Print 65 comment(s) - last by atlmann10.. on Jun 21 at 12:52 AM

Andrew Auernheimer's mugshot  (Source: Washington County's Sheriff's Office)
Details have not been released but some are speculating AT&T requested the raid

Andrew Auernheimer, aka "weev" or "Escher Auernheimer", masterminded Goatse Security's harvest of 114,000 iPad users' private email addresses using AT&T's wide open website.  Now Auernheimer is in prison facing felony possession charges.

Auernheimer, 24, was arrested in his home late Tuesday when police raided it.  At this point its unknown whether the raid was triggered by AT&T or was unrelated to the iPad drama.  AT&T sent an apology to customers writing that it was investigating the "malicious" "attack" by "hackers", and has since wrote that it is cooperating with the FBI in the inquiry.

What is clear was that a large amount of controlled substances, including cocaine, LSD and ecstasy, were found in Auernheimer's house.

For now Auernheimer is in jail awaiting multiple criminal possession charges.  He is currently incarcerated at Washington Country Detention Center in Fayetteville, Arkansas.

The arrest has triggered a great deal of anger against AT&T, probably partially because it reminds many of Apple's requested raid on 
Gizmodo journalist Jason Chen's house, after Chen purchased a lost iPhone 4 prototype.  Cult of Mac writes:

That’s one way of putting it. Another way of putting it is that AT&T’s security malfeasance exposed the private user details of over a hundred thousand customers, and are now busy hunting down and vilifying the benign group of security activists who alerted them to the problem before less well-meaning hacker groups could exploit the data.
While Auernheimer’s arrest for drug charges is obviously warranted by the letter of the law, it’s hard to escape the fact that the Feds shouldn’t have even been at his house. Goatse did both the public and AT&T a service by publicizing a dangerous security vulnerability before it could be maliciously exploited. They didn’t publish the exploit until AT&T had closed the hole. They insisted that any published customer records had the personal information removed first.

Indeed if the raid ends up being based on the iPad investigation, it may end up being ruled invalid, considering no charges have been filed in that investigation.  

The Goatse Security researchers point out that they went to no elaborate means to obtain the information.  AT&T's website freely provided email addresses to requests with spoofed iPad headers containing an ICC-ID number.  Spoofing is by no means illegal -- most cell phones do it to change between mobile version of sites and the full version.  And all Goatse Security did was guess numbers.

They state that they felt compelled to leak the information after Apple and AT&T still haven't fixed a gaping Safari hole on the iPad.  They revealed that hole way back in March, and nothing has been done.  The group says that if they did not approach the media with the massive amount of emails they gathered, the company would have done nothing and would continue to endanger its customers.

AT&T is currently facing more problems -- during the iPhone 4 preorder madness yesterday, it apparently exposed private information of customers by misdirecting users logging in to other peoples' accounts.  This time no "hackers" were involved.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Kinda scary
By darkpuppet on 6/16/2010 10:12:30 AM , Rating: 2
Just because someone can pick your door lock doesn't make it right for them to walk in and take your stuff to prove to you that your door isn't secure.

While I wouldn't absolve AT&T for not taking better measures to secure the information, if the hackers identified a security hole, they shouldn't be walking in and taking information. Most legit security firms would first contact the companies involved and then publicize the hole... not go in, grab a tonne of information, and then publish it all to the web.

But like a lot of hackers, you have a couple of guys with an ego to feed and little common sense.

RE: Kinda scary
By SSDMaster on 6/16/2010 10:25:05 AM , Rating: 3
There was no lock to pick in this case.

AT&T left all of their stuff in front of their house by the side of the road with a "free" sign next to it.

RE: Kinda scary
By Jaybus on 6/16/2010 10:48:19 AM , Rating: 3
No. They may have left it in the front lawn, but there was no "free" sign next to it. You still don't walk onto someone's lawn and take their stuff because it isn't nailed down.

AT&T certainly screwed up, but that isn't relevant to what Goatse did. They fraudulently supplied ICC-ID numbers to obtain the e-mail addresses. That could be overlooked, had they done this a few times as proof of concept. However they did it thousands of times and destroyed any credibility that they may have had. "Because you can" is not a valid excuse for taking someone's stuff. It begs the question, "Why did Goatse take thousands of e-mail addresses when only a few would have proven the security hole?"

RE: Kinda scary
By boobo on 6/16/2010 11:06:29 AM , Rating: 2
But it wasn't "their stuff." It was their customers' stuff. They were supposed to be safe keeping it. They made their customers feel that their stuff was being kept safe and protected, all the while leaving it unguarded behind an unlocked door.

If you suspect that this is happening, checking to make sure that the door is unlocked and alerting first the company so that they would lock it and then the customers so that they would know the risk is almost a civic duty.

RE: Kinda scary
By wiz220 on 6/16/2010 11:21:01 AM , Rating: 2
Look, the POINT is that they did nothing illegal as far as the computing world goes. Most companies would have thanked them and given them jobs as consultants!

RE: Kinda scary
By darkpuppet on 6/16/2010 8:44:36 PM , Rating: 2
There are many ways to lock information down. Saying that there were no locks in place would be akin to saying that anything that's not a deadbolt isn't a lock.

They required an id to see the information they were looking for. They basically had to bruteforce it to find spammed ids that would work for them.

So the information, regardless of how flimsy the protection, was indeed behind a very basic level of protection.

And that's how things get missed. It could have just as easily been behind https or other encryption and someone could have found a way around it.

but then again... It sounds like a few of you have a big ol' chip on your shoulders...

RE: Kinda scary
By Visual on 6/16/2010 10:32:43 AM , Rating: 1
Taking your stuff would be a crime, but picking your lock, as a demo in front of you, I would not consider a crime. And I don't care what the law or you in particular think about my opinion, either.

RE: Kinda scary
By SSDMaster on 6/16/2010 11:12:48 AM , Rating: 3
Why do people keep bringing up these "locks". There's not even HTTPS involved here. (Am I wrong? I thought this was all open on the web with no security being broken.)

"Nowadays you can buy a CPU cheaper than the CPU fan." -- Unnamed AMD executive

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki