Outrage over AT&T iPad data slurp hacker conviction

A grey hat hacker has been found guilty of breaching AT&T's site security to obtain iPad customer data. Andrew "Weev" Auernheimer, 27, from New York, was convicted of conspiracy to hack and identity fraud over his role in a 2010 exploit against an AT&T account maintenance website that resulted in the leak of 120,000 email …

COMMENTS

This topic is closed for new posts.
  1. Steve Todd

    He did however pretend to be other than who he was

    By sending random IDs to the AT&T server. You don't let burglars off if the door they came through wasn't locked. The fact that AT&T's security was crap isn't an excuse for publishing data that he got from the system.

    1. Anonymous Coward

      Re: He did however pretend to be other than who he was

      Oh, be quiet.

      Stop using moronic analogies that don't apply here; either you have the barest minimum grasp of computer networking (because what weev and GoatSec did is clearly not the same as a burglar walking into an open house; and even using the term burglar is an appeal to emotion: you're loading it already), or you're a troll, and not a clever one.

      Chilling effects on computer security research are serious. People are trying to help YOU, the end user, be secure. If it turns out that I am going to get prosecuted for finding and reporting/exposing a vulnerability, then I won't disclose it. Why would I risk that?

      You can be sure that'll increase the number of people selling their exploits privately to groups like Vupen, or to Iran, or Russian cybercriminals. In the end, the person getting shafted will be you, the end user.

      1. Kevin Johnston

        Re: He did however pretend to be other than who he was

        I think a more reasonable analogy would be 'tailgating' at businesses. There should be some form of security check to stop unauthorised people coming in, but if you can tailgate someone without some other process spotting you (an observant doorman, for instance) then you are in without being required to ID yourself.

        The whole white/grey/black-hat thing is an ever-shifting swamp, but the one thing that is clear is that some form of independent security checking should be expected for corporations, as otherwise only areas they want tested will get any effort. As to where the line between legal and illegal is, well, you roll the dice and hope that it comes up your way, as there will always be people willing to swear white is black if it distracts the viewer from their own problems.

        1. P. Lee

          Re: He did however pretend to be other than who he was

          Or perhaps an even closer analogy would be a company that has put your stuff in a self-storage locker and not bothered putting locks on the doors. Someone comes along, opens a couple of doors, photographs some people's stuff and posts the pics on a noticeboard.

          He hasn't removed anything so that it isn't there, merely put people's stuff on display. Not very nice, but probably not criminal.

          But point taken, real-world analogies don't map well to information.

          1. Anonymous Coward

            Re: He did however pretend to be other than who he was

            Let's upgrade the analogy a bit.

            Weev's friend found a man, who, upon being told your SIM number, would tell you your email.

            Weev's friend told him 120,000 random SIM numbers and was told the corresponding emails.

            Weev thought this was bad so he took the list of emails to journalists, hoping they would help him to get other people angry at the man's bosses.

            But the bosses didn't like this, so weev got arrested for a crime he didn't even really commit.

      2. Steve Todd

        Re: He did however pretend to be other than who he was - @AC 13:19

        That's pretty much EXACTLY what he did. He tried doors at random, and if they opened he collected the data behind the door. If you're using a public system that asks you for a user ID then you can't complain that guessing an ID isn't hacking if the system doesn't then demand a matching password. It's not difficult hacking, but the degree of difficulty doesn't distinguish between legal and illegal.

        Now if he'd proved the exploit and told AT&T about it then (without publishing the results) that's fair game. Embarrassing them in public after they fixed the hole is fine too. He crossed the line by publishing the data he'd extracted.

      3. My Alter Ego

        Re: He did however pretend to be other than who he was

        "... because what weev and GoatSec did is clearly not the same as a burglar walking into an open house ..."

        No, what he did was the equivalent of selecting a house at random, opening the door to determine who the occupant is, then moving on to the next house and so on. The server wasn't just handing out the data, he had to send requests (brute force) to get the data.

        "If it turns out that I am going to get prosecuted for finding and reporting/exposing a vulnerability, then I won't disclose it."

        No, you'll get prosecuted for publishing private data after exposing a vulnerability. Was it really necessary to fetch 120,000 email addresses and provide them to Gawker? It's great that he informed AT&T, but he was an idiot for handing out the collected data just because he could. AT&T were definitely negligent here, but it didn't warrant divulging the data as well as the method.

        1. Anonymous Coward

          Re: He did however pretend to be other than who he was

          Your analogy is also incorrect. Technical matters don't map properly to real-world objects.

          Your analogy could just as easily be used to describe port scanning, connecting to an HTTP server and checking the Server field, or exploiting a service and then running uname. It's imprecise and it's not a fair analogy.

          Also, it probably was necessary. Weev didn't act particularly cleverly, but have you ever reported a vulnerability to any vendor?

          I have. Many times, I don't get a reply whatsoever from them. Twice, I've been threatened with legal action. Sometimes, the vendor has just discarded the vulnerability as "not critical/no evidence of it being used in the wild/exploit is too difficult to pull off/exploit reveals information but doesn't grant a system shell", etc.

          If you want responsible disclosure, encourage responsible corporations.

          Also, weev was charged with fraud and one count of accessing a computer without authorization, not "publishing private data".
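
The thread above keeps circling one technical point: the server answered a lookup keyed on a guessable subscriber identifier without tying that identifier to any authenticated caller, so walking the ID space ("trying doors at random", "sending requests (brute force)") returned other people's email addresses. The following is an added example written for this page, not code from the article, from any commenter, or from AT&T. It models that weakness and a hardened version of the same lookup on constructed data; the function names, the ICC-ID-like sample identifiers, the emails and the passwords are all invented for illustration and say nothing about the real endpoint's URL, parameters or data.

```python
"""Added example (not from the article or any commenter): a minimal model of the
identifier-lookup weakness the thread is arguing about. Handler names, sample
subscribers and request shape are constructed for illustration and are not
AT&T's actual endpoint or data."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import secrets

# Constructed sample data: ICC-ID-like SIM identifiers mapped to account emails.
SUBSCRIBERS: Dict[str, str] = {
    "89014103211118510720": "alice@example.com",
    "89014103211118510721": "bob@example.com",
    "89014103211118510725": "carol@example.com",
}
# Constructed credentials used only by the hardened variant.
PASSWORDS: Dict[str, str] = {icc: f"pw-{icc[-2:]}" for icc in SUBSCRIBERS}


def lookup_vulnerable(icc_id: str) -> Optional[str]:
    """The weak pattern: the client-supplied identifier alone selects the record.
    No session, no ownership check, so anyone who guesses a valid ID gets the email."""
    return SUBSCRIBERS.get(icc_id)


def enumerate_ids(lookup: Callable[[str], Optional[str]],
                  start: int, count: int) -> Dict[str, str]:
    """Sequential guessing: the 'trying doors at random' step from the thread.
    SIM identifiers are largely sequential, so a numeric walk finds neighbours fast."""
    hits: Dict[str, str] = {}
    for n in range(start, start + count):
        icc = str(n)
        email = lookup(icc)
        if email is not None:
            hits[icc] = email
    return hits


@dataclass
class Session:
    icc_id: str          # the only identifier this token is allowed to read
    mismatches: int = 0  # requests that named some other subscriber's ID


class HardenedService:
    """Binds the lookup to an authenticated session, checks that the requested ID
    is the one the session owns, and locks the session after repeated attempts
    to read other subscribers' records."""

    def __init__(self, max_mismatches: int = 5) -> None:
        self.sessions: Dict[str, Session] = {}
        self.max_mismatches = max_mismatches

    def login(self, icc_id: str, password: str) -> Optional[str]:
        """Issue an unguessable token only after a constant-time credential check."""
        expected = PASSWORDS.get(icc_id)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(icc_id=icc_id)
        return token

    def lookup(self, token: str, icc_id: str) -> Optional[str]:
        session = self.sessions.get(token)
        if session is None or session.mismatches >= self.max_mismatches:
            return None                  # no session, or session locked out
        if icc_id != session.icc_id:
            session.mismatches += 1      # count the enumeration attempt
            return None
        # The record is chosen by the session's identity, never by the client's parameter.
        return SUBSCRIBERS.get(session.icc_id)


def enumerate_with_token(service: HardenedService, token: str,
                         start: int, count: int) -> Dict[str, str]:
    """The same numeric walk as enumerate_ids, but through the hardened API
    with one legitimately obtained token."""
    return enumerate_ids(lambda icc: service.lookup(token, icc), start, count)
```

Against the weak handler, a walk of thirty consecutive IDs recovers all three constructed subscribers; against the hardened one, the same walk with a valid session returns nothing, and the session is locked by the time the walk reaches the caller's own record. The essential change is that the hardened lookup never lets the client's identifier pick the record: the authenticated session does, and a mismatch is treated as a signal to throttle rather than as a harmless miss.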

  2. Anonymous Coward

    Did everyone miss

    the word goatse?

    lol

  3. Anonymous Coward

    Re: Did everyone miss

    didn't he just pull these results out of his arse?
