It sounds an awful lot like AT&T and the FBI have just convicted someone of a crime because they exposed a security vulnerability and AT&T was embarrassed. Usually in these cases there is something more going on, but it's not obvious to me that there is this time. The guy isn't a criminal. He wasn't trying to profit. He simply noticed that AT&T had made user accounts publicly available, and published proof. He believed that since the information was publicly available he was not exceeding authorization. He stuck his head up above the herd.
More information is here. A bunch of IRC chat logs are included wherein the idea of committing a crime (such as insider trading) is discussed. Joking around on IRC about committing a crime is not the same thing as actually committing a crime. It's not clear to me what crime was actually committed (other than possession of narcotics). Unless there is some key fact not here in evidence, I think this is going to do tremendous harm to the relationship between law enforcement and the hacker community.

Update: After some reading about this I'm not sure I agree with Robert Graham's position. I posted the following to the thread:

After some consideration and reading I think there might be more of a grey area here than the framing of this post lets on. However, I am not fully aware of all of the technical details in this case, so if I am misrepresenting how this actually worked, by all means, please correct me.

I agree that changing a value like "articleId=31337" in order to access data is not fraud, because the numbers are sequential and not personally identifying, so they don't constitute an access control, and changing them is not an act of deception.

On the other hand, imagine a website with a value in the URL like "password=31337". Your personal password is "31337" and when you access this page it provides you with your personal data. Other people have other passwords on the system and when the value of the password field is changed to someone else's value, you get to see their data. Otherwise you get an error message. The password values are not sequential, but if you tried a large number of them you would successfully guess many active passwords.
Although this would be a stupid way to design a website, I think we'd agree that writing a program to brute force guess many of these passwords and running that program on the live site would be a crime (an act of fraud), because the passwords identify the individual requesting data, so presenting someone else's password is an act of deception.

Now, let's imagine a third scenario - a website with a value like "SSN=078-05-1120". If you put someone else's Social Security Number in that field, you get access to their personal data. Social Security numbers aren't sequential, but if you tried to guess them you would easily get lots of successful hits. Nevertheless, they are personally identifying. I think writing a program to brute force guess Social Security numbers in such a website would be more akin to the password guessing scenario than the articleId guessing scenario - it would be fraud.

Furthermore, as best I understand it, the SSN scenario is similar to what happened in this case. The values guessed were subscriber ID numbers. Again, I'm not 100% clear on the facts of this case, so please correct me if you think that I'm mischaracterizing this or if there are important technical details that lead to a different interpretation.

Having said all of that, I think there is another ingredient here, which is "intent to defraud." I don't see any evidence of that here. Wired magazine published some IRC chat logs where people were joking about committing a crime, but joking about committing a crime is not the same thing as actually committing a crime.

As a security researcher, it's obvious that my SSN website example is a bad design, but it might be hard to convince people at AT&T of that fact. They might argue that it would be hard to guess valid numbers or that their systems would detect any attempt to do so. It may have been impossible to demonstrate that this was a real vulnerability without actually performing the attack and going to the press with it.
I think, ultimately, it should be illegal to commit actual attacks without authorization in order to demonstrate that a computer security vulnerability is real. However, sometimes there is no alternative. There is such a thing as prosecutorial discretion, and shooting the messenger in a case like this sets a bad precedent in my view.

Errata Security: You are committing a crime right now
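The post argues that AT&T might claim "their systems would detect any attempt" to guess subscriber IDs. As an added illustration (not code from the original post or from Errata Security), here is what such server-side detection looks like: a small Python routine run over constructed access-log lines that flags a client requesting many distinct values of an identifying parameter with a high failure rate, which is the signature of guessing "password=" or "SSN=" style lookups. The parameter name `subscriberId`, the IP addresses and the log lines are all made up for the example.

```python
# Added example: detect parameter-value enumeration in web access logs.
# The log lines below are constructed for this example (common log format).
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2010:10:00:01 +0000] "GET /account?subscriberId=1001 HTTP/1.1" 200 512
10.0.0.5 - - [09/Jun/2010:10:00:02 +0000] "GET /account?subscriberId=1002 HTTP/1.1" 404 0
10.0.0.5 - - [09/Jun/2010:10:00:03 +0000] "GET /account?subscriberId=1003 HTTP/1.1" 404 0
10.0.0.5 - - [09/Jun/2010:10:00:04 +0000] "GET /account?subscriberId=1004 HTTP/1.1" 403 0
10.0.0.5 - - [09/Jun/2010:10:00:05 +0000] "GET /account?subscriberId=1005 HTTP/1.1" 200 498
10.0.0.5 - - [09/Jun/2010:10:00:06 +0000] "GET /account?subscriberId=1006 HTTP/1.1" 404 0
10.0.0.9 - - [09/Jun/2010:10:01:00 +0000] "GET /account?subscriberId=2200 HTTP/1.1" 200 512
10.0.0.9 - - [09/Jun/2010:10:01:30 +0000] "GET /account?subscriberId=2200 HTTP/1.1" 200 512
10.0.0.9 - - [09/Jun/2010:10:02:00 +0000] "GET /help HTTP/1.1" 200 1024
"""

# client ip, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (ip, path, query dict, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ip, _method, target, status = m.groups()
    parts = urlsplit(target)
    return ip, parts.path, parse_qs(parts.query), int(status)

def find_enumerators(log_text, param, min_distinct=5, min_fail_ratio=0.5):
    """Flag clients that tried many distinct values of `param`, mostly failing.
    A legitimate user repeats their own value; a guesser cycles through many,
    and most guesses miss (4xx), so distinct-value count and failure ratio
    together separate the two."""
    clients = defaultdict(lambda: {"values": set(), "requests": 0, "failures": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or param not in rec[2]:
            continue
        ip, _path, query, status = rec
        c = clients[ip]
        c["requests"] += 1
        c["values"].update(query[param])
        if status >= 400:
            c["failures"] += 1
    flagged = {}
    for ip, c in clients.items():
        ratio = c["failures"] / c["requests"]
        if len(c["values"]) >= min_distinct and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_values": len(c["values"]), "failure_ratio": round(ratio, 2)}
    return flagged
```

Calling `find_enumerators(SAMPLE_LOG, "subscriberId")` flags only 10.0.0.5; the thresholds are deliberately low for the short sample and would be raised for production traffic.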