
Jury convicts NY man accused of AT&T-iPad hacking - jason_slack
http://news.yahoo.com/jury-convicts-ny-man-accused-t-ipad-hacking-023305967--finance.html
======
neya
And this my friends, is the fake world of democracy we live in. We are being
illusioned to posses freedom that we don't really have. This is a game played
by very powerful people at the top, who have the right amount of money at the
right time and these people will continue to game this system. We need a
change, desperately!

~~~
smsm42
Could you please explain how convicting a person that hacked into AT&T means
we have fake democracy? I must be missing something here, could you elaborate
a bit?

~~~
cheald
Can you please explain how "GET /iccid/12345" is hacking? I must be missing
something here, could you elaborate a bit?

~~~
s_henry_paulson
He knew that he was obtaining sensitive information that he shouldn't have
been able to access (through at&t's negligence), however instead of following
any sort of responsible disclosure, and reporting the incident to the company,
he goes to IRC and talks openly about trying to use the information to benefit
himself through insider trading and then gives the information to Gawker
(again instead of contacting AT&T).

He probably could have had the charges dropped, had he composed his actions
differently.

~~~
cheald
Absolutely. He was a dick about it. I don't think that anyone would argue
differently.

But the fact of the matter is, he's been convicted for unauthorized access to
a public computer system. Last I checked, being a dick and a braggart wasn't
criminal.

I think he was rather stupid about the whole thing, but criminal? The fault
should lie with AT&T, who put their customer data on a public webserver for
the world to see.

~~~
smsm42
Being a dick in general is not criminal. Being a dick by stealing 100K private
emails and giving them to press, apparently, is criminal.

~~~
cheald
But it's not stealing if AT&T was just happily giving them away. Which they
were.

~~~
cmsj
Is that still defensible if you go out of your way to brute force download as
many as you can and you then distribute that list?

------
welder
From what I just read, he didn't hack anything. He found out that AT&T didn't
require a password to check if an email was valid, then just got a list of
valid email addresses.

How could a jury equate this with conspiracy to access a computer?

~~~
ajross
The computer held a list of addresses. It did not present that list to the
public. He found a trick where he could probe the addresses, and used that
trick to extract the list counter to the desires of the owner (and the owners
of the addresses). I can't imagine how you think that access was authorized.

Now, sure, it's not much of a "hack" in a security analysis sense. And it was
a terribly dumb bug, and a huge security goof by AT&T. But why should criminal
law care about how difficult something is? You don't get off of burglary
charges if someone's door is unlocked. And if AT&T is culpable for their poor
engineering, they are so in a civil sense for damages; it doesn't make the
hack less of a crime.

Admittedly there's a spectrum between "full disclosure" security research and
grey hat anarchic asshattery, and there are cases where people have been
wrongly prosecuted. But this case looks pretty black and white to me.

~~~
scotty79
Information whether email is valid or not was made publicly available by AT&T.
Shouldn't access to publicly available information be assumed to be authorized
by the one who made the information public?

If you forget to wear your pants in public you are the one who is to be
charged with indecent behavior not the people looking at you with intrusion on
your privacy.

~~~
cmsj
What about if you walk around and peek under everyone's coat to see if they
forgot to wear pants?

~~~
scotty79
Very impolite. Criminal? Only if you check many entities and lots of them
notice and it bothers them or you check one for a long time and you bother it.
Might be harassment.

I can't see what the coat was supposed to be in AT&T case though.

------
throwaway218781
weev is a criminal. He spent many years making a living for himself by
stealing from other people. He gets to re-write this past of his because most
of his former crew are gone. weevs defenders are people who didn't know him
when he was most active (2003-2009).

This particular case is also pretty clear-cut. If you were a whitehat, why
would you retrieve so much data? Why would you give the data to someone who
was not with that company?

Reserve your sympathy for hackers who get set up by their businesses partners,
or people who aren't thieves and backstabbers. weev is just beginning to get
what he has had coming to him for ten years...

~~~
aw3c2
sources please.

~~~
kyrra
Regardless of his past, why did he pull so much information? And turning it
over to gawker seems a bit wrong. He should have contacted the company. If
they didn't do anything then he should have gone to the media.

It seems like he acted irresponsibily with the situation. It wasn't just one
misstep, it was a few.

~~~
gsibble
To be fair, I doubt most "mainstream media" (ie. CNN, WSJ, NYT, etc.) would
have noticed/cared about this information.

------
JungleGymSam
Why a sad face? Did the article not represent his crime correctly? I don't
know this person or his back story but if he committed a crime why shouldn't
he suffer the consequences?

~~~
chimeracoder
In case you're not trolling, here's a link to what's currently #2 on the front
page, which explains it well: [http://erratasec.blogspot.com/2012/11/you-are-
committing-cri...](http://erratasec.blogspot.com/2012/11/you-are-committing-
crime-right-now.html)

~~~
JungleGymSam
It's my ignorance showing so be gentle. I'm not trolling. I don't read every
link on the front page and what piques my interest may not be what piques
yours. Having said that, I will read the article you linked to.

~~~
chimeracoder
My apologies, your comment seemed more sarcastic to me when I first read it
for some reason. In any case, I hope that was helpful.

------
beatpanda
"Provided the information to Gawker" casts doubt on any criminal intent in my
mind

~~~
gwillen
Apparently they have IRC logs of him first talking about selling the
information to spammers or using it to go phishing, which makes it a little
worse.

~~~
guard-of-terra
I would have said the same thing after discovering the stash. Not because I
actually planned to do this but because the situation is bizzare and that's
some sort of humiliating humour.

~~~
jasonlotito
Couple that with how he reported it, the script he used to download the data,
and everything else he did. You can't look at each action in isolation.

------
k-mcgrady
The title of this should be changed. Actual title is:

Jury convicts NY man accused of AT&T-iPad hacking

~~~
Mithrandir
For future reference, the title was "Weev Convicted :-(".

~~~
saurik
(OK, yeah, that title was even worse. ;P)

------
bifrost
Its a travesty, Weev comitted no real crime.

~~~
zalzane
What do you mean? It says he used an account slurper and stole people's
personal information.

Should this not be a crime?

~~~
cheald
He wrote a PHP script that downloads incrementing URLs. You know, like `curl
-O <http://att.net/iccid/[0-100].xml`>

AT&T put this information on a public interface and relied on obscurity of
serial integers to protect it, then cried foul when someone crawled their
unprotected data and claimed felony unauthorized access to a computer system
because they didn't explicitly authorize him to download the contents of those
publicly-accessible pages.

This conviction is a travesty.

~~~
lambda
If I discovered that someone hadn't locked a filing cabinet, and then I rifled
through it, found a whole bunch of names and social security numbers, recorded
all of them, and then went to talk to a news organization with this list
without ever notifying the people whose filing cabinet I'd gone through, do
you think that would be OK?

Because that's pretty much the equivalent of what happened here. You say "AT&T
put this information on a public interface and relied on obscurity of serial
numbers to protect it"; this phrasing puts the blame on AT&T. Yes, they should
not have done that. But that's about equivalent to forgetting to lock a file
cabinet; it's a mistake that someone made. Weev then took advantage of that
mistake to violate the privacy of thousands of people, providing their
personal information to a news organization.

Now, I don't necessarily think that they should have been convicted of
everything they were convicted of. Unless there are facts that I haven't seen,
they haven't come anywhere close to committing identity theft. But you do have
to admit that Weev did not exactly handle this responsibly, and did invade
people's privacy.

~~~
burpee
The metaphor doesn't really hold up; it's rather like you went to the
administrative desk of AT&T 1000 times, asked the person behind the desk "Can
I please have document 001?" and they simply handed it over without questions
each of the 1000 times. That employee should have stopped handing over
documents, but it didn't.

In my opinion the crime isn't in requesting or obtaining that information,
it's in the way that he handled that information afterwards.

If he would have used it with the pure intention of showing that the system is
insecure, he would have been right and nobody would have been able to blame
him of improper conduct.

Instead he sold/handed over that information to Gawker, which is where he went
wrong in my opinion, because he took another organisation's information and
decided to put that information on the market against their will or consent.

~~~
cheald
Bingo. I think it was a dick move to go running to Gawker with it, rather than
practicing responsible disclosure. But even then, I'm having a hard time with
the idea of criminal charges for that; he didn't steal this data, AT&T happily
handed it to him. He basically ran around saying "Haha, what a moron the guy
at the administrative desk is, I just kept asking him for files and he just
kept on handing them to me". And while that's distasteful, is it criminal?

Honestly, to me, it feels like he's being run down because someone got
embarrassed, and he's being railroaded with archaic laws that can be applied
in vague and nebulous ways to make just about anyone a criminal if it's
useful.

------
hayksaakian
Were they doing it for the lolz? As far as I can tell from the article,
they're just regular criminals.

~~~
jack-r-abbit
That article's bias is showing. If that is all you read about the incident
then sure.. they are just regular criminals. But there is more to the case
than that. From what I've read elsewhere, the Feds used a bit of stretching to
make that law fit.

~~~
smsm42
Could you back it up with some other sources then? if there's more to the
case, where this more can be found?

~~~
jack-r-abbit
I can't tell if you are trolling or are actually asking me how to Google for
more info on this guy's case?

~~~
smsm42
I don't ask you how to Google. I ask you to substantiate your claims that the
article is biased and the truth is different from what is described there. If
you are convinced this is the case, it must be easy for you to provide some
evidence. Of course, you may consider this trolling and refuse to continue the
discussion. The readers would then left to judge if your bare unsubstantiated
claims are proof enough. I was assuming you wrote that comment in order to try
to convince the readers in the truth of your claims. However maybe I was
wrong.

~~~
jack-r-abbit
The article's bias is pretty evident where it referred to them as "trolls".
The only "evidence" I have that there is more to the story than what this
article said is just what I read in other articles. Sadly, I did not bookmark
any of them so I can't easily return to them to provide links to you. I'd have
to Google for them. So if you would like to read more than just this one
account, you would need to Google as well. But if you want to base your
opinion on only what you read in this one article AND what some random guy on
the Internet (me) gives you, then I won't judge you for that. Carry on.

~~~
smsm42
I think the fact that he was a known troll is just a fact. He himself called
himself a troll, one quote: "Trolling can frequently have large economic
repercussions as, as I learned when I trolled Amazon.". This is not an
evidence of bias. Of course, being a troll does not mean being a criminal, but
the fact that Auernheimer was a troll is well established and confirmed even
by himself.

The problem with Googling is that you know what to Google for to provide
evidence. I have no idea what evidence you have, so how I can Google for
evidence that only you know what it is?

~~~
jack-r-abbit
You don't Google the evidence. You Google the guy. You have his real name. You
have his online name. You have the name of his security firm. Those things
alone will provide days worth of reading material. Read some. What I read
described his actions a little more. And talked more about the vague language
in a 30 year old law. And talked about how the Feds used a very self-serving
interpretation of that language.

~~~
smsm42
I know all this. I've read his backstory, and his current story, and the court
materials, and other materials, and remain convinced that he created a tool to
circumvent AT&T access controls and downloaded private information, he
violated every standard of responsible disclosure (actually, he didn't
disclose it to AT&T at all, he went straight to the press, after doing much
more than is necessary for vulnerability demonstration), that he fully knew
this is not necessary for demonstrating the vulnerability and that he did it
for reasons of personal enjoyment and popularity, if not monetary gain. What I
did not find is any evidence that shows the decision was wrong or biased, and
so for the article. Since you were repeatedly unable to point to any evidence
yourself, I conclude your statement about it was baseless and rooted in
personal emotions, not facts. You are still welcome to provide contradicting
evidence.

~~~
jack-r-abbit
My bias comment about the original article was mostly from them calling the
guys "trolls" along with some other things that seemed to have a certain tone.
But after rereading it, most of the article is indirectly attributed to
"Prosecutors" and "the government" so I will concede that the article may not
be "biased" per se. But I maintain that there is more to the story than they
reported. And since you are determined to make me Google this all again and
point you to specific articles & "evidence" here goes...

[http://gawker.com/5559346/apples-worst-security-
breach-11400...](http://gawker.com/5559346/apples-worst-security-
breach-114000-ipad-owners-exposed) :

 _Goatse Security obtained its data through a script on AT &T's website,
accessible to anyone on the internet. When provided with an ICC-ID as part of
an HTTP request, the script would return the associated email address..._

[http://techcrunch.com/2010/06/14/were-awarding-goatse-
securi...](http://techcrunch.com/2010/06/14/were-awarding-goatse-security-a-
crunchie-award-for-public-service) :

AT&T said: _...wrote software code to randomly generate numbers that mimicked
serial numbers of the AT &T SIM card for iPad – called the integrated circuit
card identification (ICC-ID) – and repeatedly queried an AT&T web address._

<http://gawker.com/5559725/att-fights-spreading-ipad-fear> :

AT&T said: _The only information that can be derived from the ICC IDS is the
e-mail address attached to that device._

[http://gizmodo.com/5559586/should-i-worry-about-the-apple-
ip...](http://gizmodo.com/5559586/should-i-worry-about-the-apple-
ipad-%252B-att-security-breach-probably-not) :

 _The exploit was a simple script: a hacker could throw an ICC-ID at AT &T's
servers, and they would return its registered email address. ICC-ID are easily
guessable,..._

<http://security.goatse.fr/on-disclosure-ethics> :

 _We did not contact AT &T directly, but we made sure that someone else tipped
them off and waited for them to patch until we gave anything to Gawker._

 _None of us made any money off of this disclosure. We did it in public
interests._

[http://www.forbes.com/sites/andygreenberg/2011/01/18/fbis-
le...](http://www.forbes.com/sites/andygreenberg/2011/01/18/fbis-lesson-to-
alleged-ipad-hackers-dont-be-a-troll) :

 _federal agent Christian Schorle does his best to dig up evidence that
Auernheimer is less of an advocate for security and more of a full-fledged
Internet miscreant._

All of these things help shape my opinion on the matter:

1) I don't believe the data harvested is that significant. Having a list of
email address these days is practically worthless and pretty easy to get.
Having an email address matched to an iPad ID number might be a little more
useful to someone, but I fail to see how beyond some better targeted SPAM. I
was not able to find any articles about that leaked info being to blame for
any other iPad/AT&T breaches but I didn't look very hard.

2) I don't believe that any security systems were circumvented to obtain the
data. It seems to me that a wget or cURL call on a loop would have done 75% of
the work. Calling this a "hack" is kind of an insult to people who actually do
hack into secure systems. It is barely even "brute force", if at all. I would
put this in the "automated scraping" bucket.

3) I don't believe he committed a crime here. Sure, the guys seems like a bit
of a crusty wild man and possibly a bit of a douche. But thanks be to the
Earth & Stars that neither of those things are felonies. Unfortunately, it
seems they had already determined this guy was bad. And when you start a
search with your mind already made up about the results, you are almost always
going to end up at that result... no matter if it is wrong or right.

~~~
smsm42
1\. Your belief about significance of the data is immaterial - these emails
were private and were not intended for disclosure. The fact that you think
they're not that interesting does not matter - I may think the content of your
private email account is nothing of interest and will give nobody any useful
information - that still doesn't give me the right to access it.

2\. As I noted elsewhere, here the word "hack" is not used in a sense of
"cleverly use the technology" but in the sense "used computers to access
information he was not authorized to access". Unfortunately, the battle for
the former meaning agains the latter is long lost, and the press is using this
word in the latter meaning for years now. The fact that he had to write the
script which uses special algorithm based on geographic distribution of IDs
means the information was not public and he had to commit some work and apply
his own ingenuity to access it.

3\. Unauthorized access of private information is a crime. I'd rather it stay
so - otherwise I'd have to rely on a good will of people like Auernheimer to
keep my private information private. I think the consequences of this would be
very grim. The problem is not that this guy was an ass - he was an ass long
before that, and still was free to commit his jackassery. Until he crossed the
line between being jackass and committing a crime. I agree that it is not the
most heinous crime committed in the US ever - it is probably a small crime,
like petty theft or trespass - but it still is. I hope he will be punished in
accordance with the severity of the crime - not too hard, not too lightly.

~~~
jack-r-abbit
> _I agree that it is not the most heinous crime committed in the US ever - it
> is probably a small crime, like petty theft or trespass - but it still is. I
> hope he will be punished in accordance with the severity of the crime - not
> too hard, not too lightly._

But he was convicted of a felony. There is no "lightly" on a felony... only
varying degrees "You're F'ed!" Fines will be high. Even if probation/community
service is used rather than prison (yes, PRISON... not jail), the punishment
lasts for a lifetime for a felon. Many, many, many forms have a special check
box for felons.

------
tareqak
From my reading of the article, the defendant is being painted to be bigger,
scarier target so that AT&T looks like a victim instead of a corporation
failing to secure the confidential information of their customers as due
diligence demands. From the comments on this thread, the defendant did not
have intentions that were completely (as in 100%) benign. In addition, the co-
defendant pleading guilty will probably make it harder for his legal team to
prove his innocence. However, why is AT&T getting away with what basically
amounts to negligence? Specifically, AT&T failed to provide reasonable
(industry-standard) security to their users' confidential information (email
addresses and other personal data).

It says about 120,000 Apple iPad users were affected, so 120,000 counts of
negligence. My "class-action lawsuit" senses are tingling.

Edit: minor reformatting and rewording.

------
anigbrowl
Unsuccessful troll.

------
jason_slack
While I agree that his past "clouds" peoples potential judgement of him, I
can't help but wonder if it was really understood that this data was in
publicly accessible. He didn't need to work his way through backdoors and
breach what some would consider traditional security measures.

------
TallboyOne
That is an incredible beard, that must be where he draws his power from.

~~~
rhizome
This isn't Reddit.

