FBI Investigating AT&T iPad 3G Security Breach

[Stately]

I can't stop laughing at this post.
Apple, not greedy... Apple an "honest company"... LMAO.
How naive are you?
I dig their products, but I will still lump them in with any corporation.
Profits first, customer second or last in most cases.

Every corporation has to make money . . How can a corporation be so without it? It would never be able to advance, it would become stagnant and then be bankrupt. We can't get Macs for free. In regards to profits, because of those profits they can now do things in house and make the products that you and I enjoy better. How are they not doing things for the benefit of the customer? I always hear people complain about Apple and talk about Apple, but I'll never understand the reason other than hating on the corporation because it is succeeding. When you look at AT&T and some other phone carriers for example, the greed is clear. When you look at Burger King and Mcdonalds going up about a dollar per meal each year for what should be considered a snack, greed is evident. Honestly the only problem I have ever had with Apple is that you can't call in about help with a product unless you have paid the annual fee. In their defense though all you have to do is take it in and the concierge makes that process easy.In my case, the products work great and the operations are seamless. So I would just like to know, what is it that makes you feel that Apple is dishonest and greedy? Fanboy, I admit, I am. The thing is, that's for the sole reason that the products do what they say . . . and they look good too.

 

[rjohnstone]

this is ATT's bad, not the "hacker". a company the size of ATT has no excuse for this. going after the "hackers" is a smoke screen to get ATT outa trouble.


be happy these guys did it and not the Russian and Chinese mafia. they will exploit you!

What AT&T did was not criminal, so the FBI has no reason to "go after them" as no laws were broken by AT&T.
Negligent perhaps, but not breaking any laws.
And bigger companies have screwed up much worse than someone getting a customers email address. It's low priority data.
It happens.

What the hackers did was criminal conduct pure and simple.
Just because the hole exists, does not give one the right to grab data.
And why did they grab so much of it?
If they wanted to prove a point, a few "examples" were all that is needed.
The large number of addresses grabbed was purely for effect.

 

[SaaGua]

Not amusing at all.

Yes, it is. Very much so.

Stewart and Colbert are having a field day with BP.

 

[Black Macbook]

What the hackers did was criminal conduct pure and simple.
Just because the hole exists, does not give one the right to grab data.

That is true.

If I walk around a huge parking lot, checking to see if any car doors are unlocked, can I claim that I was merely doing it because I was a good samaritan?

 

[coolmacguy]

IMO, this was not a "hack" so no one broke any laws.

AT&T left information exposed in a web accessible interface. All they did was change the query sent to the webpage. They didn't break into anything.

 

[coolmacguy]

That is true.

If I walk around a huge parking lot, checking to see if any car doors are unlocked, can I claim that I was merely doing it because I was a good samaritan?

Not a good analogy.

I think a better analogy for that would be, if I left my webserver accessible without a password and you logged in and looked around at what I had on there.

I think a better analogy to this situation would be if someone left their email address on a piece of paper on the dash. You would not need to enter the vehicle to view it. In the same way, these people did not need to access any computers in an unauthorized fashion to view this data.

AT&T's fault 100%.

 

[Stately]

Yes, it is. Very much so.

Stewart and Colbert are having a field day with BP.

I think he means that the BP situation is not a laughing matter under any circumstance. Animals are dying and the waters are being polluted. Millions and millions of gallons . .

 

[rjohnstone]

So I would just like to know, what is it that makes you feel that Apple is dishonest and greedy? Fanboy, I admit, I am. The thing is, that's for the sole reason that the products do what they say . . . and they look good too.

Let's start with product costs.
Same hardware as your average PC (outdated in many cases) and they charge nearly twice as much for it.
The OS alone does not warrant the price premium they are asking.
You are paying a premium for a perceived service that doesn't actually exist.

And don't get me wrong... I'm not "hating on Apple for its success".
I'm hating on the hypocrisy that Apple is somehow a benevolent entity that does things for the betterment of mankind.
They do it for the $$$ pure and simple.
They are great at repackaging an existing concept and making it user friendly. I like that.

Steve is the master salesman who convinces you that what he does is somehow "magical".
He sells his Kool-aid well. Zig Ziglar would be proud of Steve's skills as a salesman.

 

[Black Macbook]

I think he means that the BP situation is not a laughing matter under any circumstance. Animals are dying and the waters are being polluted. Millions and millions of gallons . .

One can be concerned about dying animals, oil pollution and laugh at Obama, the administration and BP all at the same time. People are capable of multitasking.

 

[rjohnstone]

IMO, this was not a "hack" so no one broke any laws.

AT&T left information exposed in a web accessible interface. All they did was change the query sent to the webpage. They didn't break into anything.

The data was not visible to all who visit.
An action had to occur to view the data.
They had to use a script and decipher the numbering sequences used to get the data... it was a hack.

The complexity of a hack does not change its legality.

 

[Stately]

Let's start with product costs.
Same hardware as your average PC (outdated in many cases) and they charge nearly twice as much for it.
The OS alone does not warrant the price premium they are asking.
You are paying a premium for a perceived service that doesn't actually exist.

And don't get me wrong... I'm not "hating on Apple for its success".
I'm hating on the hypocrisy that Apple is somehow a benevolent entity that does things for the betterment of mankind.
They do it for the $$$ pure and simple.
They are great at repackaging an existing concept and making it user friendly. I like that.

Steve is the master salesman who convinces you that what he does is somehow "magical".
He sells his Kool-aid well. Zig Ziglar would be proud of Steve's skills as a salesman.

Ok then. I think Steve is proud that his dreams are coming to fruition and being realized by many at the same time. The ipad came out, but I didn't get one because it wasn't as tech loaded as I needed it to be. I still do think it's great though as a basis for which to build on. I think it's taking very big steps, but it's not where I need it to be to make a purchase yet. I didn't get an air either, I still don't see the point in them period. So he is right most of the time, because I feel they do things correctly for the most part. No ones perfect though. It should be as simple as, if you need it get it, if not, don't. I don't think he's convincing enough to make people pull 500 - 3000 g's out of their pocket to get devices they themselves don't want.

 

[marksman]

Not a good analogy.

I think a better analogy for that would be, if I left my webserver accessible without a password and you logged in and looked around at what I had on there.

I think a better analogy to this situation would be if someone left their email address on a piece of paper on the dash. You would not need to enter the vehicle to view it. In the same way, these people did not need to access any computers in an unauthorized fashion to view this data.

AT&T's fault 100%.

They did access the computers with no authorization to do so.

I am not sure you know what the word unauthorized means. Also those analogies are silly and I have called the analogy police on you.

 

[splashnader]

unbeliveable how can such a big corporation have security issue like this...

Yes because no other big corporations security has ever been penetrated. Even the FBI's cyber task force division has been hacked.

 

[Mark Booth]

this is ATT's bad, not the "hacker". a company the size of ATT has no excuse for this. going after the "hackers" is a smoke screen to get ATT outa trouble.

Yeah, just like it's the homeowner's fault for leaving the window open on a hot day. I mean, that burglar would have never broken in if not for that open window. They should arrest the homeowner and let the burglar go free.



Holy crap, some people sure have mixed up sensibilities! AT&T didn't leave the door open on purpose. It was a mistake. But the hackers hacked in on purpose. THAT was the criminal act here.

Punish the criminals, not the victims.

Mark

 

[TurboSC]

haha, Google Ad for FBI recruitment... awesome...

Well I hope ****** Security is ready for some 1337 Government hax.

 

[merlinw]

Lets blame BP

No, It is Obama's fault.

 

[AidenShaw]

Punish the criminals, not the victims.

If I do an HTTP GET request on a URL, and the server responds, and I'm not asked for a username/password or other authentication challenge - why is it criminal to look at the data the that HTTP server returns to me?

It's not a crime to embarrass Apple....

In my opinion, the only "crime" is that AT&T is guilty of not exercising due care in protecting the data. (And that's more likely a civil offense than a criminal one.)

 

[marksman]

IMO, this was not a "hack" so no one broke any laws.

AT&T left information exposed in a web accessible interface. All they did was change the query sent to the webpage. They didn't break into anything.

Then you don't know what "hacking" is.

 

[Surreal]

Let's start with product costs.
Same hardware as your average PC (outdated in many cases) and they charge nearly twice as much for it.
The OS alone does not warrant the price premium they are asking.
You are paying a premium for a perceived service that doesn't actually exist.
...

so they DON'T design things? seriously. design, research, and development. not to mention the retail stores. there are services in the retail stores that CANNOT POSSIBLY make money by themselves. they are subsidized by, you know, selling stuff. then there are ads. and all of the ancillary programs that they have supporting resellers and trainers and the like.

apple is a business. that has annoying consequences, sure, but they are a business, all the same.

 

[mizzouxc]

Read again and now focus on this part of the article.

"Any investigation into the incident is likely to look at two factors: how the information was obtained and what was done with it."

This investigation is less about AT&T & Apple and more about "WHY" the group that exploited the hole in AT&T's website obtained the information and did not turn it over immediately to AT&T

Now the legal means of doing this can be considered a Felony just like stealing WiFi or other information and also could be considered a malicious act, more so due to Federal employees information "Email Ect" being Obtained.

P.S. Everything has holes, how else would you get your data?

Looks like "Gwaker, Valleywag, Gizmodo" are again involved in some Shady dealings.

The "Valleywag aka:Gwaker,Gizmodo" published this as Apples Breach in security not that a team exploited the whole at AT&T site and gave the information directly to Valleywag, Gwaker,Gizmodo.
Again another misleading story just for more page hits from the fools at Gwaker.

Bunch of Idiots have now got the Attention of the FBI, if you don't think this makes them look worse then what the already did including the Group that performed the Data Mining, This is going to get worse..

How much did Gwaker pay for this Exclusive. "Inquiring Minds would Like to know" GWAK GWAK..

I am sure we will hear more of this to come in the next few days,all the "DIRTBAGS" run to Gwaker Gizmodo Valleywag.

There was no security hole per say. The hole was the mechanism the AT&T uses to transmit data. They sent the server an ID and the server returned an e-mail address. What's next, calling visiting a website hacking? You send the server a request, the server sends you what you requested. It's that simple. Whoever wrote this implementation should be charged with a felony for just being stupid.

 

[mizzouxc]

Then you don't know what "hacking" is.

You definitely don't. They simply sent the website a request and the website returned the e-mail addresses. This is NOT hacking.

 

[mizzouxc]

They did access the computers with no authorization to do so.

I am not sure you know what the word unauthorized means. Also those analogies are silly and I have called the analogy police on you.

Did apple.com, macrumors.com or att.com authorize you before hand to visit their website? I'm not sure YOU know what the term unauthorized means. They sent a request to a PUBLIC address. The supposed perpetrator didn't bypass any sort of authentication.

In your eyes this would be illegal.

-Visit websitewithpix.com which has a link to 1.jpg but nothing else
-You want to see more pictures, but there are no links so you replace the 1 with 2.jpg and it displays another picture
-According to your logic, this activity would be illegal

Now had you visited 2.jpg and it presented you with authentication that you had to bypass, sure that activity isn't kosher.

This is what the "bad guys did" (slightly simplified to remove the actual url)
-visited att.com/ipadserialnumber=12345 (where 12345 is their serial number) on their ipad via the signup process.
-noticed above url and visited att.com/ipadserialnumber=12344
-it returned an e-mail address

AT&T should be investigated for not securing information.

 

[mizzouxc]

Let's start with product costs.
Same hardware as your average PC (outdated in many cases) and they charge nearly twice as much for it.
The OS alone does not warrant the price premium they are asking.
You are paying a premium for a perceived service that doesn't actually exist.

And don't get me wrong... I'm not "hating on Apple for its success".
I'm hating on the hypocrisy that Apple is somehow a benevolent entity that does things for the betterment of mankind.
They do it for the $$$ pure and simple.
They are great at repackaging an existing concept and making it user friendly. I like that.

Steve is the master salesman who convinces you that what he does is somehow "magical".
He sells his Kool-aid well. Zig Ziglar would be proud of Steve's skills as a salesman.

There is more to any product than just specifications alone. Apple provides sleek packaging, form factor, quality workmanship and materials in their products.

Take for example, the iMac. My current desk has the iMac with a single cable to it. That's all that's on my desk. My office looks sharp, uncluttered and has a very pretty device on it. It's made of quality aluminum, with an awesome display. I have 1 cable in my whole office, it's the power to the iMac.

Who else makes a keyboard as thin as Apple's? Who else makes a mouse that's basically a touchpad on top with Gestures that works when I turn it on?

Yes, your pc specifications are more impressive than mine, but then again my office isn't a computer room, it's an office with photos, candles and desk space to use for other things like drawing! PC owners chose specifications, I chose not to have a spaghetti of wires to deal with.

My parents recently visited my condo and said, "we see you have a monitor, but why don't you have a computer". I had to explain to them that the monitor, that's smaller than their monitor was also the computer! Needless to say, they outdid me and got the 27" imac when they returned home.

So yes, Steve is a good salesman, and his product is better in so many more ways than just specifications.

 

[marksman]

You definitely don't. They simply sent the website a request and the website returned the e-mail addresses. This is NOT hacking.

Apparently you also don't know what hacking is.


They simply sent the website a password and it returned a successful login prompt.

What planet are you on?

Of course it is hacking. They wrote a script to guess IMEI's to get a specific response. It is fully ignorant to think that is not hacking.

As others have said, if you find a hole in a computer system, just because the hole exists does not mean you are authorized to do what you want with it. They did not use it in any intended way, thus they were hacking. They specifically abused a hole in the system by accessing it in an unintended and unauthorized manner. That is what hacking is.

 

[macsmurf]

If I do an HTTP GET request on a URL, and the server responds, and I'm not asked for a username/password or other authentication challenge - why is it criminal to look at the data the that HTTP server returns to me?

SQL injection is just an HTTP GET request to a server. I don't really know what the law is in the US regarding hacking but there really shouldn't be much difference between brute forcing an ID, brute forcing a username/password or other techniques such as SQL injection or XSS. IMO, it is what you do with the data that's important.