It sounds an awful lot like AT&T and the FBI have just convicted someone of a crime because they exposed a security vulnerability and AT&T was embarrassed. Usually in these cases there is something more going on, but it's not obvious to me that there is this time. The guy isn't a criminal. He wasn't trying to profit. He simply noticed that AT&T had made user accounts publicly available, and published proof. He believed that since the information was publicly available he was not exceeding authorization. He stuck his head up above the herd.
More information is here. A bunch of IRC chat logs are included wherein the idea of committing a crime (such as insider trading) is discussed. Joking around on IRC about committing a crime is not the same thing as actually committing a crime. It's not clear to me what crime was actually committed (other than possession of narcotics). Unless there is some key fact not here in evidence I think this is going to do tremendous harm to the relationship between law enforcement and the hacker community.

Update: After some reading about this I'm not sure I agree with Robert Graham's position. I posted the following to the thread:

After some consideration and reading I think there might be more of a grey area here than the framing of this post lets on. However, I am not fully aware of all of the technical details in this case, so if I am misrepresenting how this actually worked, by all means, please correct me. I agree that changing a value like "articleId=31337" in order to access data is not fraud, because the numbers are sequential and not personally identifying, so they don't constitute an access control, and changing them is not an act of deception. On the other hand, imagine a website with a value in the URL like "password=31337". Your personal password is "31337" and when you access this page it provides you with your personal data. Other people have other passwords on the system and when the value of the password field is changed to someone else's value, you get to see their data. Otherwise you get an error message. The password values are not sequential, but if you tried a large number of them you would successfully guess many active passwords.
Although this would be a stupid way to design a website, I think we'd agree that writing a program to brute force guess many of these passwords and running that program on the live site would be a crime (an act of fraud), because the passwords identify the individual requesting data, so presenting someone else's password is an act of deception. Now, let's imagine a third scenario - a website with a value like "SSN=078-05-1120". If you put someone else's Social Security Number in that field, you get access to their personal data. Social Security numbers aren't sequential, but if you t...