Fark.com

   Plan: 1) Hack into AT&T servers...DONE 2) Get 120,000 iPad users' emails to prove your genius...DONE 3) Get caught and convicted...DONE 4) Get offered a job by the CIA like that movie I once watched...PENDING

21 Nov 2012 09:14 AM   |   4641 clicks   |   New Europe
abhorrent1     
Goatse Security? LMAO

21 Nov 2012 09:20 AM
The Briny Derp     

abhorrent1: Goatse Security? LMAO


21 Nov 2012 09:22 AM
sonofslacker     
How well did that work out for Kevin Mitnick?

21 Nov 2012 09:23 AM
HindiDiscoMonster     
FTA: Auernheimer's lawyer disagreed with the "prosecutors' interpretation of what constitutes unauthorized access to a computer under the Computer Fraud and Abuse Act"

Ummm yeah... unless AT&T hired him to do it....

unauthorized; adj.
1> not having any authority
2> without official authorization

/Perhaps the attorney needs to go back to school

21 Nov 2012 09:24 AM
LarryDan43     
Jukt Micronics is hiring.

21 Nov 2012 09:24 AM
wallywam1     
You're not a genius, subby.

21 Nov 2012 09:26 AM
wallywam1     
And I'm an idiot.

21 Nov 2012 09:26 AM
NutWrench    [TotalFark]  
US government explained that the accused used an "account slurper" that was designed to match email addresses with "integrated circuit card identifiers" for iPad users, and which conducted a "brute force" attack to extract information about those users, who accessed the Internet through AT&T's network.

Bullshiat. Any halfway competent server should eject you and log the IP after a half-dozen or so unsuccessful attempts. If they're talking about locally decrypting a short password, then that's something else.

/waits for AT&T joke.

21 Nov 2012 09:27 AM
HindiDiscoMonster     

NutWrench: US government explained that the accused used an "account slurper" that was designed to match email addresses with "integrated circuit card identifiers" for iPad users, and which conducted a "brute force" attack to extract information about those users, who accessed the Internet through AT&T's network.

Bullshiat. Any halfway competent server should eject you and log the IP after a half-dozen or so unsuccessful attempts. If they're talking about locally decrypting a short password, then that's something else.

/waits for AT&T joke.


Rethink Possible?

21 Nov 2012 09:29 AM
Digitalstrange     

HindiDiscoMonster: FTA: Auernheimer's lawyer disagreed with the "prosecutors' interpretation of what constitutes unauthorized access to a computer under the Computer Fraud and Abuse Act"

Ummm yeah... unless AT&T hired him to do it....

unauthorized; adj.
1> not having any authority
2> without official authorization

/Perhaps the attorney needs to go back to school


except the CFAA isn't written that clearly. Everyone knows he committed the act, the lawyer is trying to push an interpretation of the law that says his client's act isn't technically covered by it. All he has to do is get a judge to buy his version. It's what you do when your client is clearly guilty.

21 Nov 2012 09:33 AM
HindiDiscoMonster     

Digitalstrange: HindiDiscoMonster: FTA: Auernheimer's lawyer disagreed with the "prosecutors' interpretation of what constitutes unauthorized access to a computer under the Computer Fraud and Abuse Act"

Ummm yeah... unless AT&T hired him to do it....

unauthorized; adj.
1> not having any authority
2> without official authorization

/Perhaps the attorney needs to go back to school

except the CFAA isn't written that clearly. Everyone knows he committed the act, the lawyer is trying to push an interpretation of the law that says his client's act isn't technically covered by it. All he has to do is get a judge to buy his version. It's what you do when your client is clearly guilty.


aka:
4.bp.blogspot.com

21 Nov 2012 09:35 AM
vudukungfu     
Well, if you don't hire them to do your security, you deserve to get robbed again.

21 Nov 2012 09:36 AM
vudukungfu     

abhorrent1: Goatse Security? LMAO


They found a hole in the back door.

21 Nov 2012 09:37 AM
dragonchild     

NutWrench: accessed the Internet through AT&T's network.


NutWrench: Any halfway competent server should eject you and log the IP after a half-dozen or so unsuccessful attempts


Well?

21 Nov 2012 09:42 AM
bikerbob59     

wallywam1: You're not a genius, subby.


Came to say this...

21 Nov 2012 09:49 AM
lysdexic    [TotalFark]  

sonofslacker: How well did that work out for Kevin Mitnick?


Worked for that Abagnale guy.

21 Nov 2012 09:50 AM
FingerlessMittens     
The Register has an article on it here: http://www.theregister.co.uk/2012/11/21/ipad_hacker_conviction/

"The case has been closely watched in the information security community because Auernheimer recovered the data from the AT&T website without bypassing any security controls."

The article contains a link to a blog post where they build the argument that what was done is little different from trying a url and seeing where it goes:

"But what are the limits of implicit authorization? Let's say you are reading a website that has "articleId=31337" at the end. You wonder what the next article is, so you go to the URL and change it to "articleId=31338" and hit return. Have you "exceeded authorized access"? It's hard to say. If article "31337" is public, why not "31338"?

But in our scenario, let's say that article "31338" is a press release that is not intended to be published until tomorrow announcing the quarterly corporate earnings. While the article itself is online, a link to it won't be posted to the home page until tomorrow, so not even Google spiders can find it. Because you've gotten early access, you can make a huge profit buying/selling stocks.

Is it your fault for accessing the pre-posted financial results? Or their fault for making them accessible? What does the Computer Fraud and Abuse Act say on this matter?"

I doubt the guy is as innocent as they claim but I equally suspect that ATT were lazy/stupid.

21 Nov 2012 10:12 AM
RockChalkH1N1     
Why does ATT have Apple emails?

21 Nov 2012 10:21 AM
otalicus     

NutWrench: US government explained that the accused used an "account slurper" that was designed to match email addresses with "integrated circuit card identifiers" for iPad users, and which conducted a "brute force" attack to extract information about those users, who accessed the Internet through AT&T's network.

Bullshiat. Any halfway competent server should eject you and log the IP after a half-dozen or so unsuccessful attempts. If they're talking about locally decrypting a short password, then that's something else.

/waits for AT&T joke.


I work in IT and review security logs for several hundred large and small businesses. The amount of companies (that should know better) that don't do this is staggering.

/job security I guess

21 Nov 2012 10:30 AM
BalugaJoe    [TotalFark]  
lh6.googleusercontent.com

21 Nov 2012 10:30 AM
ChicagoKev     
Proving the exploit works by grabbing a half dozen records is defensible. Publishing the exploit mechanism so anybody who is so inclined can try it for themselves is a jerky thing to do, but not unlawful.

Enumerating the entire database was unnecessary and uncalled for, as was redistribution to Gawker.

21 Nov 2012 10:45 AM
Jon iz teh kewl     
www.grayflannelsuit.net

21 Nov 2012 10:57 AM
FingerlessMittens     

ChicagoKev: Proving the exploit works by grabbing a half dozen records is defensible. Publishing the exploit mechanism so anybody who is so inclined can try it for themselves is a jerky thing to do, but not unlawful.

Enumerating the entire database was unnecessary and uncalled for, as was redistribution to Gawker.


Publishing the exploit mechanism after informing the site is an important thing to do. Give the site time to fix the issue then release so that others can find out the exploit and patch their own systems. Some will use the info for LULZ but you should work on the basis that just because you haven't read about it you aren't the first to find it.

The data base should have just gone to ATT to prove that the exploit worked. Didn't need to go anywhere else.

21 Nov 2012 11:15 AM
dragonchild     

FingerlessMittens: The data base should have just gone to ATT to prove that the exploit worked.


It's all speculation either way, but these sorts of flaws often go unaddressed -- even with the admins informing management daily -- until it bites them in the ass. Then it was the IT guy's fault the entire time.

/ The main difference between a 20-year-old IT guy and a 30-year-old IT guy is that the latter, if still employed, has learned to document everything

21 Nov 2012 11:23 AM
Zerocyde     
He didn't hack into shiat. AT&T made the info publicly available, and when he pointed it out, he got charged under a bullshiat and archaic computer law written in 1980.

21 Nov 2012 11:52 AM
almandot     
nsbrant.files.wordpress.com

21 Nov 2012 12:02 PM
BarkingUnicorn    [TotalFark]  

HindiDiscoMonster: FTA: Auernheimer's lawyer disagreed with the "prosecutors' interpretation of what constitutes unauthorized access to a computer under the Computer Fraud and Abuse Act"

Ummm yeah... unless AT&T hired him to do it....

unauthorized; adj.
1> not having any authority
2> without official authorization

/Perhaps the attorney needs to go back to school


Here's another attorney's explanation of this lame defense:

"Auernheimer's bigger problem, and perhaps his best shot on appeal, is that the CFAA doesn't define at all what "access[ing] a computer without authorization" means. Was GoatSec "without authorization" to send guessed ICC-IDs to the login page of AT&T's server, which it made available openly on the Internet? An important fact in the case is that the GoatSec's slurper script never entered anything into the password field of the login page; it just collected the emails the page offered up to it. Who decides who is "without authorization"? The government? The website operator? How do you know the website operator deems you to be "without authorization"? The CFAA gives no answers."

Link

21 Nov 2012 12:18 PM
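
Added example, not part of any comment in this thread: NutWrench's and otalicus's comments assume a lockout after repeated unsuccessful attempts, but the analysis quoted above says the script never entered anything into the password field, so a failed-login counter would have nothing to count. The sketch below instead counts distinct identifiers requested per client in a sliding window; the `/lookup?id=` endpoint, the log format, the addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical access-log format: ip [timestamp] "request line" status
LINE_RE = re.compile(
    r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /lookup\?id=(?P<ident>\d+) HTTP/1\.1" (?P<status>\d{3})'
)

def find_enumerators(lines, max_distinct=6, window=timedelta(minutes=5)):
    """Return {ip: time the client first exceeded max_distinct different
    identifiers inside the sliding window}. Status codes are ignored on
    purpose: every request in this pattern can be a 200."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, identifier)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["ident"]))
        while q and ts - q[0][0] > window:  # drop entries older than window
            q.popleft()
        distinct = {ident for _, ident in q}
        if len(distinct) > max_distinct and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def sample_log():
    """Constructed log lines; each client's entries are in time order."""
    base = datetime(2012, 1, 1, 12, 0, 0)
    lines = []
    # Client A reloads its own identifier 20 times: busy, but one identifier.
    for i in range(20):
        t = base + timedelta(seconds=10 * i)
        lines.append(f'198.51.100.7 [{t:%Y-%m-%dT%H:%M:%S}] '
                     f'"GET /lookup?id=1000000001 HTTP/1.1" 200')
    # Client B asks for a different identifier every second.
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f'203.0.113.9 [{t:%Y-%m-%dT%H:%M:%S}] '
                     f'"GET /lookup?id={2000000000 + i} HTTP/1.1" 200')
    return lines

if __name__ == "__main__":
    for ip, ts in find_enumerators(sample_log()).items():
        print(f"{ip} exceeded the distinct-identifier threshold at {ts}")
```
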
Clemkadidlefark     
Inside the tent pissing out

You know the rest ...

21 Nov 2012 02:22 PM
RoyBatty     
Anyone here remember fuskering?

This guy fuskered AT&T. That seems to be all he did.

Do you think your use of fusker should send you to jail? If not, why not?

21 Nov 2012 03:02 PM
GoldDude     
www.neurope.eu
I believe that moustache and beard/goatee combination is known as a "prison pussy"... open wide, sweetheart!

21 Nov 2012 06:40 PM
SoxSweepAgain     

LarryDan43: Jukt Micronics is hiring.


Reference I was looking for.

/They have a great website.

21 Nov 2012 07:50 PM
PWNtheCCP     
Ask Lulzsec how their new jobs are working out for them. Oh wait...

21 Nov 2012 10:14 PM
fluffy2097     
The stolen data was then provided to the website Gawker, which published an article referring to emails of well-known people, including ABC News anchor Diane Sawyer, New York Mayor Michael Bloomberg and current Chicago Mayor Rahm Emanuel

Ah Gawker. You are such a paragon of journalistic integrity.

21 Nov 2012 10:51 PM