I am not defending AT&T. I think they should be heavily fined and hopefully someone go to jail. I also think that someone who exploited the hole should also be sent to jail and heavily fined. The only people I am defending are the ones who had their information stolen. ... In my view the problem was caused by both Weev and AT&T they both should be prosecuted. What do you think?
Jail I believe should be for violent offenders exclusively, jail time for accessing something, even millions of times is ridiculous. If he obtained protected information (cardholder data, SSNs) maybe, but if it isn't "protected" (say an email, first and last name, type of phone etc.) or doesn't come with any terms, it's fair game and the blame for the boring disclosure resides solely with the company since each request was authenticated by them. We have far too many people in Jail as it is. We're the world leader's in incarcerations and it's a dirty ass privatized business which I don't want to support when we can put these people to work, and fines do a wonderful job along with some community service. If that's the case Google needs to go to jail for indexing, and bing too since bing fed itself off of google. There was no exploit, this was the system operating as intended, supply it with an IMEI and get info. You want someone in jail for randomly trying publicly accessible page, incrementally, much like what google does with google maps mapping vehicles. Why isn't this illegal, it's occurring on public roads, too!? They make copies of the data accessible at these locations, or to use your words, they "steal the information" (addresses are personally identifiable information, but also public).
There are some authentications that do not use user/password. For example, Paypal Payflow uses a signature which is a single long number that identifies that account and gives authorization for access. It is a single number somewhat like an IMEI.
Authentication is a fuzzy thing, quick google returned: Authentication is the act of confirming the truth of an attribute of a datum or entity. By entering the IMEI this satiated the authentication, pretty shitty authentication. "Yup, address is good!". In regards to the paypal thing, btw paypal isn't a bank in the majority of the countries they do business in. In order to obtain this signature you need to create an account though, which requires a few pieces of information something an IMEI doesn't require. The signature seems like a token and is part of an authentication scheme, not simply a (terrible) username. The first 8 digits of the IMEI are assigned to manufacturers and made public (pretty good for something "private"!), and Apple, for instance, tends to do 'batch' naming for the rest, so if you have one iPhone IMEI you can guess all the others from that batch just by incrementing. That's a terrible authentication idea there, lou.
That is one URL and not millions of different URLs.
So if each person (in a large pool of say 250k) accesses one URL, with an IMEI that was generated, it's cool? Rape is cool the first time around then too, eh? This conflicts with below :P
Yes, if the IMEI does not belong to you or you have not been authorized by the owner to use it.
Why would I need permission since they can be derived? It's not something that's secret, or is protected, or has any expectation of privacy, it's even broadcast (to the carrier). Otherwise sites like this http://www.imei.info/ wouldn't exist. Think they burn all of those "passwords"?
Don't you see how this is very different from trying millions of different password combinations? One of the precepts of law is intent. It is pretty easy to show no intent when typing in a few incorrect characters. It is easy to show intents when you create a script that generates millions of possible IMEIs and spams a server with them.
I asked this specifically to nail down what an IMEI number is. An IMEI is not a password or a username any more than using a credit card number or social security number is. Unlike SSNs or CC#s it's an identifier for a device which doesn't even identify an owner in many cases (see prepays). These are similar to VINs on cars. How is it illegal to generate and try different combinations of this series of numbers, especially since portions of these numbers are public knowledge, on a website that is/was publicly accessible without any terms of use or limitations imposed by the operators for any clients which request info using a valid IMEI?