Hacker security researchers find a hole in one of the biggest telco's IT systems and, with a small script one of them wrote, harvest around 117,000 email addresses of iPad 3G users, including high-ranking officials and celebrities. They decide to share this information with the news site Gawker, and from there the ball starts rolling.
Fast forward to now. They both got arrested. One (the scripter, Daniel Spitler) pleaded guilty and is still awaiting sentence; the other (Andrew Auernheimer aka 'Weev', who found the vulnerability) just got 41 months in jail, and it is expected that he and his 'co-researcher' will have to pay restitution in the vicinity of 73,000 USD. (http://www.wired.com/threatlevel/2013/03/att-hacker-gets-3-years/)
Let me start by saying that the typical hacker would possibly score very high on the autism spectrum, lacking a certain empathy and not having a keen sense of where social boundaries are.
Had I been part of the defense in this case, I'd have gone down this track: a psych profile. The NASA hacker Gary McKinnon was diagnosed with Asperger's syndrome, and this helped in his defense against extradition from the UK to the US. (http://en.wikipedia.org/wiki/Gary_McKinnon)
Looking closer at the AT&T hack case, these hackers did two things wrong when they found the vulnerability:
1) They did not report the vulnerability to AT&T first, but to journalists.
This caused damage to AT&T's reputation, and generally this type of action pisses off a company enough that it wants to put you behind bars. (AT&T already has a bad reputation: expensive, commercially greedy bastards with very bad customer service… but what would you expect from a telco?)
I believe the vulnerability was not deliberately created by AT&T. The hackers should have reported it to AT&T first, with a proof of concept containing just a few email addresses and enough information for the AT&T developers to fix it. After it was fixed they could have published a joint statement with AT&T that a privacy issue had been fixed. Kudos for the hackers and for AT&T, cake for all!
2) Through a bit of clever scripting they tried the complete range of ID numbers to get a huge list of email addresses (~117,000) through the vulnerability.
This is absolutely ridiculous: why do you need to check the complete range if you just need a proof of concept? Autists…. I am anxious to know what the other guy (Spitler) will get.
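To make the difference between a proof of concept and a harvest concrete, here is an added example (mine, not code from the post or anything AT&T ran). It is a constructed simulation: the record table, the sequential ID space, the addresses and the function names are all invented and do not reflect AT&T's actual interface. It shows three things: a lookup keyed on a sequential integer that any script can walk, a capped proof of concept that stops after a handful of hits, and a hardened design where the key is an unguessable random token so that enumeration over the ID space finds nothing.

```python
"""Constructed simulation of sequential-ID enumeration versus a capped PoC.

Added example for illustration only; RECORDS, the ID range and every
function here are hypothetical and not AT&T's real endpoint or data.
"""
import secrets
from typing import Callable, Dict, List, Optional

Lookup = Callable[[int], Optional[str]]

# Constructed sample back end: 50 customers with consecutive record IDs.
RECORDS: Dict[int, str] = {1000 + i: f"user{i}@example.com" for i in range(50)}


def lookup_email(record_id: int) -> Optional[str]:
    """Vulnerable design: the only 'key' is a guessable sequential integer."""
    return RECORDS.get(record_id)


def harvest(lookup: Lookup, id_range: range) -> List[str]:
    """Full enumeration: walk the whole ID space and keep every hit.

    This is the behaviour the post criticises; the result is the complete list.
    """
    return [addr for rid in id_range if (addr := lookup(rid)) is not None]


def proof_of_concept(lookup: Lookup, id_range: range, max_hits: int = 3) -> List[str]:
    """Capped enumeration: stop at the first few hits, enough to show the flaw."""
    hits: List[str] = []
    for rid in id_range:
        addr = lookup(rid)
        if addr is not None:
            hits.append(addr)
            if len(hits) >= max_hits:
                break
    return hits


# Hardened design: index records by a random 128-bit token handed to the
# legitimate client, so there is no sequential space to walk.
TOKEN_RECORDS: Dict[str, str] = {secrets.token_hex(16): addr for addr in RECORDS.values()}


def lookup_email_by_token(token: str) -> Optional[str]:
    """Same data, but the key is unguessable; the caller must already hold it."""
    return TOKEN_RECORDS.get(token)


def guess_tokens(attempts: int) -> List[str]:
    """Attacker against the hardened design: random guesses in a 2**128 space.

    With 50 live tokens the chance of a single hit in `attempts` tries is
    about attempts * 50 / 2**128, i.e. effectively zero.
    """
    return [addr for _ in range(attempts)
            if (addr := lookup_email_by_token(secrets.token_hex(16))) is not None]


class BudgetedLookup:
    """Wrapper adding a per-client request budget, the second layer a
    defender would want even with unguessable keys: the 500th consecutive
    miss from one client is a scanner, not a customer."""

    def __init__(self, lookup: Lookup, budget: int) -> None:
        self._lookup = lookup
        self._budget = budget
        self._used: Dict[str, int] = {}

    def __call__(self, client: str, record_id: int) -> Optional[str]:
        used = self._used.get(client, 0)
        if used >= self._budget:
            raise PermissionError(f"client {client} exceeded {self._budget} lookups")
        self._used[client] = used + 1
        return self._lookup(record_id)


def harvest_with_budget(lookup: BudgetedLookup, client: str, id_range: range) -> List[str]:
    """Enumeration against the budgeted endpoint halts at the budget."""
    hits: List[str] = []
    for rid in id_range:
        try:
            addr = lookup(client, rid)
        except PermissionError:
            break
        if addr is not None:
            hits.append(addr)
    return hits


if __name__ == "__main__":
    space = range(0, 5000)
    print("harvest:", len(harvest(lookup_email, space)))            # all 50 records
    print("poc:", proof_of_concept(lookup_email, space))            # only 3
    print("token guessing:", guess_tokens(10_000))                  # []
    budgeted = BudgetedLookup(lookup_email, budget=200)
    print("budgeted:", len(harvest_with_budget(budgeted, "scanner", space)))  # 0
```

The capped version limits how much data the researcher ends up holding, which is what the post's "just a few email addresses" means in practice; it does not by itself make the access authorized, so the post's advice still applies: report first, and let the vendor's developers verify with their own data. On the defensive side, note that the token lookup alone does not stop an attacker who already has a token, which is why the request budget is kept as a separate layer.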
Looking at these actions, and not taking into account that the hackers were possibly autistic, could explain the sentence. The only damage done was not to the users and/or the IT systems, but to AT&T's reputation. And that damage, in my opinion, does not compare to a prison sentence of 41 months.
This ruling could also be seen as highly counterproductive to the security of AT&T and of other companies that would react in this way, and here's why:
Ask yourself: What will an autistic guy (and other hackers who sympathize with him) learn from this?
– Simple; never report shit like this again!
It is in their nature to look for vulnerabilities; this is play/fun to them. But this ruling will likely push them to share the vulnerabilities they find on deep-web hacker forums for kudos (honor system) or possibly even sell them on the black market (cold hard cash). Both will end badly for the companies: in the end they will be attacked by folks who want to do a lot more than just prove that they found a vulnerability.
I read somewhere that a remote iPhone/iPad exploit that would enable an attacker to take over the device remotely without user intervention would gross about $400,000 US on the black market. That's right… we're talking about serious money. Once these guys score and get recruited by the digital crime syndicates, combined with their lack of social boundaries, you could say you have a real problem.
A good defense in IT security is an open defense. A good 'responsible disclosure' procedure for 'white-hat' or ethical hackers should be published and promoted by companies like AT&T. In it they should set out the rules of the game for when vulnerabilities are found in their systems. A couple of sites and companies do this, and they get better security through it. These companies include Facebook and Google, and it seems to work for them. A good read is the paper from Weis referenced on the responsible disclosure Wikipedia page: http://en.wikipedia.org/wiki/Responsible_disclosure