

Andrew Auernheimer's mugshot  (Source: Washington County's Sheriff's Office)
Details have not been released but some are speculating AT&T requested the raid

Andrew Auernheimer, aka "weev" or "Escher Auernheimer", masterminded Goatse Security's harvest of 114,000 iPad users' private email addresses using AT&T's wide open website.  Now Auernheimer is in prison facing felony possession charges.

Auernheimer, 24, was arrested in his home late Tuesday when police raided it.  At this point it's unknown whether the raid was triggered by AT&T or was unrelated to the iPad drama.  AT&T sent an apology to customers writing that it was investigating the "malicious" "attack" by "hackers", and has since written that it is cooperating with the FBI in the inquiry.

What is clear is that a large amount of controlled substances, including cocaine, LSD and ecstasy, were found in Auernheimer's house.

For now Auernheimer is in jail awaiting multiple criminal possession charges.  He is currently incarcerated at Washington County Detention Center in Fayetteville, Arkansas.

The arrest has triggered a great deal of anger against AT&T, probably partially because it reminds many of Apple's requested raid on Gizmodo journalist Jason Chen's house, after Chen purchased a lost iPhone 4 prototype.  Cult of Mac writes:

That’s one way of putting it. Another way of putting it is that AT&T’s security malfeasance exposed the private user details of over a hundred thousand customers, and are now busy hunting down and vilifying the benign group of security activists who alerted them to the problem before less well-meaning hacker groups could exploit the data.
While Auernheimer’s arrest for drug charges is obviously warranted by the letter of the law, it’s hard to escape the fact that the Feds shouldn’t have even been at his house. Goatse did both the public and AT&T a service by publicizing a dangerous security vulnerability before it could be maliciously exploited. They didn’t publish the exploit until AT&T had closed the hole. They insisted that any published customer records had the personal information removed first.

Indeed if the raid ends up being based on the iPad investigation, it may end up being ruled invalid, considering no charges have been filed in that investigation.  

The Goatse Security researchers point out that they used no elaborate means to obtain the information.  AT&T's website freely provided email addresses to requests with spoofed iPad headers containing an ICC-ID number.  Spoofing is by no means illegal -- most cell phones do it to change between mobile versions of sites and the full version.  And all Goatse Security did was guess numbers.
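An added example, not from the article, AT&T or Goatse Security: because a genuine device only ever presents its own ICC-ID, server-side logs can flag any client that submits many different ones, whatever headers it sends. The log layout, addresses, identifiers and threshold below are constructed assumptions.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed log records: (client_ip, user_agent, icc_id, http_status)."""
    log = [
        ("198.51.100.7", "iPad", "89014100000000000017", 200),
        ("198.51.100.7", "iPad", "89014100000000000017", 200),
        ("198.51.100.9", "iPad", "89014100000000000421", 200),
    ]
    # One client walking a run of guessed identifiers; most guesses miss.
    for n in range(500, 560):
        status = 200 if n % 4 == 0 else 404
        log.append(("203.0.113.50", "iPad", f"890141000000000{n:05d}", status))
    return log


def find_enumerators(log, max_ids_per_client=3):
    """Return {client_ip: stats} for clients presenting too many distinct ICC-IDs.

    The User-Agent is deliberately ignored: it is client-controlled, so it
    cannot distinguish a real device from a script.
    """
    seen = defaultdict(set)     # client -> distinct ICC-IDs requested
    total = defaultdict(int)    # client -> number of requests
    misses = defaultdict(int)   # client -> requests for unknown ICC-IDs
    for ip, _user_agent, icc_id, status in log:
        seen[ip].add(icc_id)
        total[ip] += 1
        if status == 404:
            misses[ip] += 1

    flagged = {}
    for ip, ids in seen.items():
        if len(ids) > max_ids_per_client:
            flagged[ip] = {
                "distinct_ids": len(ids),
                "requests": total[ip],
                "miss_ratio": round(misses[ip] / total[ip], 2),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumerators(build_sample_log()).items():
        print(ip, stats)
```

Detection of this kind only limits the damage; the underlying fix is for the lookup to require proof that the requester owns the identifier rather than trusting a guessable number.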

They state that they felt compelled to leak the information because Apple and AT&T still hadn't fixed a gaping Safari hole on the iPad.  They revealed that hole way back in March, and nothing has been done.  The group says that if they had not approached the media with the massive amount of emails they gathered, the company would have done nothing and would have continued to endanger its customers.

AT&T is currently facing more problems -- during the iPhone 4 preorder madness yesterday, it apparently exposed private information of customers by misdirecting users logging in to other people's accounts.  This time no "hackers" were involved.



Comments



RE: Kinda scary
By Aikouka on 6/16/2010 11:12:10 AM , Rating: 5
Jason, this quote will reflect my problem with this ordeal:

quote:
Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it's not known exactly whose hands the exploit fell into and what those people did with the names they obtained.

Source: http://gawker.com/5559346/apples-worst-security-br...

Now, I have no problem with white hat hackers attempting to help close security holes, but they shared their exploit with people who we have no idea what their end goal is. They also released the entire list of e-mail addresses and associated ICC IDs into the public. Was that even necessary to prove a point?

I have no problem with taking the finding to the media, but releasing your information? The whole point of going to the media was to show that they could get potentially private information, so if the information is private, why release it? You can easily state the severity without such measures.

Also, whether or not faking your ICC ID is alright simply because it exists within a HTTP Post request is really a very gray area. I could potentially hack your router by taking an example POST request sent to it and spamming it with the example's password field filled in with generated values until I gain access. Is this legit? I'd really hope you say no! In the example, I did nothing different as both simply alter a HTTP POST request.

Their excuse for their drastic measures seems to be that they are angry that Apple never fixed a Safari security vulnerability. That's a pretty terrible reason to release the details of the vulnerability before it's fixed and to release the information you retrieved with it.


RE: Kinda scary
By Lifted on 6/16/2010 3:30:41 PM , Rating: 2
There are many possible reasons that they shared the script with others. Why do you think it was with "bad" others?

If I was going to release this information, before putting a target on my head, I'd certainly share what I found with other white hats in order to confirm that the security hole was as wide open as I claim it to be, and I did not "hack" my way into AT&T's network. What is goatse to do if AT&T removes all evidence of the vulnerability and tells the FBI "There was no vulnerability. They hacked us."?

Perhaps they only said it was shared with "third parties" in order to get AT&T and their customers to take the vulnerability seriously. Since nobody knows (perhaps AT&T does - through logs) if anyone else was able to access this info before goatse, it's best to have AT&T's customers keep alert to potential fraud by stating that other people out there may have their info, and may be up to no good.
















Copyright 2014 DailyTech LLC.