iPad Account Hacker Pleads Guilty
WrongSizeGlass writes "Daniel Spitler, a member of Goatse Security, pleaded guilty today to writing the code used to steal email addresses and personal information belonging to 120,000 Apple iPad subscribers from AT&T computer servers. Spitler, who surrendered to the authorities in January, pleaded guilty to one count of conspiracy to gain unauthorized access to computers connected to the Internet and one count of identity theft. Each charge carries a maximum sentence of five years in prison."
Goatse Security? (Score:4, Funny)
You've got to be shitting me.
Re:Goatse Security? (Score:5, Funny)
Security through "OMG I don't want to see that!"
Re: (Score:1)
Well, you have to make sure some script kiddie can't just come along and change the image to Smurfette taking it from a puppy.
Re: (Score:2)
I was really looking forward to the Goatse Security IPO. I guess they won't get that big round of venture capital investment now.
Hard to see what can go wrong when you call your outfit "Goatse Security". I wonder if their stock exchange symbol would just be a capital "O".
Re: (Score:2)
Once you start looking, it's everywhere [geekstir.com].
Re: (Score:2)
Did you know that Audi was a corporate sponsor?
http://www.dangerousminds.net/comments/audis_unintentional_goatse/ [dangerousminds.net]
Re: (Score:2)
No, and neither is this [vehicledesignsummit.be].
Re: (Score:3)
Sure! They've got a website and everything! http://goatse.cx/ [goatse.cx]
(Seriously though, if you've somehow missed the joke, don't click that link!)
Get with the times (Score:2)
Re: (Score:1)
You've got to be shitting me.
No you're thinking Two Girls One Cup
Re: (Score:2)
These are in fact the same people behind the GNAA.
Re: (Score:1)
What is this, offensive lorem ipsum?
Re: (Score:1)
What is this, offensive lorem ipsum?
What most people don't realize is that that oft-quoted document isn't pseudo-Latin nonsense; it's in the little-known 6th-century east-Istrian dialect, and is an excerpt from a tale of kiddie porn. So anyone who has it on their disk is in violation of some serious anti-porn laws wherever you live. And ignorance is no excuse. If you even download it by accident, you're guilty of a crime that even the /. crowd finds abhorrent.
Re: (Score:2)
The text is derived from sections 1.10.32–3 of Cicero's De finibus bonorum et malorum (On the Boundaries of Goods and Evils, or alternatively [About] The Purposes of Good and Evil).
Care to cite your source?
Also, I think you need to re-read the pornography laws for wherever you live as, unless you live in Canada or Australia, possession of fictional portrayals of illegal sexual crimes is not the same as having physical evidence that illegal sexual crimes have been committed. Because if what you assert is true, that having possession of fictionalized events of underage sex or pedophilia is a crime, then it sucks to own a copy of Bram Stoker's D
Re: (Score:2)
"Lorem ipsum dolor sit amet" is from Cicero, everything afterwards IS garbage.
Re: (Score:2)
I think some people have found a way to cipher data (maybe just English or some simple coded information) into curse words and foods and are passing it through Slashdot. It would be a brilliant scheme. No need for direct contact between parties, just two dudes surfing a site's buried troll comments through Tor proxies.
Re: (Score:2)
If I leave my front door open and someone comes in and takes my TV it's stealing.
True, but that's not a very good parallel in this case. Putting something online in a web directory is generally considered to mean that you're making it available to the public.
A better parallel might be if, the evening before your local garbage pickup, you put your TV out on your sidewalk or driveway, next to the street. Anyone would take this to mean "Take it; it's free". People routinely stop and drive off with such things, assuming that they're probably broken, but they plan to take them apart fo
Re: (Score:2)
They were hardly just laying around.
Re: (Score:2)
Specially written queries. Oh well then, that's that.
There's no way that would mean a URL with a sequential numeric ID in it.
Re: (Score:2)
It's your fucking server. If you don't want it to send certain data, password it!
Besides, it wasn't even random.
Re: (Score:2)
Specially written queries. Oh well then, that's that.
There's no way that would mean a URL with a sequential numeric ID in it.
That's exactly what it means. Why are you acting as though that's pertinent to the issue of whether the data is meant to be publicly accessed?
Re: (Score:2)
Why are you acting like the webmaster's intent, which I'd have to be psychic to know, has any relevance whatsoever? If their server sends it, you're authorized to have it. Otherwise, it wouldn't have sent the data to you. Get it?
Passwords. They are what you use for private data. Accept no less.
Re: (Score:2)
Why are you acting like the webmaster's intent, which I'd have to be psychic to know, has any relevance whatsoever?
Um... You don't have to be psychic to assume the webmaster didn't intend anyone to be able to pull up anyone else's email address.
If their server sends it, you're authorized to have it.
Bullshit. That's *EXACTLY* like saying "if a door is unlocked, you're authorized to enter it".
Otherwise, it wouldn't have sent the data to you.
You don't have a right to everything you can receive. If I leave my car unlocked, with the keys in the ignition, do you think you have the right to drive it? Absolutely not.
Get it?
Passwords. They are what you use for private data. Accept no less.
Passwords are like locks. They are meant to enforce an already existing policy. Passwords are there to keep both ac
Re: (Score:2)
You don't have to be psychic to assume the webmaster didn't intend anyone to be able to pull up anyone else's email address.
Why? They put it up on a public webserver without a password. That's how you share documents.
If their server sends it, you're authorized to have it.
Bullshit. That's *EXACTLY* like saying "if a door is unlocked, you're authorized to enter it".
It's nothing like that. One is a door, any door, all doors, and the other is a publicly accessible webserver. Why not mangle a car analogy next?
You don't have a right to everything you can receive. If I leave my car unlocked, with the keys in the ignition, do you think you have the right to drive it? Absolutely not.
Oh, argh!
Listen. Webservers exist to share files. If they don't want to share the file they can simply return an error message and send you on your way.
Passwords are like locks. They are meant to enforce an already existing policy. Passwords are there to keep both accidental and deliberate trespassers out. The lack of a lock does not imply permission.
That's because in the physical world there are physical signs, both metaphorical like the door being on a private house, an
Re: (Score:2)
True, but that's not a very good parallel in this case. Putting something online in a web directory is generally considered to mean that you're making it available to the public.
I think it's quite obvious that AT&T didn't intend to make the data publicly available any more than a homeowner means to make the contents of their home publicly accessible simply by leaving the door unlocked.
And these "hackers" were quite aware of this, otherwise they wouldn't have siphoned off the email addresses and made a big fuss about it. Acting like this is somehow assumed to be public info is a farce.
Re: (Score:2)
They made a big fuss because they knew what they were doing was not supposed to be allowed. This is *exactly* like entering an unlocked door and walking out with things that aren't yours.
Then they went public with "see! look what we found!" thinking that would protect them and make the initial crime ok somehow. It didn't.
This wasn't simply some web page where you inadvertently found email addresses. You had to deliberately craft a request that otherwise wouldn't happen, and was obviously not meant to be ran
Deep Thought (Score:3)
Be careful what GET requests you make, because apparently if they're "unauthorized," despite not being protected by any authentication or session and being happily returned by the server, you may still be a criminal.
Re: (Score:2)
Not really. The security breach is only a big deal because it shows how the company isn't even trying to deliver on its responsibilities, exposing some email addresses themselves is hardly the end of the world.
And no, spammers harvest email addresses all the time and the government hasn't exactly jumped at criminalizing that.
As soon as it embarrasses a big company though, it's a terrible, terrible thing, and someone must pay!
Re: (Score:3, Insightful)
Also be careful when trying people's door handles on their home. Despite some of them possibly being unprotected by any locking mechanism, for example, if the owner is inside, if the door opens be careful what you take from the building since you may still be a criminal.
Re: (Score:3)
I'd consider data on the Internet with no authorisation mechanism to be 'published'. A private residence is still personal property, though.
Re: (Score:2)
No, that is stealing because it's real property with distinct and unambiguous ownership.
I'm saying that if your car had a keypad immobiliser, and your mechanic wrote the code on a chalkboard behind the counter where anyone who looked could see it; you can't be angry at the people who look for knowing it.
In a similar situation, often referenced on /. - it would be the mechanic (AT&T) in trouble with the customers for 'making available' the information.
Re: (Score:3)
The big fraud here is claiming identity theft is a crime. This has always been a lie spread by credit card companies, you do not steal someone's identity they are not the victim, you defraud the sellers into believing you are someone else and based upon that they supply you product.
The seller who supplied the fraudster product is now guilty of the crime of defrauding the person's whose credit the seller has abused and the seller must now prove by burden of proof that they were tricked into applying an il
Re: (Score:2)
You're right but it's an interesting distinction. If you leave flyers with your clients email addresses hanging throughout town, and someone reads them...
I would say a GET request is fundamentally different in quality than the front door of a home and the same standard wouldn't apply, but the real question is, which car analogy is appropriate here...
Re: (Score:1)
When some jumpy person accidentally gets in a ride share pickup line and then freaks out when someone goes ahead and gets in their car.
Re: (Score:2)
I think it holds if the door is closed but unlocked. You have to actually go up to a house that is not your own and try the handle. That is analogous I think, so you don't know ahead of time if the door is unlocked but you know damn sure it's not your house and you have no reason to be doing that, unless you're chancing lax security.
Re: (Score:2)
By the nature of the way the internet works, you handshake with the server to initiate any transaction. You are trying to cloud the issue by saying "well the server shouldn't have responded, or said no, that makes it ok!" when my analogy is perfectly valid - the GET request is the same as you trying the door handle. It either responds by ignoring you (it just jiggles and does nothing), by being locked (it does not move) or it replies to you (the door opens). Of course the server should have said "no", and t
Re: (Score:2)
Also be sure not to look at the door handle if it's in plain view; unauthorized viewing without changing its state in any way may still be illegal because our lawmakers don't understand doorknobs.
Re: (Score:1)
Also be sure not to look at the door handle if it's in plain view; unauthorized viewing without changing its state in any way may still be illegal because our lawmakers don't understand doorknobs.
Simply viewing the door handle *will* change its state!
Re: (Score:2)
Also be careful when trying people's door handles on their home. Despite some of them possibly being unprotected by any locking mechanism, for example, if the owner is inside, if the door opens be careful what you take from the building since you may still be a criminal.
s/criminal/target/
Re: (Score:2)
Be careful what GET requests you make, because apparently if they're "unauthorized," despite not being protected by any authentication or session and being happily returned by the server, you may still be a criminal.
It's not like this was some accidental GET request. It was a deliberate attempt to get at information that the "hackers" were well aware was not meant to be accessed.
Relationships (Score:1)
If you hire an asshole to handle your security you will end up with your taste buds in the loop.
Maybe its meant as a reminder... (Score:2)
So afraid of the links (Score:2)
I don't see how this guy is guilty of anything (Score:2)
The security vulnerability was literally as simple as changing one number in a url to a different one, at random. From user 2340823 to User 2347923 or whatever. When the door is wide open, you can't complain if people don't knock. It's not like he actually got into anyone's account; it's more like he just said "Hi, I'm user 2342323" and the computer said "Oh hi, John@fakeemail.com, what's your password?" and then he said "Nevermind." Nobody's account was logged in to, and nobody's personal information
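The pattern the comment above describes (an identifier in the request selects the record, with no link to who is asking) is shown here beside a hardened version and a simple log check, as an added example that is not AT&T's code or anything from the original thread. The subscriber table, the `/lookup` path and the log lines are all constructed placeholders.

```python
from collections import defaultdict
from typing import Optional

# Constructed subscriber table (fake ICCIDs and addresses, not real data).
SUBSCRIBERS = {
    "8901000000000000001": "alice@example.com",
    "8901000000000000019": "bob@example.com",
}

class AuthError(Exception):
    """Raised when a lookup is not tied to an authenticated subscriber."""

def lookup_email_weak(iccid: str) -> Optional[str]:
    # The weak pattern: whoever supplies an ICCID gets the matching address.
    # Nothing links the identifier in the request to the party asking for it.
    return SUBSCRIBERS.get(iccid)

def lookup_email_hardened(session_iccid: Optional[str], requested_iccid: str) -> str:
    # Hardened pattern: the record is the one bound to the authenticated
    # session, and a client-supplied identifier is only accepted when it
    # matches that session. Both failures give the same generic error.
    if session_iccid is None or requested_iccid != session_iccid:
        raise AuthError("not permitted")
    return SUBSCRIBERS[session_iccid]

# Constructed access-log lines: "<client-ip> GET <path> <status>".
SAMPLE_LOG = [
    "203.0.113.5 GET /lookup?iccid=8901000000000000001 200",
    "203.0.113.5 GET /lookup?iccid=8901000000000000002 200",
    "203.0.113.5 GET /lookup?iccid=8901000000000000003 200",
    "203.0.113.5 GET /lookup?iccid=8901000000000000004 200",
    "203.0.113.5 GET /lookup?iccid=8901000000000000005 200",
    "198.51.100.7 GET /lookup?iccid=8901000000000000019 200",
    "198.51.100.7 GET /lookup?iccid=8901000000000000019 200",
]

def flag_enumeration(log_lines, threshold: int = 5):
    # Detection: one client asking for many distinct ICCIDs is the signature
    # of walking the identifier space, whatever status the server answered.
    distinct = defaultdict(set)
    for line in log_lines:
        client, _method, path, _status = line.split()
        if "iccid=" in path:
            distinct[client].add(path.split("iccid=", 1)[1])
    return sorted(ip for ip, ids in distinct.items() if len(ids) >= threshold)
```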
Re: (Score:2)
ICCIDs as sequential numbers - Untrue. 89nnnnnnnnnnnnnnnnn1 may be a valid ICCID; if it is, 89nnnnnnnnnnnnnnnnn2 will not be (where n are digits). There may be a pattern utilised, but n+1 is not a reliable method for a given known ICCID.
He immediately alerted the media - Not the company? Sure, the public might have need or right to know, and though his intentions were more or less good, giving up details of an exploit without giving the (in this case) company a good-faith chance
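The ICCID point above rests on the Luhn check digit that ITU-T E.118 ICCIDs carry. As an added example, not from the thread, this validator shows why only one final digit is valid for a given prefix, so a server can reject malformed ICCIDs before they reach any lookup. The ICCID values are constructed.

```python
def luhn_valid(number: str) -> bool:
    # Standard Luhn: from the rightmost digit, double every second digit,
    # subtract 9 from any doubled value above 9, and require sum % 10 == 0.
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def is_wellformed_iccid(value: str) -> bool:
    # ICCIDs start with the telecom major industry identifier 89, are
    # typically 19 or 20 digits (E.118 allows up to 20), and end in a Luhn
    # check digit. This is a sanity check, not an authorization check.
    return (value.isdigit() and len(value) in (19, 20)
            and value.startswith("89") and luhn_valid(value))

def valid_last_digits(prefix: str):
    # For a fixed prefix, list the final digits that give a valid ICCID. The
    # check digit is never doubled, so exactly one digit works: an ICCID
    # ending in ...1 being valid means the neighbour ending in ...2 is not.
    return [d for d in "0123456789" if is_wellformed_iccid(prefix + d)]
```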
Re: (Score:1)
He immediately alerted the media - Not the company? Sure, the public might have need or right to know, and though his intentions were more or less good, giving up details of an exploit without giving the (in this case) company a good-faith chance to fix what went wrong--thus giving the black-hat types a window to do what they will, with probably more nefarious intent--is in NO way responsible behaviour.
Fair enough. Out of courtesy one should inform the "victim"; but he's not obligated. Not ethical and al
WTF (Score:1)
Re: (Score:2)
10 years. 5 x 2 = 10 last time I checked.
Re: (Score:1)
No, man. I meant that he could've simply been given some community service instead of losing his age, or even just work for them in order to improve "their" own security.
That's why I said "Fuck those judges"