To add to the fun, Steve Jobs just boasted about iPad security [gawker.com]:

The iPad breach flew in the face of Jobs' statement that Apple's policy is to seek—and force partners to seek—user permission "every time. Let them know precisely what you're going to do with their data," and let "people know what they're signing up for in plain English, repeatedly."

Ooh ooh, maybe Apple can use this as a reason to get out from ATT contract. Or... not.

AT&T needs to hire more ex-hackers. If you can't beat them, and they obviously can't, hire them!

edit: It doesn't get more basic in terms of code to not display more than one email address for any given request, 114k ? talk about a cluster...

FBI is investigating this system hack: [computerworld.com...]

Now that the Feds are involved [gawker.com] major CYA is happening:

a member of Goatse Security said "there was no illegal activity or unauthorized access" and that, from an ethical standpoint, the group was "as 'nice guy' as it gets." ... Further, the post said that the security hole was closed before the vulnerability was publicized; that the private user information gathered by the group was given only to Gawker and then destroyed;

I think they need a new definition for what defines "illegal activity" these days because they may be shocked when they read the current cyber laws.

I think they need a new definition for what defines "illegal activity" these days because they may be shocked when they read the current cyber laws.

Agreed, the problem lies with the circumvention rules.

What does circumventing mean, because there was the case where a man was on the governator's website and backed up a directory by deleting the last part of his URI giving him access to "private" files not meant for the public. Trouble was they were protected by a login screen or anything, they just weren't linked to.

He said he didn't know what was in the directory he was just exploring the site. He was charged with hacking because there was no link to that directory.

So if there is no real security like in this case, can you really circumvent it? If all it takes is a little knowledge and some altering of query strings and the like I have a hard time calling that circumventing security.

maybe Apple can use this as a reason to get out from ATT contract.

and get an early termination penalty.

He said he didn't know what was in the directory he was just exploring the site. He was charged with hacking because there was no link to that directory.

Wow, that's a little scary. Does that mean I have to check each page for inbound links every time I visit in case I'm hacking?

I have some sympathy for Goatse - they haven't publicly released the email addresses and they let AT&T fix the hole before they announced it. If they were security testing an operating system for weaknesses they would be heroes - why so different for those that test for privacy weaknesses in badly built corporate sites?

In fact, I think having ethical people test big company sites for stupid security flaws should be encouraged IMHO - it's better than a bunch of underground card phreaks getting your data.

So if I decide to check out a particular website for security flaws before I sign up I can be charged with hacking. However if thy expose my private details by implementing poor security measures I have no comeback.

Really makes sense