Goatse Security

Gaping Holes Exposed

Compiz vulnerability


Goatse Security has had a lot of fun pointing out the devastating flaws in Apple’s shit-tastic software, but now it’s time to turn to the beloved mascot of the sweaty man-child open source community: Linux.

Linux weenies will often brag about how insecure Windows is compared to Linux. They’ll also argue that Linux is hard to take down with any sort of exploit. Well, it turns out that’s not quite true. Here’s a simple, step-by-step guide to owning the most popular Linux distribution out there today:

  1. Open a long URL beginning with “apt://” in a browser that handles the apt:// protocol.
  2. Er…
  3. That’s it.

Hope you weren’t doing anything important with that X session.

This bug is delightfully trivial to deploy. Just write a normal HTML page containing an iframe that takes a 10000 character apt:// URL as its source. Trick a Debian dickhead into opening it and the bug will take out Compiz, crashing your X session with a cryptic “Unexpected X error: BadAlloc (insufficient resources for operation) serial 1779 error_code 11 request_code 53 minor_code 0)” error. And at no extra cost, we’re also throwing in GNOME theme rendering breakage, which forces you to log out and log back in to get your buttons back!

The following Linux distributions are affected by this vulnerability:

  • Alinex
  • BLAG Linux and GNU
  • CentOS
  • ClearOS
  • Debian
  • DeMuDi
  • Feather Linux
  • Fedora
  • Foresight Linux
  • gnuLinEx
  • gNewSense
  • Kaella
  • Knoppix
  • Linspire
  • Linux Mint
  • Musix GNU/Linux
  • Parsix
  • Red Hat Enterprise Linux
  • Scientific Linux
  • SUSE Linux Enterprise Desktop
  • Ubuntu
  • Ututo

This exploit could never have been uncovered without the help of many highly skilled greyhats. I’d like to give shoutouts to incog, Murdox, sloth, vxp, mith, lulzsec, arab, Leon Kaiser, afed, GNAA, jax, Bantown, Sam Hovercar, 37signals, afed_, The Greater Association of PHP Programmers, goudatr0n, Rufas the earthworm, hepkitten, Girlvinyl, D8, EFNet #politics, DJ FUCK DA PARENTZ, Tory Jarmain, djb, my cat, my other cat, mao & amat, jwz, esr (but not rms), #stress, Lee Vartron, kayla, trelane, krashed, bikcmp, David J. Moore, Justin D. May, bittwist, DolemitE, Craig G. Mueller, sam, Christian Schlore, mith, 808chan, xyz, LeeB, Alex Pilosov, lec, Randi Harper and her aborted baby, Shaniqua, acidburn, Lord Nikon, Mikey Mattice, The Cereal Killer, The Phantom Phreak, DiKKy Heartiez, Adrian Lamo, BLACK_MAN, lysol, wispurs, vap0r, LiteralKa, #arab, Matthew Gore (str8sucker704), Richard Johannes III, and the good people at paedophilewatch.org who work tirelessly to keep our children safe online. Many eyes make even the deepest bug shallow!

Goatse Security compromises famous security blog


On Wednesday night, after several months of personal inactivity, a Goatse Security administrator finally realized his admin password allowed him to edit the (in)famous security blog Goatse Security. Oblivious to the fact that blogs are generally irrelevant, he and his army then proceeded to vandalize the homepage and cause incalculable damage and loss of life. When the smoke cleared from the battlefield of blogs, many an ego was mortally wounded.

The victory speech went as follows:

Dear Goatsec,

I have taken the liberty of exposing your gaping hole, and hope in doing so that I’ve given your balls a good twist. As you are a group of self-aggrandizing twats, I have also contacted the media to ensure that this incident gets the coverage it deserves.

In cracking this site, I have sent specially crafted requests to the server with my browser ID spoofed to that of an iPad. Please know that while this was not instrumental in this wondrous crack, it _WAS_ poetic in many ways. I also gave Goatsec the same warning that they gave AT&T… none at all, to patch their gaping hole.
User Accounts have been deleted, and passwords changed.

AAAAAAAAAAAAAAAAAAAAAAND THE PREVIOUS ADMIN PASSWORD IS… T2!p*uje7ru*
Props to: The FBI, OseK, MadMax, mre|666, Scratch (Isuki), Sigdie, anyone who knows what Sigdie is, Krashed (because it’ll make Bratty happy to see his name on a deface page, even if he didn’t have shit to do with it)
Fuckoff to: LoRez (FUCK YOU), weev, Apple, AT&T, MI-5, Harry Pierce, and Gay Niggers everywhere.

The previous admin password, which, as stated, was T2!p*uje7ru*, should be considered compromised. Goatse Security advises the general public never to use this password to protect their personal data again.

Big ups, Krashed;
Leon Kaiser, Head of Goatse Security Public Relations

Making things right


In the wake of recent events, Goatse Security has released an encrypted “insurance” file. Admittedly, it’s not as groundbreaking as the Wikileaks insurance, but we don’t intend to release the key until after a verdict has been passed on both weev and JacksonBrown. We encourage all to download and share this file. Blog about it, upload it to your favourite bittorrent tracker, keep it on your FTP, whatever! We’d like to make clear that it’s nothing to do with AT&T, nor is it the supposed “email list” that was deleted a long time ago.

Direct link: http://security.goatse.fr/media/goatseinsurance.aes256
Bittorrent:   http://security.goatse.fr/media/goatseinsurance.torrent
MD5:           b25852056cf86c9aeb42b229ed5752cd

Additionally, we intend to start collecting funds for weev’s and JacksonBrown’s defense fund within the next day or so. Thank you to everyone who has contacted us over the past few days for showing an interest in their trial, and thank you to everyone who continues to raise awareness of their plight. weev would probably appreciate people to pray for him. We don’t know about JacksonBrown, but it’s the thought that counts.

~Murdox

GNAA President

(By the way, don’t expect too much activity on the GoatseSecurity twitter until weev comes back).

A Few Notes of Importance


On the heels of the arrest of two of Goatse Security’s researchers, I felt compelled to write a statement reiterating a few points regarding last year’s AT&T breach which I believe are important:

  1. The only data gathered was a list of e-mail addresses.  No real names, mailing addresses, or any associated data was breached.
  2. The data gathered was publicly available on AT&T’s web server.  Any person could say “What is the e-mail address associated with ID XXXXXXXX” and the server would happily reply “johndoe@yahoo.com” or “invalid ID”.  The process of doing so was simply automated using random IDs.  There was no “real” hacking involved.
  3. Through intermediary channels, Goatse Security notified AT&T of the hole in their system and waited until it had been patched before we made our disclosure.
  4. Under no circumstances was the data ever made public.  It was only given to Gawker Media under the condition that it would be redacted, just as proof that the data had been leaked and this was not a fictitious claim.
  5. AT&T has pressured the USDoJ and the FBI into building and prosecuting a baseless case because they care more about their own share price than their customers.  Stated another way: the American government works at the behest of private corporations.

AT&T, the FBI, and the prosecution have labeled this as a “malicious” attack, directly against AT&T’s interests and their customers.  This could not be farther from the truth.  The flaw was quite literally stumbled upon; AT&T was never targeted, and upon gathering the data, it was not sold, distributed, or used otherwise (although it certainly had the potential to be used quite maliciously) – it was only disseminated to a single media outlet because we believed it was important enough to share.  Were the hole discovered by a malicious party, the data could have been easily sold to the RBN at a very high price, could have been used to target iPad owners with AT&T phishing e-mails, the e-mails could have been sent iPad trojans, or otherwise.  The private discussions we had to determine the extent of the flaw will undoubtedly be twisted and redacted by the prosecution to create an appearance of malice, as these were all topics touched upon.  This can be damning even though the discussion itself is not a crime.

The case is based entirely upon IRC logs, anonymously submitted, which could be completely fabricated with no method of verification.  These logs constitute the majority of the prosecution’s “evidence”, and are solely being used to create an image of malicious intent.

The fact of the matter is quite simple: AT&T put their own customers at risk through negligence, their share price dropped when this fact was exposed, and they have now co-opted the USDoJ and the FBI to attempt to shift the blame from themselves to individuals who were looking out for the public good.

In the end, regardless of how the chat logs are made to appear, and regardless of other questionable activities that members may have been involved in, the facts do not change: GoatSec researchers found a hole, made sure it was closed, and responsibly disclosed its existence.

–Rucas

FBI arrests Goatsec members on conspiracy, fraud charges


Today, Jan. 18th, Andrew Auernheimer and Daniel Spitler were brought into custody on the basis of a federal criminal complaint of a highly dubious and unsettling nature. The complaint alleges that the two were responsible for gross crimes of conspiracy to hack computers and fraud. Let's examine the government's case.

The gist of what supposedly transpired is this: in the summer of 2010, Spitler created a PHP script to harvest email addresses of people who purchased a 3G iPad. This was accomplished very simply, because AT&T had set up a web service that would match a given ICC-ID (SIM card serial number) to an email address. This was to make the sign-up process for people who just purchased their new iPads easier, since it would pre-fill their email address in the registration form. Due to sloppiness on the part of AT&T web engineers, there was no rate limiting, user agent checking or any other mechanism to prevent someone from simply taking a random ICC-ID and adding one to it, over and over (the FBI calls this "hacking"). Since AT&T's ICC-IDs were more or less sequential, assembling a list of email addresses was quite straightforward.

The only information that could have been gleaned from this process was ICC-IDs (which are totally useless) linked to email addresses (which are not private information). That's all. The only reason we are even hearing about this is because Andrew is a clever fellow who likes to make very embellished and sensational claims as a form of ironic humor, and he was able to convince some people in the media to make a big deal about the whole situation. This made AT&T look bad, and their customers concerned, both of which outcomes are to be expected.

Apparently, it seems making AT&T lose face is a heinous offense, justifying seven months of investigation by the FBI and many, many grand jury sessions at great taxpayer expense. Several people were raided by federal and state agents to search for evidence relating to the email harvesting. The FBI engaged in standard harassment practices and blanket subpoenas to pursue their case, refused to allow Auernheimer to see his warrant (claiming "national security" concerns) and intimidated his girlfriend and potential employers. There is certainly a history of AT&T doing favors for the FBI (warrant-less wiretapping for example). I am not saying there is evidence of a grand conspiracy here, but it looks an awful lot as though AT&T was mad and got their FBI pals to make the lives of Auernheimer and Spitler unpleasant.

The criminal complaint charges the two with illegally accessing AT&T's computers which are classified as "protected computers" under USC title 18, 1030(e)(2). This law written in 1986 defines a "protected computer" (implying greater penalties) as one that is accessible across state lines, which would now include any machine hooked up to the internet. The servers are described as having been "fooled into believing that they were communicating with an actual iPad 3G and wrongly granted the Account Slurper access to AT&T's servers". No access was granted or requested, no machines were "fooled" (whatever that means), and the machines were already accessible from anyone with an internet connection because they were web servers. They say this was accomplished without authorization from AT&T, even though that point means nothing since all "legitimate" users were not granted explicit authorization either.

In fact, when you examine the facts presented in the criminal complaint, it's amazing that the DOJ would even waste their time with a case with a flimsy house of cards presented as evidence.

The complaint cites news articles quoting Andrew's fantastical hyperbole about the security group's actions. There are well-documented cases of the media believing all sorts of ridiculous computer security tripe and publishing it without fully comprehending what they are writing about. If the FBI is going off of such stories and respected news outlets such as a blog devoted to publishing gossip on Silicon Valley, one really wonders how informed they are. I imagine they know what they are doing, but include it anyway because it makes their case look stronger to the poor judge whose time is being wasted. Also cited is Andrew's LiveJournal, to which I must say "LOL" ("LOL" and its variants stand for laughing out loud, notes the complaint in one of many hilarious footnotes).

They go on to bring up past interviews in which Andrew, undoubtedly under the influence of powerful narcotics at the time, makes up absurd shit to see how much the clueless reporter will print. Anyone who is at all familiar with Andrew or similar persons can immediately recognize the quotes as ironic bullshitting, but the media and FBI are hopelessly out of the loop when it comes to such things and actually take his statements at face value. His past statements such as "I want everyone off the internet" are apparently used to imply his guilt in the present.

The Goatsec website is mentioned as stating, among other things, that Auernheimer writes "Ruby while living in SF SoMa", which is a dig at Spitler's homosexuality, which became a topic during the grand jury trial, although it is couched in so many layers of in-jokes as to make such a statement impenetrable by most people, which is true of almost all statements that are quoted in the complaint.

IRC LOGS:

The only actual "evidence" presented of wrongdoing in the entire complaint is "150 pages" of IRC logs provided by a confidential source. Perhaps they are relying on the fact that the jury will consist of people who have no idea what IRC is or why one should not treat what is basically a text file from an anonymous source on the internet as the basis for locking someone up for 10 years.

Unbelievably, the FBI actually subpoenaed Goatsec member "Rucas the Earthworm" to appear before a grand jury in New Jersey to defend himself for advising people to throw their computers in the river, accusing him of advising people to destroy evidence.

The rest of the complaint is filled with hearsay and non-facts with a number of downright fabrications. In one footnote, the agent preparing the report notes that "the phrase 'D8' means to be deeply involved in an activity or to perform an activity to the fullest extent possible." Since "D8" is just a frowny face on its side, one can only conclude that this and other facts are being made up wholesale.

The criminal charges being levied against Spitler and Auernheimer are disconcerting for a number of reasons; most notably the concept of charging someone with conspiracy on the basis of IRC logs. As explained earlier, IRC logs are hardly difficult to make up, alter or attribute to other persons. To say nothing of the very idea of conspiracy as a crime itself. The fact that the conspiracy charge is thrown in usually indicates that the prosecution doesn't actually have any hard evidence of a real crime being committed, so they resort to trying to pin thought-crime charges on their victims instead. It is not my intention to be alarmist, but all citizens of any country should be greatly concerned when corporations are able to get law enforcement to arbitrarily enforce overly broad laws to silence and punish anyone they deem an annoyance.

Thanks for reading,
Jason Gates


Open Letter to Lee Vartan, Assistant United States Attorney in regards to the Goatse Security iPad case.


Howdy Lee,

Originally, I was outraged by your prosecutorial efforts against me and my associates, and extremely shaken up due to the unjust search of my home, in multiple violations of the Fourth Amendment. I believe that the emotional stress caused by my multiple-day solitary confinement without cause, and the accumulated effect of previous harassment by the government, led me to treat you less respectfully than I should have. However, recently I was at the law library, my usual resource for ethical guidance, and I started reading Thomas Paine. There, I experienced a revelation as to how to best proceed in dealing with your actions.

“He that would make his own liberty secure, must guard even his enemy from oppression; for if he violates this duty, he establishes a precedent that will reach to himself.”
– Thomas Paine, Dissertation on First Principles of Government

I’m writing to help clarify the situation in which we continue to find ourselves. It appears, despite the obvious facts surrounding the events, that you are continuing to attempt my legal prosecution. While information security experts worldwide (many of whom your department hires as expert witnesses), law analysis groups, consumer affairs groups and lay citizens continue to support me, you still investigate me for some alleged obscure criminal act. While I generally support your mission, Lee, I think you’re being led astray by a desire for professional distinction.

I am sure that you are probably under great pressure to produce something, as evidenced by your use of quasi-legal means such as your questionable search warrant, the ensuing negative publicity for your office and name, and the growing number of people asking why you are doing this. These influences upon your judgments are of no matter; ultimately, you will be held accountable to the people for your actions. I’m sure that the strain is beginning to take a toll on your personal and professional relationships, and as I am, and always have been, a supporter of the United States’ government, I’d like to offer some friendly advice before irreparable damages from your errors spread to other aspects of the Department of Justice.

Here are the options available to you, and my advice for each:

1. Continue holding Grand Jury sessions and force an indictment.
I can in no way advise this as it will harm your professional reputation and force the Department of Justice to engage in the manufacture of evidence. Social responsibility has always been at the core of everything we do at Goatse Security, and this will be extraordinarily obvious at a trial. Goatse has done large amounts of documented work in project areas such as combating safe havens for pedophiles worldwide, protecting US infrastructure, and keeping US citizens safe from Russian and Chinese organized crime. The DoJ has also pursued these projects, quite well at times, but we should work together for a common goal instead of fighting for territory, and wasting our fiscal and legal resources. At Goatse, we do not have a large advertising budget like the DoJ and FBI; our publicity comes from citizen recognition of national stewardship and skillful work. I hope that you don’t see this as competition to your own great work in the area, but allow me to communicate that I believe that we could both do better.

2. Stop this investigation.
Given the vulnerable position the DoJ is in as a result of your actions, you may be required to resign. I am very sorry for this prospect, but there are many great opportunities available for you in the private sector, and just because you will not be employed by the people at large does not mean that you will not be able to help make the country a better, safer and healthier place for us all to enjoy. We at Goatse give back, with daily volunteer work, which we are able to accomplish in our free time due to the gains we make by working in the private sector. We find this the most healthful and heartiest form of patriotism, as it not only allows total agency and freedom of choice, so that citizens can give in the ways they are most capable, but also minimizes bureaucratic costs we all bear as brothers and sisters in this great nation.

3. Publicly accept assistance from Goatse Security.
While the smear campaign your agency has launched against Goatse and myself personally may make this difficult, I’m sure that fully disclosing the rationale behind it would secure the public’s forgiveness and understanding for you and the DoJ. Lest it go unsaid, a friendly hand extended in partnership would earn Goatse’s respect and forgiveness as well. As always, we are more than happy to work with you hand in hand for a stronger country. If you are unable to do this for political reasons, we understand, but we would not want you to dishonor your family or the legal education they’ve helped you attain by making choices which are wrong. AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers over the rights of shareholders.

I pray for you, Lee. I pray for you to see wisdom in your actions, and pray for you to be guided towards righteousness. I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted and your teachers, for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure.

Hugs and Courage To You,
Andrew

Clench, our way of saying “screw you” to SSL PKI forever


Nate Lawson has an excellent post on his blog rightly identifying SRP as a superior solution to the Clench implementation. However, upon examination it appears that SRP is encumbered by a questionable patent situation. I would hope that Stanford would be able to release a BSD-licensed version of their SRP distribution sometime soon to enable its adoption everywhere.

Application layer authentication-inherent validation of public key integrity without the use of a trusted third party
Andrew Auernheimer and Jordan Borges.

This is the initial unveiling of the pre-alpha version of Clench, Goatse Security’s new simple password-based authentication mechanism that rids most organizations of a need to rely upon an untrustable third party to ensure against man-in-the-middle attacks.

un-tl;dr abstract: SSL is broken. Certificate authorities only exist to let the US, Chinese, Turkish, Brazilian etc etc government or Russian mob spy on you (whichever is interested first). Well, I guess they also exist to line the pockets of assholes who want $10-50 for pushing a button. Luckily, we’ve remedied this! We’ve established a way that a client, using only standard password authentication, can validate a server’s public key and ensure that no third party is listening (without the use of a trusted third party such as a certificate authority or manual fingerprint verification). Read on for a wonderfully simple hack and proof of concept code!

Biggest problem we solve: “Trusted” third parties can’t be trusted, and criminals or hostile governments are free to launch man in the middle attacks. Extensive research in this area has been done by Marlinspike, Dan Kaminsky and Mike Zusman, which you really should read.

  • Exploiting web application and business logic vulnerabilities of certificate authorities allows the generation of valid certificates for arbitrary domains you do not own.
  • The number of entities allowed to issue certificates is now massive and not being effectively tracked – criminal organizations outright buy certificate authorities and print certificates for arbitrary domains they do not own.
  • Do you trust the Chinese government not to snoop on your traffic? What about the United States government? Your browser trusts both – either of them can snoop on your “secure” HTTPS sessions.
  • EV SSL is a joke.
  • Who watches the watchers?

The whole SSL architecture is broken and cannot be safely relied upon. Any system of authentication which relies on a “trusted” third party that you have no dominion over is flawed. DNSSEC is only an incremental improvement with the same underlying flaw – I may trust the ICANN, ISC, NIST, NTIA, the Department of Homeland Security, or VeriSign more than the combined ineptitude and maliciousness of every current SSL CA, but I still don’t trust them. The whole idea of a trust anchor is fallacious.

We set out to solve this problem in a way that can reconcile three realities of security:

  • Users cannot effectively comprehend anything but password authentication. They don’t understand key management, and the task of getting hundreds of thousands or millions of users to install a client certificate or generate a keypair (and not accidentally reveal the private key) is a Herculean task that few IT departments want to try.
  • Users cannot be trusted to manually verify fingerprints. Seriously, they just won’t. Even the ones that perceive themselves as sophisticated and security-conscious.
  • The network is now many times more hostile and open to attack than the server.

So we had to create an authentication mechanism in which a user inputs only a username and password, but ends up with a session immune from man-in-the-middle attacks without the use of a trusted third party.

We looked at various authentication schemes. Of note was Livejournal’s. Being the most popular blogging site in Russia, they got user auth details jacked so many times by shady spammers jacking routes with “legitimate” certs that they stopped transmitting the hash plaintext over the wire. They give a nonce to the client and the client hashes locally and then sends the hash to the server. The other source of inspiration was the Socialist Millionaire protocol, which Off-the-Record Messaging utilizes with a shared secret to verify cryptographic fingerprints.

In almost every scenario where security is mission critical, you already have a shared secret from the outset. When an enterprise user is given their new account, or when someone sets up online banking at their bank branch they are given a temporary password. A temporary password is a shared secret, and shared secrets may be leveraged to verify fingerprint information.

Here’s how Clench works:

  1. Client connects to server and sends hello.
  2. Server sends hello back, along with its cert.
  3. Standard Diffie-Hellman key exchange happens in SSL/TLS/SSH fashion. Initial handshake is finished, cipher spec is changed, now here comes the magic:
  4. Server sends client the nonce value [ Ticks since unix epoch + 16 bytes of random data ]
  5. Client sends userid/username to server.
  6. Client types in password, but password is not sent to server. Both sides generate a hash.
    Client generates y, a hash of [ client password + server’s public key, as client sees it + nonce from step 4 ]
    Server generates x, a hash of [ client password + server’s own public key + nonce from step 4 ]
  7. Client and server use a symmetric and fair zero-knowledge proof to verify that we both have the same hash without revealing the value of the hash to one another. Imagine a two pan scale, and a secret of a given weight of marbles in a bag. If we both place our bag of marbles on the pans at the same time, if they come to an equilibrium we will have verified our shared secret without revealing it to one another.
    • Server picks random exponents a2 and a3, sends client g2a = g1^a2 and g3a = g1^a3
    • Client picks random exponents b2 and b3, computes g2b = g1^b2, g3b = g1^b3, g2 = g2a^b2 and g3 = g3a^b3, picks random exponent r, computes Pb = g3^r and Qb = g1^r · g2^y, sends server g2b, g3b, Pb and Qb
    • Server computes g2 = g2b^a2 and g3 = g3b^a3, picks random exponent s, computes Pa = g3^s, Qa = g1^s · g2^x and Ra = (Qa / Qb)^a3, sends client Pa, Qa and Ra
    • Client computes Rb = (Qa / Qb)^b3 and Rab = Ra^b3, checks whether Rab equals (Pa / Pb), sends server Rb
    • Server computes Rab = Rb^a3 and checks whether Rab equals (Pa / Pb)

    For more information on this step please see the excellent paper “A Fair and Efficient Solution to the Socialist Millionaires’ Problem”.

  8. Upon successful completion of the proof, the server allows the session to proceed.
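The following is an added example, not the Clench proof-of-concept code the post links to: a single-process Python simulation of steps 4 to 7 that runs the hash construction and the Socialist Millionaire proof exactly as listed above, then shows the honest case succeeding and both the man-in-the-middle case and a mistyped password failing. It assumes SHA-256 as the hash (the post does not name one), a demo-sized group (the Mersenne prime 2^127 - 1 with generator 3) in place of a production group, and constructed byte strings standing in for the server's and an attacker's public keys.

```python
"""Simulation of the Clench handshake, steps 4 to 7, on one machine."""
import hashlib
import os
import secrets
import time

# Demo-sized group (assumption for this example): Z_p^* with the Mersenne
# prime 2^127 - 1 and generator 3. A deployment would use a large standard
# group such as the 1536-bit MODP group OTR uses for the SMP.
P = (1 << 127) - 1
G1 = 3

# Constructed stand-in public keys; real keys would be DER or fingerprint bytes.
SERVER_PUB = b"constructed-server-public-key"
MITM_PUB = b"constructed-attacker-public-key"


def make_nonce() -> bytes:
    """Step 4: ticks since the Unix epoch plus 16 bytes of random data."""
    ticks = int(time.time()).to_bytes(8, "big")
    return ticks + os.urandom(16)


def clench_hash(password: str, server_pubkey: bytes, nonce: bytes) -> int:
    """Step 6: hash of [password + public key + nonce], used as the SMP secret.

    SHA-256 is an assumption; the post does not name the hash. The client
    feeds in the key it saw during the handshake, the server its own key.
    """
    digest = hashlib.sha256(password.encode() + server_pubkey + nonce).digest()
    return int.from_bytes(digest, "big")


def _rand_exp() -> int:
    return secrets.randbelow(P - 2) + 1


def _div(a: int, b: int) -> int:
    """a / b in the group, i.e. a * b^-1 mod P."""
    return a * pow(b, -1, P) % P


def socialist_millionaire(x: int, y: int):
    """Step 7: the SMP as listed in the post; server holds x, client holds y.

    Returns (client_accepts, server_accepts). Neither side learns the other's
    value; both only learn whether x == y.
    """
    # Server: random a2, a3; sends g2a, g3a.
    a2, a3 = _rand_exp(), _rand_exp()
    g2a, g3a = pow(G1, a2, P), pow(G1, a3, P)
    # Client: random b2, b3; derives g2, g3; random r; sends g2b, g3b, Pb, Qb.
    b2, b3, r = _rand_exp(), _rand_exp(), _rand_exp()
    g2b, g3b = pow(G1, b2, P), pow(G1, b3, P)
    g2_c, g3_c = pow(g2a, b2, P), pow(g3a, b3, P)
    Pb = pow(g3_c, r, P)
    Qb = pow(G1, r, P) * pow(g2_c, y, P) % P
    # Server: derives the same g2, g3; random s; sends Pa, Qa, Ra.
    g2_s, g3_s = pow(g2b, a2, P), pow(g3b, a3, P)
    s = _rand_exp()
    Pa = pow(g3_s, s, P)
    Qa = pow(G1, s, P) * pow(g2_s, x, P) % P
    Ra = pow(_div(Qa, Qb), a3, P)
    # Client: computes Rb and Rab, checks Rab == Pa / Pb, sends Rb.
    Rb = pow(_div(Qa, Qb), b3, P)
    client_accepts = pow(Ra, b3, P) == _div(Pa, Pb)
    # Server: computes Rab from Rb and runs the same check.
    server_accepts = pow(Rb, a3, P) == _div(Pa, Pb)
    return client_accepts, server_accepts


def clench_login(typed_password: str, stored_password: str,
                 pubkey_seen_by_client: bytes, server_pubkey: bytes) -> bool:
    """Run steps 4 to 7 and report whether the session may proceed (step 8)."""
    nonce = make_nonce()
    y = clench_hash(typed_password, pubkey_seen_by_client, nonce)
    x = clench_hash(stored_password, server_pubkey, nonce)
    client_accepts, server_accepts = socialist_millionaire(x, y)
    return client_accepts and server_accepts


if __name__ == "__main__":
    pw = "correct horse battery"
    print("honest server :", clench_login(pw, pw, SERVER_PUB, SERVER_PUB))
    # A MitM presents its own key, so the client's y is built from the wrong key.
    print("man in middle :", clench_login(pw, pw, MITM_PUB, SERVER_PUB))
    # A typo fails the same way, which is the caveat raised later in the post.
    print("typo          :", clench_login(pw + "x", pw, SERVER_PUB, SERVER_PUB))
```

The MitM and typo cases are indistinguishable from the protocol's point of view, which is why the post later suggests a checksum on the initial shared secret.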

This method of authentication avoids nearly all of the current pitfalls of current authentication schemes. Things that cannot be done against our authentication mechanism:

  • Cracking a hash from the wire: No hash is revealed!
  • Man in the middle attacks. Impossible – the compared shared secret incorporates the server’s public key. If there’s an attacker in the middle, the client’s hash value y will be built with the wrong public key and thus will fail the zero-knowledge proof comparison.
  • Replay attacks. The underlying hash for the proof is not revealed, and is nonced anyway.
  • Brute force of the Socialist Millionaire protocol with a preloaded Rainbow Table: This is doubly impossible.
    1. Even if (x – y) could be extrapolated, the nonce is built with 16 bytes of random data. At least 2-3 bytes of the ticks value are hard to predict, so ending up with (18 + password length) bytes of random data results in a rainbow table size that is unfeasible to build.
    2. (x – y) cannot be extrapolated by brute force, as a new nonce is built for every authentication attempt, and potentially meaningful data from (x – y) cannot be generated without multiple attempts on the same shared secret value.

This can be accomplished in either the session layer or the application layer– the latter allowing easy implementation atop current infrastructure with trivial changes to clients.

The roadmap from here.

There are some barriers to implementing this for HTTPS. Firstly, there needs to be a javascript function that returns the current public key (or at least the fingerprint) of the https server called to load the page in the current DOM. There also needs to be some mechanism in the GUI of the browser that can’t be mimicked by an attacker to inform the client that the current login form implements a Clench-like authentication mechanism. Because obviously an attacker can just rewrite the form if they’re MitMing and trick the user into sending plaintext.

SSH can be implemented much faster; it’d just need a PAM module.

Hey, wait a second, doesn’t the passphrase have to be stored in plaintext or as an unsalted hash on the server?

Well, possibly yes. The perception of this as being an insurmountable flaw is largely the result of fallacious decisions in SysV in 1988. They were good decisions at the time due to the fact that it was ludicrously easy to break the security of a server then. However, the network has become far more hostile than the server. There are two major ways of ensuring the safety of a plaintext password or unsalted hash data store:

  • The authenticating server needn’t actually have the password in plaintext, it merely needs access to a more device that has it. A secure hashing device can be implemented on a PIC/Atmel/Xilinx– it’s job is to generate the nonce, give it to the server with a cookie, then when the server responds back with a userid and the cookie it hashes together the nonce, the client’s password (which only the secure device has access to) and the server’s known public key, taken from a whitelist. It then passes the hash to the server. It is trivially easy to build a device in hardware which can only provide nonces, cookies and hashes and write new passwords without ever giving stored passwords up in plaintext, and disallows reprogramming to do anything otherwise. Or if not a hardware device, perhaps a grsec-hardened machine running managed code with no network stack exposed, doing a similar transaction raw over serial port or Infiniband. If my sole goal of a machine is to hash things and keep a file secure, I can confidently make it bulletproof without risk of compromise.
    The potential implementations highlighted above are in development, and will be aired at the first opportunity (provided I evade unjust imprisonment, lol).
  • Make your users create two passphrases– the first of which will be stored in plaintext, to assure no MitM, the second of which will be stored shadowed as normal in case the server is compromised. Telling grandma she needs two different passwords to use her bank account is a lot easier than teaching her to install a client certificate.

Hey, there’s no way to tell the difference between an attempt at man-in-the-middle and a mistyped password!

With a user-specified password, no. If your initial shared secret has a checksum or Luhn check in it, however, the client can notify the user of a potentially mistyped password.
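The exchange from the first bullet above and the checksum idea from this answer, as an added Python simulation that is not the author's code: it assumes SHA-256, a response of hash(nonce || passphrase || server-key fingerprint), constructed placeholder bytes in place of real public keys, and a numeric shared secret issued with a Luhn check digit.

```python
"""Clench-style challenge-response with an isolated hashing device.
Added example (not the author's code).  Assumptions: SHA-256; the response is
SHA-256(nonce || passphrase || fingerprint(server public key)); the device holds
plaintext passphrases plus a whitelist of the real server's key fingerprints;
the shared secret is numeric and carries a Luhn check digit."""
import hashlib
import hmac
import os

# Constructed placeholders standing in for encoded public keys (not real keys).
REAL_SERVER_KEY = b"constructed: real server public key"
MITM_KEY = b"constructed: interposed attacker public key"


def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()


def clench_response(nonce: bytes, passphrase: str, server_fpr: str) -> str:
    """Computed by both ends; the passphrase itself never crosses the network."""
    return hashlib.sha256(nonce + passphrase.encode() + server_fpr.encode()).hexdigest()


class HashingDevice:
    """The isolated device: the only component that ever sees passphrases.
    Its interface is nonces in, yes/no verdicts out, nothing else."""

    def __init__(self, users: dict, key_whitelist: list):
        self._users = dict(users)             # userid -> plaintext passphrase
        self._whitelist = set(key_whitelist)  # fingerprints of the real server's keys
        self._pending = {}                    # cookie -> nonce, single use

    def issue_nonce(self):
        cookie, nonce = os.urandom(8).hex(), os.urandom(16)
        self._pending[cookie] = nonce
        return cookie, nonce

    def verify(self, cookie: str, userid: str, client_hash: str) -> bool:
        nonce = self._pending.pop(cookie, None)  # cookie is consumed, so a replay fails
        if nonce is None or userid not in self._users:
            return False
        # The device hashes over the key it knows the real server uses.  A client that
        # hashed over an attacker's key cannot match, however the attacker relays it.
        return any(
            hmac.compare_digest(clench_response(nonce, self._users[userid], fpr), client_hash)
            for fpr in self._whitelist)


def attempt_login(device: HashingDevice, userid: str, passphrase: str, observed_key: bytes) -> bool:
    """Server fetches a nonce from the device and forwards it; the client hashes
    over whatever public key it actually saw on its TLS connection."""
    cookie, nonce = device.issue_nonce()
    response = clench_response(nonce, passphrase, fingerprint(observed_key))
    return device.verify(cookie, userid, response)


def luhn_valid(secret: str) -> bool:
    """Luhn check over a numeric secret that was issued with a check digit."""
    if not secret.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(secret)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def diagnose(device: HashingDevice, userid: str, passphrase: str, observed_key: bytes) -> str:
    """What the client can tell the user: a failed Luhn check is flagged locally as
    a probable typo before anything is sent; a well-formed secret that still
    fails is a key mismatch, i.e. wrong secret or an interposed server key."""
    if not luhn_valid(passphrase):
        return "mistyped"
    return "ok" if attempt_login(device, userid, passphrase, observed_key) else "mismatch"


if __name__ == "__main__":
    dev = HashingDevice({"alice": "79927398713"}, [fingerprint(REAL_SERVER_KEY)])
    print(diagnose(dev, "alice", "79927398713", REAL_SERVER_KEY))  # ok
    print(diagnose(dev, "alice", "79927398713", MITM_KEY))         # mismatch
    print(diagnose(dev, "alice", "79927398718", REAL_SERVER_KEY))  # mistyped
```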

Okay, I’m tired of reading your shit. Where’s the codes?

Here. Enjoy, and know that a meatier paper is on its way (provided I evade unjust imprisonment long enough to do the peer review process for a journal or conference) if you want to read this in academic tripe format.

More hypocrisy exposed


Oh look, security researcher Ron Bowes enumerated a list of all public Facebook users from data on a public Facebook webserver:
http://www.thinq.co.uk/2010/7/28/100-million-facebook-pages-leaked-torrent-site/

This action is indistinguishable from the actions of the iPad scraper. This is another case of public data aggregated perfectly legally from a public web server. The difference? Goatse Security only released this data to a single journalist, solely for the purpose of informing the public. Ron Bowes made a public BitTorrent of the data, publishing it for the entire world to abuse. Goatse acted with a higher standard of ethics than Mr. Bowes. Yet we’re pretty sure he won’t be getting his door kicked in by the feds.

AT&T’s claim that we acted maliciously is false and the warrants obtained against us through misstatements of fact are unlawful.

Hypocrites and pharisees


A while ago, someone came to me and gave me some data involving AT&T iPad customers to publicize, the full story of which I’m sure you’re all familiar with from my previous excellent blog posts. I was subsequently raided by the FBI and arrested, though I have been under gag orders and haven’t been able to discuss the details of what happened. I am now violating those gag orders because my civil liberties are being grossly violated– I have even been denied a public defense attorney on an imprisonable offense. I believe that speaking out is my only hope at being saved, and my story is important reading for anybody that uses the Internet for political speech.

The Institute of Electrical and Electronics Engineers posts on a law firm which did the exact same thing the author of the iPad slurper script did– incremented a numerical identifier on a public HTTP server to scrape data. They used this technique to take data from the Anthem/Blue Cross insurance company.

Was that data the law firm grabbed undefined as personal information according to any public statutes like Goatse’s? No, actually! It was medical records (protected by HIPAA) and Social Security numbers, protected by at least the privacy statutes of California and Massachusetts!

Did the law firm scramble as Goatse Security did to ensure that the vendor would have the opportunity to patch the data? No! They spent as long as they could manage scraping the data, as opposed to the mere hours that the iPad slurper did in the interim while AT&T fixed the vulnerability!

Did the law firm collect and use the data solely in public interest, destroying it after it was used to notify the public of the vulnerability? No! The law firm collected the data for purposes of private monetary gain, and as far as I know still have a copy!

Has the law firm been raided by the FBI and had its property stolen without cause? No!

Has the law firm had drugs “found” (and found is in quotes for a good reason, as the drugs “found” near me were “found” in the execution of a warrant for computers only, with a landmark free speech case involving a very angry 150 billion dollar corporation in the balance) within its offices? No!

There’s also a case of a security researcher that recently found a privacy flaw in Foursquare and used it to scrape hundreds of thousands of private location updates, without the advance notification of Foursquare. Was this security researcher similarly raided by the FBI without probable cause? No. The utter hypocrisy of this case is astounding.

My actions and those of Goatse were not criminal; they were done using industry standard practices as a public service. All the actions of the original author of this exploit were not criminal. Scraping data from a public web server is an extremely common practice amongst lawyers, security researchers and journalists, not to mention web developers. I have even talked to journalists who have collected stolen credit cards to discuss the implications with the victims who are involved. Hell, if scraping data from a public webserver becomes criminal, virtually all of the content that appears on Google News or Google Blogsearch is going to send someone to jail.

The warrant was executed without probable cause, as there is no way a reasonable and educated person could believe a crime was committed.

Beyond that, my role in this was solely that of a journalist. I never took credit for the collecting of the data itself. I was a publicist and as evidenced by the way this story took off with proper seeding, I am damn good at that. I took data that someone gave me anonymously and let the world know about it in what I thought was the most efficient way possible. I am being persecuted solely because my speech has angered a large corporation. I have been threatened with indictment from the Assistant US Attorney on the case, as evidenced in these screenshots:

I have received similar threats in the past day to be prosecuted on the basis of “computer intrusion” if I do not give the prosecutor in this case the information he wants, which I do not have.

I have even been denied my right to an attorney for a jailable offense, in violation of the US Constitution, Gideon v. Wainwright, and Title 16 of Arkansas law, as evidenced by this court memorandum. It took several attempts of visiting the courthouse and begging to even get that memorandum to show you that I was even being denied an attorney.

This is a complete miscarriage of the justice system, and the perpetrators are scribes serving pharisees and hypocrites.

Why my case is important to you

My case is absolutely important to bloggers and journalists. My case involves speech, and speech alone. If I’m threatened today, you are threatened tomorrow. The ability for bloggers and journalists to blow the whistle on corporate and government misdeeds is on the line here.

If you are a website operator of any kind, my case is important to you. The idea that you could be held liable for telling people about user-generated content is a nightmare.

If you are a security professional, this case is obviously important to you. Full disclosure is important to the security community, and is the only way independent researchers can build a name and business for themselves. It is also the only way which the public can be informed and educated about risks to their safety.

If you are a proponent of civil liberties, my case is important to you. This is the first amendment on the line, and I will be first, because I have been actually exercising my right to speak freely when things are tolerable. Very soon, things in this country will be much less tolerable, and if I am sent to prison the precedent will gag your mouths as well.

If you are a fan of the lulz, my case is important to you. I am the master of the art of the spectacle, and if you would like to see more spectacles you want me to stay on the streets. Support me and I promise you dividends in lulz for all eternity.

Not the first time my civil liberties have been violated

The federal government has a long history in violating my civil liberties. In 2008, I became dissatisfied with the public dialogue on the conflict over Israel. In this debate, the first party says “we must unequivocally support Israel’s genocide of the Palestinian people, crimes against humanity and continued acts of espionage against our nation”. The other party says, “it is complicated.”

The first statement is extreme and evil. The second is just plain wrong. I decided to make some videos to balance out the dialogue which consisted largely of support for the absolutely absurd policy of the genocide of Palestinians. So I made some obviously parodic videos consisting of support of the equally absurd policy of genocide of the Jews. Which, besides being an obvious joke, were constitutionally protected speech under Brandenburg v. Ohio.

Let me elaborate on “obviously parodic”. By obviously parodic, in one of them I am wearing a luchador mask and preparing to blow up a pinata shaped like a giraffe while “American barbie did world trade center” scrolls across the frame. In another, I am commanding my “followers” (my audience who is well aware that this is a comedy show) that our faith includes a commandment of wearing temporary tattoos featuring an image of my friend’s dog. In another I am blaming Farrah Fawcett’s death by anal cancer as a result of HPV picked up from anal sex with Jews. In summation, if you took these videos at face value you are a complete idiot.

The reality that these videos were an obvious joke should only be enhanced by the fact that there is a Forbes article comparing me to Shakespeare’s Puck and a Fox News article calling my rhetoric “offensive and witty detail”.

Any attempt to brand me an anti-Semite is idiotic. I have no problem with any person solely because of their Semitic descent. Take a look at my last name, “Auernheimer”. Think about the likely origins of this name for a second. Even a quick Google reveals its origins. The most famous Auernheimer of history, journalist and author Raoul Auernheimer, had his way bought from the fires of Dachau by his uncle, Theodore Herzl himself. Come on, I have curly hair and brown eyes here. The claim many “journalists” are making that I am some sort of Nazi is preposterous, but I suppose you have to resort to ad hominem when the public overwhelmingly supported me on the basis of the facts of the case.

So what did the federal government do in response to my videos?

Why, they try to cast me as a synagogue-threatening nutjob in the public eye. I have never threatened a synagogue, nor encouraged anyone else to. I would never do so. How did my name get attached to this?

Let us say, hypothetically, that you’re an FBI agent named Mueller. You have someone whose speech you want to silence. You call up a 3rd party who you have control over, likely a confidential informant absolutely beholden to you because you can put him in prison for unsatisfactory performance. You tell this informant to make threatening phone calls to a synagogue. You then posit that the person whose speech you want to chill is responsible to the victim, and have them report it to the police.

Now that your target has been accused of a terrorist act, they get your name on all the watchlists and your pals at the FBI have “justification” to:

  • Have a Jewish group publish their name and license plate number in a Jewish publication associating their name with threats of violence to a synagogue, despite the fact that they never had anything to do with such threats and their constitutional right to pseudonymous communication which has been affirmed by many court precedents both appellate and supreme. This article will later be relinked to and quoted by many Jewish reporters and used against your target. Said reporters will conveniently forget to publish the part that says some other dude made the threats and not your target.
  • Break into their house and steal hundreds of thousands of dollars of their assets on secret warrants while they are away on vacation, never delivering them a list of stolen property or any means to verify that it happened. They will never get their stuff back. Yes, this happened to me. Yes, I called lawyers. I was told without surveillance footage or some other proof of the theft I had no real ground to stand on.
  • Go to their business partners, friends and family and tell them outright lies (they said I “ran klan meetings in the desert” and “manufactured grenades”, no joke). Due to crown immunity, you can never sue the FBI for libel, no matter what they say!
  • Go to the customers of their newly formed business, which they have invested all liquid capital in and tell them they are funding terrorism. They will no longer have customers.
  • Hand the target items which appear to be contraband in attempts to either frame the target for crimes or put psychological pressures on him.

All this because I dared put forward some politics, religion and humor that the establishment doesn’t like. I suppose I received better than Anwar al-Awlaki, a US citizen practicing his faith who received execution orders without trial signed by our Pharaoh in return for merely speaking his mind.

I put at risk and lost my business because I believed in speaking out against injustice. I could have shut up, continued receiving a six figure salary and living a pointless life based on fleecing other people. I put it all on the line because of two reasons:

  1. After getting all that stuff they have us chasing after, I realized it was all a load of garbage and wasn’t a sufficient bribe to sit in my castle in the sky and watch the freedoms our forefathers fought and died for be flushed down the toilet.
  2. I consider the absolute disdain our illegitimate leaders have for the Constitution the most important problem to be solved in our time.

I have empirically proven by experimentation that free speech is gravely threatened in this country. I have only spoken up for what I believe in through politics, religion and humor, the three big constitutional safeguards. Beyond that, other aspects of my speech have been lawful behavior in the service of the public. I have been endlessly persecuted by a government occupied by evil for it. They have libeled me with lies in the public forum, stolen my assets, attempted to frame me for crimes, brought false charges against me, terrorized my friends and family (including threatening my mother with rape), and intentionally destroyed my business. The agents of the federal government that attack me truly hate rule of law and the Constitution, and have hijacked federal funds to silence my speech. The founders understood the need for free speech and the marketplace of ideas. These FBI agents have shown they care little for the protections of the constitution, and should be charged with treason.

I’ve also been subject to “journalists” with a complete lack of integrity telling blatant lies about me. For example, Mattathias Schwartz claimed in the New York Times that I demanded ransom payments for the daughters of corporate executives. This came out of nowhere– I’ve never done such a thing, never claimed to do such a thing, and would do no such thing. As far as I can tell, he paid someone to say it. He didn’t want the story I gave him. It was a story of philosophy, politics and Christianity. He also was visibly distraught when I called Sigmund Freud a child molester (which he was), Israel a nation run by genocidal sociopaths, and the Federal Reserve a privately owned institution to enforce a dynastic oligopoly over credit (which it is). So he made his own story, where I was turned into some fictitious character for his benefit. The whole thing reminded me of disgraced journalist Stephen Glass (though less entertaining). It was pretty funny when it happened, but now that his lies are being used against me to a jury it isn’t as humorous.

Or consider Fast Company, which posted a picture out of context of me holding a bag of white powder. This bag of white powder was something called Piracetam. It is a perfectly legal nutritional supplement along the lines of Ginkgo Biloba– it improves memory. It was in a thread with me asking people what nutritional supplements they take. Out of context, it makes me look like a drug dealer. Such deliberate dishonesty has become a matter of course for “journalists” who have a personal dislike of me.

I’ve been subject to abuses of the system like you wouldn’t believe, and need serious help getting out of this. After I’m done, we need to work together to set up a system where these people won’t merely be punished in the next life, but this one as well.

The current nightmare, and what you can do to help

When I was made a detainee at the Washington County jail, after my phone call two FBI agents from Newark came by and delivered a document. They stated I had 3 days to respond to said document or I would be given a new charge of contempt. The document was placed in my belongings up front, and I was promptly thrown into solitary confinement. I was not allowed to view the document to write a response to it. I was not able to contact anyone on the outside (such as my bondswoman). If she hadn’t noticed my picture in the paper and come to rescue me, I might still be in jail.

After having my money stolen and business ruined by the FBI because I dared speak my mind in a lawful manner, I am no longer in decent financial shape. I have been denied a public defender by the Fayetteville courthouse. I have had all my computers seized on a warrant which could not possibly have had probable cause, and thus am lacking the very materials I would need to take this pro se. My requests to get a copy of the secret warrant used to steal my property have been stonewalled by state and federal authorities.

As I have been denied my constitutional rights to an attorney, I need help to make the retainer for a private one. This is not a burden I can continue to bear alone. This is the sort of thing which went on before the crumbling of the Soviet Union. This tyrannical bureaucratic torture should not happen to US citizens. I do not want America to crumble, and I want to continue my work defending the United States Constitution and protecting the American people from cyberthreats. To defend myself, I need money. I’ve never needed nor asked for help before, but I am really in trouble this time. If you could spare some cash to donate, please paypal some cash to: snailcricket@gmail.com

Please write letters to your local, state and national representatives. If you happen to know any attorneys who would be willing to take this case let me know. I am at the end of my rope. My largest hope at this point is that history will record my future actions in the context of the illegal injustice that has been done to me.

Goatse Security Press Release


June 20th, 2010 ― Goatse Security is dismayed at AT&T’s effort to co-opt the authority of the FBI to absolve themselves of their responsibility in a massive security vulnerability which disclosed private and secure information of its customers. Indeed, this vulnerability was 100% avoidable, and 100% AT&T’s fault. By co-opting the FBI, the private lives of Goatse Security volunteers have been invaded, and destroyed by what was at best a blunt instrument: the raid, by force, of the Goatse Security spokesperson’s private residence.

Goatse Security, in terms both clear and public, deplores this use of force to solve what is, in the end, AT&T’s PR problem. Goatse Security took measures beyond the norm to contact AT&T and assist them in patching the vulnerability before publishing it, or allowing any related media story to be published. It is our belief, and AT&T’s brash and public actions reinforce this belief, that:

  • Without large numbers of compromised customers, and without the headlines that go with them, this vulnerability would have gone unpublished, and AT&T customers unprotected. AT&T, as has been demonstrated in this instance, is grossly irresponsible with the private data of its customers. We have no reasonable belief that AT&T would have taken action, would have warned anyone of this vulnerability. Instead, they would have simply swept it under the rug.
  • Full disclosure, the immediate public release of a vulnerability, is justified when companies act in their own self-interest, instead of protecting their customers’ privacy. Indeed, AT&T, instead of respecting its customers’ privacy, violated ours. This is unacceptable. Further vulnerabilities developed against AT&T will continue to be developed utilizing the best common practices (BCP) for developing such exploits, but will no longer be privately given to AT&T prior to their release. All future releases of AT&T related vulnerabilities will occur under “Full Disclosure” practices.

Goatse Security is relieved that Andrew has been released from his incarceration and is mostly unharmed, but condemns the violent, subversive, and unnecessary actions taken against him by both AT&T and the FBI. We wish Andrew the best in coming days as he picks up his front door, and his life, both pointlessly shattered by the FBI.