(1/3) I was warned there'll be consequences for my giving the 1 Verge interview, & breaking my 6-year silence on w**v. Soon, I'll find out.
(2/3) I'm relieved his *current* conviction is now vacated/he's being freed; he should never have been charged/imprisoned for THAT. But...
(3/3) 99% sure he'll NEVER be charged w/ his *actual* (lesser) crimes against unimportant individuals, & he'll be tech media darling again.
They just didn't think anybody would try to figure out the right URL. Going back to the lock-on-the-door analogy, they hid their valuables in an unlocked, open room that was at the end of a mile-long maze, and assumed nobody would map that maze and try to take things they have no legal right to possess, in a manner that comes close to violating the law.
AT&T built a service by which you can look up email addresses. In order to look up an email address, you provide a long number (something like 1234567890987654321). Each number has a single email address associated with it. The idea is that a person's iPad could connect to this service on behalf of its owner, and look up an email address using the randomly-assigned number it already had. AT&T didn't require any sort of key to use the service, and didn't require that anyone agree to any terms in order to use it. Access to this service was (and was intended to be) public.
Normally, you get a number when you buy an iPad. If you can guess other numbers (which aren't, by the way, secrets - they're basically randomly assigned), you can use this service to look up email addresses associated with them. Again, you're just calling a public service that turns numbers into email addresses. weev guessed a whole bunch of numbers, and got a bunch of email addresses.
That's it. He did not break the service in any sense. He did not make the service return information it wasn't designed to return.
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if—
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State
The relevant facts are fairly simple and not in dispute. Apple, Inc. introduced the first iPad, a tablet computer, in 2010. Customers who purchased the version that had the capability to send and receive data over cellular networks (commonly referred to as “3G”) had to purchase a data contract from AT&T, Inc. (“AT&T”), which at the time was the exclusive provider of data services for this version of the iPad. Customers registered their accounts with AT&T over the Internet on a website that AT&T controlled. In the registration process, customers were assigned a user identifier (“user ID”) and created a password — login credentials that they would need in order to access their accounts through AT&T’s website in the future. The user ID assigned to each customer was that customer’s email address.
AT&T decided to make it easier for customers to log into their accounts by pre-populating the user ID field on the login screen with their email addresses. To do this, AT&T programmed its servers to search for an iPad user’s Integrated Circuit Card Identifier (“ICC-ID”) when a user directed her browser to AT&T’s general login web page (AT&T’s “URL”). An ICC-ID is the unique nineteen-or twenty-digit number that identifies an iPad’s Subscriber Identity Module, commonly known as a SIM Card. The SIM Card is the computer chip that allows iPads to connect to cellular data networks.
If AT&T’s servers recognized the ICC-ID as associated with a customer who had registered her account with AT&T, then AT&T’s servers would automatically redirect the customer’s browser away from the general login URL to a different, specific URL. That new specific URL was unique for every customer and contained the customer’s ICC-ID in the URL itself. Redirecting the customer’s browser to the new specific URL told AT&T’s servers which email address to populate in the user ID field on the login page. This shortcut reduced the amount of time it took a customer to login to her account because, with her user ID already populated, she had to enter only her password.
Daniel Spitler, Auernheimer’s co-conspirator, discovered this feature of AT&T’s login process. Although he did not own an iPad, he purchased an iPad SIM Card, hoping to install it on another computing device and then take advantage of the unlimited cellular data plan that AT&T offered for $30 per month. At first, he did not know how to register his SIM Card, so he downloaded the iPad operating system onto his computer, decrypted it, and browsed through the operating system’s code to try to find a way to register it. In the course of doing so, he came across AT&T’s registration URL. He noticed that one of the variables in the registration URL was a field requiring an ICC-ID.
Spitler then directed his computer’s web browser to the registration URL and inserted his iPad’s ICC-ID in the requisite place. AT&T’s servers were programmed only to permit browsers that self-identified as iPad browsers to access the registration URL. This required him to change his browser’s user agent. A user agent tells a website what kind of browser and operating system a user is running, so servers that someone is attempting to access can format their responses appropriately.
After changing his browser’s user agent to appear as an iPad, Spitler was able to access the AT&T login page. He noticed that his email address was already populated in the login field and surmised that AT&T’s servers had tied his email address to his ICC-ID. He tested this theory by changing the ICC-ID in the URL by one digit and discovered that doing so returned a different email address. He changed the ICC-ID in the URL manually a few more times, and each time the server returned other email addresses in the login field.
Spitler concluded that this was potentially a noteworthy security flaw. He began to write a program that he called an “account slurper” that would automate this process. The account slurper would repeatedly access the AT&T website, each time changing the ICC-ID in the URL by one digit. If an email address appeared in the login box, the program would save that email address to a file under Spitler’s control.
Spitler shared this discovery with Auernheimer, whom he knew through Internet-based chat rooms but had never met in person. Auernheimer helped him to refine his account slurper program, and the program ultimately collected 114,000 email addresses between June 5 and June 8, 2010. Its method—guessing at random—is called a “brute force” attack, a term of art in the computer industry referring to an inefficient method of simply checking all possible numbers.
While Spitler’s program was still collecting email addresses, Auernheimer emailed various members of the media in order to publicize the pair’s exploits. Some of those media members emailed AT&T, which immediately fixed the breach. One of the media members contacted by Auernheimer was Ryan Tate, a reporter at Gawker, a news website. Tate expressed interest in publishing Auernheimer’s story. To lend credibility to it, Auernheimer shared the list of email addresses with him. Tate published a story on June 9, 2010 describing AT&T’s security flaw, entitled “Apple’s Worst Security Breach: 114,000 iPad Owners exposed.”
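As an added illustration of the defender's side of the mechanism described in the comment above and in the court's account (not code from the page, the court, or AT&T): a small log check that flags a client walking consecutive ICC-IDs through the login URL, which is what an "account slurper" looks like from the server side. The log format, client addresses and ICC-ID values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the page or from AT&T): one client
# walks six consecutive ICC-IDs within a few seconds; another client makes a
# single ordinary request carrying its own ICC-ID.
SAMPLE_LOG = """\
198.51.100.7 [2010-06-05T10:00:01] "GET /login?ICCID=89014103000000000001 HTTP/1.1" 200
198.51.100.7 [2010-06-05T10:00:02] "GET /login?ICCID=89014103000000000002 HTTP/1.1" 200
198.51.100.7 [2010-06-05T10:00:02] "GET /login?ICCID=89014103000000000003 HTTP/1.1" 200
203.0.113.9  [2010-06-05T10:00:03] "GET /login?ICCID=89014103000000004242 HTTP/1.1" 200
198.51.100.7 [2010-06-05T10:00:04] "GET /login?ICCID=89014103000000000004 HTTP/1.1" 200
198.51.100.7 [2010-06-05T10:00:05] "GET /login?ICCID=89014103000000000005 HTTP/1.1" 200
198.51.100.7 [2010-06-05T10:00:06] "GET /login?ICCID=89014103000000000006 HTTP/1.1" 200
"""

# Matches the constructed format above; ICC-IDs are 19 or 20 digits, as the opinion notes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s+\[(?P<ts>[^\]]+)\]\s+"GET /login\?ICCID=(?P<iccid>\d{19,20})\b')

def parse_log(text):
    """Return (client_ip, timestamp, iccid) for every login request carrying an ICC-ID."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["ip"], datetime.fromisoformat(m["ts"]), int(m["iccid"])))
    return records

def find_enumerators(records, min_distinct=5, window_s=60, min_adjacent_ratio=0.5):
    """Flag clients that request many distinct ICC-IDs, mostly differing by one,
    inside a short window. A legitimate iPad presents one ICC-ID, its own."""
    by_ip = defaultdict(list)
    for ip, ts, iccid in records:
        by_ip[ip].append((ts, iccid))
    flagged = {}
    for ip, hits in by_ip.items():
        ids = sorted({iccid for _, iccid in hits})
        if len(ids) < min_distinct:
            continue
        # Sorting first means ascending, descending and interleaved walks all count.
        adjacent = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        times = [ts for ts, _ in hits]
        span = (max(times) - min(times)).total_seconds()
        if span <= window_s and adjacent / (len(ids) - 1) >= min_adjacent_ratio:
            flagged[ip] = {"distinct": len(ids), "adjacent_pairs": adjacent, "span_s": span}
    return flagged

if __name__ == "__main__":
    for ip, info in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The same grouping works on real access logs once the regex is adapted to their layout; the thresholds are illustrative and should be tuned to how often a genuine client re-requests the login page.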
But I think it was clearly wrong, and immoral. He knew the data he was accessing was not _supposed_ to be public. If someone accidentally dropped their medical papers and I walk by, there is nothing stopping me from reading their personal information, sure. But that doesn't mean I don't know it's wrong to.
But it was still not his information to determine what to do with it. Because he found it, he isn't an arbiter of what he can do with it. It is still someone else's property. You can legally leave your property in a public place, unsecured (say, a bike) and people still can't take it.