Members of Goatse Security (whose name comes from an obscene internet meme) were charged yesterday at a special press conference by the Federal Bureau of Investigations.  The FBI singled out two Goatse Sec members: Daniel "JacksonBrown" Spitler, 26, of San Francisco and Andrew Escher "weev" Auernheimer, 25, of Fayetteville, Arkansas.

"JacksonBrown" will face one count of conspiracy to access a computer without authorization and one count of fraud and will be tried in U.S. District Court in New Jersey.  "Weev" faces the same charges and will be tried in an Arkansas district court.

As we predicted, the charges filed stem from the Computer Fraud Act of 1986 citing "unauthorized use" and accusing the researchers of trying to damage AT&T financially.

We have interviewed Leon Kaiser, spokesperson for Goatse Security's parent organization.  We begin with a brief timeline of the AT&T iPad email leak and what has happened (note this includes some information obtained from our interview), according to Goatse Security's accounting.

I. A Timeline of What Has Happened

> Early June - Goatse Sec. members discover that iPad style AJAX message sent to a wide open API on AT&T's website returns a users email address when the message contains a hardware identifier matching that of the user's iPad.  Goatse Sec. attempts to contact AT&T, but is unable to reach AT&T
> June 9, 2010 - Goatse Sec. publicly announces their findings, offering partially redacted portions of the 120,000+ email addresses they obtained.  Those redacted logs are published in Valleywag, a Gawker Media property.  FBI opens an investigation into the incident.
> June 16, 2010 - Weev, one of the security researchers involved with the breach, is arrested on drug charges.  Cocaine and ecstasy are reportedly found at his house.
> Late June - AT&T apologizes to customers for the loss of their data and closes security hole.  The company appears to have pushed the FBI to charge the Goatse Sec. team for going public with the vulnerability
> Fall 2010 - Charges against weev are dropped for unspecified reasons.
> Jan. 18, 2011 - The FBI files formal charges against weev and JacksonBrown.

Note: Goatse Security never released the emails they obtained in full to anyone in the public, or to the hacking community.  The most they ever released was a small, redacted portion of the emails, which they shared with Gawker Media.  It has been widely misreported and misinterpreted that they released the emails to the public.  These claims appear to be false.  It should be also noted that a few individuals -- including high-ranking ones -- did have their personal email addresses exposed by the Valleywag report.

II. The Interview

Jason Mick, DailyTech: 
Bloomberg cites the FBI as calling Goatse Security a "'a loose association' of hackers and so-called trolls" -- how do you respond to this labeling?

Leon Kaiser, GNAA, Goatse Sec spokesperson:
"Goatse Security" is a loosely-organized subdivision of [the GNAA (an obscenely named organization)]. There were a small number of security researchers in the GNAA and it was decided to create a place for those people to release any security research they had worked on, as nobody would take the research very seriously if it was published by the [GNAA]. We're talking about a small group only intended to be a vector for the individuals to release their security research. In this case, they wanted people to know how safe their personal information actually was with AT&T.

To clear up some misconceptions, the GNAA is a loosely-affiliated group of anti-blogging trolls who take their name from [a] 1992 Danish movie... 

The wording the FBI use is hideously vague, so I can only assume it refers to website defacing or DDOS attacks, neither of which GoatSec or the GNAA have had a hand in at any point. There's never been any project within GoatSec to "disrupt Internet service" in any form.

JM@DT: 
What kind of interaction have you had with AT&T and Apple following the
incident?

LK@GNAA:
As far as I can tell from reading the news, Apple's reaction to the disclosure was "Talk to AT&T about it." I don't know if anyone's been in touch with Apple on behalf of GoatSec or the GNAA. I also believe that GoatSec contact with AT&T was nonexistent after initial attempts before the incident to alert them to the vulnerability.

JM@DT: 
Some [commenters] at DailyTech have expressed disappointment that you chose to release the data, saying that while they respect you calling AT&T out on their poor security, that they disagree with you hurting "innocent bystanders" by releasing their email addresses. How do you respond to this criticism? In your philosophy, when do you draw the line between mere disclosure of a flaw and full disclosure of private data you obtained *using* that flaw? 

LK@GNAA:  
There was never any "full disclosure of private data" from GoatSec. The email addresses aggregated from AT&T's server were compiled into a list which the following people had access to: weev, Ryan Tate, and whoever Ryan Tate worked on his article with inside the gawker offices. The list was never sold to the highest bidder, nor was it fully disclosed to the Internet. The closest people outside AT&T have ever come to viewing that list is the redacted version on the original Valleywag posting.

While plenty of jokes about selling the list to Chinese spammers or using it to screw with the stock market circulated #gnaa, the truth of the matter is that disclosing this vulnerability let customers know how their data was being mishandled. As it was widely reported, the data was only released to Gawker to provide proof of the vulnerability. Considering the circumstances, it was the most ethical thing they could do.

While the original Valleywag article was pretty much perfect, the story evolved from "Large corporation accidentally makes customer's email addresses freely available" to the one that hit the general public's ears: "Group of notorious Internet hackers steal your personal details, release them to the Internet at large." Somehow, the scrutiny of the Internet fell away from AT&T and towards how weev spends his spare time on the Internet. I guess you can attribute that to Chinese whispers. Anyway, AT&T fixed the problem on their end. The only thing harmed by the disclosure was the public's trust in AT&T, and with good reason. Had it not been released to the media in the way it was, it would have been swept under the rug and users would never have known.

JM@DT:
We're familiar with (Andrew) Escher ("weev") Auernheimer, but not as familiar with Daniel Spitler. What was his role in the incident, do you have any info you can give me on him/what his handle is?

LK@GNAA:
The FBI indictment has named Mr. Spitler's online identity as "JacksonBrown". JacksonBrown is a longtime GNAA member who weev brought over to GoatSec. He's a pretty nice guy on IRC, for what that counts in the eyes of law enforcement.  He's a scarf enthusiast.

JM@DT:
It looks like the charges filed against your members fall under the auspice of the Computer Fraud Act of 1986. In my original piece I call this a "ideal blunt instrument [for the government] to legally beat hackers/security researchers". Do you agree with this statement? How do you think the field of computer security is affected by the seemingly vague language and arbitrary litigation stemming from this crucial piece of legislation?

LK@GNAA:
That act is clearly outdated and ill-defined; it describes a computer accessible across state lines as being in a special class that is deserving of extra protection under the law. Obviously this was written before the Internet was in widespread use, and should not apply today. Unauthorized access could apply to almost anything as well, since companies rarely give you explicit permission to perform actions on their websites. Consequently this law can be used to put anyone in jail that the government (or large corporations with strong ties to law enforcement, e.g. see AT&T warrant-less wiretapping for the FBI) is mad at.

The computer security industry and the public in general rarely benefits from outdated, overly broad laws that can be enforced arbitrarily by those in power, and this is a fantastic example.

As for the "hacking" itself, describing the activities of GoatSec as "hacking" or "unauthorized entry" is a gross overstatement and dramatization. If you examine what actually took place, it was simply enumerating account IDs by using the API exactly as it was designed. There was no authentication to bypass, no warnings about prohibiting access or anything else of the sort. The only hope the DOJ has of prosecuting them is based on the likely technical ignorance of the jury, sad to say.

The charges of conspiracy based solely on IRC logs are absurd and vaguely Orwellian, bordering on thought-crime proven by hearsay. IRC logs are the most easily fabricated thing in the world, not to mention flimsy as hell.

JM@DT:
Given our nation's sad state of cybersecurity, some would argue that clever parties like [weev and JacksonBrown] should perhaps be courted by the government, not shuffled off to prison. Do you agree with this assessment? Do you see a difference in how cyberoffensive powers like China interact with their security/hacking communities of all hats, versus how the U.S. does?

LK@GNAA:
I'd be cautious about evoking that old cliché of "Show off your hacking skills and the government will hire you instead of throwing you in jail."

The attempt to silence this sort of disclosure is not something new but it does seem to be increasing in frequency. GoatSec and the GNAA are an easy target because of the eccentric nature of it's members, particularly Andrew Auernheimer. However, our private information is bought and sold by corporations on a scale only rivaled by intelligence agencies and it's legal.

When responsible security research is stifled for fear of prosecution, it'll be the black market that takes up the slack. It's already happening, vulnerabilities like this are bought and sold on a daily basis, sometimes for hundreds of thousands of dollars.

Additionally, I don't like the way the issue of "cyberoffensive" nations are thrown around out of context. If China and America went to war, they wouldn't draft a thousand 18 year olds who know their way around Linux and tell them to "go on the offensive. It doesn't work like that. The next war is going to be fought on the ground and people are going to die, no matter how you dress up the idea of a "cyberwar". That said, the US should most definitely concentrate it's resources on keeping it's own systems secure. Christ, how easily did McKinnon get in?

JM@DT:
Are you accepting donations for weev and JacksonBrown's legal defense efforts?

LK@GNAA:
Not that I am aware of. What they need is awareness and possibly the support of reputable organizations such as the EFF.

JM@DT:
What do you think your chances in court against the FBI are? Any idea on what kind of sentence is the FBI aiming for?

LK@GNAA:
The charges seem pretty flimsy. I'm not about to discuss the case in detail, but what I will say is that I think that they have a good chance of winning.

JM@DT:
What are Goatse Security's plans for the immediate future? Anything [interesting] coming up?

LK@GNAA:
GoatSec is focusing all of its efforts on securing the freedom of all of its members.

Editors Note:
DailyTech would like to thank Leon Kaiser and Goatse Security for sharing their perspective with our readers.