A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers’ passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.
No he did not. A cracker did that.
Victor.
Sure he did. Hackers write software, and software can be used to crack systems – so he’s a hacker.
It’s the basic principle of OO design: inheritance.
The script kiddies who use code written by hackers to crack a system are not themselves hackers.
Read it again, he just used a password. From what I hear it was some simple JavaScript error in the site that allowed him to get the password.
Good shit dude.
Screw court, they should fire the incompetent network people at T-Mobile and give that man a job.
Push & Click Hackers
Point is this has gone on for a year and T-Mobile took that long to figure out there was a breach in security and possibly fix the hole. Now I’m very glad that I didn’t subscribe to them back last summer like I was contemplating doing. Now, seeing their security staff seems rather ineffective, I doubt I ever will. Question is, will T-Mobile now cover it up and not inform all their customers that their private information was compromised and take steps to protect themselves? Or will they let it slide and sweep it under the floor like most corporations do?
“T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. ”
But not only that, the company line is that “no one is available to comment on the matter.”
So despite the laws in California, T-Mobile is not going to come clean. Do you REALLY want this company handling your wireless communications?
Definitely something to think about before sending them next month’s payment!
Seems like it’s long past time for corporations to own up to their security mistakes and keep their customers informed when their private data has been compromised. More than just California needs such laws, because it’s obvious the corporations aren’t going to do the right thing without being forced into it.
Why are there still so many people arguing about the definition of “hacker”?
http://www.catb.org/~esr/hacker-emblem/
/begin rant
I think the guy was a dumbass to think he could get away with it. Truth is, you *never* truly know who you’re chatting with. Whether it’s the real person on the other end or someone listening in. Plus he was connecting in from some motel/hotel in SoCal using (presumably his) CC, and signing in under his real name. Plus using the other parties’ proxy. The list goes on.
On a personal level, this is why I hate the fact companies collect/store/buy/sell/trade private info. On top of those reasons, you got to worry about cats like this guy stealing that same cherished info.
It’d be nice not to have to worry about someone else using my identity, I have enough problems. I get looked at weird because I pay cash for *everything*… what’s this world coming to?
/end rant
I digress.
Isn’t the Secret Service the ones who are supposed to be protecting things like credit card abuse and stuff like that?
Wouldn’t you think they would have used a secure channel whenever protected information was being transferred?
All I can say is booo! Need to get some better security controls! Thanks for protecting nothing.
The secret service found their documents being circulated in IRC and started trying to figure out how. I believe it was the secret service that told T-Mobile their system was breached. I didn’t read all of the article though.
And since when does ESR, or any other social misfit, get to define words for the entire population?
The widely accepted definition of hacker will stick because millions more people use it. Geeks like you can jump up and down all you want about the difference between a hacker and a cracker. No one normal is taking much notice and behaving that way sends others a very bad impression of your mental health.
That guy is such a player, keeping it on the hush for so long.
Hilarious but true, Matt.
Now back to your regularly scheduled rambling:
What disappoints me the most about this article is the fact that it mentioned that a Secret Service agent was apparently using T-Mobile to transmit such sensitive information.
Seriously, what the fuck? Doesn’t the government have some kind of special communication junk for sensitive intelligence lewt? Why would someone from the Secret Service EVER use a civilian communications system for work?!
Seriously, I mean, the Sidekick is a pretty cool gadget, but give me a break, what was he smoking?
This is the kinda crap that makes my hairline recede!
Hacker is, and always will be, a creative programmer. Society can see it the other way, but those who matter (those in IT security) know differently. Those who matter know that when I say I hacked a program I mean I edited it in a creative way.
I will continue to advertise myself as a hacker-in-training. Those who feel I crack computers, well… I probably could crack their computers, but I don’t, and them thinking I could makes life easier for me. They walk softly around me.
To sum it up:
Hacker to the majority; Cracker to those who matter.
-Preston
T-Mobile provide the worst mobile service in the UK (IMO), so it doesn’t surprise me that any other part of the company isn’t up to scratch.
Vanity is their biggest threat. They all get caught because of it. Don’t know who I despise most, the snitch or the cracker. I guess both.
Don’t mess with the government or the big guys, they’ll get you. I’m not sure if he’ll be punished as an example for others, like they did with Mitnick.
What worries me is, how many companies are routinely compromised and their sensitive info copied and sold in the black market without them ever knowing or, at least, willing to admit?
The law needs to reflect the need to punish those organisations which hold private data and which don’t execute a sufficient level of security. The law is wrong to place all the emphasis on the lone attacker. The greater crime is that of T-Mobile.
punishment to lax security
Morally speaking you have a point there. Such firms deserve to be hacked if they really are that ignorant about security. Technically speaking, according to the law, if I would leave my car keys in the ignition and some dude drives away with my car without my knowing, that’s a felony, it’s that simple. The law has some lines within that describe some actions as being computer crime. There are a lot of people who use their advanced knowledge for a greater community and could theoretically hack the planet most likely without being caught, yet they have some ethics and don’t do that. Some occupy the grey lines; those should in my opinion be rewarded for their actions when they don’t cause any harm or jeopardize economy or people’s jobs. The problem is who can really distinguish what’s allowed and what isn’t.
In the meantime the same government hires hackers to steal information for national security, bust criminals etc.
Preston: you mention you -could- hack into their boxes if you wanted, since you defined yourself as a creative programmer, I guess you experienced exploit programming and learnt how volatile such codes were, unless you did months of development on it for adapting it to numerous OS and architectures.
In that sense, hackers are really talented programmers. If you didn’t try such things, then your intrusion technique is likely to be programming-free, and that’s where the definition of a hacker stops in my opinion.
I would define a cracker as someone who cracks software for removing their protection, which is the commonly admitted definition for the whole online community.
The difference between a hacker and a cracker that was made in one of the replies is just one more bull that media used for mainstream non-internet people’s comprehension.
The difference between a hacker and a cracker that was made in one of the replies is just one more bull that media used for mainstream non-internet people’s comprehension.
Then what is the difference other than a hacker makes things and a cracker breaks things?
I think every hacker is a cracker and vice versa if they can program in at least 5 programming languages as fluent as the compiler itself, is extremely social, math, science gifted, and can be compared with the best programmers in the world. Takes his/her targets at random if he/she wants to. Has never posted to whatever mailing list no matter how difficult the problem at hand was, other than to share knowledge.
Very interesting, informative, and shocking story. Thanks Eugenia.
I can’t believe there’s an argument defining the terms… a hacker is someone who cuts down wheat, and a cracker is a small piece of starchy flat bread, usually with salt on it.
Seriously though, a talented programmer? I would simply consider BOTH of them one who capitalizes on weak security. They don’t invent anything, they simply exploit the weakness of security, be it a fool who uses a simple password or blabs it at free will, or someone who examines software for weaknesses.
There is no lock that can not be opened, otherwise it’s a wall, not a lock. By that fact alone every single password scheme and verification scheme can not be totally secure. All you can do is make it difficult to break in for most people (and of course as the govt does, punish the $hit out those you catch.)
The fact that a Secret Service agent used an insecure communications medium to transmit sensitive data should mean that he be fired immediately. I can not imagine a more ridiculous action. Banks are more secure than that, doctor’s offices are more secure than that.
Right now, the only thing that secret service guy is probably servicing is oil changes at a gas station.
Technically speaking, according to the law, if I would leave my car keys in the ignition and some dude drives away with my car without my knowing, that’s a felony, it’s that simple.
I don’t really understand your point. Are you saying that companies who have computers with sensitive customer info that gets hacked shouldn’t be punished, only the cracker? In this case, the only way you could make the analogy work is if you had some sort of valet parking service and you were leaving other people’s cars in the parking unlocked with the keys in the ignition.
IMHO, these companies need to be accountable when they get hacked and somebody ends up with hundreds of social security or credit card numbers.
this is a better entry for the word hacker: http://ftp.gnu.org/savannah/files/faifes/a2881.html
I work at T-Mobile. The company’s side of things is a bit different than what the article implies.
T-Mobile found out in October 03 and blocked further access. The company then informed the Secret Service. Following Secret Service guidelines, the affected customers (only 400) were notified. No problems were reported by those customers.
At least that is the official story sent to employees. It’s up to you to believe whether they are telling the truth. I do.
One thing I notice is that T-Mobile seems to be playing this off, like only 400 customers were involved so it’s no big deal. IMHO, it’s a really big deal if you happen to be one of those 400, so when you say ‘only 400’, you’re making it sound more trivial than it is.
“At least that is the official story sent to employees. It’s up to you to believe whether they are telling the truth. I do.”
You are a model employee! Good for you!
Now… stop being part of the problem and think for yourself.
The analogy wasn’t the one I had originally in mind. Someone can’t be punished for being careless with his/her own property (the car analogy). Morally there has been some negligence. Technically there’s no law that forbids negligent behaviour with property that’s your own, unless what is written down in the law is violated. However the insurance company will think and act otherwise.
To the point, in this case the situation is much alike. Somebody will get fired and that’s about it.
IMHO, these companies need to be accountable when they get hacked and somebody ends up with hundreds of social security or credit card numbers.
What can you do? There are a lot of unrevealed vulnerabilities lying around to be discovered at any time. As I noticed, the kid exploited some failure in a JavaScript, made by a third-party manufacturer? In-house made by some clumsy programmer/webmaster? The most in-sight act is the one of the cracker who penetrated the T-Mobile network and apparently traded the gained data. It would have been a different case when they had ignored the vulnerability discovered by a hacker who warned the company and a few days later the company got duped. Who says they haven’t done enough security-wise? Who can say he uses 100% bug/flaw/vulnerability-free code? That Secret Service clown most likely got his punishment and that’s it. If everything would be more standardized and enforced there would be less havoc.
If the Secret Service is concerned about their email getting read, perhaps they should use PGP or a similar solution?