Kennedy #1 March 24, 2013

AT&T iPad Hacker's Real Crime Was Embarrassing the Wrong People
Andrew 'weev' Auernheimer Obtains New Lawyer, Files Appeal

Aaron Swartz. Andrew Auernheimer. The latest victims of prosecutorial overreach and ridiculous laws that rely on others to define what constitutes a crime, other than simply embarrassing powerful and connected people. Does anyone here think what they were accused of is even a crime? Visiting open sites and saving information published there... Now it equals accusation, prosecution, bankruptcy, and imprisonment if you don't code yourself out.

witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards. 1*
Arvoitus #2 March 24, 2013

I think the person/people who should be prosecuted are the idiots who wrote the code/designed the system. At least where I'm from, if you collect that kind of data there are requirements on how to handle it. And having it on a publicly accessible server isn't in those requirements.

Your rights end where my feelings begin.
IJskonijn #3 March 24, 2013

Quote:
I think the person/people who should be prosecuted are the idiots who wrote the code/designed the system. At least where I'm from, if you collect that kind of data there are requirements on how to handle it. And having it on a publicly accessible server isn't in those requirements.

That works both ways. If you find a security exploit and gain personal information through it, you also should be required to handle it with care. Simply throwing it out in the open with a "look-how-flawed-their-security-is" is (in my opinion) not ethical. So yeah, the programmers that made that security system are definitely at fault. But so may the hacker be, depending on how the data is handled after finding the fault.
Gravitymaster #4 March 24, 2013

I hope he gets as aggressive a prosecution as possible. His claims are ridiculous. It's equivalent to walking into a retail store, shoplifting and then claiming they should have had better security. He is also the former President of this organization. http://en.wikipedia.org/wiki/Gay_Nigger_Association_of_America Crocodile tears......
Kennedy #5 March 24, 2013

Quote:
I hope he gets as aggressive a prosecution as possible.

What, exactly, is the action for which you want him prosecuted? Please be specific.

Quote:
His claims are ridiculous. It's equivalent to walking into a retail store, shoplifting and then claiming they should have had better security.

Actually it's like a retail store putting merchandise in the parking lot overnight with a sign that says "Free Stuff" and then being upset someone took it. How is it stealing something when it is published? That's like saying reading information in library books and listing the authors' and publishers' information is stealing. It's not that he bypassed or "hacked" any security. There wasn't any security. It was published. Posted on a fully accessible website. If USPA put the name, email, and info of every skydiver on a public server, it's not the fault of anyone who looks. It's USPA's fault.

Quote:
He is also the former President of this organization. http://en.wikipedia.org/wiki/Gay_Nigger_Association_of_America Crocodile tears......

So now unpopular conduct should be used to determine who is prosecuted? I guess Wayne LaPierre should be brought up on federal charges. Plenty of powerful people hate him and the organization he represents.

witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards. 1*
GeorgiaDon #6 March 24, 2013

Quote:
It's not that he bypassed or "hacked" any security. There wasn't any security.

Out of curiosity, in "internetworld" is failure to maintain adequate security equivalent to "published"? Sort of like, if I forget to lock my door one morning that means anyone can come in my house and help themselves to my stuff? Indeed, is not locking the door equivalent to posting a sign "free stuff" on my door? Or, to make the analogy a better fit to the situation, if I use a lock but the lock is simple enough to be defeated by a moderately skilled thief, is that the same as if I took all my stuff and piled it on the sidewalk?

In the pre-internet world, at least, "published" meant publicly distributed, including providing notice to the public of how to access the publication. For example, as a researcher I publish my work by submitting it to appropriate scientific journals, where the work is peer reviewed and then distributed to everyone with a subscription to the journal, including university libraries where it is available to a broad audience. If I fail to update my firewalls and some hacker is able to gain access to my research data, and they take it and post it on some public forum without my consent or knowledge, is that information "published"?

In this case, no link was put up to say "for our customers' private information click here". No effort was made to intentionally distribute the information, and indeed Auernheimer had to create a tool to access the information. From the article you linked: "Any customer could access his or her account data by going to an AT&T URL containing their iPad's unique numerical identifier. No password, cookie, or login procedure was required to bring up a user's private information. Auernheimer wrote a script to enumerate iPad IDs and promptly collected more than 100,000 e-mail addresses belonging to AT&T iPad users, which he shared with the Gawker news site to expose the AT&T flaw."

So, AT&T provided a simple way for customers to gain access to their own information. Obviously too simple, as Auernheimer showed. However, the information was not "published" (at least in any sense that I recognize the word). More like it was protected by a simple digital lock, and to break the lock Auernheimer just had to write some code that randomly generated a lot of numbers that emulated the iPAD numerical identifier, and used that to "try the door" a lot of times. The information was not "openly available"; Auernheimer had to make a tool to try the lock enough times to sometimes guess the correct combination. Seems like "break and enter" to me. Then he posted the information, so he didn't just look in and leave after he opened the door, he took stuff. So add theft to the list.

I hope this hacker version of "public" doesn't catch on outside the internet. Otherwise, it seems if I leave my rig unattended while I go to manifest, that'll be equivalent to giving it away. Finders keepers and all that.

Don
Tolerance is the cost we must pay for our adventure in liberty. (Dworkin, 1996)
"Education is not filling a bucket, but lighting a fire." (Yeats)
Gravitymaster #7 March 24, 2013

Quote:
Quote:
I hope he gets as aggressive a prosecution as possible.

What, exactly, is the action for which you want him prosecuted? Please be specific.

Stealing confidential information and publishing it.

Quote:
Quote:
His claims are ridiculous. It's equivalent to walking into a retail store, shoplifting and then claiming they should have had better security.

Actually it's like a retail store putting merchandise in the parking lot overnight with a sign that says "Free Stuff" and then being upset someone took it. How is it stealing something when it is published? That's like saying reading information in library books and listing the authors' and publishers' information is stealing. It's not that he bypassed or "hacked" any security. There wasn't any security. It was published. Posted on a fully accessible website. If USPA put the name, email, and info of every skydiver on a public server, it's not the fault of anyone who looks. It's USPA's fault.

Not seeing where AT&T had a sign out saying "Free Stuff". He took something that did not belong to him and then published it. Are you actually suggesting that unless something has an ownership identity, it's OK for someone to take it? If I leave my lawn mower in my yard overnight, can anyone walking by just come up and take it?

Quote:
Quote:
He is also the former President of this organization. http://en.wikipedia.org/wiki/Gay_Nigger_Association_of_America Crocodile tears......

So now unpopular conduct should be used to determine who is prosecuted? I guess Wayne LaPierre should be brought up on federal charges. Plenty of powerful people hate him and the organization he represents.

No, but when someone has a history of using the internet to create havoc, that information weighs on their intent. In this case, I hope this little fucker gets some serious jail time. I also hope they get his little hacker buddies.
Gravitymaster #8 March 24, 2013

+1. Well said.

Andy9o8 #9 March 24, 2013

I think that, both legally and ethically, yours is the correct perspective. He crossed the line from whistle-blower to thief. I do think that pressing the felony charge was unduly heavy-handed and the sentence was extremely harsh.

Gravitymaster #10 March 24, 2013

I think they took his hacking history into consideration.

Andy9o8 #11 March 24, 2013

Quote:
I think they took his hacking history into consideration.

Quite possibly. I don't know much about his personal hacking history, or whether it was done merely recreationally, with little harm to others, or more maliciously and/or with some harm having come to others. Those are relevant factors.

Gravitymaster #12 March 24, 2013

http://www.gnaa.eu/wiki/news#

skypuppy #13 March 24, 2013

Quote:
AT&T iPad Hacker's Real Crime Was Embarrassing the Wrong People
Andrew 'weev' Auernheimer Obtains New Lawyer, Files Appeal
Aaron Swartz. Andrew Auernheimer. The latest victims of prosecutorial overreach and ridiculous laws that rely on others to define what constitutes a crime, other than simply embarrassing powerful and connected people. Does anyone here think what they were accused of is even a crime? Visiting open sites and saving information published there... Now it equals accusation, prosecution, bankruptcy, and imprisonment if you don't code yourself out.

Well, when that newspaper in the north east took public information about firearms owners and published it, they claimed they were doing nothing illegal, just taking information that was publicly available and putting it on their website. I would have liked to have seen them charged and sued for that travesty. In this case I am thinking that this is much the same. The results we're seeing may be opposite ends of the same extreme.

If some old guy can do it then obviously it can't be very extreme. Otherwise he'd already be dead. Bruce McConkey
'I thought we were gonna die, and I couldn't think of anyone

kallend #14 March 25, 2013

Quote:
Quote:
AT&T iPad Hacker's Real Crime Was Embarrassing the Wrong People
Andrew 'weev' Auernheimer Obtains New Lawyer, Files Appeal
Aaron Swartz. Andrew Auernheimer. The latest victims of prosecutorial overreach and ridiculous laws that rely on others to define what constitutes a crime, other than simply embarrassing powerful and connected people. Does anyone here think what they were accused of is even a crime? Visiting open sites and saving information published there... Now it equals accusation, prosecution, bankruptcy, and imprisonment if you don't code yourself out.

Well, when that newspaper in the north east took public information about firearms owners and published it, they claimed they were doing nothing illegal, just taking information that was publicly available and putting it on their website. I would have liked to have seen them charged and sued for that travesty. In this case I am thinking that this is much the same. The results we're seeing may be opposite ends of the same extreme.

Are you REALLY telling us that you can't tell the difference between public information and information stolen on account of a security flaw? Really?...

The only sure way to survive a canopy collision is not to have one.

OHCHUTE #15 March 25, 2013

Publishing the flaw is what got him into trouble. These hackers wouldn't be anything if they didn't publish what they learn. They need to be shut down. They have no right to the information intended to be secure and private.

Andy9o8 #16 March 25, 2013

Quote:
Well, when that newspaper in the north east took public information about firearms owners and published it, they claimed they were doing nothing illegal, just taking information that was publicly available and putting it on their website. I would have liked to have seen them charged and sued for that travesty.

I felt, and still do, that that was morally and ethically repugnant. That being said, the paper neither violated any criminal laws nor committed any torts. Trust me, there was nothing to charge them with (aside from bad judgment), and nothing to sue them for.

Andy9o8 #17 March 25, 2013

Quote:
Publishing the flaw is what got him into trouble. These hackers wouldn't be anything if they didn't publish what they learn. They need to be shut down. They have no right to the information intended to be secure and private.

I don't have any problem with them exposing the mere existence of the flaw. It was publishing information gained via that flaw that crossed the line. (And if they argue that publishing the info was the only credible way of proving the flaw, I call bullshit.)

Kennedy #18 March 26, 2013

I want to be clear about what Auernheimer did. He typed an address into a web browser. The server returned info including customer emails. He didn't hack, bypass, break a code, or do anything to get something that AT&T wasn't putting out in the public. I'm trying to find the source, but as I recall, AT&T admitted that they published the information.

Here is a better analogy than any involving physical property. If you want to paper over a window that faces a public street and you use paper with information you didn't mean to give away, you can't be upset if someone walks by, sees the info, copies it down, and gives it to a reporter. If you put information in the open where anyone can see it, whether you want them to see it or not, you can't blame them for looking.

Quote:
Or, to make the analogy a better fit to the situation, if I use a lock but the lock is simple enough to be defeated by a moderately skilled thief, is that the same as if I took all my stuff and piled it on the sidewalk?

No. That involves (A) picking a lock, (B) B+E, and (C) larceny. None of that fits the facts of this case.

Quote:
In the pre-internet world, at least, "published" meant publicly distributed, including providing notice to the public of how to access the publication. For example, as a researcher I publish my work by submitting it to appropriate scientific journals, where the work is peer reviewed and then distributed to everyone with a subscription to the journal, including university libraries where it is available to a broad audience.

What do you call it when a person puts information on a server that is openly accessed by a website?

Quote:
If I fail to update my firewalls and some hacker is able to gain access to my research data, and they take it and post it on some public forum without my consent or knowledge, is that information "published"?

No, that involves illegally hacking past your defenses. If you were to place it on your university CV page, where anyone can look, without needing a password or other security measure, that would be published.

Quote:
In this case, no link was put up to say "for our customers' private information click here". No effort was made to intentionally distribute the information,

What do you call putting it on the internet? If it's on a publicly accessible url, isn't it published?

Quote:
and indeed Auernheimer had to create a tool to access the information. From the article you linked: "Any customer could access his or her account data by going to an AT&T URL containing their iPad's unique numerical identifier. No password, cookie, or login procedure was required to bring up a user's private information. Auernheimer wrote a script to enumerate iPad IDs and promptly collected more than 100,000 e-mail addresses belonging to AT&T iPad users, which he shared with the Gawker news site to expose the AT&T flaw."

There is your misunderstanding. He didn't have to code a script to access the information. He could just as easily have typed the numbers into the url bar of his browser. He just used a script to visit pages faster than having to type them in by hand. The script just entered www.blah.com/1, then www.blah.com/2, then www.blah.com/3, and so on. It's AT&T that posted the information. They did the equivalent of putting it on the glass windows of their storefront.

Quote:
More like it was protected by a simple digital lock, and to break the lock Auernheimer just had to write some code that randomly generated a lot of numbers that emulated the iPAD numerical identifier, and used that to "try the door" a lot of times. The information was not "openly available"; Auernheimer had to make a tool to try the lock enough times to sometimes guess the correct combination. Seems like "break and enter" to me. Then he posted the information, so he didn't just look in and leave after he opened the door, he took stuff. So add theft to the list.

No. It was not "protected by a simple digital lock" any more than google or dz.com are "protected by a simple digital lock". There was no lock. It was published to the internet, just like your facebook page if you don't have it set to "friends view only". As to your theft charge, even the overreaching USDA didn't think so. There was no charge of theft because there was no larceny. If I go to a bookstore sidewalk sale and walk around writing down author and publisher information, am I stealing it?

Quote:
I hope this hacker version of "public" doesn't catch on outside the internet. Otherwise, it seems if I leave my rig unattended while I go to manifest, that'll be equivalent to giving it away. Finders keepers and all that.

Nope. More accurate analogy: if you leave your rig laying around at the dz and somebody writes down what container, main, reserve, and aad you have, then walks away without touching your rig, let alone stealing.

witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards. 1*

Kennedy #19 March 26, 2013

Quote:
Quote:
What, exactly, is the action for which you want him prosecuted? Please be specific.

Stealing confidential information and publishing it.

Funny, he wasn't charged with theft, let alone convicted of it. Care to avail yourself of the facts and try again?

Quote:
Not seeing where AT&T had a sign out saying "Free Stuff". He took something that did not belong to him and then published it. Are you actually suggesting that unless something has an ownership identity, it's OK for someone to take it? If I leave my lawn mower in my yard overnight, can anyone walking by just come up and take it?

They published it to a website. That is the sign for free stuff. If techcrunch puts it on their site, it's published. AT&T put it on their page, just not the front page.

Quote:
Quote:
Quote:
He is also the former President of this organization. http://en.wikipedia.org/wiki/Gay_Nigger_Association_of_America Crocodile tears......

So now unpopular conduct should be used to determine who is prosecuted? I guess Wayne LaPierre should be brought up on federal charges. Plenty of powerful people hate him and the organization he represents.

No, but when someone has a history of using the internet to create havoc, that information weighs on their intent. In this case, I hope this little fucker gets some serious jail time. I also hope they get his little hacker buddies.

So did you make a mistake when you started your reply with "no" when the content says emphatically "yes"?

witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards. 1*

Kennedy #20 March 26, 2013

Quote:
Publishing the flaw is what got him into trouble. These hackers wouldn't be anything if they didn't publish what they learn. They need to be shut down. They have no right to the information intended to be secure and private.

It doesn't matter if you intend to keep it private if you take actions to make it available to anyone and everyone.

witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards. 1*

Andy9o8 #21 March 26, 2013

You know what they say about a bad analogy: if a dead horse is worth two in the bush, make lemonade!

GeorgiaDon #22 March 26, 2013

Here's a description of the function of the script Auernheimer wrote: "It worked by mimicking the behavior of an iPad 3G so that AT&T's servers would be deceived into granting the Account Slurper access. Once deployed, the Account Slurper used a process known as a 'brute force' against the servers, randomly guessing at ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-ID/e-mail pairing for a specific, identifiable iPad 3G user. From June 5, 2010, through June 9, 2010, the Account Slurper stole for its hacker-authors approximately 120,000 ICC-ID/e-mail address pairings for iPad 3G customers."

I guess we will just have to agree to disagree, but this process seems IDENTICAL to me to picking a lock by trying every possible combination. No doubt this reflects a difference of cultures. To you, having to fraudulently pretend to be millions of iPAD users, trying so many combinations that you have to run a program for days, is the exact same as if ATT had put the information on the front page of the New York Times. Tell me, in your world do identity thieves do anything wrong when they use a skimmer to help themselves to people's credit card numbers? After all, they are just collecting information, information that the victims provide (unknowingly) when they use their credit card.

Don
Tolerance is the cost we must pay for our adventure in liberty. (Dworkin, 1996)
"Education is not filling a bucket, but lighting a fire." (Yeats)

Kennedy #23 March 26, 2013

Quote:
Here's a description of the function of the script Auernheimer wrote: "It worked by mimicking the behavior of an iPad 3G so that AT&T's servers would be deceived into granting the Account Slurper access. Once deployed, the Account Slurper used a process known as a 'brute force' against the servers, randomly guessing at ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-ID/e-mail pairing for a specific, identifiable iPad 3G user. From June 5, 2010, through June 9, 2010, the Account Slurper stole for its hacker-authors approximately 120,000 ICC-ID/e-mail address pairings for iPad 3G customers."

Where did you get that from? Sounds even more over the top than the US ADA indictment.

Quote:
I guess we will just have to agree to disagree, but this process seems IDENTICAL to me to picking a lock by trying every possible combination. No doubt this reflects a difference of cultures. To you, having to fraudulently pretend to be millions of iPAD users, trying so many combinations that you have to run a program for days, is the exact same as if ATT had put the information on the front page of the New York Times.

When you type "http://www.google.com/" into a browser, do you think of it as picking a lock? I don't think typing letters and numbers into a url bar is pretending to be the iPad owners. If AT&T is dumb enough to use customer info as the url, that's their choice. If an employer used my work ID as the last section of a url meant for me, that's their choice, but if the page is published to the internet, I would not say someone is pretending to be me if they type in the url. Stop saying combinations. There was no lock, there was no lock picking. Seriously, is it your contention that going to a webpage is picking a lock? If it is, you're right up there with the NJ US ADA in believing that anyone can be charged with a federal crime for using the internet.

Quote:
Tell me, in your world do identity thieves do anything wrong when they use a skimmer to help themselves to people's credit card numbers? After all, they are just collecting information, information that the victims provide (unknowingly) when they use their credit card.

No, they are not just collecting information. They are conducting illegal man in the middle attacks and hacking information that was protected. They are attacking defenses and overcoming them. That is illegal. THAT IS NOT THE SAME AS GOING TO A PUBLISHED WEBSITE.

witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards. 1*

champu #24 March 26, 2013

I think the precedent sucks either way. On one hand, we can't go prosecuting people for "conspiracy to access a computer without authorization" because they go directory diving*. On the other hand, SQL injection attacks are essentially "just typing a url into a web browser and viewing what comes back from the server as it was programmed by the owner to do." I doubt many would argue the latter isn't crossing a line.

In any event, thinking we can make progress towards solving the information assurance problems our country has (in both the private and public realms) by just "giving enough of these little fuckers serious jail time" is as boneheaded as making customer personal data available via an unauthenticated GET query.

* for the uninitiated, directory diving is when someone embeds an image in a forum with something like "www.mywebsite.com/images/example.jpg", and you type "www.mywebsite.com/images/" into your web browser and look at what else they have stored there (assuming they don't have -Indexes set to block directory listings.)

Kennedy #25 March 26, 2013

I agree with you about SQL, but try not to confuse these guys. They think using a code means you hacked something.

witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards. 1*
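The flaw pattern argued over in this thread, an account lookup keyed only on a client-supplied device identifier with no login bound to it, shown beside the session-bound form of the same lookup, a sequential sweep over both, and the server-side check a defender would run for that sweep. This is an added example and not part of the thread, not AT&T's code and not the script from the case. The account store, session table, e-mail addresses and access-log lines are constructed; the identifiers are short placeholders rather than real ICC-IDs, and the `/account?icc=` URL shape and field names are assumptions for the illustration.

```python
"""
Unauthenticated identifier lookup versus a session-bound lookup, plus a log
check for the sweep pattern.  Added example, not code from the thread or the
case; every identifier, address and log line below is constructed.
"""
import re
from collections import defaultdict

# Constructed backing store: device identifier -> account e-mail.
# Real ICC-IDs are 19-20 digits; short integers keep the example readable.
ACCOUNTS = {
    10001: "alice@example.invalid",
    10003: "bob@example.invalid",
    10007: "carol@example.invalid",
}

# Constructed session table: token -> the device identifier the holder proved
# ownership of at login.  The hardened handler only trusts IDs bound this way.
SESSIONS = {"sess-alice": 10001}


def lookup_vulnerable(icc_id, session_token=None):
    """The pattern the thread describes: the URL parameter alone selects the
    record and no login is checked, so any caller who guesses an ID is served.
    """
    return ACCOUNTS.get(icc_id)


def lookup_hardened(icc_id, session_token=None):
    """Same lookup, but the ID in the request must equal the ID bound to an
    authenticated session.  A wrong or missing session gets the same None as a
    nonexistent account, so a sweep learns nothing about which IDs exist.
    """
    if SESSIONS.get(session_token) != icc_id:
        return None
    return ACCOUNTS.get(icc_id)


def sweep(lookup, start, stop, session_token=None):
    """Sequential enumeration ('/1, then /2, then /3' in the thread's words):
    request every ID in the range and keep each (ID, e-mail) pairing returned.
    """
    found = {}
    for icc_id in range(start, stop):
        email = lookup(icc_id, session_token)
        if email is not None:
            found[icc_id] = email
    return found


# Constructed access-log lines in combined-log style.  The 198.51.100.7 client
# walks consecutive IDs and mostly gets 404s; 203.0.113.5 is an ordinary user.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jun/2010:10:00:01 +0000] "GET /account?icc=10000 HTTP/1.1" 404 0
198.51.100.7 - - [05/Jun/2010:10:00:01 +0000] "GET /account?icc=10001 HTTP/1.1" 200 42
198.51.100.7 - - [05/Jun/2010:10:00:02 +0000] "GET /account?icc=10002 HTTP/1.1" 404 0
198.51.100.7 - - [05/Jun/2010:10:00:02 +0000] "GET /account?icc=10003 HTTP/1.1" 200 40
198.51.100.7 - - [05/Jun/2010:10:00:03 +0000] "GET /account?icc=10004 HTTP/1.1" 404 0
198.51.100.7 - - [05/Jun/2010:10:00:03 +0000] "GET /account?icc=10005 HTTP/1.1" 404 0
203.0.113.5 - - [05/Jun/2010:10:00:04 +0000] "GET /account?icc=10007 HTTP/1.1" 200 44
"""

LOG_RE = re.compile(r'^(\S+) .*?"GET /account\?icc=(\d+) HTTP/[\d.]+" (\d{3}) ')


def detect_enumeration(log_text, min_distinct=5, min_miss_ratio=0.5):
    """Return clients that asked for many distinct IDs and were mostly refused:
    the 'incorrect guess met with nothing, correct guess rewarded' signature
    quoted in the thread, as it appears on the server side.
    """
    stats = defaultdict(lambda: {"ids": set(), "misses": 0, "total": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, icc, status = m.groups()
        s = stats[client]
        s["ids"].add(icc)
        s["total"] += 1
        if status != "200":
            s["misses"] += 1
    return sorted(
        client for client, s in stats.items()
        if len(s["ids"]) >= min_distinct
        and s["misses"] / s["total"] >= min_miss_ratio
    )


if __name__ == "__main__":
    print("unauthenticated sweep leaked:", sweep(lookup_vulnerable, 10000, 10010))
    print("session-bound sweep leaked:  ", sweep(lookup_hardened, 10000, 10010))
    print("flagged clients:", detect_enumeration(SAMPLE_LOG))
```

Run as a script, the unauthenticated sweep returns every pairing in the constructed store while the session-bound sweep returns nothing without a valid login, and the log check flags only the client that walked consecutive identifiers. Binding the identifier to the session is the fix; the miss-ratio check is what lets a defender notice the sweep from its own logs whether or not the fix is in place.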
Gravitymaster 0 #8 March 24, 2013 +1. Well said. Quote Share this post Link to post Share on other sites
Andy9o8 0 #9 March 24, 2013 I think that, both legally and ethically, yours is the correct perspective. He crossed the line from whistle-blower to thief. I do think that pressing the felony charge was unduly heavy-handed and the sentence was extremely harsh. Quote Share this post Link to post Share on other sites
Gravitymaster 0 #10 March 24, 2013 I think they took his hacking history into consideration. Quote Share this post Link to post Share on other sites
Andy9o8 0 #11 March 24, 2013 QuoteI think they took his hacking history into consideration. Quite possibly. I don't know much about his personal hacking history, or whether it was done merely recreationally, with little harm to others, or more maliciously and/or with some harm having come to others. Those are relevant factors. Quote Share this post Link to post Share on other sites
Gravitymaster 0 #12 March 24, 2013 http://www.gnaa.eu/wiki/news# Quote Share this post Link to post Share on other sites
skypuppy 1 #13 March 24, 2013 QuoteAT&T iPad Hacker’s Real Crime Was Embarrassing the Wrong People Andrew ‘weev' Auernheimer Obtains New Lawyer, Files Appeal Aaron Swartz. Andrew Auernheimer. The latest victims of prosecutorial overreach and ridiculous laws that rely on others to define what constitutes a crime, other than simply embarassing powerful and connected people. Does anyone here think what they were accused of is even a crime? Visiting open sites and saving information published there... Now it equals accusation, prosecution, bankruptcy, and imprisonment if you don't code yourself out. Well, when that newspaper in the north east took public information about firearms owners and published it, they claimed they were doing nothing illegal, just taking information that was publically available and putting it on their website. I would have like to have seen them charged and sued for that travesty. In this case I am thinking that this is much the same. The results we're seeing may be opposite ends of the same extreme.If some old guy can do it then obviously it can't be very extreme. Otherwise he'd already be dead. Bruce McConkey 'I thought we were gonna die, and I couldn't think of anyone Quote Share this post Link to post Share on other sites
kallend 1,635 #14 March 25, 2013 QuoteQuoteAT&T iPad Hacker’s Real Crime Was Embarrassing the Wrong People Andrew ‘weev' Auernheimer Obtains New Lawyer, Files Appeal Aaron Swartz. Andrew Auernheimer. The latest victims of prosecutorial overreach and ridiculous laws that rely on others to define what constitutes a crime, other than simply embarassing powerful and connected people. Does anyone here think what they were accused of is even a crime? Visiting open sites and saving information published there... Now it equals accusation, prosecution, bankruptcy, and imprisonment if you don't code yourself out. Well, when that newspaper in the north east took public information about firearms owners and published it, they claimed they were doing nothing illegal, just taking information that was publically available and putting it on their website. I would have like to have seen them charged and sued for that travesty. In this case I am thinking that this is much the same. The results we're seeing may be opposite ends of the same extreme. Are you REALLY telling us that you can't tell the difference between public information and information stolen on account of a security flaw? Really?... The only sure way to survive a canopy collision is not to have one. Quote Share this post Link to post Share on other sites
OHCHUTE 0 #15 March 25, 2013 Publishing the flaw is what got him into trouble. These hackers wouldn't be anything if they didn't publish what they learn. They need to be shut down. They have no right to the information intended to be secure and private. Quote Share this post Link to post Share on other sites
Andy9o8 0 #16 March 25, 2013

Quote: Well, when that newspaper in the north east took public information about firearms owners and published it, they claimed they were doing nothing illegal, just taking information that was publicly available and putting it on their website. I would have liked to have seen them charged and sued for that travesty.

I felt, and still do, that that was morally and ethically repugnant. That being said, the paper neither violated any criminal laws nor committed any torts. Trust me, there was nothing to charge them with (aside from bad judgment), and nothing to sue them for.
Andy9o8 0 #17 March 25, 2013

Quote: Publishing the flaw is what got him into trouble. These hackers wouldn't be anything if they didn't publish what they learn. They need to be shut down. They have no right to the information intended to be secure and private.

I don't have any problem with them exposing the mere existence of the flaw. It was publishing information gained via that flaw that crossed the line. (And if they argue that publishing the info was the only credible way of proving the flaw, I call bullshit.)
Kennedy 0 #18 March 26, 2013

I want to be clear about what Auernheimer did. He typed an address into a web browser. The server returned info including customer emails. He didn't hack, bypass, break a code, or do anything to get something that AT&T wasn't putting out in the public. I'm trying to find the source, but as I recall, AT&T admitted that they published the information.

Here is a better analogy than any involving physical property. If you want to paper over a window that faces a public street and you use paper with information you didn't mean to give away, you can't be upset if someone walks by, sees the info, copies it down, and gives it to a reporter. If you put information in the open where anyone can see it, whether you want them to see it or not, you can't blame them for looking.

Quote: Or, to make the analogy a better fit to the situation, if I use a lock but the lock is simple enough to be defeated by a moderately skilled thief, is that the same as if I took all my stuff and piled it on the sidewalk?

No. That involves (A) picking a lock, (B) B+E, and (C) larceny. None of that fits the facts of this case.

Quote: In the pre-internet world, at least, "published" meant publicly distributed, including providing notice to the public of how to access the publication. For example, as a researcher I publish my work by submitting it to appropriate scientific journals, where the work is peer reviewed and then distributed to everyone with a subscription to the journal, including university libraries where it is available to a broad audience.

What do you call it when a person puts information in a server that is openly accessed by a website?

Quote: If I fail to update my firewalls and some hacker is able to gain access to my research data, and they take it and post it on some public forum without my consent or knowledge, is that information "published"?

No, that involves illegally hacking past your defenses. If you were to place it on your university CV page, where anyone can look, without needing password or other security measure, that would be published.

Quote: In this case, no link was put up to say "for our customers private information click here". No effort was made to intentionally distribute the information,

What do you call putting it on the internet? If it's on a publicly accessible url, isn't it published?

Quote: and indeed Auernheimer had to create a tool to access the information.

From the article you linked: "Any customer could access his or her account data by going to an AT&T URL containing their iPad’s unique numerical identifier. No password, cookie, or login procedure was required to bring up a user’s private information. Auernheimer wrote a script to enumerate iPad IDs and promptly collected more than 100,000 e-mail addresses belonging to AT&T iPad users, which he shared with the Gawker news site to expose the AT&T flaw."

There is your misunderstanding. He didn't have to code a script to access the information. He could just as easily have typed the numbers into the url bar of his browser. He just used a script to visit pages faster than having to type them in by hand. The script just entered www.blah.com/1, then www.blah.com/2, then www.blah.com/3, and so on. It's AT&T that posted the information. They did the equivalent of putting it on the glass windows of their storefront.

Quote: More like it was protected by a simple digital lock, and to break the lock Auernheimer just had to write some code that randomly generated a lot of numbers that emulated the iPAD numerical identifier, and used that to "try the door" a lot of times. The information was not "openly available", Auernheimer had to make a tool to try the lock enough times to sometimes guess the correct combination. Seems like "break and enter" to me. Then he posted the information, so he didn't just look in and leave after he opened the door, he took stuff. So add theft to the list.

No. It was not "protected by a simple digital lock" any more than google or dz.com are "protected by a simple digital lock". There was no lock. It was published to the internet, just like your facebook page if you don't have it set to "friends view only". As to your theft charge, even the overreaching USDA didn't think so. There was no charge of theft because there was no larceny. If I go to a bookstore sidewalk sale and walk around writing down author and publisher information, am I stealing it?

Quote: I hope this hacker version of "public" doesn't catch on outside the internet. Otherwise, it seems if I leave my rig unattended while I go to manifest, that'll be equivalent to giving it away. Finders keepers and all that.

Nope. More accurate analogy: if you leave your rig laying around at the dz and somebody writes down what container, main, reserve, and aad you have, then walks away without touching your rig, let alone stealing.

witty subliminal message Guard your honor, let your reputation fall where it will, and outlast the bastards.
Kennedy 0 #19 March 26, 2013

Quote: Quote: What, exactly is the action for which you want him prosecuted? Please be specific.

Quote: Stealing confidential information and publishing it.

Funny, he wasn't charged with theft, let alone convicted of it. Care to avail yourself of the facts and try again?

Quote: Not seeing where AT&T had a sign out saying "Free Stuff". He took something that did not belong to him and then published it. Are you actually suggesting that unless something has an ownership identity, it's OK for someone to take it? If I leave my lawn mower in my yard over night, can anyone walking by just come up and take it?

They published it to a website. That is the sign for free stuff. If techcrunch puts it on their site, it's published. AT&T put it on their page, just not the front page.

Quote: Quote: Quote: He is also the former President of this organization. http://en.wikipedia.org/wiki/Gay_Nigger_Association_of_America Crocodile tears......

Quote: Quote: So now unpopular conduct should be used to determine who is prosecuted? I guess Wayne LaPierre should be brought up on federal charges. Plenty of powerful people hate him and the organization he represents.

Quote: No, but when someone has a history of using the internet to create havoc, that information weighs on their intent. In this case, I hope this little fucker gets some serious jail time. I also hope they get his little hacker buddies.

So did you make a mistake when you started your reply with "no" when the content says emphatically "yes"?

witty subliminal message Guard your honor, let your reputation fall where it will, and outlast the bastards.
Kennedy 0 #20 March 26, 2013

Quote: Publishing the flaw is what got him into trouble. These hackers wouldn't be anything if they didn't publish what they learn. They need to be shut down. They have no right to the information intended to be secure and private.

It doesn't matter if you intend to keep it private if you take actions to make it available to anyone and everyone.

witty subliminal message Guard your honor, let your reputation fall where it will, and outlast the bastards.
Andy9o8 0 #21 March 26, 2013

You know what they say about a bad analogy: if a dead horse is worth two in the bush, make lemonade!
GeorgiaDon 340 #22 March 26, 2013

Here's a description of the function of the script Auernheimer wrote: "It worked by mimicking the behavior of an iPad 3G so that AT&T’s servers would be deceived into granting the Account Slurper access. Once deployed, the Account Slurper used a process known as a “brute force” against the servers, randomly guessing at ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-ID/e-mail pairing for a specific, identifiable iPad 3G user. From June 5, 2010, through June 9, 2010, the Account Slurper stole for its hacker-authors approximately 120,000 ICC-ID/e-mail address pairings for iPad 3G customers."

I guess we will just have to agree to disagree, but this process seems IDENTICAL to me to picking a lock by trying every possible combination. No doubt this reflects a difference of cultures. To you, having to fraudulently pretend to be millions of iPAD users, trying so many combinations that you have to run a program for days, is the exact same as if ATT had put the information on the front page of the New York Times.

Tell me, in your world do identity thieves do anything wrong when they use a skimmer to help themselves to people's credit card numbers? After all, they are just collecting information, information that the victims provide (unknowingly) when they use their credit card.

Don_____________________________________ Tolerance is the cost we must pay for our adventure in liberty. (Dworkin, 1996) “Education is not filling a bucket, but lighting a fire.” (Yeats)
Kennedy 0 #23 March 26, 2013

Quote: Here's a description of the function of the script Auernheimer wrote: "It worked by mimicking the behavior of an iPad 3G so that AT&T’s servers would be deceived into granting the Account Slurper access. Once deployed, the Account Slurper used a process known as a “brute force” against the servers, randomly guessing at ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-ID/e-mail pairing for a specific, identifiable iPad 3G user. From June 5, 2010, through June 9, 2010, the Account Slurper stole for its hacker-authors approximately 120,000 ICC-ID/e-mail address pairings for iPad 3G customers."

Where did you get that from? Sounds even more over the top than the US ADA indictment.

Quote: I guess we will just have to agree to disagree, but this process seems IDENTICAL to me to picking a lock by trying every possible combination. No doubt this reflects a difference of cultures. To you, having to fraudulently pretend to be millions of iPAD users, trying so many combinations that you have to run a program for days, is the exact same as if ATT had put the information on the front page of the New York Times.

When you type "http://www.google.com/" into a browser, do you think of it as picking a lock? I don't think typing letters and numbers into a url bar is pretending to be the iPad owners. If AT&T is dumb enough to use customer info as the url, that's their choice. If an employer used my work ID as the last section of a url meant for me, that's their choice, but if the page is published to the internet, I would not say someone is pretending to be me if they type in the url. Stop saying combinations. There was no lock, there was no lock picking. Seriously, is it your contention that going to a webpage is picking a lock? If it is, you're right up there with the NJ US ADA in believing that anyone can be charged with a federal crime for using the internet.

Quote: Tell me, in your world do identity thieves do anything wrong when they use a skimmer to help themselves to people's credit card numbers? After all, they are just collecting information, information that the victims provide (unknowingly) when they use their credit card.

No, they are not just collecting information. They are conducting illegal man in the middle attacks and hacking information that was protected. They are attacking defenses and overcoming them. That is illegal. THAT IS NOT THE SAME AS GOING TO A PUBLISHED WEBSITE.

witty subliminal message Guard your honor, let your reputation fall where it will, and outlast the bastards.
champu 1 #24 March 26, 2013

I think the precedent sucks either way. On one hand, we can't go prosecuting people for "conspiracy to access a computer without authorization" because they go directory diving*. On the other hand, SQL injection attacks are essentially "just typing a url into a web browser and viewing what comes back from the server as it was programmed by the owner to do." I doubt many would argue the latter isn't crossing a line.

In any event, thinking we can make progress towards solving the information assurance problems our country has (in both the private and public realms) by just "giving enough of these little fuckers serious jail time" is as boneheaded as making customer personal data available via an unauthenticated GET query.

* for the uninitiated, directory diving is when someone embeds an image in a forum with something like "www.mywebsite.com/images/example.jpg", and you type "www.mywebsite.com/images/" into your web browser and look at what else they have stored there (assuming they don't have -Indexes set to block directory listings.)
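Added example (editor's code, not from any poster and not AT&T's actual endpoint): the pattern Kennedy describes in #18 and champu calls an "unauthenticated GET query" in #24, an account lookup keyed only by the identifier in the URL, shown beside a hardened version that authenticates and authorises the caller, plus a server-side counter for the "many distinct IDs from one client" behaviour GeorgiaDon quotes. The ICC-IDs, e-mail addresses and session tokens are constructed sample data.

```python
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# Constructed sample data (hypothetical): ICC-ID -> e-mail, session token -> ICC-ID.
ACCOUNTS: Dict[str, str] = {
    "8901410000000000011": "alice@example.com",
    "8901410000000000012": "bob@example.com",
}
SESSIONS: Dict[str, str] = {"tok-alice": "8901410000000000011"}


def lookup_vulnerable(iccid: str) -> Tuple[int, Optional[str]]:
    """The pattern the thread describes: the identifier in the URL is the only
    'key'. Anyone who can form the URL gets the e-mail, and the 200/404 split
    confirms which IDs exist (an insecure direct object reference)."""
    email = ACCOUNTS.get(iccid)
    return (200, email) if email else (404, None)


def lookup_hardened(iccid: str, token: Optional[str]) -> Tuple[int, Optional[str]]:
    """Fix: authenticate the caller (session token), then authorise (the session
    must own the requested ICC-ID). Foreign and unknown IDs both get 404, so the
    response no longer reveals which IDs are valid."""
    if token is None or token not in SESSIONS:
        return (401, None)
    if SESSIONS[token] != iccid or iccid not in ACCOUNTS:
        return (404, None)
    return (200, ACCOUNTS[iccid])


class EnumerationDetector:
    """Defender-side check for the 'brute force' behaviour quoted in the thread:
    one client requesting many distinct account IDs. Counts only; no I/O."""

    def __init__(self, threshold: int = 20) -> None:
        self.threshold = threshold
        self.seen: Dict[str, Set[str]] = defaultdict(set)  # client -> distinct IDs

    def observe(self, client: str, iccid: str) -> bool:
        """Record one request; True once the client exceeds the threshold."""
        self.seen[client].add(iccid)
        return len(self.seen[client]) > self.threshold
```

In a real deployment the detector's count would feed rate limiting or alerting keyed on the client, and the hardened handler would sit behind a session mechanism rather than the constructed token table here.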
Kennedy 0 #25 March 26, 2013

I agree with you about SQL, but try not to confuse these guys. They think using a code means you hacked something.

witty subliminal message Guard your honor, let your reputation fall where it will, and outlast the bastards.