iPad compromised

Some of us love those electrons just a little too much
Embar Angylwrath
President: Rsak Fan Club
Posts: 11674
Joined: Mon Feb 03, 2003 2:31 am
Location: Top of the food chain

iPad compromised

Post by Embar Angylwrath »

Normally I don't post on tech stuff too much, I'm more of a biology/chemistry guy. But this story caught my eye for this reason...
Mr. Stern said he and Valleywag editor Ryan Tate spent all night Tuesday verifying the data file from a group of computer experts that calls itself Goatse Security, which had identified the AT&T breach and sought to publicize it.
WTF? Are they for real???

http://online.wsj.com/article/SB1000142 ... Collection
Correction Mr. President, I DID build this, and please give Lurker a hug, we wouldn't want to damage his self-esteem.

Embar
Alarius
xilly
Knight of the sWordz
Posts: 554
Joined: Mon Feb 11, 2008 9:48 am
Location: My house

Re: iPad compromised

Post by xilly »

I smell Anonymous hard at work.
Reviews Editor - Frontburnr | Twitter
Freecare Spiritwise
Grand Pontificator
Posts: 3015
Joined: Thu Mar 13, 2003 5:35 pm

Re: iPad compromised

Post by Freecare Spiritwise »

It was just run of the mill hackers. They may claim to wear white hats but that's like saying "I just robbed that bank to show how poor the security was" so that doesn't fly with me. A white hat would've kept it on the down low.

The real idiocy was with AT&T's web site being so insecure. It had a numeric unique user ID as part of the request string (URL in your browser) and it didn't take long for people to figure out that you could try other numbers and be logged in as other people.

For the web applications I create, most are for public companies and most deal with sensitive financial data. We take that shit deadly serious, and one of our slogans is "treat all user input as if it were malicious". You'd figure a ginormous company with the resources that little companies like us don't have would be following "web development best practices". Oh well, job security I guess...
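The flaw described in this post is an insecure direct object reference: the account is chosen purely by a numeric ID in the request string. The following is an added illustration, not code from the thread or from AT&T, using constructed accounts, sessions and log lines; it shows the vulnerable lookup next to a session-bound one, and a simple detector for the ID-walking footprint such a flaw produces.

```python
"""Added example: numeric-ID-in-URL lookup (IDOR) vs. a session-bound lookup,
plus a log check for ID enumeration. All data below is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed account records keyed by numeric user ID.
ACCOUNTS = {
    1001: {"email": "alice@example.com"},
    1002: {"email": "bob@example.com"},
    1003: {"email": "carol@example.com"},
}

# Constructed server-side session store: session token -> authenticated user ID.
SESSIONS = {"sess-alice": 1001, "sess-bob": 1002}


def lookup_vulnerable(url_user_id: int) -> Optional[dict]:
    """Vulnerable pattern: trusts the ID taken from the URL, so any caller
    can try other numbers and read other people's records."""
    return ACCOUNTS.get(url_user_id)


def lookup_hardened(session_token: str, url_user_id: int) -> Optional[dict]:
    """Hardened pattern: identity comes from the server-side session; the URL
    parameter is honoured only when it matches the authenticated user."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != url_user_id:
        return None  # unauthenticated, or asking for someone else's record
    return ACCOUNTS.get(owner)


# Matches constructed access-log lines of the form: <ip> ... "GET /account?id=<n> ...
LOG_RE = re.compile(r'^(\S+) .*?"GET /account\?id=(\d+) ')


def find_enumeration(log_lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Detection: report clients that requested at least `threshold` distinct
    account IDs, the footprint of walking the ID space."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}


# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - [10/Jun/2010] "GET /account?id=1001 HTTP/1.1" 200',
    '203.0.113.7 - [10/Jun/2010] "GET /account?id=1002 HTTP/1.1" 200',
    '203.0.113.7 - [10/Jun/2010] "GET /account?id=1003 HTTP/1.1" 200',
    '198.51.100.2 - [10/Jun/2010] "GET /account?id=1002 HTTP/1.1" 200',
]
```

Running `find_enumeration(SAMPLE_LOG)` flags only the first client, which touched three distinct IDs; the second client, reading its own record, is not reported.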
Ddrak
Save a Koala, deport an Australian
Posts: 17517
Joined: Thu Jan 02, 2003 3:00 pm
Location: Straya mate!

Re: iPad compromised

Post by Ddrak »

You'd figure a ginormous company with the resources that little companies like us don't have would be following "web development best practices".
Uh, no. The bigger the company, the less likely the people at the programming coal face are invested in the results. In a small company if you screw up then the results are much more dire.

And it's not really "robbed the bank". At least they gave it to Gizmodo and not sold it to some random Russian mafia group. Full disclosure is a tough subject.

Dd
Freecare Spiritwise
Grand Pontificator
Posts: 3015
Joined: Thu Mar 13, 2003 5:35 pm

Re: iPad compromised

Post by Freecare Spiritwise »

Ddrak wrote: Uh, no. The bigger the company, the less likely the people at the programming coal face are invested in the results. In a small company if you screw up then the results are much more dire.
I've worked for big companies that wanted to do everything right /shrug. Certainly a bigger company has the resources not to develop Swiss cheese. I have to fight for the resources to do anything that's not glamorous or immediately tangible like testing, security, logging, diagnostic code, etc.
Ddrak wrote: And it's not really "robbed the bank". At least they gave it to Gizmodo and not sold it to some random Russian mafia group. Full disclosure is a tough subject.
Maybe not the best analogy, and maybe their actions weren't pure evil, but I still think what they did was wrong even though I completely despise AT&T and their ilk. My daddy always said "two wrongs don't make a right".

This whole thing makes AT&T look like the good guy to many people even though they were the ones who showed reckless abandon for their customers' data.

There's at least better methods for forcing a disclosure.
Ddrak
Save a Koala, deport an Australian
Posts: 17517
Joined: Thu Jan 02, 2003 3:00 pm
Location: Straya mate!

Re: iPad compromised

Post by Ddrak »

There's definitely better ways of disclosing this sort of thing. Typically you give a proof-of-concept to the vendor and let them know you'll publish it in X days.

I have a pretty negative view of big companies. I guess I got the bad ones. :)

Dd
Freecare Spiritwise
Grand Pontificator
Posts: 3015
Joined: Thu Mar 13, 2003 5:35 pm

Re: iPad compromised

Post by Freecare Spiritwise »

I read somewhere that this "security company" waited until AT&T closed the vulnerability before making disclosure to the public. Props for doing that, but I still question their motives.

If their goal was to stick it to AT&T then they didn't do a very good job since AT&T is playing the victim and some news outlets are taking pity on them.