Check out this article on these ‘Hackers’ who just got 3 years in prison and are to pay $73,000 in restitution:
This was not a hack – Andrew Auernheimer and his colleague stumbled across a huge security hole that AT&T exposed. It is unbelievable that a company the size of AT&T would expose this information.
Here is the ‘hack’ that was perpetrated – he noticed that if you take an AT&T URL and increment the querystring variable, you can pull another user’s information. For instance, let’s say you log into your AT&T account, and you see a URL like http://www.att.com/default.aspx?ICCID=1234 which shows your profile information. Then if you go to your browser’s address bar and change the URL to http://www.att.com/default.aspx?ICCID=1235, you see someone else’s profile information – that is a hack? Then you spend 15 minutes writing a script which loops through, generates URLs with the ICCID incremented, and parses the webpage information into a database.
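The control missing from the behaviour described above is a server-side check that the logged-in session owns the requested ICCID. The sketch below is an added example, not code from AT&T or from the original post; the function names, session tokens and sample records are constructed, and it also shows how refused lookups can be used to spot someone stepping through the parameter.

```python
from collections import Counter

# Constructed sample data, not real records.
PROFILES = {"1234": {"email": "alice@example.com"},
            "1235": {"email": "bob@example.com"}}
SESSIONS = {"token-alice": "1234", "token-bob": "1235"}  # session -> owned ICCID
DENIED = []  # (session_token, requested_iccid) for every refused lookup


def profile_vulnerable(iccid, session_token=None):
    """Behaviour described in the post: the ICCID from the query string is
    the only key, so whoever asks for 1235 gets 1235's profile."""
    profile = PROFILES.get(iccid)
    return (200, profile) if profile else (404, None)


def profile_hardened(iccid, session_token=None):
    """Same lookup, but the server decides from the session, not the URL,
    whose record the caller may read."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return (401, None)                     # not logged in
    if owner != iccid:
        DENIED.append((session_token, iccid))  # keep a trail for monitoring
        # Same 403 whether or not the ICCID exists, so responses
        # do not reveal which identifiers are valid.
        return (403, None)
    return (200, PROFILES.get(iccid))


def sessions_walking_ids(denied, threshold=3):
    """Sessions refused on at least `threshold` distinct ICCIDs: the
    pattern left behind by someone stepping through the parameter."""
    distinct = Counter()
    for token, _ in set(denied):
        distinct[token] += 1
    return sorted(t for t, n in distinct.items() if n >= threshold)
```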
Ethical? Probably not. But if you want to expose AT&T as treating customer information carelessly you could be considered a whistleblower. These guys did not profit off this information – they sent the data to the editors of a popular website (Gawker.com) to embarrass AT&T. Arguably, if you tried to sue AT&T for breach of custodial conduct of your information, their lawyers would probably argue there were no damages since no harm was done to you.
However, the federal government is able to get a 3-year conviction. Oh... coincidentally... Andrew Auernheimer is an internet activist in the vein of Aaron Swartz – http://en.wikipedia.org/wiki/Andrew_Auernheimer.
The government crackdown on behalf of corporate America continues. As a commenter states in the article comments: “In America, if you want your rights protected, you had best incorporate first.”