to an update on Reuters, the FBI
will hold a press conference later today to announce charges of theft of
personal information and related computer crimes concerning a recent data leak
from AT&T. That means one thing -- Apple and AT&T convinced the
feds to formally charge Goatse Security, the research team responsible for
grabbing and posting 120,000 iPad users' emails and hardware identifiers from
an almost wide-open online database.
Apple and AT&T had been pressing hard for charges for some time now, but
all had been quiet on the western front.
Goatse Security, an international team of security researchers prides
themselves on discovering and exploiting "gaping holes", obtained a treasure trove of emails, stored in a database, and
posted redacted portions of that database back in June on Gawker.
The info came from an AJAX script openly hosted on AT&T's website, which
returned an email when handed a hardware identification number called a ICC-ID (integrated circuit card identifiers). In
that regard, Goatse hardly had to "hack" in a traditional sense to
obtain the information as authorities are suggesting. The only trickery
at all was to make the request header look like it came from an iPad.
From there it was just a matter of making a PHP script that guessed
random ICC-IDs and monitored the returned emails.
Part of what may have landed Goatse in hot water was that it posted the emails
of several high profile U.S. political and military figures, including White
House Chief of Staff Rahm Emanuel and New York City mayor Michael Bloomberg.
Not all of these individuals' emails obtained were ones freely shared in
the public domain -- some were the kind reserved typically for official
Based on our prior research, some Goatse Security team members
involved in the breach resided within the United States -- Escher "Weev" Auernheimer (Calif.), Christopher
Abad (Calif.). Others -- such as Sam
Hocevar (France) -- reside outside the country. The soon
to be announced charges will likely focus on Auernheimer and Abad. Mr.
Auernheimer was already arrested by the FBI in the summer of
2010 on separate, unrelated drug charges.
The charges will likely come, at least in part, from violations of the Computer
Fraud Act of 1986 [PDF]. That law, amended by the recent 2001
Patriot Act [PDF] to strengthen penalties for hacking
government systems, includes provisions prohibiting unauthorized access of
corporate systems with the intent to "defraud". The rather
vague language in the bill has provided the federal government with an ideal
blunt instrument to legally beat hackers/security researchers with in the past.
quote: This isn't like that though. This is more like putting all your possessions on the front lawn and being surprised when someone sees something embarrassing. Nothing was broken in to and nothing was stolen, AT&T freely handed out personal information to anyone who asked for it.
quote: AT&T freely handed out personal information to anyone who asked for it.
quote: In that regard, Goatse hardly had to "hack" in a traditional sense to obtain the information as authorities are suggesting. The only trickery at all was to make the request header look like it came from an iPad. From there it was just a matter of making a PHP script that guessed random ICC-IDs and monitored the returned emails.
quote: The info came from an AJAX script openly hosted on AT&T's website