of Goatse Security (whose name comes from an obscene internet meme) were charged yesterday at a special press
conference by the Federal Bureau of Investigations. The FBI singled out
two Goatse Sec members: Daniel "JacksonBrown" Spitler, 26, of
San Francisco and Andrew Escher "weev" Auernheimer, 25, of
"JacksonBrown" will face one count of conspiracy to access a
computer without authorization and one count of fraud and will be tried
in U.S. District Court in New Jersey. "Weev" faces the
same charges and will be tried in an Arkansas district court.
As we predicted, the charges filed
stem from the Computer Fraud Act of 1986 citing "unauthorized use"
and accusing the researchers of trying to damage AT&T financially.
We have interviewed Leon Kaiser, spokesperson for Goatse Security's parent
organization. We begin with a brief timeline of the AT&T iPad email
leak and what has happened (note this includes some information obtained from
our interview), according to Goatse Security's accounting.
I. A Timeline of What Has Happened
> Early June - Goatse Sec. members discover that iPad style AJAX
message sent to a wide open API on AT&T's website returns a users email
address when the message contains a hardware identifier matching that of the
user's iPad. Goatse Sec. attempts to contact AT&T, but is unable to
> June 9, 2010 - Goatse Sec. publicly announces their
offering partially redacted portions of the 120,000+ email addresses they
obtained. Those redacted logs are published in Valleywag, a Gawker
Media property. FBI opens an investigation into the incident.
> June 16, 2010 - Weev, one of the security researchers involved
with the breach, is arrested on drug charges. Cocaine and ecstasy
are reportedly found at his house.
> Late June - AT&T apologizes to customers for the loss
of their data and closes security hole. The company appears to have
pushed the FBI to charge the Goatse Sec. team for going public with the
> Fall 2010 - Charges against weev are dropped for
> Jan. 18, 2011 - The FBI files formal charges against weev
Note: Goatse Security never released the emails they obtained in full to anyone
in the public, or to the hacking community. The most they ever released
was a small, redacted portion of the emails, which they shared with Gawker
Media. It has been widely misreported and misinterpreted that they
released the emails to the public. These claims appear to be false.
It should be also noted that a few individuals -- including high-ranking
ones -- did have their personal email addresses exposed by
the Valleywag report.
II. The Interview
Jason Mick, DailyTech:
Bloomberg cites the FBI as calling
Goatse Security a "'a loose association' of hackers and so-called
trolls" -- how do you respond to this labeling?
Leon Kaiser, GNAA, Goatse Sec spokesperson:
"Goatse Security" is a
loosely-organized subdivision of [the GNAA (an obscenely named organization)]. There
were a small number of security researchers in the GNAA and it was decided to
create a place for those people to release any security research they had
worked on, as nobody would take the research very seriously if it was published
by the [GNAA]. We're talking about a small group only intended to be a vector
for the individuals to release their security research. In this case, they
wanted people to know how safe their personal information actually was with
To clear up some misconceptions, the GNAA is a loosely-affiliated group of
anti-blogging trolls who take their name from [a] 1992 Danish movie...
The wording the FBI use is hideously vague, so I can only assume it refers to
website defacing or DDOS attacks, neither of which GoatSec or the GNAA have had
a hand in at any point. There's never been any project within GoatSec to
"disrupt Internet service" in any form.
What kind of interaction have you had with AT&T and Apple following the
As far as I can tell from reading the news, Apple's reaction to the disclosure
was "Talk to AT&T about it." I don't know if anyone's been in
touch with Apple on behalf of GoatSec or the GNAA. I also believe that GoatSec
contact with AT&T was nonexistent after initial attempts before the
incident to alert them to the vulnerability.
Some [commenters] at DailyTech have expressed disappointment that you chose to release
the data, saying that while they respect you calling AT&T out on their poor
security, that they disagree with you hurting "innocent bystanders"
by releasing their email addresses. How do you respond to this criticism? In
your philosophy, when do you draw the line between mere disclosure of a flaw
and full disclosure of private data you obtained *using* that flaw?
There was never any "full disclosure of private data" from GoatSec.
The email addresses aggregated from AT&T's server were compiled into a list
which the following people had access to: weev, Ryan Tate, and whoever Ryan
Tate worked on his article with inside the gawker offices. The list was never
sold to the highest bidder, nor was it fully disclosed to the Internet. The
closest people outside AT&T have ever come to viewing that list is the
redacted version on the original Valleywag
While plenty of jokes about selling the list to Chinese spammers or using it to
screw with the stock market circulated #gnaa, the truth of the matter is that
disclosing this vulnerability let customers know how their data was being
mishandled. As it was widely reported, the data was only released to Gawker to
provide proof of the vulnerability. Considering the circumstances, it was the
most ethical thing they could do.
While the original Valleywag article
was pretty much perfect, the story evolved from "Large corporation
accidentally makes customer's email addresses freely available" to the one
that hit the general public's ears: "Group of notorious Internet hackers
steal your personal details, release them to the Internet at large."
Somehow, the scrutiny of the Internet fell away from AT&T and towards how
weev spends his spare time on the Internet. I guess you can attribute that to
Chinese whispers. Anyway, AT&T fixed the problem on their end. The only
thing harmed by the disclosure was the public's trust in AT&T, and with
good reason. Had it not been released to the media in the way it was, it would
have been swept under the rug and users would never have known.
We're familiar with (Andrew) Escher ("weev") Auernheimer, but not as
familiar with Daniel Spitler. What was his role in the incident, do you have
any info you can give me on him/what his handle is?
The FBI indictment has named Mr. Spitler's
online identity as "JacksonBrown". JacksonBrown is a longtime GNAA
member who weev brought over to GoatSec. He's a pretty nice guy on IRC, for
what that counts in the eyes of law enforcement. He's a scarf enthusiast.
It looks like the charges filed against your members fall under the auspice of
the Computer Fraud Act of 1986. In my original piece I call this a "ideal
blunt instrument [for the government] to legally beat hackers/security
researchers". Do you agree with this statement? How do you think the field
of computer security is affected by the seemingly vague language and arbitrary
litigation stemming from this crucial piece of legislation?
That act is clearly outdated and ill-defined; it describes a computer
accessible across state lines as being in a special class that is deserving of
extra protection under the law. Obviously this was written before the Internet
was in widespread use, and should not apply today. Unauthorized access could
apply to almost anything as well, since companies rarely give you explicit
permission to perform actions on their websites. Consequently this law can be
used to put anyone in jail that the government (or large corporations with
strong ties to law enforcement, e.g. see AT&T warrant-less wiretapping for
the FBI) is mad at.
The computer security industry and the public in general rarely benefits from
outdated, overly broad laws that can be enforced arbitrarily by those in power,
and this is a fantastic example.
As for the "hacking" itself, describing the activities of GoatSec as
"hacking" or "unauthorized entry" is a gross overstatement
and dramatization. If you examine what actually took place, it was simply
enumerating account IDs by using the API exactly as it was designed. There was
no authentication to bypass, no warnings about prohibiting access or anything
else of the sort. The only hope the DOJ has of prosecuting them is based on the
likely technical ignorance of the jury, sad to say.
The charges of conspiracy based solely on IRC logs are absurd and vaguely
Orwellian, bordering on thought-crime proven by hearsay. IRC logs are the most
easily fabricated thing in the world, not to mention flimsy as hell.
Given our nation's sad state of cybersecurity, some would argue that clever
parties like [weev and JacksonBrown] should perhaps be courted by the
government, not shuffled off to prison. Do you agree with this assessment? Do
you see a difference in how cyberoffensive powers like China interact with
their security/hacking communities of all hats, versus how the U.S. does?
I'd be cautious about evoking that old cliché of
"Show off your hacking skills and the government will hire you instead of
throwing you in jail."
The attempt to silence this sort of disclosure is not something new but it does
seem to be increasing in frequency. GoatSec and the GNAA are an easy target
because of the eccentric nature of it's members, particularly Andrew
Auernheimer. However, our private information is bought and sold by corporations
on a scale only rivaled by intelligence agencies and it's legal.
When responsible security research is stifled for fear of prosecution, it'll be
the black market that takes up the slack. It's already happening,
vulnerabilities like this are bought and sold on a daily basis, sometimes for
hundreds of thousands of dollars.
Additionally, I don't like the way the issue of "cyberoffensive"
nations are thrown around out of context. If China and America went to war,
they wouldn't draft a thousand 18 year olds who know their way around Linux and
tell them to "go on the offensive. It doesn't work like that. The next war
is going to be fought on the ground and people are going to die, no matter how
you dress up the idea of a "cyberwar". That said, the US should most
definitely concentrate it's resources on keeping it's own systems secure.
Christ, how easily did McKinnon get in?
Are you accepting donations for weev and JacksonBrown's legal defense efforts?
Not that I am aware of. What they need is
awareness and possibly the support of reputable organizations such as the EFF.
What do you think your chances in court against the FBI are? Any idea on what
kind of sentence is the FBI aiming for?
The charges seem pretty flimsy. I'm not about to
discuss the case in detail, but what I will say is that I think that they have
a good chance of winning.
What are Goatse Security's plans for the immediate future? Anything
[interesting] coming up?
GoatSec is focusing all of its efforts on
securing the freedom of all of its members.
DailyTech would like to thank Leon Kaiser and Goatse Security
for sharing their perspective with our readers.