backtop


Print 65 comment(s) - last by atlmann10.. on Jun 21 at 12:52 AM


Andrew Auernheimer's mugshot  (Source: Washington County's Sheriff's Office)
Details have not been released but some are speculating AT&T requested the raid

Andrew Auernheimer, aka "weev" or "Escher Auernheimer", masterminded Goatse Security's harvest of 114,000 iPad users' private email addresses using AT&T's wide open website.  Now Auernheimer is in prison facing felony possession charges.

Auernheimer, 24, was arrested in his home late Tuesday when police raided it.  At this point its unknown whether the raid was triggered by AT&T or was unrelated to the iPad drama.  AT&T sent an apology to customers writing that it was investigating the "malicious" "attack" by "hackers", and has since wrote that it is cooperating with the FBI in the inquiry.

What is clear was that a large amount of controlled substances, including cocaine, LSD and ecstasy, were found in Auernheimer's house.

For now Auernheimer is in jail awaiting multiple criminal possession charges.  He is currently incarcerated at Washington Country Detention Center in Fayetteville, Arkansas.

The arrest has triggered a great deal of anger against AT&T, probably partially because it reminds many of Apple's requested raid on 
Gizmodo journalist Jason Chen's house, after Chen purchased a lost iPhone 4 prototype.  Cult of Mac writes:

That’s one way of putting it. Another way of putting it is that AT&T’s security malfeasance exposed the private user details of over a hundred thousand customers, and are now busy hunting down and vilifying the benign group of security activists who alerted them to the problem before less well-meaning hacker groups could exploit the data.
While Auernheimer’s arrest for drug charges is obviously warranted by the letter of the law, it’s hard to escape the fact that the Feds shouldn’t have even been at his house. Goatse did both the public and AT&T a service by publicizing a dangerous security vulnerability before it could be maliciously exploited. They didn’t publish the exploit until AT&T had closed the hole. They insisted that any published customer records had the personal information removed first.

Indeed if the raid ends up being based on the iPad investigation, it may end up being ruled invalid, considering no charges have been filed in that investigation.  

The Goatse Security researchers point out that they went to no elaborate means to obtain the information.  AT&T's website freely provided email addresses to requests with spoofed iPad headers containing an ICC-ID number.  Spoofing is by no means illegal -- most cell phones do it to change between mobile version of sites and the full version.  And all Goatse Security did was guess numbers.

They state that they felt compelled to leak the information after Apple and AT&T still haven't fixed a gaping Safari hole on the iPad.  They revealed that hole way back in March, and nothing has been done.  The group says that if they did not approach the media with the massive amount of emails they gathered, the company would have done nothing and would continue to endanger its customers.

AT&T is currently facing more problems -- during the iPhone 4 preorder madness yesterday, it apparently exposed private information of customers by misdirecting users logging in to other peoples' accounts.  This time no "hackers" were involved.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Kinda scary
By quiksilvr on 6/16/2010 9:06:50 AM , Rating: -1
Yeah, like stealing over 100,000 of your customers' private information. What an EVIL corporation that ensures that our privacy is kept away from a drug addict hacker. BRAVO, good sir, on that wonderfully constructed criticism.


RE: Kinda scary
By JasonMick (blog) on 6/16/2010 9:13:21 AM , Rating: 5
quote:
Yeah, like stealing over 100,000 of your customers' private information. What an EVIL corporation that ensures that our privacy is kept away from a drug addict hacker. BRAVO, good sir, on that wonderfully constructed criticism.


Stealing?? Try taking what was given away.

AT&T's website freely gave email addresses if you sent it a request containing an ICC-ID number (which you could randomly guess) on a message with an iPad header. Header spoofing is absolutely legal -- a vast number of smart phone use it to switch between mobile websites and full websites.

Goatse Security went to a legitimate source -- a media network -- with this information. Considering the last issue it reported to Apple and AT&T, a gaping hole in Safari STILL hasn't been fixed, I'd say Goatse Security was justified in taking this approach.

If anything they are helping present and future iPad customers by forcing AT&T to close this route of email harvesting.


RE: Kinda scary
By thrust2night on 6/16/2010 9:55:09 AM , Rating: 5
Careful what you say Mick. You're bordering on heresy. AT&T and Jobs are watching you. Do you want your house raided? DO YOU? :D


RE: Kinda scary
By hubbabubbagum on 6/16/2010 10:08:23 AM , Rating: 2
Good point!

I hereby retract all my comments on this board and all of my IRL criticism of Apple's fascist interface-policies and frustratingly limited user-experience.

Good luck Jason Mick and may Jobs have mercy on your soul!


RE: Kinda scary
By paydirt on 6/16/2010 10:52:55 AM , Rating: 5
I love AT&T. I love Apple. I love the U.S. Government. I love AT&T. I love Apple. I love the U.S. Government. I love AT&T. I love Apple. I love the U.S. Government. I love AT&T. I love Apple. I love the U.S. Government. I love AT&T. I love Apple. I love the U.S. Government.


RE: Kinda scary
By HakonPCA on 6/16/2010 12:05:07 PM , Rating: 3
the leader is good, the leader is great...


RE: Kinda scary
By HakonPCA on 6/16/2010 12:06:02 PM , Rating: 3
or....

nah-na-nah-na-nah-na-nah-na....batman....I mean....Leader


RE: Kinda scary
By ekv on 6/16/2010 12:06:35 PM , Rating: 4
love? meh. I'm from the Gov't and I'd prefer cash. You can wire soft money to the following account ...


RE: Kinda scary
By Samus on 6/16/2010 3:44:52 PM , Rating: 5
That guys resembles more of a pothead than a coke head. The only drug of any of those that fits a "hacker profile" is LSD. The speed effect hackers seek comes in the form of energy drinks and coffee. This guy probably makes 50k a year and from the looks of it, it'd be doubtful he could afford this expensive cocktail of drugs, especially some of which metabolically conflict. Extacy is a SSRI, cocain is an MAOI, LSD we don't really know how it works, but causes brain damage in rats when taken with SSRI's.

This guy would have nervous system and possibly brain damage if he did these drugs within short periods of each other.

Leading me to believe they were planted.


RE: Kinda scary
By Shin Messiah on 6/17/2010 12:14:29 AM , Rating: 2
Well I might not speak for a lot of people, but years ago (about 5) when i was going through that phase of my life, I often mixed XTC and LSD on a fairly regular basis. Its called "candy flipping", shrooms and LSD would be "flower fliping". And yes the combined effect was the strongest I ever experienced, with out doing coke or heroin or meth outright, which I have never done. Another thing, its been known for years that various chefs cooking different batches of XTC are cut/combined with different chemicals or compounds to create experiences (or highs) that differentiate them from their competitors. Often times its cut with coke or speed or both. Sometimes heroin but not too much anymore because of the cost. I myself have tried many of these different batches before, for a period of about 4-5 years. That being said, after 4 years and change being clean, yeah i got some screws loose, but all my nuts and bolts are definitely intact. I serious doubt I have brain damage. I will also debate that LSD fits a hacker profile. If you have ever done any sort of LSD or serious hallucinogen you will quickly realize that, its almost possible to sit still for a minute or concentrate on one thing, let alone seriously trying to evade security measures (i.e. heavy problem solving skills), typing (motor skills), while simultaneously not leaving any tracks or believing that your monitor and keyboard are trying to eat you and the mouse is running up your back. So, to me LSD does not fit and coke might actually fit better. But I do agree on your first point, at worst this guy looks nothing more that an a pothead, but I digress.

And while its quite possible that the drugs were planted, as nothing really surprises in this day and age, I would like provide a different angle as to the drugs might have been there. "Security Expert" hackers or whatever an make a lot of money or little money depended what you are involved with. Its quite possible that he was investing the money "earned" into these narcotics and to turn around and making a killing on profit from the sale of them. He doesn't look like the street vendor type, but depending on the quantity of stuff that was supposedly recovered, he may have just been a distributor. Makes perfect sense if you think about it. The drugs sell themselves basically, just acquire them and the minions move it for him, while allowing him to sit in front of them screen and do what he does best. The truth may be weirder still, but given my experience in these areas, it seems like the most viable scenario. Once again just my opinion.


RE: Kinda scary
By atlmann10 on 6/21/2010 12:52:20 AM , Rating: 2
He is most likely also a chemist, while the speed type of drugs (Cocaine) found were to keep him awake! While the cut's you list are totally wrong, crystal and heroin are used often coke will not mix because of it's makeup, no matter what you were told by your dealer, or friend who claimed he knew everything.

I know a good bit about it because I used to run a promotion company and organized DJ's and venues for the parties (Raves) when they first started in the US. While I never had anything to do with the manufacture of drug's I had to know what everything did when we would have incidents at my event's (OD's) it happens pretty often when you have a few thousand people together for such a night.

Most of the information I have (While I will not say I never tried any of it), is from Medical personnel especially EMT's. Cocaine and X especially can directly kill you when or if combined. Of course most drugs can also have that effect singularly. The combination is especially dangerous of those to. As far a LSD and X back in the day was know as Trolling, Mushrooms and X were candy flipping. Of course My rave days start in the late 80's and ran largely through the 90's-2002. Where yours sound like they start in the 2000's.


RE: Kinda scary
By chiadog on 6/17/2010 12:52:08 PM , Rating: 2
Where do we line up for our Koolaid? ;o


RE: Kinda scary
By Phynaz on 6/16/10, Rating: -1
RE: Kinda scary
By SSDMaster on 6/16/2010 10:22:56 AM , Rating: 3
Yes... it is. The security hole isn't there anymore now is it?


RE: Kinda scary
By Aikouka on 6/16/10, Rating: -1
RE: Kinda scary
By problemcauser on 6/16/2010 1:46:33 PM , Rating: 5
Goatse didn't reveal the 100,000 email addresses. Revealing that they collected email addresses and how (ie. the exploit) is not the same as revealing the actual addresses, you butthole. Pay attention when you read next time.


RE: Kinda scary
By problemcauser on 6/16/2010 1:49:35 PM , Rating: 2
Also, I know I'm wrong. I just thought it would be funny to call you "butthole." I was originally going to write "butt whole." Revealing 114,000 email addresses is fine and dandy, imo, if the goal is to protect those 114,000 people and it's the only way AT&T or Apple will pay attention and LEARN to be secure with our information.


RE: Kinda scary
By MrBlastman on 6/16/2010 10:27:47 AM , Rating: 5
They could have used the information to profit off it--instead, they informed AT&T so they could fix it.

That sounds like helping to me. How is it not?

Instead, they are now being punished for it? You are the one that needs to grow up.

This just teaches everyone to abuse flaws, never do the right thing and make as much money as you can because you'll need every cent to pay your inevitable lawyer bills.


RE: Kinda scary
By tastyratz on 6/16/2010 10:18:10 AM , Rating: 2
Exactly, its not even exploiting or far enough to call white hat. Goatse revealed a huge flaw before someone who WOULDN'T reveal it to the public found it (as far as we know).

Why is it this brings to mind the movie antitrust? Anyone remember that flick?

Would my tinfoil hat gleam ever so much if I were to raise suspicion here? Does this guy have any background of drug use/abuse/sales or did he just get raided conveniently and happen to have a stash? Has he released any kind of statement in the line of innocent or guilty?


RE: Kinda scary
By AstroCreep on 6/16/2010 11:09:13 AM , Rating: 3
quote:
Goatse Security went to a legitimate source -- a media network -- with this information. ... 'd say Goatse Security was justified in taking this approach.

Fine line, my friend.
Goatse allegedly made the exploit available to interested parties unrelated to AT&T or Apple BEFORE alerting AT&T or the media of it.

It's one thing to tell AT&T then publicly say "We were able to obtain thousands of e-mail address because of a giant F-up on AT&T's website" but it's another to give the information to other groups (who may potentially malicious designs for it) before alerting AT&T.


RE: Kinda scary
By Aikouka on 6/16/2010 11:12:10 AM , Rating: 5
Jason, this quote will reflect my problem with this ordeal:

quote:
Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it's not known exactly whose hands the exploit fell into and what those people did with the names they obtained.

Source: http://gawker.com/5559346/apples-worst-security-br...

Now, I have no problem with white hat hackers attempting to help close security holes, but they shared their exploit with people who we have no idea what their end goal is. They also released the entire list of e-mail addresses and associated ICC IDs into the public. Was that even necessary to prove a point?

I have no problem with taking the finding to the media, but releasing your information? The whole point of going to the media was to show that they could get potentially private information, so if the information is private, why release it? You can easily state the severity without such measures.

Also, whether or not faking your ICC ID is alright simply because it exists within a HTTP Post request is really a very gray area. I could potentially hack your router by taking an example POST request sent to it and spamming it with the example's password field filled in with generated values until I gain access. Is this legit? I'd really hope you say no! In the example, I did nothing different as both simply alter a HTTP POST request.

Their excuse for their drastic measures seems to be that they are angry that Apple never fixed a Safari security vulnerability. That's a pretty terrible reason to release the details of the vulnerability before it's fixed and to release the information you retrieved with it.


RE: Kinda scary
By Lifted on 6/16/2010 3:30:41 PM , Rating: 2
There are many possible reasons that they shared the script with others. Why do you think it was with "bad" others?

If I was going to release this information, before putting a target on my head, I'd certainly share what I found with other white hats in order to confirm that the security hole was as wide open as I claim it to be, and I didn't not "hack" my way into AT&T's network. What is goatse to do if AT&T removes all evidence of the vulnerability and tells the FBI "There was no vulnerability. They hacked us."?

Perhaps they only said it was shared with "third parties" in order to get AT&T and their customers to take the vulnerability seriously. Since nobody knows (perhaps AT&T does - through logs) if anyone else was able to access this info before goatse, it's best to have AT&T's customers keep alert to potential fraud by stating that other people out there may have their info, and may be up to no good.


RE: Kinda scary
By BioRebel on 6/16/2010 9:15:02 AM , Rating: 4
You mean revealing to the public that you're not doing your job when it comes to securing your customers information properly.


RE: Kinda scary
By MrBlastman on 6/16/10, Rating: -1
RE: Kinda scary
By hubbabubbagum on 6/16/10, Rating: 0
RE: Kinda scary
By JasonMick (blog) on 6/16/2010 9:44:21 AM , Rating: 2
quote:
So, because he did drugs you conclude that Apple did not compromise user-security?


Actually, in this case it was AT&T who left the door wide open.

If you want to h4te on Apple, you should be talking about the iPad's Safari browser which still has a flaw that allows traffic to travel on authorized ports, allowing it to be used as an attack device. The flaw was revealed in March by Goatse Security and STILL hasn't been fixed.

http://www.dailytech.com/Goatse+Reveals+Another+Ga...

Apple is primarily to blame for that one.

If you want to talk trash, get your stories straight first. :)


RE: Kinda scary
By hubbabubbagum on 6/16/2010 9:59:45 AM , Rating: 2
Oops, I thought this was about the Safari hole :D

Sorry Apple lovers!


RE: Kinda scary
By darkpuppet on 6/16/2010 10:12:30 AM , Rating: 2
Just because someone can pick your door lock doesn't make it right for them to walk in and take your stuff to prove to you that your door isn't secure.

While I wouldn't absolve AT&T for not taking better measures to secure the information, if the hackers identified a security hole, they shouldn't be walking in and taking information. Most legit security firms would first contact the companies involved and then publicize the hole... not go in, grab a tonne of information, and then publish it all to the web.

But like a lot of hackers, you have a couple of guys with an ego to feed and little common sense.


RE: Kinda scary
By SSDMaster on 6/16/2010 10:25:05 AM , Rating: 3
There was no lock to pick in this case.

AT&T left all of their stuff in front of their house by the side of the road with a "free" sign next to it.


RE: Kinda scary
By Jaybus on 6/16/2010 10:48:19 AM , Rating: 3
No. They may have left it in the front lawn, but there was no "free" sign next to it. You still don't walk onto someone's lawn and take their stuff because it isn't nailed down.

AT&T certainly screwed up, but that isn't relevant to what Goatse did. They fraudulently supplied ICC-ID numbers to obtain the e-mail addresses. That could be overlooked, had they done this a few times as proof of concept. However they did it thousands of times and destroyed any credibility that they may have had. "Because you can" is not a valid excuse for taking someone's stuff. It begs the question, "Why did Goatse take thousands of e-mail addresses when only a few would have proven the security hole?"


RE: Kinda scary
By boobo on 6/16/2010 11:06:29 AM , Rating: 2
But it wasn't "their stuff." It was their customers' stuff. They were supposed to be safe keeping it. They made their customers feel that their stuff was being kept safe and protected, all the while leaving it unguarded behind an unlocked door.

If you suspect that this is happening, checking to make sure that the door is unlocked and alerting first the company so that they would lock it and then the customers so that they would know the risk is almost a civic duty.


RE: Kinda scary
By wiz220 on 6/16/2010 11:21:01 AM , Rating: 2
Look, the POINT is that they did nothing illegal as far as the computing world goes. Most companies would have thanked them and given them jobs as consultants!


RE: Kinda scary
By darkpuppet on 6/16/2010 8:44:36 PM , Rating: 2
There are many ways to lock information down. Saying that there were no locks in place would be akin to saying that anything that's not a deadbolt isn't a lock.

They required an id to see the information they were looking for. They basically had to bruteforce it to find spammed ids that would work for them.

So the information, regardless of how flimsy the protection, was indeed behind a very basic level of protection.

And that's how things get missed. It could have just as easily been behind https or other encryption and someone could have found a way around it.

but then again... It sounds like a few of you have a big ol' chip on your shoulders...


RE: Kinda scary
By Visual on 6/16/2010 10:32:43 AM , Rating: 1
Taking your stuff would be a crime, but picking your lock, as a demo in front of you, I would not consider a crime. And I don't care what the law or you in particular think about my opinion, either.


RE: Kinda scary
By SSDMaster on 6/16/2010 11:12:48 AM , Rating: 3
Why do people keep bringing up these "locks". There's not even HTTPS involved here. (Am I wrong? I thought this was all open on the web with no security being broken.)


RE: Kinda scary
By zmatt on 6/16/2010 10:33:33 AM , Rating: 5
standard apple procedure regarding security holes is as follows

1. clamp hands firmly over ears.
2. scream LALALALALA at the top of your lungs
3. reassure users macs are omniscient and immune to all attacks.


RE: Kinda scary
By r4jd on 6/16/2010 9:55:40 AM , Rating: 1
We don't KNOW he is a drug addict, but according to (http://seclists.org/fulldisclosure/2009/Sep/174) he might be a nut and antisemitic. He has been hassled by the FBI in an investigation started over a threatening phone call to a synagogue. He got out of it and claimed the man who called was blackmailed by a rabbi, but that sounds crazy. Sounds like extreme hacker prank wars.

Either way, once you're on an FBI watch list, stop keeping drugs at your house.


RE: Kinda scary
By Jaybus on 6/16/2010 10:27:08 AM , Rating: 2
quote:
We don't KNOW he is a drug addict...

OK, drug addict and/or dealer.
quote:
Either way, once you're on an FBI watch list, stop keeping drugs at your house.

True. More likely addict than dealer, then.


RE: Kinda scary
By r4jd on 6/16/2010 11:28:11 AM , Rating: 2
I will be surprised if the numbers come out and he has more than a personal collection of drugs. I read somewhere he had 4 felonies, but any quantity of LSD, coke, or rolls is a felony in Arkansas (pretty sure).

He has been taken into FBI custody before and let off because he was "set up", and there are plenty of people that would justify planting drugs out of vengeance or frustration. He once wrote that there was a FBI agent that had it out for him. Just keep the possibility that he is innocent in mind.


RE: Kinda scary
By ekv on 6/16/2010 12:16:20 PM , Rating: 2
It does seem kind of funny/strange. A smart guy, as far as computers go at least, he jacks AT&T and knows they are hot under the collar, knows the lawyers are going to knock on the door sooner rather than later, but then keeps a felony sized stash of drugs at his residence?

Of course, if he has a rap-sheet....


RE: Kinda scary
By zmatt on 6/16/2010 10:53:39 AM , Rating: 2
I dunno, judging by his name I would say he may be jewish himself. Then again feud between members of the same religion isn't unheard of. he could be ex-jewish for all we know.


RE: Kinda scary
By Iaiken on 6/16/2010 9:58:04 AM , Rating: 3
Dear Moron,

What AT&T did was equivalent to leaving the confidential information of 100,000 customers in a public park. Was it in plain view? No, but it was in a publicly accessible area where anyone could have (and many probably did) walk away with confidential information.

In conclusion, your dumb ass need to go back to school for reading and comprehension.

Love,

Ike


"When an individual makes a copy of a song for himself, I suppose we can say he stole a song." -- Sony BMG attorney Jennifer Pariser














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki