
FBI Investigating iPad E-Mail Leaks

CWmike writes "The Federal Bureau of Investigation has opened an investigation into the leak of an estimated 114,000 Apple iPad user e-mail addresses. Hackers belonging to a group called Goatse obtained the e-mail addresses after uncovering a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries. After writing an automated script to repeatedly query the site, they downloaded the addresses, and then handed them over to Gawker.com. Now the FBI is trying to figure out whether this was a crime. US law prohibits the unauthorized accessing of computers, but it is unclear whether the script that the Goatse group used violated the law, said Jennifer Granick, civil liberties director with the Electronic Frontier Foundation. 'The question is, when you do an automated test like this, [are you] getting any type of unauthorized access or not,' she said. If it turns out the data in question was not misused, it is unlikely that federal prosecutors will press charges, she added."
  • AT&T needs one. else, they will 'regulate' all of us, as they see fit.
  • No relation (Score:4, Funny)

    by Anonymous Coward on Thursday June 10, 2010 @10:00PM (#32531342)

    "The FBI is aware of these possible computer intrusions and has opened an investigation into addressing the potential cyberthreat," said Lindsay Godwin

    Fucking Nazis.

    • Re: (Score:2, Interesting)

      by penix1 ( 722987 )

      US law prohibits the unauthorized accessing of computers, but it is unclear whether the script that the Goatse group used violated the law, said Jennifer Granick, civil liberties director with the Electronic Frontier Foundation. 'The question is, when you do an automated test like this, [are you] getting any type of unauthorized access or not,' she said. If it turns out the data in question was not misused, it is unlikely that federal prosecutors will press charges, she added."

      There is a problem with that l

      • Re: (Score:3, Interesting)

        by aliquis ( 678370 )

        Uhm..

        They aren't arguing that the script may not be unauthorized access because it was automatic and that only the first attempt would be illegal because they did it in person.

        They were rather arguing that visiting that page once and getting an e-mail address may be something you just happen to do, but writing a script which fetches lots of e-mail addresses would be abusing the system / doing something you shouldn't do.

        Personally I think "they should know they are not entitled to" is very weak juridical term/cla

        • Re:No relation (Score:4, Interesting)

          by vivian ( 156520 ) on Friday June 11, 2010 @01:31AM (#32532350)

          I don't entirely disagree with you, but I think at the end of the day, whether it could be considered cracking or not depends on the intent of the owners of the site.

          You could argue that the web pages were not ever intended to be accessed in the way that they were, because firstly the site's owner does not provide direct or indirect links to those pages, and secondly, the URLs used to get to the page are obviously being used as an extraordinarily weak form of security (ie. through obscurity).

          Now that is just plain stupid on behalf of AT&T, but so is having your email password set to "12345", yet if someone accessed your email or other system you owned by going to the login screen and guessing your password, or writing a script to try obvious passwords, it would certainly be considered hacking - because that person has not been authorized to have access to that system.

          At the end of the day, it is the courts and possibly a jury that will determine whether this is considered a hack (in the system cracking sense). Since the goatse security guys obviously do not actually have a legitimate reason to access any of those pages of info, and they are using a script to do the accessing in a way that is a little similar to how password guessing programs work, I would say that this will eventually be considered a hack, by the court system.

          If the justice system court can convict someone of murder even without an actual murder weapon, witness or definitive motive (Not thinking of a particular case, but I am sure there are plenty), I am pretty sure it won't have too much trouble nailing these guys for hacking if it so wishes.

          • by WNight ( 23683 )

            If you can say that about looking behind a curtain then sure, the site has been cracked.

            But the whistle-blowing far outweighs the "crime". There was a weakness, now there will be one less weakness. Had this not been caught there could have been an actual security breach.

            Since the goatse security guys obviously do not actually have a legitimate reason to access any of those pages of info

            But the owners of iPads have a legitimate interest in the knowledge they gained.

            I am pretty sure it won't have too much trouble nailing these guys for hacking if it so wishes.

            Yeah, shoot the messenger and allow the pathetic AT&T to quietly remain so.

            That's a good use of court resources.

            • I feel there was a grievous crime committed here. Atrocities like this should not be able to be perpetuated. I demand immediate and the most severe punishment for all those responsible for this. AT&T should not be allowed to continue leaving sensitive and vulnerable data available for anyone who happens upon a server.
            • Re: (Score:3, Insightful)

              by Goaway ( 82658 )

              There were plenty of much more responsible ways to get that vulnerability fixed. That was clearly not the intent of the people involved, since they chose this course of action rather than a responsible one.

          • by Hatta ( 162192 )

            I think at the end of the day, whether it could be considered cracking or not depends on the intent of the owners of the site.

            Do you really want to live in a world where the legality of your actions depends on the goodwill of a company such as AT&T?

            • by jc42 ( 318812 )

              Do you really want to live in a world where the legality of your actions depends on the goodwill of a company such as AT&T?

              Too late; we're already living in just such a world.

              If we weren't, we'd be reading about how the Goatse guys are being commended for their actions that benefit the general welfare.

        • So if you go on a site that has a commenting system but no captcha it's OK to spam it because it's something the site is meant to do? Anything that harms other people should be illegal. Of course we can't create laws for every possible situation so I think that the idea of "something you should know you're not supposed to do" is actually good. Everything about laws is taken too literally these days. I'd love a juridical system where even if the law says something different, if it's clear that the accused d
          • by Pikoro ( 844299 )
            wait. by spamming a website, who got hurt? Nobody. Unless you count spraining your index finger because you had to scroll more than normal. Jeez. The web is not a physical place. Hacking someone's website does not cause physical harm. Oh, and they're just words people. "sticks and stones" and all that...
            • It wastes your time and brain cells. That is the worst thing you could do to someone. There is a very good quote in Dune about this:
              ``The convoluted wording of legalisms grew up around the necessity to hide from ourselves the violence we intend toward each other. Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. You have done violence to him, consumed his energy. Elaborate euphemisms may conceal your intent to kill, but behind any use
          • An unclear law is the first step towards totalitarianism. Who decides what is something bad? I don't find what they did to be bad. Obviously you do. Who gets to choose whether they're convicted?
            A fair justice system (mandatory condition for democracy) requires clear laws.

            And by the way, "juri" isn't who decides if what you did was bad. It decides whether you did that bad thing that's written in the law. It's very different.

            • I don't want unclear laws, I want laws that are retarded or incomplete to not be taken literally and I want more common sense to be used in courts. I also don't think that what those people did is bad, even remotely. What's the worst thing that can happen if some spammer finds your email address? You just change it and you're done.

              Also, look at the quote in my post above, it expresses some of my ideas more clearly.
              • But you said "Anything that harms other people should be illegal."

                For many people, this does harm them - not physically, of course, but as you very well referred, it'll increase spam and that can be seen as "harm".

                I want laws to say explicitly what I am or not allowed to do, not "do no harm".

      • by AHuxley ( 892839 )
        Stonewall and do a Google "As we have said before, this was a mistake".
        Our lawyers will get back to the FBI some time ..
        Equal protection and due process for all :)
    • by Spad ( 470073 ) <[slashdot] [at] [spad.co.uk]> on Friday June 11, 2010 @02:44AM (#32532622) Homepage

      The rarely seen and difficult to pull off Reverse Godwin?

  • sheesh (Score:5, Funny)

    by Izabael_DaJinn ( 1231856 ) <slashdot@i[ ]ael.com ['zab' in gap]> on Thursday June 10, 2010 @10:00PM (#32531344) Homepage Journal
    I've always had problems with my ipads leaking
  • by apparently ( 756613 ) on Thursday June 10, 2010 @10:05PM (#32531366)

    Hackers belonging to a group called Goatse obtained the e-mail addresses after uncovering a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries

    My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

    • by arkenian ( 1560563 ) on Thursday June 10, 2010 @10:09PM (#32531394)

      My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

      I'm just trying to imagine what the first story to try to describe the origin of the name will say...

    • by DJRumpy ( 1345787 ) on Thursday June 10, 2010 @10:18PM (#32531442)

      I don't know if I would call them journalists:
      Title: Apple's Worst Security Breach
      "Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every other buyer of the cellular-enabled tablet—could be vulnerable to spam marketing and malicious hacking."

      This is squarely AT&T's fault, yet the first paragraph implies it was "Apple Worst Security Breach". I also like how they imply that a spammer getting your e-mail address is the be-all-end-all of hacking. Really? These folks have never seen spam before? How will they venture out onto the internet without feeling exposed and dirty? Oh wait. They get a new e-mail address. *sigh*

      • by Anonymous Coward on Thursday June 10, 2010 @11:38PM (#32531860)

        If it was any other company I'd agree with you, however this is Apple, and the fact that they tightly control who sells their product and how, I would expect some kind of oversight. You think if Vodafone got a bunch of iPads and was selling them at $1 on a 5 year plan that apple wouldn't shit itself?
        They got themselves into their own self policed walled garden, now they have to deal with it. It was a security breach at a carrier inside the walled garden... deal with it.

        And yes, email addresses are valuable information. Sure, not as bad as SSNs, but would you post your email address on a billboard? Why do you think websites, companies etc keep their customer emails under lock and key? Because it's valuable information

        • Re: (Score:3, Insightful)

          You think if Vodafone got a bunch of iPads and was selling them at $1 on a 5 year plan that apple wouldn't shit itself?

          As long as Vodafone paid Apple what they agreed upon, I doubt Apple would care. Why would they?

          The security breach was with AT&T, because it was on their servers and only affected their customers.

          • by Tim C ( 15259 )

            As long as Vodafone paid Apple what they agreed upon, I doubt Apple would care. Why would they?

            Because it lowers the perceived worth of the product. People in general don't tend to think "OK, so it's X up front then Y/month for Z years, that makes it a total of X+(Y*Z)...". They see the up-front cost as being what the device costs. Sure, most will try to balance the two ("If I spend a little more now, it'll cost less per month...") but I don't think they join the dots in quite the same way.

      • I'd have to agree with you - I'm no Apple fan, however I fail to see how this is Apple's fault. Apple still has full control over their product, but they weren't the ones who had a poorly designed website that returned an email address when the request included a valid ICC-ID. That sounds like poor web security, and sounds like it was AT&T's website.

        I also fail to see how what the "Goatse" guys did is a crime. If I send a legitimate request to a website and it returns someone's email address, is it m
        • I'm of two minds about the Goatse folks being accountable. You could argue that they knew they were exploiting a weakness each time they sent this script the device IDs, but in their defense, it's rational to ask what kind of brain dead person would drop a script into the public domain knowing the information it could return while not securing said script?

          I think I would have to take the 'open garage door' approach. Although someone may leave their garage door open, it is not an open invitation to walk in

          • I see where your "Open Garage Door" approach applies, however nothing was really 'stolen.' In this case it's more like an open garage door with somebody's email address or social security number written in big letters on a wall inside the garage.

            The owner of that garage has the responsibility to keep the door closed, and prevent the information from being so easily seen.
            • I don't think that's a valid comparison. We all know what data theft is. These e-mail addresses were not sitting in some text file on the server in plain sight. The Goatse folks specifically had to send formatted data to an undocumented script to get it to return an address. I don't equate that with 'the address was written in big letters on the door'.

      • by hey! ( 33014 )

        I'm not so sure about that. Apple *requires* customers provide their email address in order to activate their iPad, then they turn the email address over to AT&T.

        Under the circumstances, Apple is morally (although probably not legally) responsible for ensuring that AT&T only use that information for appropriate purposes and take reasonable security precautions with it.

        Apple has a very simple recourse if it doesn't want to do that. It could provide every iPad with its own email address. Users coul

        • Apple doesn't really matter in the equation at all. AT&T has a responsibility to secure users' personal information due to privacy laws. It really doesn't matter who gave them that information, they are legally bound to secure it. When users purchased a 3G contract WITH AT&T, they signed the agreement with AT&T as to what was allowed. I know the Apple haters are all excited, but they always gloss over that point. Apple doesn't sell 3G access. AT&T does, and the user goes into the contract dir

          • by hey! ( 33014 )

            Apple is tying its products to another vendor. It can't stand behind its products without policing the actions of its partner as far as customers for Apple products are concerned.

            It'd be different if it were just AT&T being sloppy with its email users, and *some* iPad users used AT&T mail. That'd be AT&T's problem. But the deal Apple is offering is "use AT&T's network services or don't use an iPad."

            It'd be different if Apple gave you a choice of providers, and you chose wrong.

            Like it or no

    • Hackers belonging to a group called Goatse obtained the e-mail addresses after uncovering a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries

      My heart goes out to the poor journalists heading out to the great google in order to get their big scoop on goatse.

      Well, according to the story about the leak yesterday, the official description is 'the group is steeped in off-the-wall, 4chan-style internet culture—its name is a reference to a famous gross-out Web picture' [gawker.com] I don't see many people looking it up on Google... unless you're only reading /.'s summary.... I personally preferred the one description of 'a picture of a man stretching his anus to 'olympic' proportions'. Just calling it 'olympic' proportions is a bad mental image enough.

    • They are journalists, after all. I hope people are ready with their cameras to contribute to the wonderful collection of humanity that is first goatse [flickr.com] before the surprise value is lost from reading about it in the press.
    • by l00sr ( 266426 ) on Thursday June 10, 2010 @11:28PM (#32531804)

      Dare I say Reuters has figured it out, with this story image [reuters.com].

  • by Nicky G ( 859089 ) on Thursday June 10, 2010 @10:08PM (#32531384)

    No, not for revealing a potentially dangerous flaw in AT&T security. What-evs.

    I heard and read the word Goatse more today in the mainstream media than all points of my life added together, and I can only imagine how many lives were ruined by the ensuing Google searches! Hahahahahah!!!!!!!

  • by Kashell ( 896893 ) on Thursday June 10, 2010 @10:09PM (#32531390)
    These guys aren't hackers. They are security advisors. They are the good guys. I suppose the editors didn't bother, you know, clicking a few links?

    Here, I've done your homework. Was it that hard?

    http://security.goatse.fr/blog/

    >>
    "Anyways, there was no illegal activity or unauthorized access, this was not a shady backroom hookers and blow deal with Nick Denton as revenge for the iPhone raid (though that would be totally sweet), we did not sell your data to spammers (on the contrary, we destroyed it after Ryan used it; it had served its purpose to us) and we did not try to hack your iPads. Your iPads are safer now because of us."
    >>
    • by arkenian ( 1560563 ) on Thursday June 10, 2010 @10:12PM (#32531422)

      These guys aren't hackers. They are security advisors. They are the good guys. I suppose the editors didn't bother, you know, clicking a few links? Here, I've done your homework. Was it that hard?

      I'm sorry, but googling 'goatse' was not on the list of activities I had planned for the night. I mean, seriously? This said, you have my admiration for your fortitude and thanks for the sacrifices for the cause.

      Also, really, with a name like 'goatse' most people aren't going to automatically leap to the idea of it being a white-hat group.

    • by rolfwind ( 528248 ) on Thursday June 10, 2010 @10:22PM (#32531456)

      Hacker is not a term that means you are the bad guy although it conjures the fear in the ignorant (i.e. the general public). It just meant someone who hacks.

      This was a hack.

      http://en.wikipedia.org/wiki/Hack_(technology) [wikipedia.org]

      • by blackraven14250 ( 902843 ) on Thursday June 10, 2010 @10:28PM (#32531478)
        It wasn't reconfigured or reprogrammed to change the function of the script on AT&T's website. The system was doing exactly what it was intended to do, give the iPad information as a number was given to the script. It gave the information to the wrong people, because the script was public, but that doesn't qualify. These guys didn't change anything on AT&T's side, just utilized tools that were already there.
      • Re: (Score:3, Insightful)

        by mcgrew ( 92797 ) *

        Language evolves, whether we like it or not. I used to be a gay hacker until they changed the meaning of "gay" and "hacker", now I'm just a happy nerd.

        Changing the meaning of "hacker" only affects us, but when they changed "gay" it affected hundreds of years of song and poetry -- "Deck the Halls" for example. I have an MP3 I ripped from an old 78 with lyrics "gay as a New Year's party"; it has a completely different meaning today than it did in my dad's youth, because the meaning of the word has changed.

        We

    • Re: (Score:3, Insightful)

      by Wuhao ( 471511 )

      I have to admit, I had to ignore years of experience with Internet forums to follow a link to "goatse.fr."

    • Re: (Score:3, Informative)

      by DJRumpy ( 1345787 )

      They may have discovered it, but they didn't report it to AT&T. From TFA:

      "The person or group who discovered this gap did not contact AT&T."

      Not that 'good' in my opinion.

      • by KingSkippus ( 799657 ) on Thursday June 10, 2010 @11:25PM (#32531780) Homepage Journal

        They may have discovered it, but they didn't report it to AT&T.

        ...According to AT&T. Someone is lying. From TFA [gawker.com]:

        Goatse Security notified AT&T of the breach and the security hole was closed.

        Then later in the article:

        AT&T sent us a statement...: "The person or group who discovered this gap did not contact AT&T."

        Personally, I think that AT&T is a sack of douchebags that doesn't know their ass from a hole in the ground, and when choosing who to believe between AT&T and just about anyone else, I'm inclined to believe anyone else. I'd bet dollars to doughnuts that someone did indeed notify AT&T, but now they're trying to cover their ass and make it sound like they somehow proactively found the hole themselves.

        • by OverlordQ ( 264228 ) on Friday June 11, 2010 @12:43AM (#32532116) Journal

          From their 'goatse security' homepage (before they edited it)

          g0udatron[gapp]: Perl/PHP/js/c/objc/c++ pirate. m68k/z80/mips/x86 asm. series 7, series 66, series 62, series 42 licensed Texas broker. Bane of EFnet #anxiety and co-founder of the CUSSE certification track.

          Hurm, what's this CUSSE?

          Certified Unethical Security Systems Expert

          Huuuuurm?

          CUSSE Principles
                  * Keeping 0-Days Private
                  * IRC
                  * Taking down Whitehats
                  * Poor Netiquitte
                  * Hacking the Planet
                  * Ruin
                  * No Disclosure
                  * Mayhem
                  * Nobody is Safe
                  * Info is Money
                  * Destruction
                  * Only Death Saves You
                  * Conf

          Yup, they sound perfectly professional and believable.

        • Re: (Score:2, Informative)

          The guy admitted in a cnet interview that he did NOT tell AT&T for fear of them coming after him. link [cnet.com]
        • Maybe they tried to "report" it like the guy who found the iPhone 4 prototype tried to "report" it.

          Goatse: "Hello, AT&T customer service? I found a hole in your website that gives me access to iPad user email addresses."

          AT&T drone:"Huh?"
        • by mcgrew ( 92797 ) *

          Personally, I think that AT&T is a sack of douchebags that doesn't know their ass from a hole in the ground

          I've held the same opinion since they bought out Cingular and my phone bill skyrocketed. I'm a happy Boost Mobile user now.

      • They may have discovered it, but they didn't report it to AT&T. From TFA:

        "The person or group who discovered this gap did not contact AT&T."

        Not that 'good' in my opinion.

        "Good" is a relative thing.
        Companies would rather have you never disclose their flaws to the public.
        OTOH, the public is at least as well served by publicly embarrassing them.

        The merits of full vs responsible/non- disclosure have been debated since the 1800s
        and if the totality of your contribution is "Not that 'good' in my opinion,"
        then you really haven't added much to the discussion.

        Think of the iPad e-mail leak as an oil spill.
        It's 'big', it's public, and it'll definitely cause changes in security to be

    • Re: (Score:3, Insightful)

      by Fartypants ( 120104 )

      These guys aren't hackers. They are security advisors. They are the good guys.

      So, if you were one of the people who had their personal email leaked, would you be thanking the good guys right now for doing it? It's sort of like if a security consultant pushed somebody through a broken railing to "demonstrate" the flaw in security. Couldn't they have just called AT&T and pointed it out? Or would that not have been rad enough?

      • Then you wouldn't know about it, so you wouldn't learn that if you want to keep your email address private, you don't give it to AT&T.

    • Here, I've done your homework. Was it that hard? http://security.goatse.fr/blog/ [goatse.fr]

      Dude, I know what's on goatse.fr [goatse.fr] - you're not going to trick me by adding a sub-domain and a directory name!

  • ole (Score:4, Funny)

    by britneys 9th husband ( 741556 ) on Thursday June 10, 2010 @10:10PM (#32531398) Homepage Journal

    AT&T needs to fix this wide, gaping hole that has been stretched open on their website before more iPad email addresses are exposed.

  • assholes (Score:5, Insightful)

    by xaoslaad ( 590527 ) on Thursday June 10, 2010 @10:14PM (#32531426)
    This country is so egregiously fucked up it isn't funny. AT&T puts 114,000+ users info on the internet and that's OK. No investigation. Someone pulls it from their site and they get hunted down like a witch.

    FUCKED! UP!
    • Re: (Score:3, Interesting)

      I think "embarrassing the FBI's (corporate) domestic surveillance wing" is the crime being investigated here.
    • It's more than that. If AT&T had wanted to, they could have put up a public API with the same info and let people use it for a fee, if they'd wanted to. Not only is what they did not illegal, but it is a legal way to make profit if they'd wanted to.
    • Well, the sentiment is alright, but isn't entering somebody's unlocked house and taking the stuff you are not supposed to take still "breaking and entering"?

      Or, better, imagine you have entered somebody's house for a party. You are assumed to enjoy food and drinks, but you are not supposed to take objects of art from the walls, are you? You are not supposed to take somebody's diary notebook from the top of the desk or somebody's addressbook...

      Depends on how are the rules written. What are the rules of using

      • Well, the sentiment is alright, but isn't entering somebody's unlocked house and taking the stuff you are not supposed to take still "breaking and entering"?

        No, it is not. In order to have breaking and entering, the house must be locked. Otherwise it's just trespassing, and in California you're not trespassing until you've been told to leave, dunno about other states. "posted keep out" signs don't mean shit unless you can't possibly fail to see one on your way onto some property.

        Depends on how are the rules written. What are the rules of using that particular website? How well are they exposed to the average user?

        Accessing accidentally exposed information is not illegal. Web-site EULAs do not trump law.

        The situation is not as black and white as many /.ers would like to see it.

        No, it's green and white. Although we do still use some black ink on our money.

    • Someone pulls it from their site and they get hunted down like a witch.

      AT&T paid good money for their legislators and regulators. They're entitled, in return, for some "protection service", aren't they?

    • by tekrat ( 242117 )

      Hey, someone puts a useless "bomb" that wouldn't have killed anyone in Times Square, and in less than a week, they've got the guy and he'll never see the light of day again.

      BP on the other hand, kills 11 people, and wipes out the entire gulf coast, and so far, the only thing that has happened is that their stock price has dropped a bit. If you're moaning because there's no justice in the world, all I gotta say is wake up and smell the coffee.

      As I've been saying for a long time now, Corporations have *more*

  • Basically - they couldn't find a way to charge for each downloaded e-mail address.

  • by manicbutt ( 162342 )

    It's not a hack, it's only indirectly related to Apple (despite Gawker's attempts to paint it otherwise), and the government email addresses that were "exposed" are public anyway. It's not difficult for me to send email to Rahm Emanuel. Goatse's brute force script isn't that interesting (see http://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/ [praetorianprefect.com]) so why are we wasting so much time on this non-story?

    • by AHuxley ( 892839 )
      "force script isn't that interesting" - Google is learning that too, so is MS and the US mil.
      How complex, encrypted and expensive does a backend have to be before the FBI and US law spins up?
      From Google to a UFO hunter to a telco database, it seems the US wants very flexible laws.
      Enter a mil MS network with a script, it's a hack, collect packets from wifi networks without permission, it's a mistake, run a brute force script on a telco and it's a .... ????
      Most parts of the world sorted their cyber crime law
  • Wide Hole (Score:2, Redundant)

    by codepunk ( 167897 )

    Goatse finds a "hole" wide enough to drive a truck through, oh the irony!

  • by Anonymous Coward on Thursday June 10, 2010 @11:13PM (#32531720)

    A white hat would see the hole, download a few to verify, write a script as a proof of concept and verify that the script worked, and then report the hole to AT&T. Downloading over 100,000 email addresses and sending them to the press is NOT what responsible security researchers do.

  • This isn't so simple (Score:4, Interesting)

    by tpstigers ( 1075021 ) on Thursday June 10, 2010 @11:21PM (#32531766)
    What if some of those 114,000 iPad users live in Massachusetts? http://yro.slashdot.org/story/10/04/25/1745210/Mass-Data-Security-Law-Says-Thou-Shalt-Encrypt [slashdot.org]
  • Sensible l (Score:2, Insightful)

    by Anonymous Coward
    THIS is a serious breach of privacy, and yet releasing the IPs of people accused of downloading a torrent is cool with the authorities, media, and seemingly everyone else? Do we really want to be turning to 4Chan for insight into how fucked our system is? http://i.imgur.com/LgjPH.jpg [imgur.com]
  • It always irritates me when someone refers to "goatse.cx" as "goatse". It's like they missed the whole point of the joke.

  • So now, if you get spammed, because AT&T gave out your email address for any script that asks for it, does that count against your draconian "unlimited" 2GB data-plan? How can they ALLOW you to get spammed, all the while charging you for every packet you get. Pretty double-faced of them, eh?
