backtop


Print 24 comment(s) - last by zzeoss.. on Jan 19 at 6:36 AM


Goatse Security may finally pay the price legally for sticking its digital paws in AT&T's gaping iPad security hole.
Some members of Goatse Security reside within the U.S., others outside it

According to an update on Reuters, the FBI will hold a press conference later today to announce charges of theft of personal information and related computer crimes concerning a recent data leak from AT&T.  That means one thing -- Apple and AT&T convinced the feds to formally charge Goatse Security, the research team responsible for grabbing and posting 120,000 iPad users' emails and hardware identifiers from an almost wide-open online database.

Apple and AT&T had been pressing hard for charges for some time now, but all had been quiet on the western front.

Goatse Security, an international team of security researchers prides themselves on discovering and exploiting "gaping holes", obtained a treasure trove of emails, stored in a database, and posted redacted portions of that database back in June on Gawker.  

The info came from a
n AJAX script openly hosted on AT&T's website, which returned an email when handed a hardware identification number called a ICC-ID (integrated circuit card identifiers).  In that regard, Goatse hardly had to "hack" in a traditional sense to obtain the information as authorities are suggesting.  The only trickery at all was to make the request header look like it came from an iPad.  From there it was just a matter of making a PHP script that guessed random ICC-IDs and monitored the returned emails.

Part of what may have landed Goatse in hot water was that it posted the emails of several high profile U.S. political and military figures, including White House Chief of Staff Rahm Emanuel and New York City mayor Michael Bloomberg.  Not all of these individuals' emails obtained were ones freely shared in the public domain -- some were the kind reserved typically for official business.

Based on our prior research, some Goatse Security team members involved in the breach resided within the United States -- Escher "Weev" Auernheimer (Calif.), Christopher Abad (Calif.).  Others -- such as Sam Hocevar (France) -- reside outside the country.  The soon to be announced charges will likely focus on Auernheimer and Abad.  Mr. Auernheimer was already arrested by the FBI in the summer of 2010 on separate, unrelated drug charges.

The charges will likely come, at least in part, from violations of the Computer Fraud Act of 1986 [PDF].  That law, amended by the recent 2001 Patriot Act [PDF] to strengthen penalties for hacking government systems, includes provisions prohibiting unauthorized access of corporate systems with the intent to "defraud".  The rather vague language in the bill has provided the federal government with an ideal blunt instrument to legally beat hackers/security researchers with in the past.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Theft is theft
By Beenthere on 1/18/11, Rating: 0
RE: Theft is theft
By BarkHumbug on 1/18/2011 11:12:57 AM , Rating: 2
Why aren't you commenting on this thread?

http://www.dailytech.com/Major+Record+Labels+Force...


RE: Theft is theft
By wolrah on 1/18/2011 11:20:43 AM , Rating: 1
This isn't like that though. This is more like putting all your possessions on the front lawn and being surprised when someone sees something embarrassing. Nothing was broken in to and nothing was stolen, AT&T freely handed out personal information to anyone who asked for it.


RE: Theft is theft
By marvdmartian on 1/18/2011 11:36:00 AM , Rating: 1
They call that a "yard sale" here in the USA, don't they??


RE: Theft is theft
By vol7ron on 1/18/2011 1:44:16 PM , Rating: 2
quote:
This isn't like that though. This is more like putting all your possessions on the front lawn and being surprised when someone sees something embarrassing. Nothing was broken in to and nothing was stolen, AT&T freely handed out personal information to anyone who asked for it.


"making a PHP script that guessed random ICC-IDs"
Maybe not broken into or stolen, but impersonated.


RE: Theft is theft
By Suntan on 1/18/2011 11:43:46 AM , Rating: 2
This isn’t either of those things….

…This is like posting the private email addresses of people such as the US Chief of Staff and the Mayor of Ney York…

Seriously, feel free to hash out the legal minutia of hacking vs. investigating; stealing from someone’s house vs. stealing from their yard. But posting private info of people in that political realm is just stupid and asking for a lot of headaches from the Feds.

It’s the cyber-equivalent of trying to get your gas powered lawn mower to run while you are sitting in your livingroom. Maybe some J6P can sit behind their computer half a world away and offer you encouragement because technically nothing can go wrong… but it is still a pretty stupid thing to do.

-Suntan


RE: Theft is theft
By bah12 on 1/18/2011 11:55:08 AM , Rating: 2
See my post below, but your analogy is flawed. Even if I put my crap on the front lawn it still doesn't give a passer by the right to take it. Difficutly has nothing to do with it.
quote:
AT&T freely handed out personal information to anyone who asked for it.
No they didn't. They handed it out to an iPad that asked for it. Now it just happens that their method of ID'ing a device as an iPad was INSANELY unsecured, but the firm clearly had to disguise themselves as something they weren't so they database would respond.

IMO FBI is prudent here, charge them and let the courts decide if the simple act of falsifying ones identity to gain access to data is a crime. The simplicity of the hack is irrelevant.


RE: Theft is theft
By bah12 on 1/18/2011 11:46:14 AM , Rating: 3
quote:
In that regard, Goatse hardly had to "hack" in a traditional sense to obtain the information as authorities are suggesting. The only trickery at all was to make the request header look like it came from an iPad. From there it was just a matter of making a PHP script that guessed random ICC-IDs and monitored the returned emails.
Agreed with the OP, difficulty has nothing to do with it. Honestly DT I find this attitude childish at best. Clearly they had to imitate an iPad via the headder. Although a HUGE gaping hole no doubt, that is a far cry from openly hosted.
quote:
The info came from an AJAX script openly hosted on AT&T's website
OK not a far cry, but certainly not openly hosted.

Should ATT and Apple but strung up for this...sure...is what this firm did unethical/illegal...HELL YES! Chastising ATT/Apple for what is clearly a breach of (albeit very lame) security, clearly shows more about the DT editors bias than the actual issue here.

Charges should be brought, then let the courts decide if the act was illegal, but please keep your editorial bias out of the article. Keep your tin foil hat, childish, ATT/Apple "convinced" the FBI, opinion out of it. How can you be so completely concise and thorough about the damn penguin tags, and so utterly bias/childish here.


RE: Theft is theft
By Alexstarfire on 1/18/2011 11:59:45 AM , Rating: 2
I see it as more unethical than illegal. Sounds more like some people got pissed because their information got shown than anything else. I'm sure you'd agree that if this information hadn't been posted we probably wouldn't even have heard about this breach let alone these people getting charged over it.


RE: Theft is theft
By bah12 on 1/18/2011 12:21:13 PM , Rating: 2
Of course we wouldn't but that is not really my qualm here. I think the FBI has a duty in this case to press charges. The firm clearly impersonated an iPad. Easy to do sure, but still an impersonation. For the "net" to be a consumer friendly place these Act's and Laws were put in place to be sure people are whom they say they are. Our society has said that pretending to be something your not to steal information is illegal, this is what they did.

I just find it appalling that Mick has spun this article downplaying the actions of this firm. I don't want to come off as defending ATT/Apple but clearly this firm is not ambivalent.


RE: Theft is theft
By nevermore781 on 1/18/2011 4:37:44 PM , Rating: 2
I have changed my user agent strings in browsers for all kinds of reasons, the majority being "i want the real web site not the mobile one" and secondly for software testing. If i then use the browser to access a site that is specifically designed for my user agent, how am i breaking the law? This was a publically available server, you didnt need to login, and there was no checks and balances to ensure the browser/device accessing the site was what it should be. If anyone should be sued or prosecuted it should be the developer who made the site, the network administrator who published it to the proxy/webhost, or ATT/Apple for being negligent with their customer records. What good is this tool anyway? I see no valid support reason for a tool like this, especially one accessible from outside of an internal network.

Im not saying posting the info wasnt a bad idea, it was, but im failing to see how changing a user agent string is illegal or how accessing something on the internet is illegal.

Pretty simple rule...if you dont want the internet to know about it, dont post it to the internet.


RE: Theft is theft
By rudy on 1/18/2011 6:27:48 PM , Rating: 2
Do you think the FBI should prosecute Data mining companies which use 3rd party cookies to spy on you personal information and or collect web habits then sell that information to others?


RE: Theft is theft
By zzeoss on 1/19/2011 6:36:13 AM , Rating: 2
omg they impoersonated an iPad, how could they? Bastards!
omg my Firefox browser is impersonating an Internet Explorer browse, how could they? Bastards!


d'oh
By Smilin on 1/18/2011 10:50:06 AM , Rating: 5
Look AT&T & Apple had their heads up their butt. That means you should call them out and embarrass them, maybe get some loud PR for your security company.

BUT.. You don't go reposting that information. You're putting innocent people at risk for identity theft or worse. That is the sort of crap a criminal would do, not a reputable security company.

This seems pretty clear cut for FBI involvement. I'm not sure if or why AT&T and Apple would need to pressure them.




RE: d'oh
By MrBlastman on 1/18/2011 11:00:25 AM , Rating: 5
Ya know, that's kinda how my wife works. I can grab all I want, but if I post about it, I'm totally in hot water...


RE: d'oh
By Smilin on 1/18/2011 12:00:48 PM , Rating: 3
I know.


RE: d'oh
By heffeque on 1/18/2011 4:46:12 PM , Rating: 2
Goatse Security... what's next? Lemonparty Security?


RE: d'oh
By Smilin on 1/18/2011 4:47:43 PM , Rating: 2
Ah the random unexplained downrate.


Change the company name to
By MPE on 1/18/2011 11:11:58 AM , Rating: 5
Facebook and you should be ok.




Interesting fact
By ss284 on 1/18/2011 10:45:57 AM , Rating: 2
If you look real closely, you can see that goatse man is actually happily married.




Yellow pages, anyone?
By ians55 on 1/18/2011 1:42:04 PM , Rating: 2
It looks to me as the Yellow Pages: you guess first and last name of a person, bam-wham, you get his personal phone number. What a serious hack! :)




Rediculous
By rudy on 1/18/2011 6:28:55 PM , Rating: 2
How can an article with goatse in the title not have a goatse picture.




O..K
By brshoemak on 1/18/2011 11:41:52 AM , Rating: 1
Let me first say that I don't condone posting that kind of information online just for the sake of doing it. However...
quote:
That law, amended by the recent 2001 Patriot Act to strengthen penalties for hacking government systems, includes provisions prohibiting unauthorized access of corporate systems with the intent to "defraud"

Since when were iPads part of a government corporate system? What kind of security implementations are in place on iPads to made them capable of accessing government/corporate networks in a secure manner? Is there a remote wipe feature? If they are approved, then what the hell are people thinking?




those with money win again
By chang3d on 1/18/11, Rating: 0
"I mean, if you wanna break down someone's door, why don't you start with AT&T, for God sakes? They make your amazing phone unusable as a phone!" -- Jon Stewart on Apple and the iPhone














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki