Category Archives: Security

Court Complaint Aims at LulzSec Insider

The story should begin with the concluding paragraph of a criminal complaint filed against Lance Moore in the United States District Court, New Jersey:

…on or about June 25, 2011, the computer hacking group LulzSec publicized that they had obtained the AT&T Confidential Information and re-circulated it on the Internet

The start of the complaint takes the reader through the leak step-by-step.

  1. Convergys, a “relationship management services” company with more than 70,000 employees, hired Moore in August 2010 to be a contractor at an AT&T Mobility customer care call center.
  2. Moore’s responsibility was “answering calls from AT&T Mobility customers, and troubleshooting their problems”.
  3. Moore was granted access to Convergys and AT&T, including VPN.
  4. AT&T was alerted on April 16, 2011 to information anonymously posted to Fileape.com that “had been stored on AT&T’s secured servers, which are protected computers as defined in Title 18, United States Code, Section 1030(e)(2).” The value of the leaked information to AT&T “exceeded $5,000”.
  5. AT&T reviewed their network egress data and found a system IP that accessed Fileape.com on April 10. The system was associated with 19 Convergys contractors.
  6. AT&T compared the list of 19 Convergys contractor names to the authentication records on the AT&T Mobility Server that stored the confidential data. Moore used his account to access the data “shortly before that same information was uploaded to Fileape.com.”
  7. AT&T reviewed their network egress data again for Moore’s username. Just before the data was uploaded to Fileape.com, his user account searched Google for “uploading files, file hosting, and uploading zip files”. His username also accessed Fileape.com and pastebin.com “multiple occasions following the April 10, 2011”.
  8. AT&T then reviewed the contractor time records from Convergys and found Moore was “present and working” at the times highlighted in the investigation.
  9. AT&T questioned Moore. He denied leaking the information and confirmed he was aware of security policy — he had not shared access.
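The correlation the complaint describes, steps 5 through 8, as an added Python example that is not part of the complaint or of any AT&T tooling: the log lines, the seat IP, the hostnames (fileape.example and pastebin.example stand in for the real sites), the usernames and the shift records are all constructed, and the one-hour window for “shortly before” is an assumption. It walks from an egress hit on a file-hosting site to the shared seat, from the seat to its users, from those users to the share's authentication log, and then back to each implicated user's own egress activity and time records.

```python
"""Correlate egress-proxy records with file-server authentication records.
Added example, not from the complaint or any AT&T tooling: every log line,
host, address, username and shift record below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress proxy log: timestamp, source IP, proxy-authenticated user, URL.
EGRESS_LOG = """\
2011-04-10T21:02:11 10.20.30.7 jsmith http://intranet.example/helpdesk
2011-04-10T21:05:40 10.20.30.7 lmoore http://www.google.example/search?q=uploading+zip+files
2011-04-10T21:06:02 10.20.30.7 lmoore http://www.google.example/search?q=file+hosting
2011-04-10T21:09:15 10.20.30.7 lmoore http://fileape.example/upload
2011-04-10T21:31:44 10.20.30.7 lmoore http://pastebin.example/
2011-04-11T09:12:00 10.20.30.7 akhan http://intranet.example/helpdesk
2011-04-12T14:40:09 10.20.30.7 lmoore http://fileape.example/
""".splitlines()

# Constructed authentication log of the server holding the confidential share.
AUTH_LOG = """\
2011-04-10T18:30:00 akhan LOGIN ok
2011-04-10T18:31:00 akhan READ /confidential/lte/faq.docx
2011-04-10T20:41:03 lmoore LOGIN ok
2011-04-10T20:44:19 lmoore READ /confidential/lte/rollout.xlsx
2011-04-10T20:44:20 lmoore READ /confidential/lte/plan.pptx
2011-04-10T21:00:58 lmoore LOGOUT ok
""".splitlines()

# Constructed seat-to-users map: one call-centre workstation shared by several contractors.
SEAT_USERS = {"10.20.30.7": {"jsmith", "lmoore", "akhan"}}

# Constructed contractor time records: (clock-in, clock-out) pairs per user.
TIME_RECORDS = {u: [("2011-04-10T17:00:00", "2011-04-11T01:00:00")]
                for u in ("jsmith", "lmoore", "akhan")}

FILE_HOSTS = ("fileape.example", "pastebin.example")  # stand-ins for upload/paste sites
UPLOAD_TERMS = ("upload", "file+hosting", "zip")       # search terms worth flagging


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_egress(lines):
    """Split 'ts ip user url' records into dicts."""
    rows = []
    for line in lines:
        ts, ip, user, url = line.split(maxsplit=3)
        rows.append({"ts": parse_ts(ts), "ip": ip, "user": user, "url": url})
    return rows


def parse_auth(lines):
    """Split 'ts user action target' records into dicts."""
    rows = []
    for line in lines:
        ts, user, action, target = line.split(maxsplit=3)
        rows.append({"ts": parse_ts(ts), "user": user, "action": action, "target": target})
    return rows


def host_of(url):
    return url.split("/")[2]


def is_upload_search(url):
    return "search?q=" in url and any(t in url.lower() for t in UPLOAD_TERMS)


def on_shift(user, when, records=TIME_RECORDS):
    return any(parse_ts(a) <= when <= parse_ts(b) for a, b in records.get(user, []))


def investigate(egress_lines, auth_lines, seats=SEAT_USERS, window=timedelta(hours=1)):
    """Return, per implicated user, the evidence the complaint's steps 5-8 collect."""
    egress = parse_egress(egress_lines)
    auth = parse_auth(auth_lines)
    evidence = defaultdict(lambda: {"reads": set(), "uploads": set(),
                                    "file_host_visits": 0, "upload_searches": 0})
    # Steps 5-6: each egress hit on a file host names a seat; check which of the
    # seat's users read the confidential share within `window` before the hit.
    for hit in (e for e in egress if host_of(e["url"]) in FILE_HOSTS):
        for a in auth:
            if (a["user"] in seats.get(hit["ip"], set()) and a["action"] == "READ"
                    and hit["ts"] - window <= a["ts"] <= hit["ts"]):
                evidence[a["user"]]["reads"].add((a["ts"], a["target"]))
                evidence[a["user"]]["uploads"].add(hit["ts"])
    # Step 7: for each implicated user, count their own file-host visits and
    # upload-related searches across the whole egress log.
    for user, ev in evidence.items():
        for e in egress:
            if e["user"] == user:
                ev["file_host_visits"] += int(host_of(e["url"]) in FILE_HOSTS)
                ev["upload_searches"] += int(is_upload_search(e["url"]))
        # Step 8: do the time records place the user at the seat for every upload?
        ev["present"] = all(on_shift(user, t) for t in ev["uploads"])
        ev["reads"] = len(ev["reads"])
        ev["uploads"] = sorted(ev["uploads"])
    return dict(evidence)


if __name__ == "__main__":
    for user, ev in investigate(EGRESS_LOG, AUTH_LOG).items():
        print(user, ev)
```

On the constructed data the only user the correlation implicates is the one who read the share shortly before the seat's upload, searched for file-hosting terms, visited both hosts and was clocked in at the time. Note what this kind of review does not establish: it says who used an account, not whether the account should have been able to read the share in the first place, which is why paragraph 17 of the complaint carries the weight of the case.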

It seems fairly straightforward, but paragraph 17 of the complaint is really the key to the case.

Based on interviews of witnesses in this case, MOORE was authorized to access various portions of the AT&T’s network during the course of his employment, but his access of the AT&T Confidential Information, and subsequent release of the same, exceeded his authorization.

To put it simply, he was not authorized to access the information, but the systems authorized him to access the information.

It’s like he walked through an unlocked door, which of course does not excuse or exonerate Moore, but it brings to light the vulnerability of AT&T data to a call-center contractor.

This information…included thousands of spreadsheets, Microsoft Word documents, Microsoft PowerPoint presentations, image files, PDF files, applications, and other files…related to its 4G network and LTE (“Long Term Evolution”) mobile broadband network, among other topics.”

It’s a story that boils down to role-based access control failures, but it’s also a simple log review story about an ISP tracking the use of an internal non-technical user.

With all the log review data in mind it’s unclear why the complaint ends with a vague nod to LulzSec. Although AT&T might take the position that damages are higher when a famous personality circulates stolen information, they could also be trying to deflate the fame of LulzSec by calling out their association to Moore’s simplistic breach — a combination of “criminals are dumb” and “don’t blame the victim” arguments.

It makes sense for them to openly take this position for such a simplistic breach vector because it does not involve regulated information (e.g. PII or EHR). What does AT&T have to lose from challenging the authority of LulzSec to question their or anyone else’s security practices? In other words, had the data been regulated, AT&T might face fines or other sanctions from standards set by a regulator. Instead, they appear to take aim at the philosophy of unauthorized and anonymous access now associated with LulzSec.

CVE-2011-2696 libsndfile overflow

The changelog and notes on the libsndfile overflow reveal that the fix was rushed and details of the severity are not yet decided.

> > could provide a specially-crafted PAF audio file, which once opened by
> > a local, unsuspecting user in an application, linked against libsndfile,
> > could lead to that particular application crash (denial of service),
I agree with everything up to here.

> > or, potentially arbitrary code execution with the privileges of the
> > user running the application.
but this is rubbish. The heap gets overwritten with zeros which would
certainly lead to the application segfaulting. However, there is
no way for arbitrary code to be executed on any sane OS with proper
memory protection.

Furthermore, Secunia when they contacted me about this said they would
release information about this vulnerability on the 18th and then ended
up releasing it on the 12th instead which means I had to rush out the
release I was working on (and would have easily had ready for the
18th). That is not the way to win friends and influence people.

Why Agile Sucks

Insightful and humorous thoughts on development. His argument is to not blame the tool, blame the tool users…

Yesterday I tried to cut my steak with a spoon and that goddam spoon sucked-ass. Why the hell would anybody ever use a spoon for anything? They are completely useless!

[…]

People tend to inaccurately think that ‘potentially shippable software’ means just build some shit and see what happens. Not the case.

BART Independent Police Auditor job posting

BART has just posted a job listing for Executive Staff Assistant, Independent Police Auditor. The BART Police obviously are generating a lot of demand for independent audits, having killed at least two people recently.

Despite changing chiefs (following last year’s killing) the department is now facing the same heavy criticism from the public. They are accused of taking too long to explain events and details from this past July 3rd, when an officer shot and killed a man 25 seconds after confronting him.

One of the complaints I see is that a 250-member police force has been unapproachable and even refused witness testimony.

Some of the cops began asking if anyone had seen the shooting, she said.

Hollero said she told one police officer that she had, but she said it didn’t seem like the officer was interested in following up. She left the station without giving an interview to police.

In the days since, Hollero called the San Francisco Police Department, which is investigating the shooting, to report what she saw. She reached an officer Wednesday morning; when she identified herself as a witness to the shooting on Sunday, she said the officer asked, “What shooting are you referring to?”

When she told him, he answered that “this is sounding like a BART issue” and said she should call the BART tip line but he didn’t have the number. Hollero said that she then called BART [tip line: 510-464-7040], but only got an answering machine.

The auditor role appears designed to help with that and other important functions for running investigations such as processing and releasing information to the public more quickly.

5. Screens incoming calls, responds to questions and complaints from the general public or from departments; provides information based on knowledge of existing policies, procedures, programs, or services; reviews and investigates problems, and recommends appropriate action or referral; prepares summary reports as required.

6. Obtains essential information from complainants, witnesses, and others, including over the phone, in-person, or through written or electronic correspondence, necessary for the Office of the Independent Police Auditor to initiate an investigation.

7. Receives visitors to the Office of the Independent Police Auditor, including members of the public and individuals from other BART departments, and determines how to address their requests, inquiries, etc.

8. Independently composes, compiles and prepares correspondence, reports and documents; reviews finished materials for completeness, accuracy and compliance with District policies and procedures.

I’ll let you draw your own conclusions from the released surveillance video.

What jumps out to me is that the police draw and fire bullets, yet the video indicates other passengers are not far away and that they sense no serious threat in the station. They leave the area calmly without pausing to assess the danger, which could explain why there have been no amateur videos or photos released.

The official police report says the victim raised a large knife above his head but he is too far away to be seen in the video.

The victim also is said to have broken a glass bottle near the more experienced officer, who then slipped and fell on the liquid. The knife may have been threatening but the sound/visual of a bottle being broken and an officer slipping and falling down sounds far more likely to have been what spooked the less experienced officer into firing his gun. Audio would certainly help…

The only audio so far is a recording of the officer with only 18 months experience calmly reporting that he (officer #41) has just fired shots at a man with a knife and needs a code 3 ambulance (emergency response).

Interesting to note the similarities in the Oscar Grant and Charles Hill investigations. Both were holidays (New Years 2009 and 4th of July 2011), both were late night reports of drunk and disorderly conduct, and both involved officers with less than two years experience firing bullets instead of their taser (although it’s not clear yet whether the officer firing bullets in the latest case was the one carrying a taser).