iPad Account Hacker Pleads Guilty
WrongSizeGlass writes "Daniel Spitler, a member of Goatse Security, pleaded guilty today to writing the code used to steal email addresses and personal information belonging to 120,000 Apple iPad subscribers from AT&T computer servers. Spitler, who surrendered to the authorities in January, pleaded guilty to one count of conspiracy to gain unauthorized access to computers connected to the Internet and one count of identity theft. Each charge carries a maximum sentence of five years in prison."
You've got to be shitting me.
In Liberty, Rene
Be careful what GET requests you make, because apparently if they're "unauthorized," despite not being protected by any authentication or session and being happily returned by the server, you may still be a criminal.
Don't blame me, I voted for Baltar.
What is this, offensive lorem ipsum?
Non impediti ratione cogitationus.
If you hire an asshole to handle your security you will end up with your taste buds in the loop.
To never forget the Goatse itself may be a shitter of an organization but the people it targets may be even bigger shits.
If I leave my front door open and someone comes in and takes my TV it's stealing.
True, but that's not a very good parallel in this case. Putting something online in a web directory is generally considered to mean that you're making it available to the public.
A better parallel might be if, the evening before your local garbage pickup, you put your TV out on your sidewalk or driveway, next to the street. Anyone would take this to mean "Take it; it's free". People routinely stop and drive off with such things, assuming that they're probably broken, but they plan to take them apart for the components. Most people would be surprised to hear that someone doing this had been arrested and charged with theft.
Another possible parallel is the way that, in a lot of countries, unknowingly taking a photo that includes military or police equipment or buildings can be illegal. This has been attempted in the US, too, but the courts have generally held that, unless there was a clearly visible sign warning people away, taking such pictures is legal. You can't reasonably expect people to know what all the nondescript buildings in a scene are, after all.
There are quite a lot of other parallels that involve accessing things that are in a setting that's normally "public". I'm sure that others can list more such scenarios. And any "reasonable" requirement should at least say that accessing a random file that's being handed out by a web server is reasonable and legal. If it's not, there's an obvious counter-charge of "entrapment", which is all too easy for those in a position of authority to do to innocent bypassers.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
They were hardly just laying around.
Specially written queries. Oh well then, that's that.
There's no way that would mean a URL with a sequential numeric ID in it.
The text is derived from sections 1.10.32–3 of Cicero's De finibus bonorum et malorum (On the Boundaries of Goods and Evils, or alternatively [About] The Purposes of Good and Evil).
Care to cite your source?
Also, I think you need to re-read the pornography laws for wherever you live as, unless you live in Canada or Australia, possession of fictional portrayals of illegal sexual crimes is not the same as having physical evidence that illegal sexual crimes have been committed. Because if what you assert is true, that having possession of fictionalized events of underage sex or pedophilia is a crime, then it sucks to own a copy of Bram Stoker's Dracula, or Homer's Iliad, or Vladimir Nabokov's Lolita, or Neal Stephenson's Snow Crash or heaven forbid any one of many Heinlein novels, as they all describe fictional illegal sexual acts involving intercourse with underage minors or children and are almost all considered literary classics in their respective genres.
I've been on slashdot long enough to be very afraid of clicking on any links in this post. I could live with Rick Roll security, but not this...
True, but that's not a very good parallel in this case. Putting something online in a web directory is generally considered to mean that you're making it available to the public.
I think it's quite obvious that AT&T didn't intend to make the data publicly available any more than a homeowner means to make the contents of their home publicly accessible simply by leaving the door unlocked.
And these "hackers" were quite aware of this, otherwise they wouldn't have siphoned off the email addresses and made a big fuss about it. Acting like this is somehow assumed to be public info is a farce.
Specially written queries. Oh well then, that's that.
There's no way that would mean a URL with a sequential numeric ID in it.
That's exactly what it means. Why are you acting as though that's pertinent to the issue of whether the data is meant to be publicly accessed?
The security vulnerability was literally as simple as changing one number in a URL to a different one, at random. From user 2340823 to user 2347923 or whatever. When the door is wide open, you can't complain if people don't knock. It's not like he actually got into anyone's account; it's more like he just said "Hi, I'm user 2342323" and the computer said "Oh hi, John@fakeemail.com, what's your password?" and then he said "Never mind." Nobody's account was logged in to, and nobody's personal information was accessed, aside from the information being leaked by AT&T in their sloppy login process.
Nobody should ever face jail time for something so trivial and stupid.
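Added example, not part of any comment in this thread and not AT&T's code: a toy version of the lookup pattern the comment above describes, where the identifier in the request alone selects the record, next to a version that checks the requesting session owns that identifier, plus a small detector for the "walk the ID space" pattern. All subscriber data, ICCIDs and client addresses are constructed.

```python
"""Constructed example of an insecure direct object reference (IDOR) on a
pre-fill endpoint, its hardened form, and detection of ID enumeration."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample data: ICCID -> subscriber e-mail. None of these are real.
SUBSCRIBERS: Dict[str, str] = {
    "89014100000000000001": "alice@example.invalid",
    "89014100000000000002": "bob@example.invalid",
    "89014100000000000003": "carol@example.invalid",
}


def prefill_email_vulnerable(iccid: str) -> Optional[str]:
    """The flaw as described in the thread: whoever supplies an ICCID gets the
    matching e-mail back. Nothing ties the request to a logged-in subscriber,
    so changing the number in the request returns someone else's record."""
    return SUBSCRIBERS.get(iccid)


@dataclass(frozen=True)
class Session:
    """Server-side session created by a real login. The set of ICCIDs the
    subscriber owns comes from the server's own records, never from the client."""
    subscriber_email: str
    iccids: frozenset


def prefill_email_hardened(session: Optional[Session], iccid: str) -> Optional[str]:
    """Authorize before returning data: the caller must be authenticated and the
    requested ICCID must belong to that caller. Both failure cases return the
    same None so the endpoint does not confirm which ICCIDs exist."""
    if session is None or iccid not in session.iccids:
        return None
    return SUBSCRIBERS.get(iccid)


@dataclass
class EnumerationDetector:
    """Flags a client that asks for many distinct identifiers, the signature of
    an ID walk. Thresholds are illustrative; a real deployment would also look
    at the miss rate and the request rate per window."""
    threshold: int = 20
    seen: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))

    def observe(self, client_ip: str, iccid: str) -> bool:
        """Record one request; return True once this client crosses the threshold."""
        self.seen[client_ip].add(iccid)
        return len(self.seen[client_ip]) >= self.threshold


if __name__ == "__main__":
    alice = Session("alice@example.invalid", frozenset({"89014100000000000001"}))
    print("vulnerable:", prefill_email_vulnerable("89014100000000000002"))
    print("hardened, own ICCID:", prefill_email_hardened(alice, "89014100000000000001"))
    print("hardened, other ICCID:", prefill_email_hardened(alice, "89014100000000000002"))
```

The hardened function moves the decision from "does this record exist?" to "is this caller allowed to see this record?", which is the check that was missing in the scenario the thread discusses; the detector is the server-side counterpart, since an endpoint that is correctly authorized still benefits from noticing a client probing thousands of identifiers.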
"Lorem ipsum dolor sit amet" is from Cicero, everything afterwards IS garbage.
Non impediti ratione cogitationus.
Problems I see here...
ICCIDs as sequential numbers - Untrue. 89nnnnnnnnnnnnnnnnn1 may be a valid ICCID; if it is, 89nnnnnnnnnnnnnnnnn2 will not be (where n are digits). There may be a pattern utilised, but n+1 is not a reliable method for a given known ICCID.
He immediately alerted the media - Not the company? Sure, the public might have need or right to know, and though his intentions were more or less good, giving up details of an exploit without giving the (in this case) company a good-faith chance to fix what went wrong--thus giving the black-hat types a window to do what they will, with probably more nefarious intent--is in NO way responsible behaviour.
There was no evidence that the addresses were disseminated - gives guy some leeway on the ID theft and probably fraud charges. Conspiracy to commit unauthorized access charge, though? Pretty much indefensible, and probably a non-issue if he'd made a good-faith effort to bring this directly to AT&T's attention and/or if it hadn't been used to the extent of 100k+ addresses.
That said, AT&T isn't in the clear here. Further efforts could have been made on their part to secure this information, though an email address doesn't mean or lead to much except for those a) in the spam business or b) with more nefarious purposes and the appropriate tools at hand, ready to use. Is a stiff sentence fair here? I don't believe so, but nor is acquittal.
I don't post AC. I like my -1, Flamebaits. Trump/Sheen 2012 on the Batshit Insane ticket!
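Added example, not part of the comment above: a Luhn check-digit validator that tests the claim that incrementing a valid ICCID does not give another valid one. ICCIDs carry a Luhn check digit as their last digit, so at most about one in ten consecutive integers passes. The sample ICCID is constructed and assigned to nobody.

```python
"""Constructed example: Luhn (mod-10) validation of ICCID-style numbers."""


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: starting from the rightmost digit, double every
    second digit (subtracting 9 if the result exceeds 9), sum everything, and
    require the total to be a multiple of 10."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def neighbors_valid(iccid: str, count: int) -> int:
    """How many of the next `count` integers after `iccid` are Luhn-valid.
    Width is preserved so leading digits are not lost."""
    base = int(iccid)
    width = len(iccid)
    return sum(1 for k in range(1, count + 1) if luhn_valid(str(base + k).zfill(width)))


if __name__ == "__main__":
    # Constructed 20-digit ICCID whose check digit (4) was computed by hand.
    sample = "89014100000000000004"
    print(sample, "valid:", luhn_valid(sample))
    print("sample + 1 valid:", luhn_valid("89014100000000000005"))
    print("valid among next 9:", neighbors_valid(sample, 9))
```

The immediate successor fails the check, which is the commenter's point; the function also shows that a valid value does recur within every ten or so, so the check digit filters naive guesses rather than preventing them, and is no substitute for the authorization check on the endpoint itself.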
It's your fucking server. If you don't want it to send certain data, password it!
Besides, it wasn't even random.
Why are you acting like the webmaster's intent, which I'd have to be psychic to know, has any relevance whatsoever? If their server sends it, you're authorized to have it. Otherwise, it wouldn't have sent the data to you. Get it?
Passwords. They are what you use for private data. Accept no less.
5 years in prison? Fuck those judges.
...as I read this as "iPad Account Holder Pleads Guilty".
I had visions of a fanboi in jail with his new friend "Bubba" who is not as interested in his Apple as he is in his cherry.
Gentoo Linux - another day, another USE flag.
He immediately alerted the media - Not the company? Sure, the public might have need or right to know, and though his intentions were more or less good, giving up details of an exploit without giving the (in this case) company a good-faith chance to fix what went wrong--thus giving the black-hat types a window to do what they will, with probably more nefarious intent--is in NO way responsible behaviour.
Fair enough. Out of courtesy one should inform the "victim"; but he's not obligated. Not ethical and also not illegal.
There was no evidence that the addresses were disseminated - gives guy some leeway on the ID theft and probably fraud charges. Conspiracy to commit unauthorized access charge, though? Pretty much indefensible, and probably a non-issue if he'd made a good-faith effort to bring this directly to AT&T's attention and/or if it hadn't been used to the extent of 100k+ addresses.
Agree 100%. This is where he/they stepped over the line; you grab 10, or even 100 addresses and you've proved your point. +100k? The only argument is if they were incompetent and just didn't know the scope of what they were going to retrieve with an automated script.
100 e-mails, okay so you turned the handle and you opened the front door. You saw that they get Victoria Secret because the magazine was sitting in the front hall. 100k+ e-mails, you stepped into the foyer or even took a few steps down the hall and looked around.
I would equate this with trespassing. Not breaking and entering. I think the attorney needs to prove that they were planning to (or did) use the information collected for nefarious actions. For the above analogy, you opened the door, you walked down the hall ... and did you call your buddy to drive up with a van so you can load up the plasma TV from the living room, or did you start unplugging it already?
Wearing pants should always be optional.
goatse.cx is long dead, long live http://goatse.ragingfist.net
I think some people have found a way to cipher data (maybe just English or some simple coded information) into curse words and foods and are passing it through Slashdot. It would be a brilliant scheme. No need for direct contact between parties, just two dudes surfing a site's buried troll comments through Tor proxies.
"When information is power, privacy is freedom" - Jah-Wren Ryel
They made a big fuss about it because those email addresses should not have been broadcast to anyone who asked for them. An unlocked door is not a valid analogy unless it also had a big sign that read "200 OK; Come on in!".
They made a big fuss because they knew what they were doing was not supposed to be allowed. This is *exactly* like entering an unlocked door and walking out with things that aren't yours.
Then they went public with "see! look what we found!" thinking that would protect them and make the initial crime ok somehow. It didn't.
This wasn't simply some web page where you inadvertently found email addresses. You had to deliberately craft a request that otherwise wouldn't happen, and was obviously not meant to be randomly accessed by anyone other than the intended party.
Why are you acting like the webmaster's intent, which I'd have to be psychic to know, has any relevance whatsoever?
Um... You don't have to be psychic to assume the webmaster didn't intend anyone to be able to pull up anyone else's email address.
If their server sends it, you're authorized to have it.
Bullshit. That's *EXACTLY* like saying "if a door is unlocked, you're authorized to enter it".
Otherwise, it wouldn't have sent the data to you.
You don't have a right to everything you can receive. If I leave my car unlocked, with the keys in the ignition, do you think you have the right to drive it? Absolutely not.
Get it?
Passwords. They are what you use for private data. Accept no less.
Passwords are like locks. They are meant to enforce an already existing policy. Passwords are there to keep both accidental and deliberate trespassers out. The lack of a lock does not imply permission.
If your phone has bluetooth turned on, does that mean anyone in range has the *right* and your *permission* to copy the contents of your phone for their own use? Do you think that if you set something down, and I can pick it up without resistance, that it's perfectly right for someone else to take it? Do you not realize how fundamentally *insane* this whole idea is?
You don't have to be psychic to assume the webmaster didn't intend anyone to be able to pull up anyone else's email address.
Why? They put it up on a public webserver without a password. That's how you share documents.
If their server sends it, you're authorized to have it.
Bullshit. That's *EXACTLY* like saying "if a door is unlocked, you're authorized to enter it".
It's nothing like that. One is a door, any door, all doors, and the other is a publicly accessible webserver. Why not mangle a car analogy next?
You don't have a right to everything you can receive. If I leave my car unlocked, with the keys in the ignition, do you think you have the right to drive it? Absolutely not.
Oh, argh!
Listen. Webservers exist to share files. If they don't want to share the file they can simply return an error message and send you on your way.
Passwords are like locks. They are meant to enforce an already existing policy. Passwords are there to keep both accidental and deliberate trespassers out. The lack of a lock does not imply permission.
That's because in the physical world there are physical signs, both metaphorical like the door being on a private house, and literally like "Staff Only".
But webservers have defined standards. Ones they must follow to be able to parse requests and serve pages. Online you just fetch blindly and the server simply refuses to send you passworded material. That's how you check if something is private, ask for it.
And, if it's given to you, by web standards, that means you're allowed to have it.
If your phone has bluetooth turned on, does that mean anyone in range has the *right* and your *permission* to copy the contents of your phone for their own use?
It gives me permission to send whatever signals I want. If your phone chooses to send me its contents that's your issue with it, not me.
Do you not realize how fundamentally *insane* this whole idea is?
That you get to waltz in years later, use tech you don't understand, developed by a culture you don't understand, and have it perfectly conform to your norms? Yeah, that is insane.