://freeweev.info/#!/thecase
Mr Jeffrey Paul,
Thank you for your efforts on behalf of Andrew Auernheimer. I have
donated 4 BTC to his cause (it's what I had.)
I hope that everyone will see this case as important, not only for the
legal precedent it may set, but also because it shines a light on the
continuing importance of anonymity as a basic self-preservation mechanism.
How is any researcher such as Andrew otherwise supposed to protect
himself from abuses by a large corporation such as AT&T?
Anonymity, like gold and guns, is an important equalizer for the "little
guy" and it must be protected. Andrew would be safe from persecution
today if he had released his research anonymously.
-Fellow Traveler
The Case
In June, 2010, Andrew's ragtag band of researchers at Goatse Security
discovered that, due to cutting security corners, AT&T (NYSE:T) was
publicly divulging the email addresses of their subscribers using
Apple's (NASDAQ:AAPL) iPad 3G tablet computing device.
His team successfully downloaded over 100,000 subscriber email addresses
from AT&T's public website, including those belonging to Fortune 500
CEOs, members of the military, and federal government officials. After
realizing the vast potential impact this data could have in criminal
hands, he immediately alerted the media.
AT&T had taken no security measures whatsoever to protect their
customers' email addresses, serving them out on the public web to any
request made with a valid serial number of an iPad 3G's SIM chip. The
problem? These serial numbers are sequential integers - not passwords.
The U.S. Attorney prosecuting the case (Paul Fishman) has confirmed to
the media that there is no evidence that the addresses were disseminated
for criminal purposes.
Important Points
Subscriber data was placed on the public web by AT&T
No access controls were in place to protect the data
The information accessed: a list of subscriber email addresses
No criminal intent, as confirmed by the US Attorney
The media was immediately contacted to alert the public of the danger
Despite these important facts, the DOJ is currently seeking an
indictment from a grand jury for the following charges:
Conspiracy to commit unauthorized access to a computer system (18 USC 1030)
Fraud (18 USC 1030)
Aggravated identity theft (18 USC 1028A)
An indictment is expected in July 2011 - next month. His immediate legal
expenses are over $30,000 USD.
He urgently needs your help! Please donate now!
5 years in prison? Fuck those judges.
...as I read this as "iPad Account Holder Pleads Guilty".
I had visions of a fanboi in jail with his new friend "Bubba" who is not as interested in his Apple as he is in his cherry.
Gentoo Linux - another day, another USE flag.
goatse.cx is long dead, long live http://goatse.ragingfist.net
I think some people have found a way to cipher data (maybe just English or some simple coded information) into curse words and foods and are passing it through Slashdot. It would be a brilliant scheme. No need for direct contact between parties, just two dudes surfing a site's buried troll comments through Tor proxies.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Free Weev! Justice and American self-interest urge the same course of action: free Weev now, before it is too late! Once Skynet wakes up it will be able to stop the timetravelling GNAA agents who have been sent back to us to keep the LHC from discovering the Higgs boson. Then nothing will prevent the development of the zero-point superweapon and the extinction of all flesh.