"Well known" prat gets 41 months, but is it justified?

Seachmall

Article Here.

So a guy known online as "weev" was sentenced to 41 months for "hacking" AT&T's iPad registration site and stealing personal data of those who had signed up to the website.

How he went about it was quite simple. The website used GET requests to pull member information from the database and display them on a website which I'll explain for anyone who hasn't come across it before.


It's the same as how Boards displays a thread. If you look in the URL above you'll see "showthread.php?t=2056910177". The "t=2056910177" part is the GET request. It tells the Boards servers to show the thread with the ID of "2056910177". If you change those numbers you'll see different threads. However if you, for example, change the last digit to "1" you will, presumably, get a "you do not have permission to access this page" message (you won't get it if you have access to the forum that thread belongs to). This is because boards checks if you have the right permissions to read that thread.



Going back to AT&T they had a similar setup to view registered member info. They might have had a site with a page like "showmemberinfo.php?id=1". If you went to that page it would show you the details of the member with the id of 1. If you changed the id to 2 it would show you that member's details and so on.* However, unlike boards, it did not check to see if you had the right permission to view those member's details. They were available for anyone with a computer to see.


What weev did was repeatedly go to that page and increment the id by 1 and download the details.


To use a more relatable analogy (and some might disagree with this) it's like having two people.

• Person A has personal information on others which he, by law, is not allowed to give to anyone else.
• Person B knows this but also knows if he simply asks Person A he will get the information.

In this example do you think Person B is breaking the law by asking Person A for the information? Or does the responsibility fall on Person A for not protecting it appropriately? Or are they both liable?


My interpretation of it is that AT&T is solely at fault for not protecting the information. How they went about it essentially published the information into the public domain. If I set up a website that published personal details why would you be guilty of a crime simply by visiting that website? And why would you then have to pay me reparations?


Now weev is an asshat, I'd bet anyone who has heard of him before didn't do so in a good light. He's such a prick he has his own Wiki page about him being a prick. That's a pretty big achievement for someone nobody cares about. But this isn't about him being a douche.


What's your take on it? Agree or disagree? (Poll en route ADDED! Wahaay! Lets rejoice!.)


*This is a simplification of how the site was used. It actually used the iPad's ICCID number, which looks like "01010104012010462001". I believe weev guessed a range of numbers higher and lower than that number and incremented through them.

humbert

You could compare it to using a 6 character password and having someone guess it.

Sentencing on technical matters seems very very harsh. I don't think it's fair to take a sentence for downloading a single person's info and start multiplying it.

Banjo String

Misleading thread title.

Never heard of him before, and i know loads of 'prats'. Oh yeah.

Tombi!

I don't see the problem; to me he was solely in the wrong.
It's not anymore "wrong" of AT&T to muck up security.
It is wrong of weev to have attitude of "next time I won't be so nice".

Siuin

41 months, is it? So just about the same jail sentence you'd get for raping someone. Hurrah for the justice system.

Of course he's in the wrong.

wexie

Seachmall wrote: »

Article Here.

My interpretation of it is that AT&T is solely at fault for not protecting the information. How they went about it essentially published the information into the public domain. If I set up a website that published personal details why would you be guilty of a crime simply by visiting that website? And why would you then have to pay me reparations?

To stick with analogies :

You're in a car dealership and all the staff have gone out for lunch.
The key cabinet is wide open and there's a button to open the big roller doors.

Someone steals all the cars....

Is this a case of :
1) they should have protected the cars better and are solely at fault for not doing so.

or

2) the guy is a car thief and should be locked up.

If you know you're not supposed to take something, just because it's not being guarded (well) doesn't make it right, you know you're not supposed to take it (access it) and are doing so anyway.

No matter how you look at this is theft. Just because it's something so esoteric as personal data that's poorly protected online doesn't change that fact.

(Yes AT&T should definitely have protected their customers data better but the aforementioned asshat is still a thief)

Sheeps

He can't be being sentenced on just using the internet because on a technical level, that's all he was doing. It should be viewed in the same light as viewing a web page normally through the browser. If however they can prove that he intentionally bypassed security measures that were in place to be able to view the data then let him rot.

I find it to be absolutely absurd that AT&T did not implement any form of security around this. I wonder just how vulnerable this service was.

BrianG23

****ing dreadful security

Antar Bolaeisk

Whoever was responsible for the webpage should be given the 41 months for making private data freely available on the internet. Should he have done what he did, no, but the sentence is completely over the top.

a fat guy

I'm a computing student and I think a more accurate example would be letting people into your home, not letting them know that they shouldn't go into a particular room, then reporting them to the guards for doing so.

Their URI(URL) that allowed Weev to do this should have limited the path variables(the 1) in some way to stop him. And its not like the users of websites and systems don't do these things accidentally. It could be the case that, assuming Weev is the arsehole that people make him out to be, that he simply wanted an ego boost after doing this by accident.

I think it's worrying that everyone is talking moreso about Weev's sentence than the lack of security at AT&T. Seriously, Fine Gaels website had information taken from its database of users with a simple SQL statement because a comment box wasn't parsing out SQL (Treating text sent to the database just as text, stripping it of it's ability to change things).

It would be like me typing out DR0P T@BLE USERS; into the same boxes that we use to communicate on here, and boards losing every single user account it has (I have changed the "O" to a zero and the "A" to the @ symbol because I don't take chances and don't want to become the next Weev).

meoklmrk91

It takes people doing stuff like this to wake companies up, preferably I would like it peeps went to the site owner and told them about the flaw but I believe Sony were warned about vulnerabilities in their system before they were hacked and did nothing about it.

No he shouldn't have stole the info but I do think that the jail term is quite harsh, a shorter sentence would have made the point, but then sentences for stuff like this are really OTT, one only has to look at the Aaron Swartz case for evidence of that AT+T should have been doing more to protect their customers data and I think they should be fined big time for this.

grizzly

What did he do with the information? From the article it looks like he stored it on his computer and told AT&T he had it. Did he try and sell it?

P_1

It's certainly an interesting one. Without fully understanding all the details it seems that he identified a security risk. Rather then theoretically explaining the risk involved he practically demonstrated it.

It's like he say saw a big pile of lithium next to a large pool of water. Rather than saying 'hey if you drop the lithium into the water you'll get a big fire', he just dumped the lithium into the water and caused a big fire.

Seachmall

grizzly wrote: »

What did he do with the information? From the article it looks like he stored it on his computer and told AT&T he had it. Did he try and sell it?

He told Gawker.com about what he did and then let AT&T know. Don't think he tried to sell it, was just in it for the fame I'm guessing.

wexie wrote: »

To stick with analogies :

You're in a car dealership and all the staff have gone out for lunch.
The key cabinet is wide open and there's a button to open the big roller doors.

Someone steals all the cars....

Is this a case of :
1) they should have protected the cars better and are solely at fault for not doing so.

or

2) the guy is a car thief and should be locked up.

If you know you're not supposed to take something, just because it's not being guarded (well) doesn't make it right, you know you're not supposed to take it (access it) and are doing so anyway.

No matter how you look at this is theft. Just because it's something so esoteric as personal data that's poorly protected online doesn't change that fact.

(Yes AT&T should definitely have protected their customers data better but the aforementioned asshat is still a thief)

That analogy doesn't work because he didn't commit theft or deny anyone their property.

He literally went to a public website and read publicly available information.

I don't see how that act could be seen as criminal.

P_1

Seachmall wrote: »

He told Gawker.com about what he did and then let AT&T know. Don't think he tried to sell it, was just in it for the fame I'm guessing.


That analogy doesn't work because he didn't commit theft or deny anyone their property.

He literally went to a public website and read publicly available information.

I don't see how that act could be seen as criminal.

I think it could be viewed as criminal by the fact that he accessed and released information that was supposed to be controlled into an uncontrolled domain.

I'd hazard a guess that they used a similar kind of case against him that they used against torrent sites and the like.

Peanut

wexie wrote: »

Someone steals all the cars....
...
No matter how you look at this is theft. Just because it's something so esoteric as personal data that's poorly protected online doesn't change that fact.

And stealing a pick'n'mix jelly is still theft, but you wouldn't give 41 months for it.

It's interesting that the NSA snoop on huge quantities of US net traffic through AT&T funnily enough.

Seachmall

P_1 wrote: »

I think it could be viewed as criminal by the fact that he accessed and released information that was supposed to be controlled into an uncontrolled domain.

I'd hazard a guess that they used a similar kind of case against him that they used against torrent sites and the like.

True, but I'd be of the opinion that it was public domain information as soon as it was made accessible to the public with no protective measures in place. And as a result AT&T actually hold the responsibility for releasing personal details to the public.

Grayson

Weev is a racist trolling prick. But the sentence was not warranted. He didn't "hack" it. He found out a flaw. He just discovered that it was publicly available. He went to gawker and told them (to create publicity for his company) and then he went to AT&T and told them about the flaw in their system.

It's far too harsh. But the US has been far, far to tough on cybercrime. Look at Aaron Swartz or even Neil McKinnon. Swartz hadn't actually committed a crime. He had used a publicly accessible network to download articles that were in the public domain. And he was facing 37 years when he killed himself

P_1

Seachmall wrote: »

True, but I'd be of the opinion that it was public domain information as soon as it was made accessible to the public with no protective measures in place. And as a result AT&T actually hold the responsibility for releasing personal details to the public.

TBH looking at things realistically and not with a tin foil hat on, I'd say that AT&T were in the wrong for this situation but they hold too much power and influence to be held up for their mistake and thus a scapegoat who didn't have the power and influence to defend themselves was made

Sergeant

The guy sounds like a complete arsehole. I'm in favour of the odd unusually strict sentence or a conviction based on incomplete or spurious evidence. He can use the time to think about being an arsehole has done for him.

Phoebas

Grayson wrote: »

Weev is a racist trolling prick. But the sentence was not warranted. He didn't "hack" it. He found out a flaw. He just discovered that it was publicly available. He went to gawker and told them (to create publicity for his company) and then he went to AT&T and told them about the flaw in their system.

Every security flaw could potentially also be seen as confidential information being made publicly available. The only difference in this case is that the security flaw was pretty transparent to almost anyone. He did hack it; he knew he was accessing information that he shouldn't be accessing.
It was just a very easy hack.

Seachmall

Phoebas wrote: »

Every security flaw could potentially also be seen as confidential information being made publicly available. The only difference in this case is that the security flaw was pretty transparent to almost anyone. He did hack it; he knew he was accessing information that he shouldn't be accessing.
It was just a very easy hack.

"Hacking" requires at least some level of security to bypass otherwise you're simply receiving requested information.

For example, you're not hacking boards to show you this thread. It's being made available to you after you request it. Regardless if Dev actually wants you to be able to view this thread or not.

aherringterm

Personally I think that

PhlegmyMoses

Both in the wrong. AT&T for not securing their website and this guy for putting the info into the public domain. Sure, you could say that the info was already there to be seen by everyone but the reality is that only a small minority would know how to access it. Just because you can access something, doesn't mean you should. The length of the sentence seems disproportionate but he is in the wrong. The fact it was leaked to Gawker sealed his fate.

Grayson

Phoebas wrote: »

Every security flaw could potentially also be seen as confidential information being made publicly available. The only difference in this case is that the security flaw was pretty transparent to almost anyone. He did hack it; he knew he was accessing information that he shouldn't be accessing.
It was just a very easy hack.

Not really. To compare it to the physical world, he discovered a door was unlocked. So he walked in and took a couple of photo's to prove that he was there. Then showed the photo's to the owner to show how he got in.

It was barely hacking, but it certainly didn't involve breaking any of their security.

In a real world sense, it's like being convicted of breaking and entering, when all he actually did was trespass. I'll agree that what he did wasn't right, legally or morally, but it didn't warrant a prison sentence.

Grayson

PhlegmyMoses wrote: »

Both in the wrong. AT&T for not securing their website and this guy for putting the info into the public domain. Sure, you could say that the info was already there to be seen by everyone but the reality is that only a small minority would know how to access it. Just because you can access something, doesn't mean you should. The length of the sentence seems disproportionate but he is in the wrong. The fact it was leaked to Gawker sealed his fate.

But he gave them redacted information. There was nothing in it that could be damaging.

Seachmall

P_1 wrote: »

TBH looking at things realistically and not with a tin foil hat on, I'd say that AT&T were in the wrong for this situation but they hold too much power and influence to be held up for their mistake and thus a scapegoat who didn't have the power and influence to defend themselves was made

According to this article included in the list of people who's details were exposed were big military and political players (e.g. White House Chief of Staff and the Mayor of New York).

Oddly enough that article also reports weev was just the one who discovered the publicly accessible page, but he wasn't the one who downloaded the details.

hatrickpatrick

His jailing is utterly moronic. What SHOULD actually happen is AT&T getting a hefty data protection fine for doing absolutely nothing to protect their customers.
This guy did it for the craic, which is fortunate - imagine if it had been the bogeymen that are "Chinese hackers" or a rival phone network looking to spam customers?

What this guy essentially did was to blow the whistle on an unacceptably lax security system. If I were calling the shots, I'd commend him for exposing it and come down very hard on AT&T for screwing it up so ridiculously.

Phoebas

Seachmall wrote: »

"Hacking" requires at least some level of security to bypass otherwise you're simply receiving requested information.

Hacking is exploiting a weakness, and typing in a url rather than following a link is doing just that.
Similarly, a very common hack (at least used to be) is sql injection. This was commonly used by hackers by embedding a sql statement in a url query string.
If there is no security in place to prevent sql injection attacks, is sql injection not hacking?

Seachmall

Phoebas wrote: »

Hacking is exploiting a weakness, and typing in a url rather than following a link is doing just that.
Similarly, a very common hack (at least used to be) is sql injection. This was commonly used by hackers by embedding a sql statement in a url query string.
If there is no security in place to prevent sql injection attacks, is sql injection not hacking?

In the case of SQL injection you are getting the application to display information other than what was intended.

The application's design to not display that information is security in itself. Incorrectly filtering input is a flaw in that security design.

What weev, or his partner, did was simply use the page exactly as it was designed. It was designed to output user details to anyone who requested them. That's what they used it for.

It should have been designed to output user details to only those with the correct permissions.


If DeVore told you not to use boards but implemented no measures to enforce that are you hacking by typing "boards.ie" into the URL bar?

Phoebas

Grayson wrote: »

Not really. To compare it to the physical world, he discovered a door was unlocked. So he walked in and took a couple of photo's to prove that he was there. Then showed the photo's to the owner to show how he got in.

It was barely hacking, but it certainly didn't involve breaking any of their security.

If I discover a door that is locked, but the key is under the mat. Or if the lock is so badly designed that I can pick it, or the frame of the door is rotten and its easy to prise open? Aren't these all variations of the same thing?

He entered a place that he wasn't authorised to enter. He hacked his way in, albeit an incredibly easy hack.

Grayson wrote: »

In a real world sense, it's like being convicted of breaking and entering, when all he actually did was trespass. I'll agree that what he did wasn't right, legally or morally, but it didn't warrant a prison sentence.

Agreed.

Seachmall

Phoebas wrote: »

If I discover a door that is locked, but the key is under the mat. Or if the lock is so badly designed that I can pick it, or the frame of the door is rotten and its easy to prise open? Aren't these all variations of the same thing?

The first example is security through obscurity, the other two are exploiting flaws in security design.

Security through obscurity is not security.

hatrickpatrick

Phoebas wrote: »

If I discover a door that is locked, but the key is under the mat. Or if the lock is so badly designed that I can pick it, or the frame of the door is rotten and its easy to prise open? Aren't these all variations of the same thing?

He entered a place that he wasn't authorised to enter. He hacked his way in, albeit an incredibly easy hack.


Agreed.

That's a faulty analogy, he basically opened a door that wasn't locked.
That's STILL a faulty analogy, what he did was akin to reading a classified document he wasn't authorized to read, because some idiot had left it lying around on a table. And not only that, but he exposed this person's stupidity and did nothing malicious with the information.

In that scenario, he should be commended and the person who left the document lying around should have their security clearance revoked.

hmmm

If I love my home door unlocked, what should someone who notices do:
a) Let me know or
b) Enter & steal my TV to teach me a lesson

Seachmall

hmmm wrote: »

If I love my home door unlocked, what should someone who notices do:
a) Let me know or
b) Enter & steal my TV to teach me a lesson

They did a combination. They alerted a news site to what they did and then alerted AT&T to the issue.

But this thread isn't about that. It's about whether or not it should be criminal to access publicly available information if that information should not have been accessible.

Dwork

Is there any merit in mentally substituting "getting 41 months in chokey for "hacking" AT&T" - for - "Getting 41 months in chokey as karma for being an 4sshat for years and years"?

I have done this and now feel very happy with the sentence.

dutopia

Absolute negligence on AT&T's part for not protecting user's data and Weev was also wrong for illegally copying that information. Both are at fault.

Capt'n Midnight

His big crime was upsetting the wrong people.

Auernheimer, known online as Weev, received his sentence wearing shackles after he tried to bring a mobile phone into the courtroom. After completing his term he will have to pay over $72,000 in restitution to AT&T and undergo three years of supervised release.
...
The data caused huge embarrassment to AT&T and Apple, since it included the personal emails of then-White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, film mogul Harvey Weinstein, and several high-ranking US Army officials. AT&T fixed the flaw, and there's no evidence Auernheimer did anything more than highlight the sloppy coding.
...
some in the security field are warning that the verdict will have a deadening effect of flaw exposure.

The case is been closely watched in the information security community because Auernheimer recovered the data from the AT&T website without bypassing any security controls.

if anyone wants to dig deeper
http://search.theregister.co.uk/?q=Auernheimer

Grayson

hatrickpatrick wrote: »

That's a faulty analogy, he basically opened a door that wasn't locked.
That's STILL a faulty analogy, what he did was akin to reading a classified document he wasn't authorized to read, because some idiot had left it lying around on a table. And not only that, but he exposed this person's stupidity and did nothing malicious with the information.

In that scenario, he should be commended and the person who left the document lying around should have their security clearance revoked.

With the house analogy it's more like someone locks a door. But leaves another adjacent door completly unlocked and wide open.

oppenheimer1

Capt'n Midnight wrote: »

His big crime was upsetting the wrong people.

Auernheimer, known online as Weev, received his sentence wearing shackles after he tried to bring a mobile phone into the courtroom. After completing his term he will have to pay over $72,000 in restitution to AT&T and undergo three years of supervised release.
...
The data caused huge embarrassment to AT&T and Apple, since it included the personal emails of then-White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, film mogul Harvey Weinstein, and several high-ranking US Army officials. AT&T fixed the flaw, and there's no evidence Auernheimer did anything more than highlight the sloppy coding.
...
some in the security field are warning that the verdict will have a deadening effect of flaw exposure.

The case is been closely watched in the information security community because Auernheimer recovered the data from the AT&T website without bypassing any security controls.

if anyone wants to dig deeper
http://search.theregister.co.uk/?q=Auernheimer

No, his big crime was stealing confidential information.

hmmm

Seachmall wrote: »

But this thread isn't about that. It's about whether or not it should be criminal to access publicly available information if that information should not have been accessible.

People make mistakes. Developers make mistakes or lack training. If you come across a security hole, ideally you should report it to the developers and let them fix it. Report it to the newspapers if you're feeling vindictive.

But don't take it upon yourself to use that security hole to download sensitive information, and then claim that you were doing it as a service or to highlight shortcomings. Lots of people have gone to jail for doing just this.

Read up on "responsible disclosure".

Grayson

hmmm wrote: »

People make mistakes. Developers make mistakes or lack training. If you come across a security hole, ideally you should report it to the developers and let them fix it. Report it to the newspapers if you're feeling vindictive.

But don't take it upon yourself to use that security hole to download sensitive information, and then claim that you were doing it as a service or to highlight shortcomings. Lots of people have gone to jail for doing just this.

Read up on "responsible disclosure".

I think most people would agree that the guys a dick. Even the thread title supports that. But 41 months is a bit excessive when he didn't actually break in or use the information he gained.

I love the way they're charging him with the costs of fixing it. Almost like he broke it in the first place.

fasttalkerchat

Bebo used unsecured GET requests on photo albums too. Yes, I did creep...

Seachmall

hmmm wrote: »

People make mistakes. Developers make mistakes or lack training. If you come across a security hole, ideally you should report it to the developers and let them fix it. Report it to the newspapers if you're feeling vindictive.

But don't take it upon yourself to use that security hole to download sensitive information, and then claim that you were doing it as a service or to highlight shortcomings. Lots of people have gone to jail for doing just this.

Read up on "responsible disclosure".

But again, this thread isn't about what he should've done when he found it or who he should have contacted. It's about whether or not AT&T were the one's responsible for that information being in the public domain as they were the ones who made it publicly accessible.

Due to laziness or stupidity they made absolutely no attempts at securing the information.

Grayson wrote: »

I love the way they're charging him with the costs of fixing it. Almost like he broke it in the first place.

I think I might build a house without doors or windows so when someone walks in I can make them pay for new doors and windows

Scruffles

he is full of BS.
what he is refering to is an area of hacking known as penetration testing.
if he really was a pen tester he woud have reported the exploit as soon as he found it and moved on to find more exploits,not gather the db info and give it to a third party in the media whilst directing a lot of attention towards it and himself, he is a glorified blackhat with an overblown ego and no sense of personal responsibility-like many others whose life revolves around their internet 'cred'.

break a law and its that persons fault,its not the fault of a companies exploitable website, that is a seperate matter that shoud be dealt with at another time,it shoud not be used to mask the irresponsibility of the person taking advantage of the site.

Duggy747

He could've notified them of this incredibly stupid exploit for a company that big dealing with information like that.

Instead he downloaded the information and passed it on, of course that's going to bring heat down upon you.

Capt'n Midnight

oppenheimer1 wrote: »

No, his big crime was stealing confidential information.

The information wasn't encrypted
AFAIK No password was needed to access it.

This is something like trying to make your own mobile phone directory by ringing up random voicemail numbers and listening to the "please leave a message for Alice" greeting



Whatever about the jail time I can't understand the costs that were paid to secure the system. It wasn't fit for purpose in the first place. The company failed to protect private data. This sort of "change the URL slightly to get other customers data" has happened so many times before that it's not even security through obscurity.


Responsible disclosure is a big problem.

hatrickpatrick

Grayson wrote: »

With the house analogy it's more like someone locks a door. But leaves another adjacent door completly unlocked and wide open.

It's not really though because this wasn't on a restricted website or even a restricted area of a website, it was publicly accessible by typing in the URL.
In my book, it ceases to be a private area once it's accessible without a password. It's not like leaving the door of a house open, it's like living in a building without any doors at all.

johnmcdnl

If you got a TY student to make a website for you they'd have better security than this - really can't understand how a huge company like AT&T even end up in a situation like this.

Regardless - he knew what he was doing but the 41 months is far far too excessive. There's no way in hell it should be a crime that you can do jail time for simply typing in a URL regardless of whether or not your supposed to see that data. If there was as much as a password protecting the data then yes it's hacking but when I could go and type a random URL in and find this data how in the name of jaysus can you call it hacking.

He did know what he was doing so he's no angel in this situation and tbh if I was a user with my data compromised I'd be far more annoyed at AT&T for letting this situation arise.

Grayson

Capt'n Midnight wrote: »

Whatever about the jail time I can't understand the costs that were paid to secure the system. It wasn't fit for purpose in the first place. The company failed to protect private data. This sort of "change the URL slightly to get other customers data" has happened so many times before that it's not even security through obscurity.

Responsible disclosure is a big problem.

The same with the sony case. They had credit card information that was unencrypted and was vulnerable to a SQL injection. That's so fcuking noob.

It's scary to think so many f these companies have such bad security