Goatse Security

In the wake of recent events, Goatse Security has released an encrypted “insurance” file. Admittedly, it’s not as groundbreaking as the Wikileaks insurance, but we don’t intend to release the key until after a verdict has been passed on both weev and JacksonBrown.  We encourage all to download and share this file. Blog about it, upload it to your favourite bittorrent tracker, keep it on your FTP, whatever! We’d like to make clear that it’s nothing to do with AT&T, nor is it the supposed “email list” that was deleted a long time ago.

Direct link: http://security.goatse.fr/media/goatseinsurance.aes256
Bittorrent:   http://security.goatse.fr/media/goatseinsurance.torrent
MD5:           b25852056cf86c9aeb42b229ed5752cd

Additionally, we intend to start collecting funds for weev’s and JacksonBrown’s defense fund within the next day or so. Thank you to everyone who has contacted us over the past few days for showing an interest in their trial, and thank you to everyone who continues to raise awareness of their plight. weev would probably appreciate people to pray for him. We don’t know about JacksonBrown, but it’s the thought that counts.

~Murdox

GNAA President

(By the way, don’t expect too much activity on the GoatseSecurity twitter until weev comes back).

On the heels of the arrest of two of Goatse Security’s researchers, I felt compelled to write a statement reiterating a few points regarding last year’s AT&T breach which I believe are important:

1. The only data gathered was a list of e-mail addresses.  No real names, mailing addresses, or any associated data was breached.
2. The data gathered was publicly available on AT&T’s web server.  Any person could say “What is the e-mail address associated with ID XXXXXXXX” and the server would happily reply “johndoe@yahoo.com” or “invalid ID”.  The process of doing so was simply automated using random IDs.  There was no “real” hacking involved.
3. Through intermediary channels, Goatse Security notified AT&T of the hole in their system and waited until it had been patched before we made our disclosure.
4. Under no circumstances was the data ever made public.  It was only given to Gawker Media under the condition that it would be redacted, just as proof that the data had been leaked and this was not a fictitious claim.
5. AT&T has pressured the USDoJ and the FBI into building and prosecuting a baseless case because they care more about their own share price than their customers.  Stated another way: the American government works at the behest of private corporations.

AT&T, the FBI, and the prosecution have labeled this as a “malicious” attack, directly against AT&T’s interests and their customers.  This could not be farther from the truth.  The flaw was quite literally stumbled upon; AT&T was never targeted, and upon gathering the data, it was not sold, distributed, or used otherwise (although it certainly had the potential to be used quite maliciously) – it was only disseminated to a single media outlet because we believed it was important enough to share.  Were the hole discovered by a malicious party, the data could have been easily sold to the RBN at a very high price, could have been used to target iPad owners with AT&T phishing e-mails, the e-mails could have been sent iPad trojans, or otherwise.  The private discussions we had to determine the extent of the flaw will undoubtedly be twisted and redacted by the prosecution to create an appearance of malice, as these were all topics touched upon.  This can be damning even though the discussion itself is not a crime.

The case is based entirely upon IRC logs, anonymously submitted, which could be completely fabricated with no method of verification.  These logs constitute the majority of the prosecution’s “evidence”, and are solely being used to create an image of malicious intent.

The fact of the matter is quite simple: AT&T put their own customers at risk through negligence, their share price dropped when this fact was exposed, and they have now co-opted the USDoJ and the FBI to attempt to shift the blame from themselves to individuals who were looking out for the public good.

In the end, regardless of how the chat logs are made to appear, and regardless of other questionable activities that members may have been involved in, the facts do not change: GoatSec researchers found a hole, made sure it was closed, and responsibly disclosed its existence.

–Rucas

Today, Jan. 18th, Andrew Auernheimer and Daniel Spitler were brought
into custody on the basis of a federal criminal complaint of a highly
dubious and unsettling nature. The complaint alleges that the two were
responsible for gross crimes of conspiracy to hack computers and
fraud. Let's examine the government's case.

The gist of what supposedly transpired is this: in the summer of 2010,
Spitler created a PHP script to harvest email addresses of people who
purchased a 3G iPad. This was accomplished very simply, because AT&T
had set up a web service that would match a given ICC-ID (SIM card
serial number) to an email address. This was to make the sign-up
process for people who just purchased their new iPads easier, since it
would pre-fill their email address in the registration form. Due to
sloppiness on the part of AT&T web engineers, there was no rate
limiting, user agent checking or any other mechanism to prevent
someone from simply taking a random ICC-ID and adding one to it, over
and over (the FBI calls this "hacking"). Since AT&T's ICC-IDs were
more or less sequential, assembling a list of email addresses was
quite straightforward.

The only information that could have been gleaned from this process
was ICC-IDs (which are totally useless) linked to email addresses
(which are not private information). That's all. The only reason we
are even hearing about this is because Andrew is a clever fellow who
likes to make very embellished and sensational claims as a form of
ironic humor, and he was able to convince some people in the media to
make a big deal about the whole situation. This made AT&T look bad,
and their customers concerned, both of which outcomes are to be
expected.

Apparently, it seems making AT&T lose face is a heinous offense,
justifying seven months of investigation by the FBI and many, many
grand jury sessions at great taxpayer expense. Several people were
raided by federal and state agents to search for evidence relating to
the email harvesting. The FBI engaged in standard harassment practices
and blanket subpoenas to pursue their case, refused to allow
Auernheimer to see his warrant (claiming "national security" concerns)
and intimidated his girlfriend and potential employers. There is
certainly a history of AT&T doing favors for the FBI (warrant-less
wiretapping for example). I am not saying there is evidence of a grand
conspiracy here, but it looks an awful lot as though AT&T was mad and
got their FBI pals to make the lives of Auernheimer and Spitler
unpleasant.

The criminal complaint charges the two with illegally accessing AT&T's
computers which are classified as "protected computers" under USC
title 18, 1030(e)(2). This law written in 1986 defines a "protected
computer" (implying greater penalties) as one that is accessible
across state lines, which would now include any machine hooked up to
the internet. The servers are described as having been "fooled into
believing that they were communicating with an actual iPad 3G and
wrongly granted the Account Slurper access to AT&T's servers". No
access was granted or requested, no machines were "fooled" (whatever
that means), and the machines were already accessible from anyone with
an internet connection because they were web servers. They say this
was accomplished without authorization from AT&T, even though that
point means nothing since all "legitimate" users were not granted
explicit authorization either.

In fact, when you examine the facts presented in the criminal
complaint, it's amazing that the DOJ would even waste their time with
a case with a flimsy house of cards presented as evidence.

The complaint cites news articles quoting Andrew's fantastical
hyperbole about the security group's actions. There are
well-documented cases of the media believing all sorts of ridiculous
computer security tripe and publishing it without fully comprehending
what they are writing about. If the FBI is going off of such stories
and respected news outlets such as a blog devoted to publishing gossip
on Silicon Valley, one really wonders how informed they are. I imagine
they know what they are doing, but include it anyway because it makes
their case look stronger to the poor judge who's time is being
wasted. Also cited is Andrew's LiveJournal, to which I must say "LOL"
("LOL" and its variants stand for laughing out loud, notes the
complaint in one of many hilarious footnotes).

They go on to bring up past interviews in which Andrew, undoubtedly
under the influence of powerful narcotics at the time, makes up absurd
shit to see how much the clueless reporter will print. Anyone who is
at all familiar with Andrew or similar persons can immediately
recognize the quotes as ironic bullshitting, but the media and FBI are
hopelessly out of the loop when it comes to such things and actually
take his statements at face value. His past statements such as "I want
everyone off the internet" are apparently used to imply his guilt in
the present.

The Goatsec website is mentioned as stating Auernheimer among other
things as writing "Ruby while living in SF SoMa" which is a dig at
Spitler's homosexuality which became a topic during the grand jury
trial, although it is couched in so many layers of in-jokes to make
such a statement impenetrable by most people, which is true of almost
all statements that are quoted in the complaint.


IRC LOGS:

The only actual "evidence" presented of wrongdoing in the entire
complaint is "150 pages" of IRC logs provided by a confidential
source. Perhaps they are relying on the fact that the jury will
consist of people who have no idea what IRC is or why one should not
treat what is basically a text file from an anonymous source on the
internet as the basis for locking someone up for 10 years.

Unbelievably, the FBI actually subpoenaed Goatsec member "Rucas the
Earthworm" to appear before a grand jury in New Jersey to defend
himself for advising people to throw their computers in the river,
accusing him of advising people to destroy evidence.

The rest of the complaint is filled with hearsay and non-facts with a
number of downright fabrications. In one footnote, the agent preparing
the report notes that "the phrase 'D8' means to be deeply involved in
an activity or to perform an activity to the fullest extent possible."
Since "D8" is just a frowny face on its side, one can only conclude
that this and other facts are being made up wholesale.

The criminal charges being levied against Spitler and Auernheimer are
disconcerting for a number of reasons; most notably the concept of
charging someone with conspiracy on the basis of IRC logs. As
explained earlier, IRC logs are hardly difficult to make up, alter or
attribute to other persons. To say nothing of the very idea of
conspiracy as a crime itself. The fact that the conspiracy charge is
thrown in usually indicates that the prosecution doesn't actually have
any hard evidence of a real crime being committed, so they resort to
trying to pin thought-crime charges on their victims instead. It is
not my intention to be alarmist, but all citizens of any country
should be greatly concerned when corporations are able to get law
enforcement to arbitrarily enforce overly broad laws to silence and
punish anyone they deem an annoyance.

Thanks for reading,
Jason Gates