Goatse Security

Gaping Holes Exposed

A Few Notes of Importance

7 Comments »

On the heels of the arrest of two of Goatse Security’s researchers, I felt compelled to write a statement reiterating a few points regarding last year’s AT&T breach which I believe are important:

  1. The only data gathered was a list of e-mail addresses.  No real names, mailing addresses, or any associated data was breached.
  2. The data gathered was publicly available on AT&T’s web server.  Any person could say “What is the e-mail address associated with ID XXXXXXXX” and the server would happily reply “johndoe@yahoo.com” or “invalid ID”.  The process of doing so was simply automated using random IDs.  There was no “real” hacking involved.
  3. Through intermediary channels, Goatse Security notified AT&T of the hole in their system and waited until it had been patched before we made our disclosure.
  4. Under no circumstances was the data ever made public.  It was only given to Gawker Media under the condition that it would be redacted, just as proof that the data had been leaked and this was not a fictitious claim.
  5. AT&T has pressured the USDoJ and the FBI into building and prosecuting a baseless case because they care more about their own share price than their customers.  Stated another way: the American government works at the behest of private corporations.

AT&T, the FBI, and the prosecution have labeled this as a “malicious” attack, directly against AT&T’s interests and their customers.  This could not be farther from the truth.  The flaw was quite literally stumbled upon; AT&T was never targeted, and upon gathering the data, it was not sold, distributed, or used otherwise (although it certainly had the potential to be used quite maliciously) – it was only disseminated to a single media outlet because we believed it was important enough to share.  Were the hole discovered by a malicious party, the data could have been easily sold to the RBN at a very high price, could have been used to target iPad owners with AT&T phishing e-mails, the e-mails could have been sent iPad trojans, or otherwise.  The private discussions we had to determine the extent of the flaw will undoubtedly be twisted and redacted by the prosecution to create an appearance of malice, as these were all topics touched upon.  This can be damning even though the discussion itself is not a crime.

The case is based entirely upon IRC logs, anonymously submitted, which could be completely fabricated with no method of verification.  These logs constitute the majority of the prosecution’s “evidence”, and are solely being used to create an image of malicious intent.

The fact of the matter is quite simple: AT&T put their own customers at risk through negligence, their share price dropped when this fact was exposed, and they have now co-opted the USDoJ and the FBI to attempt to shift the blame from themselves to individuals who were looking out for the public good.

In the end, regardless of how the chat logs are made to appear, and regardless of other questionable activities that members may have been involved in, the facts do not change: GoatSec researchers found a hole, made sure it was closed, and responsibly disclosed its existence.

–Rucas

7 Responses

Thanks, I learned something here anyhow :)

  • I have been trying to find this type of post for a while. I’m publishing a school report on this and this is going to help me. Appreciate it.

  • I don’t like Andrew Auernheimer’s philosophy. He seems to be hateful and obnoxious. But I couldn’t agree more with this article! He’s really a victim here! :s I strongly hope that he’ll be discharged, and Daniel Spitler too.

  • “Stated another way: the American government works at the behest of private corporations.”

    Kind of surprised you’re just figuring this out now.It’s been like that for almost half a century.

  • Security is an important aspect when you are on web and you should know something about it if u are new to the world of internet..You should be aware of whats going on in this field..Highly recommended for a newbie

  • Leave a Reply

    Switch to our mobile site