Goatse Security

Gaping Holes Exposed

On disclosure ethics

63 Comments »

There’s some buzz about that the FBI is getting involved with this iPad email leak. Sean Sullivan at F-Secure said “the disclosure was completely irresponsible.” AT&T says we never contacted them. I want to make some things clear.
 
On the AT&T matter and the accusations of irresponsible disclosure, the timeline of the disclosure speaks for itself. AT&T itself admits the problem was closed Tuesday. The Goatse Security analyst responsible for the discovery personally verified this hole was closed Tuesday and no longer a threat to the public before we went to Ryan Tate at Gawker with the dataset and attack details. Ryan Tate was the only one to receive our dataset, and what results from it he published were redacted to prevent the compromise of those involved.
 
I want to summarize this explicitly:
  • All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.
  • The dataset was not disclosed until we verified the problem was fixed by the vendor.
  • The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.
 
We were much nicer to AT&T than say, HD Moore was to Apple when he published exploits for unpatched flaws in the iPhone:
 
We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as “nice guy” as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it.
 
This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don’t. If you’re potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you’ve been successfully exploited). We did this to help you.
 
I think most people’s problem with our disclosure was not the actual disclosure process, but the rhetoric and tone which accompanied it. Also they seem to take issue with how we went to Gawker first. I’ve had multitudes of reporters tell me that “Gawker has problems”. I don’t think that is true. When Valleywag has messed up in the past, I’ve always seen them do a whole new post to print their retraction which always appears at the same level of visibility of the original post. Unlike their competition, where a frontpage mistake is retracted in fine print on page C20 two weeks later. It is funny, because some of the news outlets telling me Gawker has issues were ignoring me when I tried to break this story to them.
 
The rhetoric, tone, and outlet we chose for our disclosure is free speech, plain and simple.
 
I’ve also heard the insinuation in a lot of Internet comments that Gawker paid us for this scoop. This is positively false. None of us made any money off of this disclosure. We did it in public interests. Seriously, we are not poor and do not need handouts from blogging companies.
 
Anyways, there was no illegal activity or unauthorized access, this was not a shady backroom hookers and blow deal with Nick Denton as revenge for the iPhone raid (though that would be totally sweet), we did not sell your data to spammers (on the contrary, we destroyed it after Ryan used it; it had served its purpose to us) and we did not try to hack your iPads. Your iPads are safer now because of us.

There’s some buzz about that the FBI is getting involved with this iPad email leak. Sean Sullivan at F-Secure said “the disclosure was completely irresponsible.” AT&T says we never contacted them. I want to make some things clear.
 
On the AT&T matter and the accusations of irresponsible disclosure, the timeline of the disclosure speaks for itself. AT&T itself admits the problem was closed Tuesday. The Goatse Security analyst responsible for the discovery personally verified this hole was closed Tuesday and no longer a threat to the public before we went to Ryan Tate at Gawker with the dataset and attack details. Ryan Tate was the only one to receive our dataset, and what results from it he published were redacted to prevent the compromise of those involved.
 
I want to summarize this explicitly:
  • All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.
  • The dataset was not disclosed until we verified the problem was fixed by the vendor.
  • The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.
 
We were much nicer to AT&T than say, HD Moore was to Apple when he published exploits for unpatched flaws in the iPhone:
 
We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as “nice guy” as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it.
 
This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don’t. If you’re potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you’ve been successfully exploited). We did this to help you.
 
I think most people’s problem with our disclosure was not the actual disclosure process, but the rhetoric and tone which accompanied it. Also they seem to take issue with how we went to Gawker first. I’ve had multitudes of reporters tell me that “Gawker has problems”. I don’t think that is true. When Valleywag has messed up in the past, I’ve always seen them do a whole new post to print their retraction which always appears at the same level of visibility of the original post. Unlike their competition, where a frontpage mistake is retracted in fine print on page C20 two weeks later. It is funny, because some of the news outlets telling me Gawker has issues were ignoring me when I tried to break this story to them.
 
The rhetoric, tone, and outlet we chose for our disclosure is free speech, plain and simple.
 
I’ve also heard the insinuation in a lot of Internet comments that Gawker paid us for this scoop. This is positively false. None of us made any money off of this disclosure. We did it in public interests. Seriously, we are not poor and do not need handouts from blogging companies.
 
Anyways, there was no illegal activity or unauthorized access, this was not a shady backroom hookers and blow deal with Nick Denton as revenge for the iPhone raid (though that would be totally sweet), we did not sell your data to spammers (on the contrary, we destroyed it after Ryan used it; it had served its purpose to us) and we did not try to hack your iPads. Your iPads are safer now because of us.

Switch to our mobile site