Hacker group responds to AT&T, leader held by FBI
You'll remember that the not-at-all-ridiculously-named Goatse Security (GS) announced its discovery of an exploit on AT&T's website last week. They used it to get a list of email addresses belonging to iPad 3G customers. One hundred and fourteen thousand of them, in fact. AT&T representatives said that they were made aware of the hole and had it patched within a day, and explained their side of the story in the New York Times. Dorothy Attwood, a senior vice president and chief privacy officer at AT&T, said "...unauthorized computer 'hackers' maliciously exploited a function designed to make your iPad log-in process faster."
The folks at GS took umbrage at being called "malicious," and posted their own response, citing still-unpatched vulnerabilities in Mobile Safari on the iPad as evidence that Apple and AT&T are not addressing the real issues. "When we disclosed this," wrote Escher Auernheimer, "we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare...The fact remains that there was not a hint of maliciousness in our disclosure."
The FBI agrees with Auernheimer's assertion that this exploit is of national interest. So much so, CNET reports, that they raided Andrew Auernheimer's home on a warrant (we assume "Escher" is a pseudonym). They found "illicit drugs," and Auernheimer is now being held on felony charges. Let this be a lesson to you. If you plan on serving your country, get rid of the drugs first.
[via Engadget]
@David
http://digitalmedia.oreilly.com/2005/02/02/hacktv.html
A delusional idiot media whore, AND an anti-semite. Lovely.
June 16 2010 at 5:06 PM
Had the vulnerability just been reported everything would be fine, but by exploiting the access point, downloading personal information, and then providing the data to Gawker, this guy became a common criminal hacker and should be jailed.
June 16 2010 at 2:54 PM
Speaking of Erica, anybody have a pic?
Uh oh:
http://www.jewishreview.org/local/Police-question-two-men-about-threats-to-Jewish-community
Looks like Andy has more than one problem.
Oh cut the strawman tactic. The fact that the hacker is a bearded acidhead does not change the fact that AT&T screwed up with those e-mail accounts and Mobile Safari has holes. If he posted similar info on Google, Adobe or MS you'd all be up in arms protecting the "truth" from the suspiciously long arms of law enforcement.
June 16 2010 at 1:46 PM
Victimless crime. Free Auernheimer and go after the real problem here - AT&T.
June 16 2010 at 1:32 PM
Seriously, this guy is an idiot (for the way he reported the breach and his general lack of PR smarts), but this wasn't a particularly sophisticated hack.
Hacker registers/logs on to AT&T site with iPad... sees that their email and/or details are being shown without any authentication, and sees the ICC-ID is being used to authenticate the user. Decides to try a few things, succeeds and ends up with a few email addresses... continues and gets 140K of them.
Probably should have stopped after a few, but seriously, this is the most amateurish kind of security hole. Just be glad the idiots at AT&T didn't decide to log you in to your account with the ICC-ID and show information like your address, or SSN.
Authentication by a unique token as a security device only works when that token is sufficiently large and random to mean just using a RNG to generate valid tokens. The ICC-ID of the device ISN'T sufficiently random to make it difficult for an attacker to guess those ids.
Maybe there needs to be a way to report this kind of stuff without relying on the company to do the right thing if you only contact them (and not have pissed off developers call the FBI or police themselves and accuse you of hacking (it's happened to people who've reported security flaws before)).
Or maybe you'd prefer people keep quiet and leave the hacking (and your information) to the black hats and trust companies like AT&T to keep your data secure!
It's Redbeard! Grower of the facial hair pirate pun.
June 16 2010 at 12:31 PM
I'm going to break into these hackers' houses and steal a bunch of their stuff. I'll keep it for a few weeks and give it back.
It's the right thing to do, though, because it's showing how weak their home's security is. You see, if I had just pointed out how weak their security is WITHOUT stealing their stuff, it wouldn't have been as patriotic.
;)
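The point made in the comment above about tokens needing to be large and random, as an added example (not part of the article or of any comment): it bounds the secrecy in a card-style device identifier and contrasts it with a random bearer token issued after login. The identifier layout, the figures in the demo and every function and class name are assumptions made for illustration.

```python
import hashlib
import math
import secrets

def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a numeric string (derivable by anyone)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                      # every second digit, from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def identifier_entropy_bits(total_digits: int, public_prefix_digits: int) -> float:
    """Upper bound on unknown bits in a card-style id: the issuer prefix is
    public and the last digit is computed, so neither adds secrecy.
    Sequential allocation (assumed common) lowers this further."""
    unknown_digits = total_digits - public_prefix_digits - 1
    return unknown_digits * math.log2(10)

def guesses_per_valid_value(entropy_bits: float, live_values: int) -> float:
    """Average random guesses before one lands on a value in use."""
    return 2 ** entropy_bits / live_values

class SessionStore:
    """Hardened lookup: account data is released only for a random bearer
    token issued after login, never for a device identifier."""

    def __init__(self) -> None:
        self._accounts = {}                 # sha256(token) -> email

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._accounts[self._key(token)] = email
        return token

    def lookup(self, presented: str):
        return self._accounts.get(self._key(presented))

if __name__ == "__main__":
    # Constructed figures: 20-digit id, 7 public digits, one million live ids.
    id_bits = identifier_entropy_bits(20, 7)
    print(f"device id: {id_bits:.1f} bits, "
          f"{guesses_per_valid_value(id_bits, 10**6):.0f} guesses per live id")
    print(f"random token: 256 bits, "
          f"{guesses_per_valid_value(256, 10**6):.2e} guesses per live token")
```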