The fact that Gawker was the only outside party to receive the info does not make me feel better. Clearly, they aren't terribly ethical and it wouldn't surprise me to see my email filled with spam as a result of this because they sold the addresses.

I would think a list of early adopters would be a valuable database to sell.
 
I'd like the FBI to look more at AT&T for not protecting their customers' private data, but whatever. I'm not sure how well the hacking argument of "we just accessed a public website" will hold up.
 
Good! I really hope they throw the book at AT&T's dismal security policies.

Read again and now focus on this part of the article.

"Any investigation into the incident is likely to look at two factors: how the information was obtained and what was done with it."

This investigation is less about AT&T & Apple and more about "WHY" the group that exploited the hole in AT&T's website obtained the information and did not turn it over immediately to AT&T.

Now the legal means of doing this can be considered a Felony just like stealing WiFi or other information and also could be considered a malicious act, more so due to Federal employees' information "Email Etc" being Obtained.


Looks like "Gwaker, Valleywag, Gizmodo" are again involved in some Shady dealings.

The "Valleywag aka:Gwaker,Gizmodo" published this as Apple's Breach in security not that a team exploited the hole at AT&T's site and gave the information directly to Valleywag, Gwaker, Gizmodo.
Again another misleading story just for more page hits from the fools at Gwaker.

Bunch of Idiots have now got the Attention of the FBI, if you don't think this makes them look worse than what they already did including the Group that performed the Data Mining, This is going to get worse..

How much did Gwaker pay for this Exclusive. "Inquiring Minds would Like to know" GWAK GWAK.. :)

I am sure we will hear more of this to come in the next few days, all the "DIRTBAGS" run to Gwaker Gizmodo Valleywag.
 
So does this mean it's not entirely Apple's fault? I imagine with this and the new data plans that Apple is pretty pissed off at AT&T right now...

How would it be Apple's fault at all? It's AT&T's system that houses the information. This is why it would be great (just dreaming here) if Apple would build their own infrastructure as far as communications. I betcha it would run smooth as silk and prices would be fair. Oh, no that would mean every one would rely mostly on Apple for things. They have music locked down, books and mags in a couple years . . Guess that's what happens when you run an honest establishment that is mostly out for the consumer instead of being greedy. ;)
 
Idiots? They have a valid point, they didn't bypass anything to get the information, I don't even know if you can call it hacking- they just wrote a random number generator.

The fact that they went public with the fact that they did it instead of selling the information tells me that I DON'T want these guys in trouble. They did us a favor by catching the problem.

Yes, because when you see an unlocked door, your first response should always be to go in and take stuff, then see if the owner catches on before giving the stuff to...a third party. Nice. :rolleyes:
 
The fact that they went public with the fact that they did it instead of selling the information tells me that I DON'T want these guys in trouble. They did us a favor by catching the problem.

Or... they could've simply contacted AT&T and told them about it. Did they? Or did they unnecessarily download thousands of extra names just to make the news?

---

From what I've read, an ATT programmer (or possibly their manager) somewhere thought it might be a nice idea to prefill the user email address from the registered device id.

In other words, they were simply trying to be helpful to novice iPad users.

The idea backfired because hackers easily discovered that they could generate random ids and get names filled in. If ATT security had been told about it, the code could've (and probably would've) been quickly changed without downloading all those names.
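
[Added example, not part of any post in this thread: one way a site operator could spot the pattern described above, where a single client submits many different device ids and gets a mix of filled-in and empty answers. The log format, ids, addresses and thresholds are constructed for illustration and are not AT&T's.]

```python
from collections import defaultdict

# Constructed sample log (hypothetical format): client address, device id, outcome.
# "hit" means the lookup returned a prefilled email, "miss" means it did not.
SAMPLE_LOG = """\
198.51.100.10 id=DEV-0011 hit
198.51.100.10 id=DEV-0011 hit
198.51.100.22 id=DEV-0029 hit
203.0.113.7 id=DEV-0103 miss
203.0.113.7 id=DEV-0111 hit
203.0.113.7 id=DEV-0129 miss
203.0.113.7 id=DEV-0137 miss
203.0.113.7 id=DEV-0145 hit
203.0.113.7 id=DEV-0152 miss
"""


def parse(line):
    """Split one log line into (client, device_id, was_hit)."""
    client, id_field, outcome = line.split()
    return client, id_field.split("=", 1)[1], outcome == "hit"


def find_enumerators(log_text, max_distinct_ids=3, min_miss_ratio=0.3):
    """Return {client: (distinct_ids, miss_ratio)} for clients that look
    like they are guessing ids rather than looking up their own device.

    A normal customer asks about one or two ids and almost never misses.
    A guessing script asks about many different ids and misses often.
    """
    ids = defaultdict(set)
    total = defaultdict(int)
    misses = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, device_id, was_hit = parse(line)
        ids[client].add(device_id)
        total[client] += 1
        if not was_hit:
            misses[client] += 1

    flagged = {}
    for client, seen in ids.items():
        ratio = misses[client] / total[client]
        if len(seen) > max_distinct_ids and ratio >= min_miss_ratio:
            flagged[client] = (len(seen), round(ratio, 2))
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```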
 
The FBI can go to hell. The truth is, AT&T should thank the hackers for exposing the breach rather than whine about them getting in. THEY did the job that AT&T failed to do.
 
Nothing will come of this investigation. I'm sure ATT will say sorry as profusely as possible, but at the end of the day the compromised users will get nothing but a meaningless email with the expected hackneyed terminology we have come to expect.

This is why we need a CDMA based iPad; because having a one carrier lock prevents competition. If I could call ATT and tell them where to shove their bait-and-switch tactics and loose security policies, I would. However, I don't have a viable option to fall back on.
 
Idiots? They have a valid point, they didn't bypass anything to get the information, I don't even know if you can call it hacking- they just wrote a random number generator.

The fact that they went public with the fact that they did it instead of selling the information tells me that I DON'T want these guys in trouble. They did us a favor by catching the problem.

Exactly! Would people rather have them SELL the data? These guys did everyone a favor. If they just went to AT&T with it first, AT&T would have never said a word about it, denied it and then go on as if nothing happened. GoatZe (Sorry, MacRumors doesn't let me spell it properly, being a "bad word" and all) acted in a sense like a whistle blower exposing the ridiculous manner in which AT&T had this system set up. Anyone in their right mind would have a more strict and encrypted method to verify someone's email address than the way these blow-hards did. Really AT&T? With all your billions, THIS is the method you came up with?

Anyone who is saying "I hope they throw the book at them" is missing the point. I will be thanking these guys, not condemning them.
 
Or... they could've simply contacted AT&T and told them about it. Did they? Or did they unnecessarily download thousands of extra names just to make the news?

The idea backfired because hackers easily discovered that they could generate random ids and get names filled in. If ATT security had been told about it, the code could've (and probably would've) been quickly changed without downloading all those names.

The funny thing is, have you ever tried to contact the Security or similar department of a giant corporation!? Seriously. All you have are the 800-phone-number drones that (in my cases in the past) say "well, you're the first to report that. Thanks. We'll pass it along". Surrrrrrrre you'll pass it along. And that's if they even want to talk to you after asking you for 39 pieces of customer information. Hackers are not going to spend hours researching how to contact a real person at a real desk at "corporate headquarters"...they'll report the problem via email or some kind of website Feedback form (yeah, like that gets read every day) and if the problem doesn't get fixed, the hackers assume the company didn't get the report.

The only way to get any kind of attention (and attention is not a negative) is to go public with security problems...because it's impossible to contact the security team...Now if most/all websites had a link at the bottom of the page that said "contact us about a security problem" that would be a different story.

-Eric
 
One thing missing in this picture is Gawker (parent of Gizmodo). They took illegal information, again, and proceeded to share it with the world. Telling us who is using iPads in the White House, Congress, and anyone else of worth. Just to get more hits on their website.

The trouble with Gawker/Gizmodo, is they are like a spoiled child who gets pissed at their parents because they (the child) did something wrong. Gizmodo was in the wrong for how they handled the Apple iPhone situation, and Apple has reprimanded them accordingly by not inviting them to the party this past Tuesday. It's Apple's business who they invite, don't invite, and I don't blame them for keeping Gizmodo at a distance. Gizmodo used illegal, and immoral methods, to obtain and broadcast the iPhone found in a bar. Not only did they show the pics, they dismantled somebody else's product. I teach my kids to treat other people's things with respect, perhaps Gizmodo should follow the same advice.

You see, Gizmodo / Gawker points the finger at Apple for the AT&T security breach, of which I am probably one of those who had their email exposed. The reality is that AT&T bears ALL the responsibility, and Apple none of it. One might argue that Apple is responsible since they partnered with AT&T, but that didn't cause the security breach.

When people read "iPad security breach!!!" they are going to think of Apple and not AT&T; this reflects very poorly on both though. I see your point about Gizmodo/Gawker and I see it more as genius. They are showing Apple that they have guns too.
 
Idiots? They have a valid point, they didn't bypass anything to get the information, I don't even know if you can call it hacking- they just wrote a random number generator.

The fact that they went public with the fact that they did it instead of selling the information tells me that I DON'T want these guys in trouble. They did us a favor by catching the problem.

I don't know... if I used a random number generator to try thousands of credit card numbers against Amazon's order page, say, that would sure be illegal.

Computer-knowledgeable people frequently make a mistake with regards to the law, in that we get hung up on the specific techniques because we imagine hacking as some sort of sophisticated act. We think of breaking encryption or delving into the depths of a restricted system, not just running a script against a Web site, but the law doesn't really care about the technique. A huge amount of computer crime is very low-sophistication stuff.

That's why people make metaphors to physical security/locks -- the law doesn't care if the lock was very good, or even if the door was locked, or if someone left a window open by accident. Same thing with "hacking".
 
The only way to get any kind of attention (and attention is not a negative) is to go public with security problems...because it's impossible to contact the security team...Now if most/all websites had a link at the bottom of the page that said "contact us about a security problem" that would be a different story.

In this case they actually fixed the problem before the story went public.

If the hackers were responsible they should've contacted AT&T, which they did, and if AT&T fixed the problem, they should've either shut up about it or reported it in a general way (that is, no names). Also, why harvest names/emails when all you needed were a few to prove the concept?

Security breaches usually get in the news when the companies ignore the problem. This is not the case here.
 
Ok they got my e-mail... OMG! What do I do oh yea click delete... It was dumb how much attention this has gotten. I get 700 billion spam emails a day either way thanks Gmail, Yahoo, & AOL... :cool:
 
why harvest names/emails when all you needed were a few to prove the concept?

The script/generator probably just ran and every time it found a non-error it would dump it to a text file. Programming 101.

I bet the script didn't run much longer than 30 mins...they probably let it run while they made a sandwich.

And...what do you think is going to get ATT/someone's attention:

1)"Hey! We found a hole in your site and got 5 email addresses!"

or

2)"Hey! We found a hole in your site and got over 100,000 email addresses!"


Seriously. Principles aside, it's what's going to grab the public's attention when the news is announced...hence they just let the script run.

-Eric
 
The funny thing is, have you ever tried to contact the Security or similar department of a giant corporation!?

I agree, it's basically the same problem with reporting the lost iPhone to Apple. How do you get the right person's attention?

The question is, did they even try? And did they need to actually download all those names? ( It's like discovering a hole in a bank and actually removing all the money you can before reporting it.)

The other problem I have in this case, is that the programming goof was clearly just someone trying to make life easier for newbies.

In other words, there's no basis for all the drama queen articles and forum posts calling for AT&T's head. It was a goof. Welcome to real life. I bet every person who has posted here has goofed up at least once. Most are in such low profile jobs however, that it doesn't matter as much.
 
I also find it amusing that they call themselves ****** security.

So does this mean it's not entirely Apple's fault? I imagine with this and the new data plans that Apple is pretty pissed off at AT&T right now...

It had nothing to do with Apple at all. AT&T collected the data when people signed up with them, and AT&T caused the leak.
 
While the group has taken some criticism for not directly contacting AT&T about the situation, it claims that it "made sure that someone else tipped them off" and waited for AT&T to fix the issue before going public.

Yeah, they made sure Gawker tipped them off, right after the group probably SOLD the story to Gawker.

Undoubtedly, more "checkbook journalism" by Gawker. I hope the FBI is investigating them too.

Mark
 