Hacker Pleads Guilty in AT&T iPad Breach




MacRumors
Jun 23, 2011, 02:27 PM
Daniel Spitler pleaded guilty (http://www.computerworld.com/s/article/9217889/AT_T_iPad_hacker_pleads_guilty) Thursday to two felony charges related to the publishing of 120,000 AT&T customers' email addresses on Gawker.com (http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed). One other member of hacking group "Goat-se Security", Andrew Auernheimer, was charged as well and is still in plea bargain negotiations. Spitler's plea agreement recommends a 12-18 month sentence.

According to reports and court filings, they wrote a script that guessed the ICC-ID numbers (used to identify the iPad's SIM card) and then queried AT&T's website until it returned an e-mail address. Spitler had been accused of co-authoring this software, called "iPad 3G Account Slurper."

The original breach (http://www.macrumors.com/2010/06/09/email-addresses-and-sim-identifiers-of-114000-atandt-ipad-3g-users-exposed/) occurred in June of last year. The hackers discovered a security hole on AT&T's website that allowed users to plug in a SIM card identifier called an ICC-ID, and receive back the email address connected to that SIM card.

More than 114,000 email addresses were disclosed including the personal email addresses of a number of high-profile political and business figures, though it appears no actual damage occurred beyond the exposure of the email addresses.

Article Link: Hacker Pleads Guilty in AT&T iPad Breach (http://www.macrumors.com/2011/06/23/hacker-pleads-guilty-in-att-ipad-breach/)
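
Seen from the server side, the pattern the article describes (a script guessing ICC-IDs and querying until an e-mail address comes back) appears in access logs as one client requesting many distinct identifiers, most of which miss. The detection sketch below is an added example, not taken from the article, the court filings or AT&T; the log format, the `/lookup?iccid=` path, the status codes and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Assumed (hypothetical) access-log shape: client IP, a request path carrying
# an "iccid" query parameter, and a status (200 = address returned, 404 = miss).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ICCID_RE = re.compile(r'[?&]iccid=(\d{19,20})(?:&|$)')


def flag_enumeration(lines, min_distinct=20, min_miss_ratio=0.5):
    """Return {ip: stats} for clients whose lookups look like identifier guessing.

    A device asking about its own SIM queries one identifier; guessing yields
    many distinct identifiers per client and a high share of misses.
    """
    seen = defaultdict(set)      # ip -> distinct ICC-IDs requested
    misses = defaultdict(int)    # ip -> lookups that returned no address
    total = defaultdict(int)     # ip -> all lookups
    for line in lines:
        m = LINE_RE.match(line)
        q = ICCID_RE.search(m.group("path")) if m else None
        if not q:
            continue             # unparseable line or not a lookup request
        ip = m.group("ip")
        total[ip] += 1
        seen[ip].add(q.group(1))
        if m.group("status") != "200":
            misses[ip] += 1
    flagged = {}
    for ip, ids in seen.items():
        ratio = misses[ip] / total[ip]
        if len(ids) >= min_distinct and ratio >= min_miss_ratio:
            flagged[ip] = {"distinct_ids": len(ids), "miss_ratio": round(ratio, 2)}
    return flagged


def sample_log():
    """Constructed sample: one ordinary client, one client walking identifiers."""
    fmt = '{ip} - - [09/Jun/2010:10:00:{s:02d} +0000] "GET /lookup?iccid={i} HTTP/1.1" {st}'
    lines = [fmt.format(ip="198.51.100.7", s=n, i="8901410000000000017", st=200)
             for n in range(3)]
    base = 8901410000000001000   # constructed value, not a real ICC-ID
    for n in range(40):
        status = 200 if n % 10 == 0 else 404   # most guesses miss
        lines.append(fmt.format(ip="203.0.113.9", s=n, i=base + n, st=status))
    return lines


if __name__ == "__main__":
    for ip, stats in flag_enumeration(sample_log()).items():
        print(ip, stats)
```

Counting distinct identifiers per client rather than raw request volume is what separates this from ordinary rate limiting: a slow script stays under a request-rate cap but still accumulates identifiers it has no reason to know.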



dethmaShine
Jun 23, 2011, 02:32 PM
Well, the punishment is due.

But let's first hear this: http://www.youtube.com/watch?v=nf7Q-163KyQ

supmango
Jun 23, 2011, 02:34 PM
Remind me again what AT&T got for this? Oh, that's right. A slap on the wrist.

unlinked
Jun 23, 2011, 02:39 PM
Remind me again what AT&T got for this? Oh, that's right. A slap on the wrist.

Did they even get a slap for this?

What did the guys plead guilty to anyway? It sounds like all they did was download info AT&T made available on their site. If AT&T had put all that info in a single txt file, would downloading it have been a crime?

johnalan
Jun 23, 2011, 02:39 PM
I bet he didn't think he'd spend time in prison when he did it.

NoExpectations
Jun 23, 2011, 02:43 PM
Remind me again what AT&T got for this? Oh, that's right. A slap on the wrist.

It's also easy to steal merchandise in a store, why would a store get punished when someone steals from them?

AT&T got more than a slap....bad PR is hard to recover from.

Hackers are criminals. They should realize that.

soco
Jun 23, 2011, 02:44 PM
AT&T got more than a slap....bad PR is hard to recover from.

This is so true. People forget this all too often.

ChazUK
Jun 23, 2011, 02:47 PM
It shows up on the main page... It's G-o-a- t-s-e

Thanks. :) I had a look at the original Gawker article in the end to see, brought back bad memories. :o

RawBert
Jun 23, 2011, 02:48 PM
I wonder how many job offers he's received because of this. :rolleyes:

iphoneblack
Jun 23, 2011, 02:58 PM
Not from ATT & apple for sure

gnasher729
Jun 23, 2011, 03:00 PM
I wonder how many job offers he's received because of this. :rolleyes:

Zero. Hacking doesn't exactly take a genius, and it shows lack of morals and in this case lack of good judgement. Getting caught makes it worse. Not exactly what recommends you to any employer.

Look at it like this: If I did something bad that costs a customer lots of money, my company will say "well, we couldn't expect that; he came well recommended, had no complaints about him for years; no idea why he suddenly sold your customer data to a competitor; not our fault". If a convicted hacker did the same thing, my company would be in deep trouble, because any jury would say that the damage is their fault for hiring a known criminal.

logandzwon
Jun 23, 2011, 03:01 PM
Releasing personal info was bad mojo. If they are being given time for that, maybe I can understand. For actually gathering the information and doing the "hack" I think at most they should get a small fine and community service hours.

supmango
Jun 23, 2011, 03:10 PM
It's also easy to steal merchandise in a store, why would a store get punished when someone steals from them?

AT&T got more than a slap....bad PR is hard to recover from.

Hackers are criminals. They should realize that.

A store that is holding YOUR merchandise for you would have some accountability if they allowed it to be stolen.

A better analogy is a museum that is holding a collection of valuable artifacts from some other museum or group of museums. Don't you think there would be some kind of retribution if the museum was robbed? Especially if the robbery was due to a flaw in the security of the museum.

Obviously the value of the merchandise (data) should be considered. But more than likely some rather important people had their email addresses exposed.

I agree the hackers should be punished, but that does not negate AT&T's responsibility.

waterskier2007
Jun 23, 2011, 03:19 PM
Am I the only one who could care less if my email was "leaked". Sure, what they did is wrong but I think people blow things out of proportion a lot...

burtonrider117
Jun 23, 2011, 03:21 PM
I can not believe that companies like at&t can get hacked by some guy sitting in their bedroom and they're not the ones standing trial! It's far from okay and irresponsible on their part.

mylios101
Jun 23, 2011, 03:50 PM
Writing a script to guess some numbers and querying AT&T's website is in no way hacking anything.

pmjoe
Jun 23, 2011, 03:54 PM
Both this article and the one linked saying they pled guilty left me totally confused as to what they actually did. It sounds like all they did was discover that if you went to a certain public URL on one of AT&T's servers and gave it a valid SIM number, it'd give an email address back that was associated with that SIM number. It wasn't even clear to me if the people who were charged did anything with the data, and it sounded to me like they may have reported the security hole.

Wow, really?!? You can get a maximum of 10 years for downloading data from a public web server? What was the charge??? Who decides which data makes it a criminal offense?

Rodimus Prime
Jun 23, 2011, 03:55 PM
Writing a script to guess some numbers and querying AT&T's website is in no way hacking anything.

No, but it shows AT&T's system had crap security and there is no denying that. It depends how it is done if you get a job offer.
One guy wrote a script to test something security-wise on Facebook and it turned out it spread like wildfire. Now Facebook offered him a job, but it took some pretty fancy work to exploit the flaw and even find it. On top of that, he made no attempt to even hide who he was when he did it. It just spread a lot farther than he planned on because at first it was just a test to see if it could be done.
He told Facebook exactly how he did it and what hole he found. They gave him a job, but that was more of a white hacker example.

orfeas0
Jun 23, 2011, 03:57 PM
It's also easy to steal merchandise in a store, why would a store get punished when someone steals from them?

AT&T got more than a slap....bad PR is hard to recover from.

Hackers are criminals. They should realize that.

Ok so someone hacked and got a bunch of e-mail addresses. Did he exploit/steal anyone? No. He even helped at&t by pointing out that security breach before someone else with worse intentions hacked it.
And you think that person should rot in jail for a year and more? Have you seen what a jail is like inside? It's not easy to go in there you know. And especially for someone who didn't commit such a big crime...

Radoo
Jun 23, 2011, 03:57 PM
Zero. Hacking doesn't exactly take a genius, and it shows lack of morals and in this case lack of good judgement. Getting caught makes it worse. Not exactly what recommends you to any employer.
And that is how hackers get a bad reputation... Maybe people should google more about hacker vs cracker.

Holoshed
Jun 23, 2011, 03:57 PM
Writing a script to guess some numbers and querying AT&T's website is in no way hacking anything.

Exactly! The general public has no idea what a script kiddie is vs a hacker and the media has branded hacker as someone who is "out to destroy all computers."

To be honest I really am not sure what of this was illegal except maybe posting the emails.

It's like a website that gives the current time when polled and someone writes a script to poll it every second.

If no password or security is offered it is not hacking. Through my web travels I find numerous examples of this, the worst is one of AT&T's competitors but anyhow...

Plutonius
Jun 23, 2011, 04:42 PM
Wow, really?!? You can get a maximum of 10 years for downloading data from a public web server? What was the charge??? Who decides which data makes it a criminal offense?

He pled guilty to two felony charges. Sounds pretty serious to me.

AppleDude
Jun 23, 2011, 05:43 PM
Well, the punishment is due.

I'm no anarchist but from my perspective, these folks did the world a huge favor. By exposing a security flaw without any malicious intentions, they have made us all a little safer from those who possess the same skills but use their powers for evil. So I tip my hat to them and would like to see the most lenient sentencing the law permits.

doctor-don
Jun 23, 2011, 05:49 PM
A hacker is a hacker is a hacker. :mad:

OFF WITH HIS HEAD.

doctor-don
Jun 23, 2011, 05:50 PM
Well, the punishment is due.

But let's first hear this: http://www.youtube.com/watch?v=nf7Q-163KyQ

Are you trying to crash computers? ;)

doctor-don
Jun 23, 2011, 05:54 PM
Am I the only one who could care less if my email was "leaked". Sure, what they did is wrong but I think people blow things out of proportion a lot...

Depends. How much more spam would YOU get?

doctor-don
Jun 23, 2011, 06:00 PM
Ok so someone hacked and got a bunch of e-mail addresses. Did he exploit/steal anyone? No. He even helped at&t by pointing out that security breach before someone else with worse intentions hacked it.
And you think that person should rot in jail for a year and more? Have you seen what a jail is like inside? It's not easy to go in there you know. And especially for someone who didn't commit such a big crime...

How many e-mail addresses / account did he get? 120,000

He could have stopped at ONE and reported the security hole to AT&T.

How much did he get from Gawker to publish the addresses?

winston1236
Jun 23, 2011, 06:02 PM
haha his "deal" was two felonies

tinman0
Jun 23, 2011, 06:42 PM
Ok so someone hacked and got a bunch of e-mail addresses. Did he exploit/steal anyone? No. He even helped at&t by pointing out that security breach before someone else with worse intentions hacked it.
And you think that person should rot in jail for a year and more? Have you seen what a jail is like inside? It's not easy to go in there you know. And especially for someone who didn't commit such a big crime...

He released the information, that's the difference.

j-traxx
Jun 24, 2011, 12:17 AM
Why sympathize with this doo doo head? If he wasn't a criminal he would have taken this to AT&T in the first place and not sell it to a techie tabloid. He wanted glory and now he has it. Gawker are a bunch of techdouches anyway.

Papajohn56
Jun 24, 2011, 04:35 AM
lol, weev's gonna get a prison sentence

djstile
Jun 24, 2011, 05:54 AM
He released the information, that's the difference.

Exactly. That's the problem, the hacker does (arguably) a "good" thing by exposing a security hole. Instead of being a Good Samaritan and doing something to help society in general, they post the information for the attention. Now Email addresses aren't NEARLY the same thing as credit card numbers or something, but the gov. should (and did) make a very tough stand against this sort of Cybercrime.

thecypher
Jun 24, 2011, 08:10 AM
I'm no anarchist but from my perspective, these folks did the world a huge favor. By exposing a security flaw without any malicious intentions, they have made us all a little safer from those who possess the same skills but use their powers for evil. So I tip my hat to them and would like to see the most lenient sentencing the law permits.

Sorry it doesn't work that way. Bottom line is they caused financial damage to a business. If their intention was not malicious and they were "only doing public service" as you think, they would have contacted AT&T and told them there is a flaw in their system. Which they didn't. Instead they chose to get name and fame (infamy in their case) and published hundreds of SIM IDs and email addresses on the Internet.

Agreed publishing email addresses seems benign. But the news article says there were several high profile personalities among that list and I am sure it affects them more than an average person. It is basically an invasion of privacy and I am glad they went after them and made an example out of them. People need to know they can't do crap like this because they don't have a life and nothing better to do and expect to get away with it.

This is no different than you or me breaking into a local convenience store just because they didn't lock their door before leaving for the night and publishing this information out causing them damage. Hey technically you and I didn't steal anything from the store. We just broke in and announced publicly that they don't lock their door at night which in turn made other crooks steal from the store and cause them financial damage. So are we responsible in any way? Hell yes!

phillipduran
Jun 24, 2011, 08:16 AM
Ok so someone hacked and got a bunch of e-mail addresses. Did he exploit/steal anyone? No. He even helped at&t by pointing out that security breach before someone else with worse intentions hacked it.
And you think that person should rot in jail for a year and more? Have you seen what a jail is like inside? It's not easy to go in there you know. And especially for someone who didn't commit such a big crime...

Agreed, this jail time is nuts.

Doesn't AT&T put my name, my phone number and my address in a big book and drop it off at EVERYONE'S doorstep in my city every single year?

What in the world is criminal about posting email addresses? Don't most people put their email addresses on their business cards and hand them out to people?

The fault lies with AT&T who put a web interface that takes sim numbers and kicks back email addresses.

This is like them posting the email list on the front door of their business and then you getting 18 months in jail for taking a picture of it.

blueroom
Jun 24, 2011, 08:28 AM
I bet he didn't think he'd spend time in prison when he did it.

"Hope you like prison food... and penis."
from the movie "The Other Guys"

Furrybeagle
Jun 24, 2011, 01:16 PM
Bottom line is they caused financial damage to a business.

So AT&T screws up and other people are responsible for their financial loss? So, can Microsoft sue Apple for taking advantage of a botched Vista release? Businesses are not more important than people.

Agreed publishing email addresses seems benign. But the news article says there were several high profile personalities among that list and I am sure it affects them more than an average person.

Oh, so you're saying if the email addresses belonged to a bunch of poor people, it wouldn't matter? Nice.

It is basically an invasion of privacy and I am glad they went after them and made an example out of them. People need to know they can't do crap like this because they don't have a life and nothing better to do and expect to get away with it.

And you see absolutely no reason to hold AT&T even partially accountable?

This is no different than you or me breaking into a local convenience store just because they didn't lock their door before leaving for the night and publishing this information out causing them damage. Hey technically you and I didn't steal anything from the store. We just broke in and announced publicly that they don't lock their door at night which in turn made other crooks steal from the store and cause them financial damage. So are we responsible in any way? Hell yes!

Is that really breaking in? It's illegal to open an unlocked door now?

Here's a more apt comparison: this is like walking into the lobby of AT&T, seeing that someone dropped a stack of papers in the corner, and publishing them on the Internet.

Should they still be held accountable for releasing the information instead of notifying AT&T? Probably. But screaming hackers and throwing them in prison for a year (to ten years) is the wrong way to go about this.

NewtonsApple
Jun 25, 2011, 07:00 AM
He should get the death penalty for making apple and at&t look bad.

TheNerdyNurse
Jun 26, 2011, 05:26 PM
Seems like AT&T should be faced with the bigger punishment, since they are the ones that are not protecting their customers.

RawBert
Jun 28, 2011, 02:34 PM
Zero. Hacking doesn't exactly take a genius, and it shows lack of morals and in this case lack of good judgement. Getting caught makes it worse. Not exactly what recommends you to any employer.


Apparently, hackers are still getting hired by big companies.

June 28, 2011
CBS Link: Facebook hires hacker George "Geohot" Hotz (http://www.cbsnews.com/8301-501465_162-20075058-501465.html)

George "Geohot" Hotz, famous for iPhone hacking skills and reverse-engineering Sony's PlayStation 3, is officially working at Facebook, CNET reports.