I don't know... if I used a random number generator to try thousands of credit card numbers against Amazon's order page, say, that would sure be illegal.

Amazon (and almost everyone, for that matter) has measures in place to prevent this.

Computer-knowledgeable people frequently make a mistake with regards to the law, in that we get hung up on the specific techniques because we imagine hacking as some sort of sophisticated act. We think of breaking encryption or delving into the depths of a restricted system, not just running a script against a Web site, but the law doesn't really care about the technique. A huge amount of computer crime is very low-sophistication stuff.

That's why people make metaphors to physical security/locks -- the law doesn't care if the lock was very good, or even if the door was locked, or if someone left a window open by accident. Same thing with "hacking".

But the physical security lock analogy assumes private property; a public, corporate web site is more like a public store leaving the employees-only section wide open and unmanned.
 
I also don't understand why everyone here is so upset/angry/concerned about Gawker (or any news website) that has/bought/promoted the story.

This is news. This is how news works. News stories like this have been happening since the dawn of newspapers and then again on TV. Have people here never seen the evening news?...or 20/20?...or 60 Minutes?...or any other bleeping tv news show? What about reading Time or Newsweek or other?

Reporting corporate laziness/problems/whistleblowing/etc. has been a publicly (and legally) accepted practice forever.

Trust me...you want to know about (especially security) problems about a COMPANY YOU ARE PAYING for services/products...not to mention a company that has allllll your personal info (address, credit card, SSN, bank info, your credit score, etc)


I am very thankful that this problem was found...and that it was publicly advertised.

-Eric
 
Gawker is destroying the credibility of journalists in general in the public eye and potentially eroding the possibility of any blogger being considered a "journalist" in the eyes of the law.

They appear to have no code of ethics whatsoever.
 
Why are people so worried about this? Okay, they do have your emails now, but what can they do with them? Pretty much nothing except spam, which you can receive from anywhere else that you register your email at.

Even emails of those important people you can find very easily online. E.g georgebush@whitehouse.gov or email of wall street journal ceo and whatnot ceo@wsj.com
 
How would it be Apple's fault at all? It's AT&T's system that houses the information. This is why it would be great (just dreaming here) if Apple would build their own infrastructure as far as communications. I betcha it would run smooth as silk and prices would be fair. Oh, no, that would mean everyone would rely mostly on Apple for things. They have music locked down, books and mags in a couple years . . Guess that's what happens when you run an honest establishment that is mostly out for the consumer instead of being greedy. ;)

As great as most of Apple's products are, I wouldn't say they're "mostly out for the consumer". Sure, they could do it, and assuming they were able to do it successfully (despite having absolutely nothing to do with telecommunication backends) I'm sure it'd be a good experience. You'd just be paying half as much again as you are for your current contract and have to wait a year before they provided infrastructure support for MMS and another year after that before you'd be able to tether :rolleyes:
 
I say "BFD".... it was a stupid mistake on AT&T's part, but stuff happens too. So what... someone got email addresses.... Seems every spammer already has mine.

Maybe you'd be worried if you're a politician and your mistress's email addresses can be associated with yours?? :D LOL!

This is just the media looking to cash in on the hot product right now... the iPad.
 
The script/generator probably just ran and every time it found a non-error it would dump it to a text file. Programming 101.

I bet the script didn't run much longer than 30 mins...they probably let it run while they made a sandwich.

Let's assume that an HTTP roundtrip takes 100 ms. That's a pretty optimistic number. Let's also assume that they get a hit for each request. That's also pretty optimistic. That is about 3 hrs.

Anyway, it's a stupid argument. Of course they knew what they were doing. There is simply no reason to harvest unless the company doesn't take you seriously, of course. In any case, you shouldn't report the confidential data to a third party.
 
The FBI can go to hell. The truth is, AT&T should thank the hackers for exposing the breach rather than whine about them getting in. THEY did the job that AT&T failed to do.

The FBI doesn't exist to protect YOU, they exist to protect the REGIME. Their very existence is a violation of Constitutional separation of powers which forbids a federal police force.

You're so wrong.

What you're suggesting quickly leads to blackmail. Any system can be hacked and the larger the system (with more moving parts) the easier it becomes.

Let's not forget the late 80's and early 90's when hackers started to exploit security holes and then threaten companies that they would not reveal them unless they were "hired" (paid off) or they would leak them to the public.
 
I think you missed the point.....

Good! I really hope they throw the book at AT&T's dismal security policies.

They are not investigating AT&T -- they are investigating the group that exploited the security hole without notifying AT&T. It seems that they made sure they had email addresses of some prominent people before reporting anything. That's not how these things are supposed to work.

1) You find security hole
2) You notify company of security hole
3) If company does not fix security hole then you threaten to go public with the breach by a specified deadline in order to embarrass them into doing it.

You don't snoop around see what you can find and after extracting 114,000 records that are not yours then report it to some less-than-ethical media firm.

What this "Goats" group did was something illegal. They are investigating these hackers for the manner in which they went about this.

Further you will note that "Goats" does not even know who they shared this exploit with or how many other records might have been extracted. They were very sloppy and the FBI should work with whomever they have to bring penalties against these guys -- including seizing their computers.
 
I have nine E-mail addresses. I only use two of them on an "everyday" basis. They are the ones I use with all the E-tailers I do business with and the ones that I use to register for forums such as this one. Those two addresses get a ton of spam (most of it rooted out by my ISP).

The other seven E-mail addresses are, as far as I am concerned, private in every respect. Yes, a limited number of people know those addresses but I know who all of those people are and they don't share the address with anyone else.

Had I purchased an iPad and had I decided to use one of those seven E-mail addresses to register the iPad (for whatever reason, which would be my own personal business for doing so), you can be darn sure I'd be unhappy about the address being exposed when it shouldn't have been.

Now, all of the above is true and now pretend I am a White House staffer, CEO, or a member of Congress. You can be DAMN sure I'd be pissed off.

Mark
 
Your logic is flawed. If you do divide your emails between private and public for retailers, forums, cell phone, then that person would 99.9% register his "public" email with the ATT service. So now his email got exposed and it will potentially receive spam from some people, BUT it is most likely already receiving some from all those other services and purchases that were made with this account.

I am not saying that it is good thing that emails were exposed. I am saying that this is not anywhere close to huge "situation/problem" that media and other people pretend it to be.
 
Were they Scottish?

That illustration of the hacker looks like he must be wearing a kilt or skirt. I guess the hackers are either Scottish or cross-dressers... :p
 
This 'Goatse Security' group should have reported it to AT&T, but instead of this they let Gawker Media do the dirty work for them. Not a great move for a self-proclaimed security expert group, but at least they asked no money for it.
 
AT&T is to blame, Apple needs to monitor them now

Why is this not Apple's fault? This service allowed for the iPad to have a field pre-filled with the user's email address. Clearly, this is what Apple wanted and they should have known about the security exposure.

You don't understand how this stuff works apparently. Collecting the email address is not a problem. However, at some point later the iPad needs to send a request to the provider (AT&T) server to authenticate.

Typically how these secure handshakes work involves two pairs of keys. A public and private key pair for the server and a public and private key pair of the client. The client and server each maintain their own private key and keep it safe, however they share their public key with anybody who wants to ensure that they are really talking to the right party. The private key can encrypt messages that can only be decrypted by the public key and the public key can encrypt messages that can only be decrypted by the private key.

I am guessing the secure handshake for the iPad involves sending the SIM identifier to AT&T on an SSL channel (something anybody can do) and possibly the same value encrypted with the iPad SIM's private key. AT&T looks up the public key for that iPad based on the provided ID and then decrypts the encrypted version of it to see if they match.

Now suppose they don't match and AT&T returns an error message to the client saying: The encrypted SIM ID does not match the specified SIM ID for user johndoe@nowhere.com.

That would be one example of how something like this could occur. The iPad ignores the error message that never should have been provided by AT&T.

I am guessing that in the initial handshake exchange, AT&T is sending a response header of some kind that includes the user's email address that is stored in their database. Hence it is AT&T's problem and could have been introduced at any point by a server-side code update. It's AT&T's responsibility to keep it secure and it's Apple's responsibility to ensure they do business with folks that keep data secure. If this sort of thing is repeated and Apple does nothing with regards to their contract with AT&T (such as enforcing some kind of penalty) then Apple is to blame as well.
 
I agree, it's basically the same problem with reporting the lost iPhone to Apple. How do you get the right person's attention?

There is no problem.

You take reasonable actions to contact the proper department. If you contact AT&T's security department and they blow you off, well you contacted the right folks.

If you contact AppleCare (which, from the last available information released may not have been done) and they blow you off, that is not a reasonable action.

Of course the question is "Who are the right folks?" Well, the person who lost the phone would be a good start, Steve Jobs clearly has been reading his email and even if he did not someone would have read it and alerted the right people.

But I digress.
 
One thing missing in this picture is Gawker (parent of Gizmodo). They took illegal information, again, and proceeded to share it with the world. Telling us who is using iPads in the White House, Congress, and anyone else of worth. Just to get more hits on their website.

The trouble with Gawker/Gizmodo is they are like a spoiled child who gets pissed at their parents because they (the child) did something wrong. Gizmodo was in the wrong for how they handled the Apple iPhone situation, and Apple has reprimanded them accordingly by not inviting them to the party this past Tuesday. It's Apple's business who they invite or don't invite, and I don't blame them for keeping Gizmodo at a distance. Gizmodo used illegal and immoral methods to obtain and broadcast the iPhone found in a bar. Not only did they show the pics, they dismantled somebody else's product. I teach my kids to treat other people's things with respect; perhaps Gizmodo should follow the same advice.

You see, Gizmodo / Gawker points the finger at Apple for the AT&T security breach, of which I am probably one of those who had their email exposed. The reality is that AT&T bears ALL the responsibility, and Apple none of it. One might argue that Apple is responsible since they partnered with AT&T, but that didn't cause the security breach.

This is almost a "going for broke" strategy if Gawker / Gizmodo in fact did this. I can see how they claimed what they did is not illegal since they didn't steal any passwords.

However, this could be viewed as the old "war dialing" trick of programming a computer to dial a range of phone numbers and log all the lines you detect carriers signals. Instead, here they probably incremented machine IDs and kept logging the email addresses found.

If anyone here is or is connected to an attorney that knows the latest case rulings concerning this, I'd love to know how far into a legal gray zone this alleged compromising action traverses.
 
Idiots? They have a valid point, they didn't bypass anything to get the information, I don't even know if you can call it hacking- they just wrote a random number generator.


Absolutely! Why my computer is just crawling with written random number generator scripts... sheesh... :(

The fact that they went public with the fact that they did it instead of selling the information tells me that I DON'T want these guys in trouble. They did us a favor by catching the problem.

So after collecting over 100,000 names they went public... Hmm, don't know about that. You know, if I stand in front of one of those baseball pitching machines and get beaned in the head. It's only going to take a couple of times before I get smart and take a step left or right to get out of the way. :rolleyes:

That is if I am still conscious... :D
 
Actually, the very act of writing code to create a random generator to gain access to a data set is hacking. Mind you, a simple hack considering the poor effort via AT&T (All trash & troublesome), but still a hack nonetheless :)
 
The company that hacked into the system says "they didn't do anything wrong".
Well then why did they do it? Idiots. I hope they go down in flames.

So long as they kept the identities secure, that is a completely plausible and even laudable scenario. "White hat" hacking is as old as computers (well, older, really), and is a vital activity in system security.

As for motive: because there was a hole there, and they could prove it themselves or let a black hat group use it, and because AT&T would not have done anything with a "theoretical" report, and finally because they gain some level of respect and notoriety for having their names attached to the discovery of the hole.
 
No. The FBI operates under the mandate of Congress and are subject to the rulings of the judiciary. Congress retains the right to dissolve them or to stop funding their operations; the fact that they haven't does not mean they don't have the capability to do so.

You are correct, however an act of Congress does not equal Constitutional by any stretch of the imagination.
 