At some point the creators need to bear responsibility.
I think eventually this will/should change to being an "attractive nuisance" type issue.
Paris, for obvious reasons.
A San Francisco man has admitted writing the code that plucked personal data of 120,000 early iPad adopters from servers AT&T had left wide open to the attack. Daniel Spitler, 26, pleaded guilty in federal court in New Jersey to one count each of identity theft and conspiracy to gain unauthorized access to internet-connected …
This sort of thing seems crazy to me, surely there are web devs/general coders out there who like to stress test other people's sites or applications not with any specific evil intention but just to see if the security is as good as it should be.
If I found that sort of hole then I'd definitely do a proof of concept and spider crawl some of the data available.
Don't see how doing so should end up with your receiving 5 years in jail though
I'm with you on this. I like to go round testing other people's front doors and windows for vulnerabilities and if I manage to get in I like to read anything personal that I find in there and take pictures of the contents of their underwear drawer and show them to all my friends.
I don't see how doing so should end up with my receiving 5 years in jail either.
In this case what he did was enter without permission and then copy some of the private information held within the 'house'.
Now I'm not saying you wouldn't be pursued for finding an exploit and proving you could get shell access, or downloading an innocuous part of the database, but that's not what happened here.
FWIW assuming there was no ill-use of the data I'm not sure pursuing them is really the right thing to do. But then, whether we've got the skillset or not you can't just go accessing (supposedly) non-public areas of other people's servers without permission.
To use your analogy, if I noticed one of your windows is unlocked/opened and climb through it may not necessarily be a crime, but you're hardly going to be happy about it are you? I do plenty of pen testing but _only_ with permission.
At the end of the day if you try to see if a server is vulnerable and manage to gain access, the difference between breaking the CMA and not is whether or not that access was authorised. You can argue about the right or wrongs of the status quo, but the fact remains that to do so _is_ illegal.
Obv this happened on the other side of the pond, so won't be the CMA but I'd imagine their equivalent works the same way.
The ICCID found by Goatse can be easily translated to an IMSI [1] which opens a massive hole via SS7 hacking.
Not that long ago you could use this "to retrieve the subscriber’s full name, phone number, and approximate location relative to the nearest cell tower." [2]
[1] http://blog.vodun.org/2010/06/at-is-wrong-about-ipad-breach-i-have.html
[2] http://www.dfinews.com/news/ipad-data-breach-opens-new-vulnerabilities
Why aren't AT&T and apple being prosecuted for failing to care for the data enough and letting it in a leakable state, hoarding it in the first place, and, oh, not merely failing to disclose the problem when brought to their attention but dragging their feet at fixing it too?
For they clearly cannot be trusted with this long list of Highly Sensitive Names[tm]. Never mind undue convertibility of ICCID into IMSI. And who is to blame for the shamefully shoddy state of SS7 security, anyway?
I don't particularly like these shockblog fanciers and they did set themselves up for the fall, but that doesn't mean they should be the (only) ones to take it. Sheesh.
This was AT&T's subscriber list - and their website leaking - why bring Apple into it?
The shoddy state of SS7 security is because it was never designed for security, but a bit like IPv4 it's so widely used no one can move to something better. Its current state is also convenient for intelligence organisations so I guess there's no government mandated rush.
But you'd never guess that.
As for "known" holes.
Well if they are *known* this suggests big red flags in the manual along the lines of "Review *all* administration settings dealing with this and the code that handles them"
It's not bugs that annoy me.
It's people tripping up over the *same* bugs, over and over again.
If there is no evidence that anyone was victimised or suffered damages as a result of this "hack" how can charges be brought about, other than a large fine for AT&T for overlooking an elementary level of care in securing this data?
It is suspicious that someone would want to collect all of that data, but unless it can be proven that the data has been publicised or sold or used for phishing attacks or that there was evidence of a motive to do so, the data can be deleted and the situation sorted out amicably rather than a 5 year prison stint and massive fine. It assumes that the perpetrator's intent was malign.
I hope penetration testers go to prison for life! Which coincidentally, if AT&T had bothered to put out cash for them, they could have avoided this debacle altogether... Whose fault?
>>"Trying a car door, finding it unlocked,...does wander somewhat past the sign marked "Idle Curiosity""
Indeed.
Though it seems to me that if someone was trying numerous possible IDs to find one that worked, it's more like playing with a combination lock until it opens than just finding a door unlocked.
That may be OK if you're in an environment where that might be acceptable, but people playing with other people's systems should remember that they don't get to set the rules, whatever they and their mates might think is fair and acceptable behaviour, and however well-intentioned they may tell themselves they're being.
If someone's simply interested in improving security, they could quite easily stop after maybe accessing a handful of accounts and publicise the problem or notify the relevant people.
Carrying on to access as many accounts as possible seems more like someone hoping to maximise bragging rights, and that comes with a definite risk of seeming less well-meaning the further one goes, as well as potentially annoying increasing numbers of people who may bite back.
On the valet service that parked the car and left it unlocked... Ok this could go on and on. If the hacker has distributed the list of information to anyone other than AT&T or the authorities then yes I agree he should be sentenced for putting that list of people in potential future risk. If he has used the data for his own ills he should be sentenced also. If however he has done none of these then on what grounds is he being charged?
Hackers are needed, you may not understand them and you may paint them all with the criminal brush but that isn't necessarily the case. Hackers highlight security holes in systems that would not get picked up otherwise. There are legitimate companies out there that do this kind of testing, however, they cost money and not all businesses are equally motivated to enlist these services.
Individual hackers often find what is overlooked, in their spare time because they can. Determining whether this is a criminal case or not boils down to what they do after the hack and not the hack itself.
> And yet no action taken on the valet service that parked the car and left it unlocked...
The valet service hasn't done anything illegal. The owner of the car could take civil action against the valet service in the same way that the 120,000 victims could take civil action against AT&T. The authorities have no legal standing to take any civil action on behalf of the 120,000 victims.
The person entering the car would still be committing an illegal act, the same way the hackers have committed an illegal act.
It's not illegal to have faulty locks on your car.
It's not illegal to have faulty locks on your house.
It's not illegal to have a bug in a web application.
It is illegal to exploit the faulty locks on a car and break in.
It is illegal to exploit the faulty locks on a house and break in.
It is illegal to exploit the faulty web application and "break in".
Jail them all.
>>"It may not be illegal to have faulty locks on your house or car, but I wouldn't expect an insurance company to pay out for any losses you incur as a result of having faulty locks"
Unless there's something in the policy about a required level of security to be maintained at all times, I would expect most home insurance policies to pay out.
The house analogy is a bit dubious anyway - in normal use, frequently doors/windows are left unlocked or even open while not being explicitly guarded, with people occupied elsewhere in the house (or garden), upstairs windows may often be left open while the occupants are asleep, non-faulty locks are often not desperately hard to open, better locks often don't /prevent/ access, but merely make it more difficult/noisier, etc.
And define 'faulty' - does that include a lock that was supposed to be fine at the time it was purchased, but which is now openable by people with a particular set of new tools?
> Individual hackers often find what is overlooked, in their spare time because they can. Determining whether this is a criminal case or not boils down to what they do after the hack and not the hack itself.
So you are saying it should be perfectly legal for anybody to attempt to, or to actually hack, into any system they want to, and there should be no legal consequences for either the hack or the attempt.
Live by the sword, die by the sword. What's your IP address? I want to hack into your computers and read everything personal you have there. All your emails, all your browsing history, your photographs, home movies, your bank account details, credit card statements, stored passwords, everything. There will be no need to notify your bank, credit card companies or anybody you might have had dealings with that I could scam in your name. There is no need to change passwords on any websites you might access. Honest. I won't do anything with the information, trust me, I'm a hacker.
>>"Giving carte blanche and relying on the greyhat to know what's safe to try and what isn't really doesn't sound like the greatest of ideas to me"
Not only that, but having anything short of deliberate wanton damage or data theft legalised would make nastier activity easier and safer - if it was legal to break into property and rifle through the contents and only illegal to vandalise stuff or take things away with you, that'd make it harder to get people for doing the more unpleasant things, since they'd be free to root around anywhere they felt like, and decide whether to steal or wreck stuff without risking any kind of sanction even if caught, right up to the point they ran off with some piece of loot.
It's up to the property owner to decide what kind of activity they consider as being forgivable curiosity, and what is an unforgivable intrusion.
And as for your point about the unwiseness of relying on the greyhat to define what's safe, that'd be the case even if they basically understood what they were doing, but vastly more so if they were just some kid using a tool they didn't really comprehend to attack a system they didn't know.
The underlying bug was not really an insecure direct object reference. That would require that the user was authorized in the first place. No ATT/iPad user was authenticated and then authorized to get their email address at this stage. This was the problem. AT&T should have required authentication before sending any personal information. They did not. Because AT&T didn't require any authentication they could not be sure who they were authorizing to receive the email address associated with an ICC-ID. AT&T just blindly authorized anyone with an iPad user agent and any valid ICC-ID. Therefore, one should not be able to argue that they were unauthorized or exceeded authorization as per the CFAA. I'll bet that Spitler will not get any prison time, otherwise he would have been crazy to agree to that plea deal.
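The authentication-versus-authorization distinction the comment above draws, as an added example that is not from this thread or from AT&T: a toy lookup handler that releases an email on nothing more than a client-identifying header and a valid ICC-ID, beside one that authenticates the caller first and then checks that the logged-in account owns that ICC-ID. All names, sessions and sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: ICC-ID -> email, and which account owns which ICC-ID.
SUBSCRIBERS = {
    "8901410321111111111": "alice@example.com",
    "8901410321111111112": "bob@example.com",
}
ACCOUNTS = {  # session token -> (username, set of ICC-IDs owned by that account)
    "sess-alice": ("alice", {"8901410321111111111"}),
}


@dataclass
class Request:
    user_agent: str
    iccid: str
    session: Optional[str] = None  # None = caller never logged in


def lookup_email_vulnerable(req: Request) -> Tuple[int, str]:
    """Authorizes on a User-Agent string plus a valid ICC-ID but never
    authenticates the caller, so anyone presenting a valid ICC-ID is
    handed the associated address. This is the pattern the comment describes."""
    if "iPad" not in req.user_agent:  # a header is not an identity
        return 403, "forbidden"
    email = SUBSCRIBERS.get(req.iccid)
    return (200, email) if email else (404, "unknown")


def lookup_email_hardened(req: Request) -> Tuple[int, str]:
    """Authenticate first, then authorize: the address is released only to a
    logged-in account that owns the requested ICC-ID. The User-Agent header
    plays no part in the decision."""
    acct = ACCOUNTS.get(req.session or "")
    if acct is None:
        return 401, "authentication required"
    _username, owned = acct
    if req.iccid not in owned:
        # Same answer for "not yours" and "does not exist", so the endpoint
        # does not confirm which ICC-IDs are valid.
        return 404, "unknown"
    return 200, SUBSCRIBERS[req.iccid]
```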