Goatse Security: Difference between revisions
m →AT&T/iPad email address leak: Fixing links to disambiguation pages, replaced: News Corporation → News Corporation |
Maxeto0910 (talk | contribs) redundant and obvious Tags: Visual edit Mobile edit Mobile web edit Advanced mobile edit |
||
(52 intermediate revisions by 32 users not shown) | |||
Line 1: | Line 1: | ||
{{short description|Hacker group}} |
|||
{{Use mdy dates|date=December 2018}} |
{{Use mdy dates|date=December 2018}} |
||
{{Infobox organization |
{{Infobox organization |
||
| name = Goatse Security<br /><small>aka GoatSec<ref name="valleywag1"/><ref name="dailytech2"/></small> |
| name = Goatse Security<br /><small>aka GoatSec<ref name="valleywag1"/><ref name="dailytech2"/></small> |
||
| image = Goatse Security Logo.png |
| image = Goatse Security Logo.png |
||
| image_border = |
| image_border = |
||
| size = 180px |
| size = 180px |
||
| alt = <!-- alt text; see [[WP:ALT]] --> |
| alt = <!-- alt text; see [[WP:ALT]] --> |
||
| caption |
| caption = Logo |
||
| map = <!-- optional --> |
| map = <!-- optional --> |
||
| msize = <!-- map size, optional, default 250px --> |
| msize = <!-- map size, optional, default 250px --> |
||
| malt = <!-- map alt text --> |
| malt = <!-- map alt text --> |
||
| mcaption = <!-- optional --> |
| mcaption = <!-- optional --> |
||
| map2 = |
| map2 = |
||
| abbreviation = |
| abbreviation = |
||
| |
| predecessor = |
||
| |
| successor = |
||
⚫ | |||
| successor = |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | | membership = [[weev|Andrew "weev" Auernheimer]]<ref name="goatsecmembers1"/><ref name="theatlantic1"/><br />[[Sam Hocevar]]<ref name="goatsecmembers1"/><ref name="computerworld1"/><ref name="dailytech1"/><br />Daniel Spitler<ref name="goatsecmembers1"/><ref name="nytimes1"/><br />Leon Kaiser<ref name="dailytech2"/><ref name="goatsecmembers1"/><br />Nick "Rucas" Price<ref name="goatsecmembers1" /><ref name="microsoftonline" /><ref name="complaint" /> |
||
⚫ | |||
| language = <!-- official languages --> |
|||
⚫ | | membership = [[weev]]<ref name="goatsecmembers1"/><ref name="theatlantic1"/><br />[[Sam Hocevar]]<ref name="goatsecmembers1"/><ref name="computerworld1"/><ref name="dailytech1"/><br />Daniel Spitler<ref name="goatsecmembers1"/><ref name="nytimes1"/><br />Leon Kaiser<ref name="dailytech2"/><ref name="goatsecmembers1"/><br />Nick "Rucas" Price<ref name="goatsecmembers1" /><ref name="microsoftonline" /><ref name="complaint" /> |
||
| |
| general = <!-- Secretary General --> |
||
| |
| leader_title = Origin |
||
⚫ | |||
| leader_title = Origin |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
| main_organ = <!-- gral. assembly, board of directors, etc --> |
|||
⚫ | |||
| |
| parent_organization = <!-- if one --> |
||
| budget = |
|||
| parent_organization = <!-- if one --> |
|||
| |
| num_staff = |
||
| |
| num_volunteers = |
||
| slogan = |
|||
| num_volunteers = |
|||
⚫ | |||
| slogan = Gaping Holes Exposed<ref name="thetechherald1"/> |
|||
| remarks = |
|||
⚫ | |||
| |
| former name = |
||
| former name = |
|||
}} |
}} |
||
⚫ | '''Goatse Security''' ('''GoatSec''') was a loose-knit, nine-person<ref name="washpost" /> [[grey hat]]<ref name="Kirsch">{{cite journal |last1=Kirsch |first1=Cassandra |title=The Grey Hat Hacker: Reconciling Cyberspace Reality and the Law |journal=Northern Kentucky Law Review |date=2014 |volume=41 |page=386 |url=http://www.academia.edu/download/36926435/8-Kirsch_v2.pdf }}{{dead link|date=July 2022|bot=medic}}{{cbignore|bot=medic}}</ref> [[hacker group]]<ref name="Leyden"/> that specialized in uncovering security flaws.<ref name="onlinewsj1"/><ref name="npr1"/> It was a division of the anti-blogging [[Troll (Internet)|Internet trolling]] organization known as the [[Gay Nigger Association of America]] (GNAA).<ref name="dailytech2"/> The group derives its name from the [[Goatse.cx]] [[shock site]],<ref name="theatlantic1"/> and it chose "Gaping Holes Exposed" as its [[slogan]].<ref name="thetechherald1"/> The website has been abandoned without an update since May 2014.<ref>{{Cite web |url=http://security.goatse.fr/compiz-denial-of-service-vulnerability |title=Compiz vulnerability « Goatse Security |access-date=October 15, 2019 |archive-date=July 24, 2019 |archive-url=https://web.archive.org/web/20190724180836/http://security.goatse.fr/compiz-denial-of-service-vulnerability |url-status=dead }}</ref> |
||
⚫ | |||
⚫ | '''Goatse Security''' ('''GoatSec''') |
||
In June 2010, Goatse Security obtained the [[email addresses]] of approximately 114,000 Apple iPad users. This led to an [[FBI]] investigation and the filing of criminal charges against two of the group's members. |
In June 2010, Goatse Security obtained the [[email addresses]] of approximately 114,000 Apple iPad users. This led to an [[FBI]] investigation and the filing of criminal charges against two of the group's members. |
||
==Founding== |
==Founding== |
||
The GNAA had several security researchers within its membership. According to Goatse Security spokesperson |
The GNAA had several security researchers within its membership. According to Goatse Security spokesperson Leon Kaiser, the GNAA could not fully utilize their talents since the group believed that there would not be anyone who would take security data published by the GNAA seriously. In order to create a medium through which GNAA members can publish their security findings, the GNAA created Goatse Security in December 2009.<ref name="dailytech2"/><ref name="onlinewsj1"/> |
||
==Discovery of browser vulnerabilities== |
==Discovery of browser vulnerabilities== |
||
Line 65: | Line 64: | ||
On June 5, 2010, Daniel Spitler, aka "JacksonBrown", began discussing this vulnerability and possible ways to exploit it, including [[phishing]], on an IRC channel.<ref name="nytimes1"/><ref name="complaint1"/><ref name="bloomberg1"/> Goatse Security constructed a [[PHP]]-based [[Brute force attack|brute force]] script that would send HTTP requests with random ICC-IDs to the AT&T website until a legitimate ICC-ID is entered, which would return the email address corresponding to the ICC-ID.<ref name="computerworld3"/><ref name="gizmodo1"/> This script was dubbed the "iPad 3G Account Slurper."<ref name="bloomberg1"/> |
On June 5, 2010, Daniel Spitler, aka "JacksonBrown", began discussing this vulnerability and possible ways to exploit it, including [[phishing]], on an IRC channel.<ref name="nytimes1"/><ref name="complaint1"/><ref name="bloomberg1"/> Goatse Security constructed a [[PHP]]-based [[Brute force attack|brute force]] script that would send HTTP requests with random ICC-IDs to the AT&T website until a legitimate ICC-ID is entered, which would return the email address corresponding to the ICC-ID.<ref name="computerworld3"/><ref name="gizmodo1"/> This script was dubbed the "iPad 3G Account Slurper."<ref name="bloomberg1"/> |
||
Goatse Security then attempted to find an appropriate news source to |
Goatse Security then attempted to find an appropriate news source to disclose the leaked information, with Auernheimer attempting to contact [[News Corporation (1980–2013)|News Corporation]] and [[Thomson Reuters]] executives, including [[Arthur Siskind]], about AT&T's security problems.<ref name="pcworld1"/> On June 6, 2010, Auernheimer sent emails with some of the ICC-IDs recovered in order to verify his claims.<ref name="complaint1"/><ref name="pcworld1"/> Chat logs from this period also reveal that attention and publicity may have been incentives for the group.<ref name="arstechnica1"/> |
||
Contrary to what it first claimed, the group initially revealed the security flaw to [[Gawker Media]] ''before'' notifying AT&T<ref name="arstechnica1"/> and also exposed the data of 114,000 iPad users, including those of celebrities, the government and the military. These tactics re-provoked significant debate on the proper disclosure of IT security flaws.<ref name=wsj14>{{cite news |title=Computer Experts Face Backlash |first=Ben |last=Worthen |author2=Spencer E. Ante |newspaper=WSJ.com |date=June 14, 2010 |url=https://www.wsj.com/articles/SB10001424052748703885104575303032919382858?mod=WSJ_hpp_sections_tech }}</ref> |
Contrary to what it first claimed, the group initially revealed the security flaw to [[Gawker Media]] ''before'' notifying AT&T<ref name="arstechnica1"/> and also exposed the data of 114,000 iPad users, including those of celebrities, the government and the military. These tactics re-provoked significant debate on the proper disclosure of IT security flaws.<ref name=wsj14>{{cite news |title=Computer Experts Face Backlash |first=Ben |last=Worthen |author2=Spencer E. Ante |newspaper=WSJ.com |date=June 14, 2010 |url=https://www.wsj.com/articles/SB10001424052748703885104575303032919382858?mod=WSJ_hpp_sections_tech }}</ref> |
||
Auernheimer has maintained that Goatse Security used common industry standard practices and has said that, "We tried to be the good guys".<ref name=wsj14/><ref name=tr>{{cite news|last=Leydon|first=John|title=AT&T iPad 'hacker' breaks gag order to rant at cops|url=https://www.theregister.co.uk/2010/07/07/ipad_hack_follow_up/|access-date=February 16, 2011|newspaper=The Register|date=July 7, 2010}}</ref> [[Jennifer Granick]] of the [[Electronic Frontier Foundation]] has also defended the tactics used by Goatse Security.<ref name=wsj14/> |
|||
On June 14, 2010, [[Michael Arrington]] of [[TechCrunch]] awarded the group a Crunchie award for public service. This was the first time a Crunchie was awarded outside the annual Crunchies award ceremony.<ref name=tc>{{cite news|last=Arrington|first=Michael|title= |
On June 14, 2010, [[Michael Arrington]] of [[TechCrunch]] awarded the group a Crunchie award for public service. This was the first time a Crunchie was awarded outside the annual Crunchies award ceremony.<ref name=tc>{{cite news|last=Arrington|first=Michael|title=We're Awarding Goatse Security A Crunchie Award For Public Service|url=https://techcrunch.com/2010/06/14/were-awarding-goatse-security-a-crunchie-award-for-public-service/|access-date=March 31, 2010|newspaper=Tech Crunch|date=June 14, 2010}}</ref><ref name=yn>{{cite news|last=Patterson|first=Ben|title=AT&T apologizes for iPad breach, blames hackers|url=https://news.yahoo.com/s/ytech_gadg/20100614/tc_ytech_gadg/ytech_gadg_tc2564|access-date=March 31, 2010|newspaper=Yahoo! News|date=June 14, 2010}}</ref> |
||
The [[Federal Bureau of Investigation|FBI]] then opened an investigation into the incident,<ref>{{cite news |first=Ryan |last=Tate |
The [[Federal Bureau of Investigation|FBI]] then opened an investigation into the incident,<ref>{{cite news |first=Ryan |last=Tate |title=Apple's Worst Security Breach: 114,000 iPad Owners Exposed |url=http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed |newspaper=[[Gawker.com]] |publisher=[[Gawker Media]] |date=June 9, 2010 |access-date=June 13, 2010 |url-status=dead |archive-url=https://web.archive.org/web/20100612222852/http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed |archive-date=June 12, 2010 }}</ref> leading to a criminal complaint in January 2011<ref name="complaint">United States District Court — District Court of New Jersey, Docket: MAG 11-4022 (CCC). Filed with the court January 13, 2011</ref> and a raid on Auernheimer's house. The search was related to the AT&T investigation and Auernheimer was subsequently detained and released on bail<ref>{{cite news |first1=Jesse |last1=Emspak |first2=Gabriel |last2=Perna |title=Arrested Hacker's Web Site Reveals Extremist Views |url=http://www.ibtimes.com/articles/29267/20100617/goatse-hacker-blog-shows-extremist-views.htm |newspaper=[[International Business Times]] |publisher=[[International Business Times]] |date=June 17, 2010 |access-date=July 11, 2010 |archive-date=March 6, 2020 |archive-url=https://web.archive.org/web/20200306210500/https://www.ibtimes.com/articles/29267/20100617/goatse-hacker-blog-shows-extremist-views.htm |url-status=dead }}</ref> on state drug charges,<ref>{{cite news |title=Programmer Detained After FBI Search |first=Andrew |last=Dowell |newspaper=The Wall Street Journal |date=June 17, 2010 |url=https://www.wsj.com/articles/SB10001424052748704198004575310634055906968?mod=WSJ_PersonalTechnology_LEFTTop }}</ref> later dropped.<ref name="Charges">{{cite news|title=Criminal charges filed against AT&T iPad attackers — Computerworld|date=January 18, 2011|url=http://www.computerworld.com/s/article/9205403/Criminal_charges_filed_against_AT_T_iPad_attackers|access-date=April 18, 2011|archive-date=October 10, 2012|archive-url=https://web.archive.org/web/20121010212917/http://www.computerworld.com/s/article/9205403/Criminal_charges_filed_against_AT_T_iPad_attackers|url-status=dead}}</ref> After his release on bail, he broke a [[gag order]] to protest and to dispute the legality of the search of his house and denial of access to a [[public defender]]. He also asked for donations via [[PayPal]], to defray legal costs.<ref name="Leyden">[https://www.theregister.co.uk/2010/07/07/ipad_hack_follow_up/ AT&T iPad 'hacker' breaks gag order to rant at cops] [[The Register]], John Leyden. July 7, 2010</ref><ref>{{cite web|title=Hypocrites and Pharisees|url=http://security.goatse.fr/hypocrites-and-pharisees|publisher=Goatse.fr|author=weev|access-date=April 18, 2011|archive-date=May 24, 2017|archive-url=https://web.archive.org/web/20170524100145/http://security.goatse.fr/hypocrites-and-pharisees|url-status=dead}}</ref> In 2011 the Department of Justice announced that he will be charged with one count of conspiracy to access a computer without authorization and one count of fraud.<ref name="Charges" /> A co-defendant, Daniel Spitler, was released on bail.<ref name=msnbc>{{cite news|last=Voigt|first=Kurt|title=No bail for 2nd iPad e-mail address theft suspect|url=http://www.nbcnews.com/id/41196595|access-date=February 15, 2011|newspaper=MSNBC.com|date=January 21, 2011|agency=Associated Press}}{{dead link|date=August 2024|bot=medic}}{{cbignore|bot=medic}}</ref><ref name=bailtime>{{cite news|last=Porter|first=David|title=Suspect in iPad Data Theft Released on Bail in NJ|url=https://abcnews.go.com/Technology/wireStory?id=13023509|access-date=March 2, 2011|newspaper=ABC News|date=February 28, 2011|agency=Associated Press}}</ref> |
||
On November 20, 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization,<ref>{{cite news|url=https://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/|title=<nowiki>Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data | Threat Level | Wired.com</nowiki> | first=Kim | last=Zetter|date=November 20, 2012}}</ref> and [[Twitter|tweeted]] that he would appeal the ruling.<ref>{{cite web | url=https://twitter.com/rabite/status/271004620816539648 | title=Twitter status, 3:38 PM - 20 Nov 12}}</ref> Alex Pilosov, a friend who was also present for the ruling, tweeted that Auernheimer would remain free on bail until sentencing, "which will be at least 90 days out."<ref>{{cite web | url=https://twitter.com/apilosov/status/271003102084202496 |
On November 20, 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization,<ref>{{cite news|url=https://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/|title=<nowiki>Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data | Threat Level | Wired.com</nowiki> | first=Kim | last=Zetter|date=November 20, 2012}}</ref> and [[Twitter|tweeted]] that he would appeal the ruling.<ref>{{cite web | url=https://twitter.com/rabite/status/271004620816539648 | title=Twitter status, 3:38 PM - 20 Nov 12}}</ref> Alex Pilosov, a friend who was also present for the ruling, tweeted that Auernheimer would remain free on bail until sentencing, "which will be at least 90 days out."<ref>{{cite web | url=https://twitter.com/apilosov/status/271003102084202496 |
||
| title=Twitter status, 3:32 PM - 20 Nov 12}}</ref> |
| title=Twitter status, 3:32 PM - 20 Nov 12}}</ref> |
||
On November 29, 2012, Auernheimer authored an article in [[Wired Magazine]] entitled "Forget Disclosure - Hackers Should Keep Security Holes to Themselves," advocating the disclosure of any [[Zero-day attack|zero-day exploit]] only to individuals who will "use it in the interests of social justice."<ref>{{cite |
On November 29, 2012, Auernheimer authored an article in [[Wired Magazine]] entitled "Forget Disclosure - Hackers Should Keep Security Holes to Themselves," advocating the disclosure of any [[Zero-day attack|zero-day exploit]] only to individuals who will "use it in the interests of social justice."<ref>{{cite magazine | url=https://www.wired.com/opinion/2012/11/hacking-choice-and-disclosure/ |
||
| title=Forget Disclosure — Hackers Should Keep Security Holes to Themselves | |
| title=Forget Disclosure — Hackers Should Keep Security Holes to Themselves | magazine=Wired | first=Doug | last=Bierend | date=November 29, 2012}}</ref> |
||
On April 11, 2014, the Third Circuit issued an opinion vacating Auernheimer's conviction, on the basis that venue in New Jersey was improper.<ref>[http://pdfserver.amlaw.com/nlj/auernheimer-op-usca3.pdf Case: 13-1816 Document: 003111586090]</ref><ref name=ArsTech>{{cite news|last=Kravets|first=David|title=Appeals court reverses hacker/troll "weev" conviction and sentence|url=https://arstechnica.com/tech-policy/2014/04/appeals-court-reverses-hackertroll-weev-conviction-and-sentence/| |
On April 11, 2014, the Third Circuit issued an opinion vacating Auernheimer's conviction, on the basis that venue in New Jersey was improper.<ref>[http://pdfserver.amlaw.com/nlj/auernheimer-op-usca3.pdf Case: 13-1816 Document: 003111586090]</ref><ref name=ArsTech>{{cite news|last=Kravets|first=David|title=Appeals court reverses hacker/troll "weev" conviction and sentence|url=https://arstechnica.com/tech-policy/2014/04/appeals-court-reverses-hackertroll-weev-conviction-and-sentence/|access-date=April 11, 2014|newspaper=[[Ars Technica]]|date=April 11, 2014}}</ref> The judges did not address the substantive question on the legality of the site access.<ref name=Frbz>{{cite news|last=Hill|first=Kashmir|title=Weev Freed, But Court Punts On Bigger 'Hacking vs. Security Research' Question|url=https://arstechnica.com/tech-policy/2014/04/appeals-court-reverses-hackertroll-weev-conviction-and-sentence/|access-date=April 11, 2014|newspaper=[[Forbes]]|date=April 11, 2014}}</ref> He was released from prison late on April 11.<ref name=BBerg>{{cite news|last=Voreacos|first=David|title=AT&T Hacker 'Weev' Parties and Tweets as Case Still Looms|url=https://www.bloomberg.com/news/2014-04-14/at-t-hacker-weev-wants-indictment-tossed-after-prison-release.html|access-date=April 14, 2014|newspaper=[[Bloomberg L.P.|Bloomberg]]|date=April 14, 2014}}</ref> |
||
==Other accomplishments== |
==Other accomplishments== |
||
In May 2011, a [[Denial of service|DoS]] vulnerability affecting several [[Linux]] distributions was disclosed by Goatse Security, after the group discovered that a lengthy [[Advanced Packaging Tool]] URL would cause [[compiz]] to crash.<ref name=softpedia>{{cite web|first= Lucian |last=Constantin|title=Dangerous Linux Denial of Service Vulnerability Disclosed as 0-Day|url=http://news.softpedia.com/news/Dangerous-Linux-Denial-of-Service-Vulnerability-Disclosed-as-0-Day-200668.shtml| |
In May 2011, a [[Denial of service|DoS]] vulnerability affecting several [[Linux]] distributions was disclosed by Goatse Security, after the group discovered that a lengthy [[Advanced Packaging Tool]] URL would cause [[compiz]] to crash.<ref name=softpedia>{{cite web|first= Lucian |last=Constantin|title=Dangerous Linux Denial of Service Vulnerability Disclosed as 0-Day|url=http://news.softpedia.com/news/Dangerous-Linux-Denial-of-Service-Vulnerability-Disclosed-as-0-Day-200668.shtml|access-date=March 25, 2014|date=May 16, 2011|publisher=Softpedia}}</ref> |
||
In September 2012, Goatse Security was credited by [[Microsoft]] for helping to secure their online services.<ref name="microsoftonline" /> |
In September 2012, Goatse Security was credited by [[Microsoft]] for helping to secure their online services.<ref name="microsoftonline" /> |
||
Line 92: | Line 91: | ||
|30em |
|30em |
||
|refs= |
|refs= |
||
<ref name="arstechnica1">{{cite news |title=Goatse Security trolls were after "max lols" in AT&T iPad hack |first=Chris |last=Foresman |url=https://arstechnica.com/apple/news/2011/01/goatse-security-trolls-were-after-max-lols-in-att-ipad-hack.ars |newspaper=[[Ars Technica]] |date=January 19, 2011 | |
<ref name="arstechnica1">{{cite news |title=Goatse Security trolls were after "max lols" in AT&T iPad hack |first=Chris |last=Foresman |url=https://arstechnica.com/apple/news/2011/01/goatse-security-trolls-were-after-max-lols-in-att-ipad-hack.ars |newspaper=[[Ars Technica]] |date=January 19, 2011 |access-date=2011-01-22}}</ref> |
||
<ref name="bloomberg1">{{cite news |title=U.S. Announces Charges for Alleged Hack Into AT&T Servers Via iPad Users |first=David |last=Voreacos |url=https://www.bloomberg.com/news/2011-01-18/u-s-to-announce-charges-on-alleged-hack-into-at-t-servers-via-ipad-users.html |newspaper=[[Bloomberg.com]] |date=January 18, 2011 |publisher=[[Bloomberg L.P.]] | |
<ref name="bloomberg1">{{cite news |title=U.S. Announces Charges for Alleged Hack Into AT&T Servers Via iPad Users |first=David |last=Voreacos |url=https://www.bloomberg.com/news/2011-01-18/u-s-to-announce-charges-on-alleged-hack-into-at-t-servers-via-ipad-users.html |newspaper=[[Bloomberg.com]] |date=January 18, 2011 |publisher=[[Bloomberg L.P.]] |access-date=2011-01-21}}</ref> |
||
<ref name="cnnmoney1">{{cite news |title=Hackers say iPad has more security holes |first=David |last=Goldman |newspaper=[[CNNMoney.com]] |date=June 14, 2010 |url= |
<ref name="cnnmoney1">{{cite news |title=Hackers say iPad has more security holes |first=David |last=Goldman |newspaper=[[CNNMoney.com]] |date=June 14, 2010 |url=https://money.cnn.com/2010/06/14/technology/att_ipad_hack/ |publisher=[[CNN]] |access-date=2010-09-18}}</ref> |
||
<ref name="complaint1">[http://www.ibtimes.com/articles/102701/20110119/case-against-ipad-hackers.htm Criminal Complaint] {{webarchive|url=https://web.archive.org/web/20110125171737/http://www.ibtimes.com/articles/102701/20110119/case-against-ipad-hackers.htm |date=January 25, 2011 }}. United States District Court – District Court of New Jersey, Docket: MAG 11-4022 (CCC). Filed with the court January 13, 2011</ref> |
<ref name="complaint1">[http://www.ibtimes.com/articles/102701/20110119/case-against-ipad-hackers.htm Criminal Complaint] {{webarchive|url=https://web.archive.org/web/20110125171737/http://www.ibtimes.com/articles/102701/20110119/case-against-ipad-hackers.htm |date=January 25, 2011 }}. United States District Court – District Court of New Jersey, Docket: MAG 11-4022 (CCC). Filed with the court January 13, 2011</ref> |
||
<ref name="computerworld1">{{cite news |title=iPad hacker arrested on multiple drug charges after FBI search |first=Gregg |last=Keizer |newspaper=[[Computerworld]] |date=June 17, 2010 |url=http://www.computerworld.com/s/article/9178158/iPad_hacker_arrested_on_multiple_drug_charges_after_FBI_search |publisher=Computerworld Inc. | |
<ref name="computerworld1">{{cite news |title=iPad hacker arrested on multiple drug charges after FBI search |first=Gregg |last=Keizer |newspaper=[[Computerworld]] |date=June 17, 2010 |url=http://www.computerworld.com/s/article/9178158/iPad_hacker_arrested_on_multiple_drug_charges_after_FBI_search |publisher=Computerworld Inc. |access-date=2010-09-16}}</ref> |
||
<ref name="computerworld2">{{cite news |title=AT&T 'dishonest' about iPad attack threat, say hackers |first=Gregg |last=Keizer |newspaper=[[Computerworld]] |date=June 14, 2010 |url=http://www.computerworld.com/s/article/9178027/AT_T_dishonest_about_iPad_attack_threat_say_hackers |publisher=Computerworld Inc. | |
<ref name="computerworld2">{{cite news |title=AT&T 'dishonest' about iPad attack threat, say hackers |first=Gregg |last=Keizer |newspaper=[[Computerworld]] |date=June 14, 2010 |url=http://www.computerworld.com/s/article/9178027/AT_T_dishonest_about_iPad_attack_threat_say_hackers |publisher=Computerworld Inc. |access-date=2010-09-18}}</ref> |
||
<ref name="computerworld3">{{cite news |title='Brute force' script snatched iPad e-mail addresses |first=Gregg |last=Keizer |newspaper=[[Computerworld]] |date=June 10, 2010 |url=http://www.computerworld.com/s/article/9177921/_Brute_force_script_snatched_iPad_e_mail_addresses |publisher=Computerworld Inc. | |
<ref name="computerworld3">{{cite news |title='Brute force' script snatched iPad e-mail addresses |first=Gregg |last=Keizer |newspaper=[[Computerworld]] |date=June 10, 2010 |url=http://www.computerworld.com/s/article/9177921/_Brute_force_script_snatched_iPad_e_mail_addresses |publisher=Computerworld Inc. |access-date=2010-09-18}}</ref> |
||
<ref name="dailytech1">{{cite news |title=AT&T Apologizes to iPad Customers, We Reveal Hackers' Locales |first=Jason |last=Mick |newspaper=[[DailyTech]] |date=June 14, 2010 |url=http://www.dailytech.com/ATT+Apologizes+to+iPad+Customers+We+Reveal+Hackers+Locales/article18699.htm |publisher=DailyTech LLC. | |
<ref name="dailytech1">{{cite news |title=AT&T Apologizes to iPad Customers, We Reveal Hackers' Locales |first=Jason |last=Mick |newspaper=[[DailyTech]] |date=June 14, 2010 |url=http://www.dailytech.com/ATT+Apologizes+to+iPad+Customers+We+Reveal+Hackers+Locales/article18699.htm |publisher=DailyTech LLC. |access-date=2010-09-16 |archive-date=August 20, 2010 |archive-url=https://web.archive.org/web/20100820002034/http://www.dailytech.com/ATT+Apologizes+to+iPad+Customers+We+Reveal+Hackers+Locales/article18699.htm |url-status=dead }}</ref> |
||
<ref name="dailytech2">{{cite interview |last=Kaiser |first=Leon |interviewer=Mick Jason |title=Interview: Goatse Security on FBI Charges Following AT&T iPad Breach |url=http://www.dailytech.com/Interview+Goatse+Security+on+FBI+Charges+Following+ATT+iPad+Breach/article20693.htm |type=Interview: Transcript |work=[[DailyTech]] |date=January 19, 2011 | |
<ref name="dailytech2">{{cite interview |last=Kaiser |first=Leon |interviewer=Mick Jason |title=Interview: Goatse Security on FBI Charges Following AT&T iPad Breach |url=http://www.dailytech.com/Interview+Goatse+Security+on+FBI+Charges+Following+ATT+iPad+Breach/article20693.htm |type=Interview: Transcript |work=[[DailyTech]] |date=January 19, 2011 |access-date=2011-01-21 |archive-url=https://web.archive.org/web/20140331112332/http://www.dailytech.com/Interview+Goatse+Security+on+FBI+Charges+Following+ATT+iPad+Breach/article20693.htm |archive-date=March 31, 2014 |url-status=dead |df=mdy-all }}</ref> |
||
<ref name="gizmodo1">{{cite web |url=https://gizmodo.com/5559686/ |title=The Little Feature That Led to AT&T's iPad Security Breach |author=Buchanan, Matt |date=June 9, 2010 |work=[[Gizmodo]] |publisher=[[Gawker Media]] | |
<ref name="gizmodo1">{{cite web |url=https://gizmodo.com/5559686/ |title=The Little Feature That Led to AT&T's iPad Security Breach |author=Buchanan, Matt |date=June 9, 2010 |work=[[Gizmodo]] |publisher=[[Gawker Media]] |access-date=2010-09-22}}</ref> |
||
<ref name="goatsecclench1">{{cite web |url=http://security.goatse.fr/clench-our-way-of-saying-screw-you-to-ssl-pki-forever |title=Clench, our way of saying "screw you" to SSL PKI forever |
<ref name="goatsecclench1">{{cite web |url=http://security.goatse.fr/clench-our-way-of-saying-screw-you-to-ssl-pki-forever |title=Clench, our way of saying "screw you" to SSL PKI forever |date=September 8, 2010 |work=Goatse Security |access-date=2010-10-29 |archive-date=September 11, 2010 |archive-url=https://web.archive.org/web/20100911101013/http://security.goatse.fr/clench-our-way-of-saying-screw-you-to-ssl-pki-forever |url-status=dead }}</ref> |
||
<ref name="goatsecmembers1">{{cite web |url=http://security.goatse.fr/members |title=Team |
<ref name="goatsecmembers1">{{cite web |url=http://security.goatse.fr/members |title=Team |date=June 14, 2010 |work=Goatse Security |access-date=2010-09-22 |archive-date=September 30, 2010 |archive-url=https://web.archive.org/web/20100930155830/http://security.goatse.fr/members |url-status=dead }}</ref> |
||
<ref name="npr1">{{cite interview |last=Tate |first=Ryan |
<ref name="npr1">{{cite interview |last=Tate |first=Ryan |interviewer=[[Melissa Block]] |title=Apple's iPad Breach Raises Alarms |date=June 10, 2010 |type=Interview: audio / transcript |work=[[All Things Considered]] |publisher=[[National Public Radio]] |url=https://www.npr.org/templates/story/story.php?storyId=127747618 |access-date=2010-09-16}}</ref> |
||
<ref name="nvd1">{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1099 |title=CVE-2010-1099 |
<ref name="nvd1">{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1099 |title=CVE-2010-1099 |date=March 24, 2010 |work=[[National Vulnerability Database]] |publisher=[[NIST]] |access-date=2010-10-06}}</ref> |
||
<ref name="nvd2">{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1100 |title=CVE-2010-1100 |
<ref name="nvd2">{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1100 |title=CVE-2010-1100 |date=March 24, 2010 |work=[[National Vulnerability Database]] |publisher=[[NIST]] |access-date=2010-10-06}}</ref> |
||
<ref name="nvd3">{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1101 |title=CVE-2010-1101 |
<ref name="nvd3">{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1101 |title=CVE-2010-1101 |date=March 24, 2010 |work=[[National Vulnerability Database]] |publisher=[[NIST]] |access-date=2010-10-06}}</ref> |
||
<ref name="nvd4">{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1102 |title=CVE-2010-1102 |
<ref name="nvd4">{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1102 |title=CVE-2010-1102 |date=March 24, 2010 |work=[[National Vulnerability Database]] |publisher=[[NIST]] |access-date=2010-10-06}}</ref> |
||
<ref name="nvd5">{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1103 |title=CVE-2010-1103 |
<ref name="nvd5">{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1103 |title=CVE-2010-1103 |date=March 24, 2010 |work=[[National Vulnerability Database]] |publisher=[[NIST]] |access-date=2010-10-06}}</ref> |
||
<ref name="nytimes1">{{cite news |title=Two Are Charged With Fraud in iPad Security Breach |first1=Nick |last1=Bilton |first2=Jenna |last2=Wortham |url=https://www.nytimes.com/2011/01/19/technology/19ipad.html |newspaper=[[The New York Times]] |date=January 18, 2011 | |
<ref name="nytimes1">{{cite news |title=Two Are Charged With Fraud in iPad Security Breach |first1=Nick |last1=Bilton |first2=Jenna |last2=Wortham |url=https://www.nytimes.com/2011/01/19/technology/19ipad.html |newspaper=[[The New York Times]] |date=January 18, 2011 |access-date=2011-01-21}}</ref> |
||
<ref name="onlinewsj1">{{cite news |title=Programmer Detained After FBI Search |first=Andrew |last=Dowell |newspaper=[[The Wall Street Journal]] |date= June 17, 2010 |url=https://www.wsj.com/articles/SB10001424052748704198004575310634055906968 |publisher=[[Dow Jones & Company, Inc.]] | |
<ref name="onlinewsj1">{{cite news |title=Programmer Detained After FBI Search |first=Andrew |last=Dowell |newspaper=[[The Wall Street Journal]] |date= June 17, 2010 |url=https://www.wsj.com/articles/SB10001424052748704198004575310634055906968 |publisher=[[Dow Jones & Company, Inc.]] |access-date=2010-10-11}}</ref> |
||
<ref name="onlinewsj2">{{cite news |title=AT&T Discloses Breach of iPad Owner Data |first=Spencer E. |last=Ante |newspaper=[[The Wall Street Journal]] |date= June 10, 2010 |url=https://www.wsj.com/articles/SB10001424052748704575304575297210807737710 |publisher=[[Dow Jones & Company, Inc.]] | |
<ref name="onlinewsj2">{{cite news |title=AT&T Discloses Breach of iPad Owner Data |first=Spencer E. |last=Ante |newspaper=[[The Wall Street Journal]] |date= June 10, 2010 |url=https://www.wsj.com/articles/SB10001424052748704575304575297210807737710 |publisher=[[Dow Jones & Company, Inc.]] |access-date=2010-09-26}}</ref> |
||
<ref name="pcworld1">{{cite news |title=AT&T IPad Hacker Fought for Media Attention, Documents Show |first=Robert |last=McMillan |url=https://www.pcworld.com/article/213858/atandt_ipad_hacker_fought_for_media_attention_documents_show.html |newspaper=[[PC World (magazine)|PC World]] |publisher=PC World Communications, Inc. |date=December 15, 2010 | |
<ref name="pcworld1">{{cite news |title=AT&T IPad Hacker Fought for Media Attention, Documents Show |first=Robert |last=McMillan |url=https://www.pcworld.com/article/213858/atandt_ipad_hacker_fought_for_media_attention_documents_show.html |newspaper=[[PC World (magazine)|PC World]] |publisher=PC World Communications, Inc. |date=December 15, 2010 |access-date=2010-12-16 }}{{Dead link|date=August 2023 |bot=InternetArchiveBot |fix-attempted=yes }}</ref> |
||
<ref name="root1">{{cite web |url=http://rdist.root.org/2010/09/08/clench-is-inferior-to-tlssrp/ |title=Clench is inferior to TLS+SRP |author=Lawson, Nate |date=September 8, 2010 |work=root labs rdist |publisher=Nate Lawson | |
<ref name="root1">{{cite web |url=http://rdist.root.org/2010/09/08/clench-is-inferior-to-tlssrp/ |title=Clench is inferior to TLS+SRP |author=Lawson, Nate |date=September 8, 2010 |work=root labs rdist |publisher=Nate Lawson |access-date=2010-10-29}}</ref> |
||
<ref name="softpedia1">{{cite news |title=Firefox Bug Used to Harass Entire IRC Network |first=Lucian |last=Constantin |newspaper=[[Softpedia]] |date=January 30, 2010 |url=http://news.softpedia.com/news/Firefox-Bug-Used-to-Harass-an-Entire-IRC-Network-133613.shtml |publisher=Softpedia | |
<ref name="softpedia1">{{cite news |title=Firefox Bug Used to Harass Entire IRC Network |first=Lucian |last=Constantin |newspaper=[[Softpedia]] |date=January 30, 2010 |url=http://news.softpedia.com/news/Firefox-Bug-Used-to-Harass-an-Entire-IRC-Network-133613.shtml |publisher=Softpedia |access-date=2010-09-19}}</ref> |
||
<ref name="theatlantic1">{{cite news |title=Meet One of the Hackers Who Exposed the iPad Security Leak |first=Niraj |last=Chokshi |newspaper=[[The Atlantic]] |date=June 10, 2010 |url=https://www.theatlantic.com/technology/archive/2010/06/meet-one-of-the-hackers-who-exposed-the-ipad-security-leak/57969/ |publisher=The Atlantic Monthly Group | |
<ref name="theatlantic1">{{cite news |title=Meet One of the Hackers Who Exposed the iPad Security Leak |first=Niraj |last=Chokshi |newspaper=[[The Atlantic]] |date=June 10, 2010 |url=https://www.theatlantic.com/technology/archive/2010/06/meet-one-of-the-hackers-who-exposed-the-ipad-security-leak/57969/ |publisher=The Atlantic Monthly Group |access-date=2010-09-16}}</ref> |
||
<ref name="theregister1">{{cite news |title=Firefox-based attack wreaks havoc on IRC users |first=Dan |last=Goodin |newspaper=[[The Register]] |date=January 30, 2010 |url=https://www.theregister.co.uk/2010/01/30/firefox_interprotocol_attack/ |publisher=Situation Publishing | |
<ref name="theregister1">{{cite news |title=Firefox-based attack wreaks havoc on IRC users |first=Dan |last=Goodin |newspaper=[[The Register]] |date=January 30, 2010 |url=https://www.theregister.co.uk/2010/01/30/firefox_interprotocol_attack/ |publisher=Situation Publishing |access-date=2010-09-19}}</ref> |
||
<ref name="theregister2">{{cite news |title=Security gaffe exposes addresses of elite iPaders |first=Dan |last=Goodin |newspaper=[[The Register]] |date=June 9, 2010 |url=https://www.theregister.co.uk/2010/06/09/ipad_security_breach/ |publisher=Situation Publishing | |
<ref name="theregister2">{{cite news |title=Security gaffe exposes addresses of elite iPaders |first=Dan |last=Goodin |newspaper=[[The Register]] |date=June 9, 2010 |url=https://www.theregister.co.uk/2010/06/09/ipad_security_breach/ |publisher=Situation Publishing |access-date=2010-09-19}}</ref> |
||
<ref name="valleywag1">{{cite web |url=http://valleywag.gawker.com/5559725/att-fights-spreading-ipad-fear |title=AT&T Fights Spreading iPad Fear |author=Tate, Ryan |date=June 9, 2010 |work=[[Valleywag]] |publisher=[[Gawker Media]] | |
<ref name="valleywag1">{{cite web |url=http://valleywag.gawker.com/5559725/att-fights-spreading-ipad-fear |title=AT&T Fights Spreading iPad Fear |author=Tate, Ryan |date=June 9, 2010 |work=[[Valleywag]] |publisher=[[Gawker Media]] |access-date=2010-10-17 |url-status=dead |archive-url=https://web.archive.org/web/20100715192351/http://valleywag.gawker.com/5559725/att-fights-spreading-ipad-fear |archive-date=July 15, 2010 }}</ref> |
||
<ref name="thetechherald1">{{cite news |title=AT&T loses 114,000 e-mail addresses via scripting error |first=Steve |last=Ragan |newspaper= |
<ref name="thetechherald1">{{cite news |title=AT&T loses 114,000 e-mail addresses via scripting error |first=Steve |last=Ragan |newspaper=The Tech Herald |date=June 10, 2010 |url=http://www.thetechherald.com/article.php/201023/5716/AT&T-loses-114-000-e-mail-addresses-via-scripting-error |publisher=WOTR Limited |access-date=2010-09-28 |archive-url=https://web.archive.org/web/20111118060903/http://www.thetechherald.com/article.php/201023/5716/AT%26T-loses-114-000-e-mail-addresses-via-scripting-error |archive-date=November 18, 2011 |url-status=dead }}</ref> |
||
<ref name="thetechherald2-2">{{cite news |title=Goatse Security tells AT&T: |
<ref name="thetechherald2-2">{{cite news |title=Goatse Security tells AT&T: 'You f---ed up' |first=Steve |last=Ragan |newspaper=The Tech Herald |date=June 14, 2010 |url=http://www.thetechherald.com/article.php/201024/5734/Goatse-Security-tells-AT&T-You-f-ed-up?page=2 |publisher=WOTR Limited |page=2 |access-date=2010-10-06 |archive-url=https://web.archive.org/web/20111003144128/http://www.thetechherald.com/article.php/201024/5734/Goatse-Security-tells-AT%26T-You-f-ed-up?page=2 |archive-date=October 3, 2011 |url-status=dead }}</ref> |
||
<ref name="valleywag2">{{cite web |url=http://valleywag.gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed |title=Apple's Worst Security Breach: 114,000 iPad Owners Exposed |author=Tate, Ryan |date=June 9, 2010 |work=[[Valleywag]] |publisher=[[Gawker Media]] | |
<ref name="valleywag2">{{cite web |url=http://valleywag.gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed |title=Apple's Worst Security Breach: 114,000 iPad Owners Exposed |author=Tate, Ryan |date=June 9, 2010 |work=[[Valleywag]] |publisher=[[Gawker Media]] |access-date=2010-09-16 |url-status=dead |archive-url=https://web.archive.org/web/20100726062820/http://valleywag.gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed |archive-date=July 26, 2010 }}</ref> |
||
<ref name="washpost">{{cite news|last=Eunjung Cha|first=Ariana|title=Apple's iPad security breach reveals vulnerability of mobile devices|url=https://www.washingtonpost.com/wp-dyn/content/article/2010/06/11/AR2010061106239.html| |
<ref name="washpost">{{cite news|last=Eunjung Cha|first=Ariana|title=Apple's iPad security breach reveals vulnerability of mobile devices|url=https://www.washingtonpost.com/wp-dyn/content/article/2010/06/11/AR2010061106239.html|newspaper=Washington Post|access-date=April 6, 2011|date=June 12, 2010}}</ref> |
||
<ref name="microsoftonline">{{cite web|title=Security Researcher Acknowledgments for Microsoft Online Services|url=https://technet.microsoft.com/en-us/security/cc308575|publisher=Microsoft| |
<ref name="microsoftonline">{{cite web|title=Security Researcher Acknowledgments for Microsoft Online Services|url=https://technet.microsoft.com/en-us/security/cc308575|publisher=Microsoft|access-date=October 19, 2012}}</ref> |
||
}} |
}} |
||
==External links== |
==External links== |
||
⚫ | |||
* {{official website|http://security.goatse.fr/}} |
* {{official website|http://security.goatse.fr/}} |
||
Line 134: | Line 134: | ||
[[Category:Hacker groups]] |
[[Category:Hacker groups]] |
||
[[Category:Computer security organizations]] |
[[Category:Computer security organizations]] |
||
[[Category:Organizations established in 2009]] |
Latest revision as of 07:05, 29 November 2024
Formation | December 2009[3] |
---|---|
Purpose | Hacking |
Membership | Andrew "weev" Auernheimer[4][5] Sam Hocevar[4][6][7] Daniel Spitler[4][8] Leon Kaiser[2][4] Nick "Rucas" Price[4][9][10] |
Products | Clench[11][12] |
Website | security |
Goatse Security (GoatSec) was a loose-knit, nine-person[13] grey hat[14] hacker group[15] that specialized in uncovering security flaws.[3][16] It was a division of the anti-blogging Internet trolling organization known as the Gay Nigger Association of America (GNAA).[2] The group derives its name from the Goatse.cx shock site,[5] and it chose "Gaping Holes Exposed" as its slogan.[17] The website has been abandoned without an update since May 2014.[18]
In June 2010, Goatse Security obtained the email addresses of approximately 114,000 Apple iPad users. This led to an FBI investigation and the filing of criminal charges against two of the group's members.
Founding
[edit]The GNAA had several security researchers within its membership. According to Goatse Security spokesperson Leon Kaiser, the GNAA could not fully utilize their talents since the group believed that there would not be anyone who would take security data published by the GNAA seriously. In order to create a medium through which GNAA members can publish their security findings, the GNAA created Goatse Security in December 2009.[2][3]
Discovery of browser vulnerabilities
[edit]In order to protect its web browser from inter-protocol exploitation, Mozilla blocked several ports that HTML forms would not normally have access to. In January 2010, the GNAA discovered that Mozilla's blocks did not cover port 6667, which left Mozilla browsers vulnerable to cross-protocol scripts. The GNAA crafted a JavaScript-based exploit in order to flood IRC channels. Although EFnet and OFTC were able to block the attacks, Freenode struggled to counteract the attacks. Goatse Security exposed the vulnerability, and one of its members, Andrew Auernheimer, aka "weev," posted information about the exploit on Encyclopedia Dramatica.[19][20][21]
In March 2010, Goatse Security discovered an integer overflow vulnerability within Apple's web browser, Safari, and posted an exploit on Encyclopedia Dramatica.[22] They found out that a person could access a blocked port by adding 65,536 to the port number.[23][24] This vulnerability was also found in Arora,[25] iCab,[26] OmniWeb,[27] and Stainless.[28] Although Apple fixed the glitch for desktop versions of Safari in March, the company left the glitch unfixed in mobile versions of the browser.[22][29] Goatse Security claimed that a hacker could exploit the mobile Safari flaw in order to gain access and cause harm to the Apple iPad.[22][29]
AT&T/iPad email address leak
[edit]In June 2010, Goatse Security uncovered a vulnerability within the AT&T website.[30][31] AT&T was the only provider of 3G service for Apple's iPad in the United States at the time.[32] When signing up for AT&T's 3G service from an iPad, AT&T retrieves the ICC-ID from the iPad's SIM card and associates it with the email address provided during sign-up.[30][33] In order to ease the log-in process from the iPad, the AT&T website receives the SIM card's ICC-ID and pre-populates the email address field with the address provided during sign-up.[30][33] Goatse Security realized that by sending a HTTP request with a valid ICC-ID embedded inside it to the AT&T website, the website would reveal the email address associated with that ICC-ID.[30][33]
On June 5, 2010, Daniel Spitler, aka "JacksonBrown", began discussing this vulnerability and possible ways to exploit it, including phishing, on an IRC channel.[8][34][35] Goatse Security constructed a PHP-based brute force script that would send HTTP requests with random ICC-IDs to the AT&T website until a legitimate ICC-ID is entered, which would return the email address corresponding to the ICC-ID.[30][33] This script was dubbed the "iPad 3G Account Slurper."[35]
Goatse Security then attempted to find an appropriate news source to disclose the leaked information, with Auernheimer attempting to contact News Corporation and Thomson Reuters executives, including Arthur Siskind, about AT&T's security problems.[36] On June 6, 2010, Auernheimer sent emails with some of the ICC-IDs recovered in order to verify his claims.[34][36] Chat logs from this period also reveal that attention and publicity may have been incentives for the group.[37]
Contrary to what it first claimed, the group initially revealed the security flaw to Gawker Media before notifying AT&T[37] and also exposed the data of 114,000 iPad users, including those of celebrities, the government and the military. These tactics re-provoked significant debate on the proper disclosure of IT security flaws.[38]
Auernheimer has maintained that Goatse Security used common industry standard practices and has said that, "We tried to be the good guys".[38][39] Jennifer Granick of the Electronic Frontier Foundation has also defended the tactics used by Goatse Security.[38]
On June 14, 2010, Michael Arrington of TechCrunch awarded the group a Crunchie award for public service. This was the first time a Crunchie was awarded outside the annual Crunchies award ceremony.[40][41]
The FBI then opened an investigation into the incident,[42] leading to a criminal complaint in January 2011[10] and a raid on Auernheimer's house. The search was related to the AT&T investigation and Auernheimer was subsequently detained and released on bail[43] on state drug charges,[44] later dropped.[45] After his release on bail, he broke a gag order to protest and to dispute the legality of the search of his house and denial of access to a public defender. He also asked for donations via PayPal, to defray legal costs.[15][46] In 2011 the Department of Justice announced that he will be charged with one count of conspiracy to access a computer without authorization and one count of fraud.[45] A co-defendant, Daniel Spitler, was released on bail.[47][48]
On November 20, 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization,[49] and tweeted that he would appeal the ruling.[50] Alex Pilosov, a friend who was also present for the ruling, tweeted that Auernheimer would remain free on bail until sentencing, "which will be at least 90 days out."[51]
On November 29, 2012, Auernheimer authored an article in Wired Magazine entitled "Forget Disclosure - Hackers Should Keep Security Holes to Themselves," advocating the disclosure of any zero-day exploit only to individuals who will "use it in the interests of social justice."[52]
On April 11, 2014, the Third Circuit issued an opinion vacating Auernheimer's conviction, on the basis that venue in New Jersey was improper.[53][54] The judges did not address the substantive question on the legality of the site access.[55] He was released from prison late on April 11.[56]
Other accomplishments
[edit]In May 2011, a DoS vulnerability affecting several Linux distributions was disclosed by Goatse Security, after the group discovered that a lengthy Advanced Packaging Tool URL would cause compiz to crash.[57]
In September 2012, Goatse Security was credited by Microsoft for helping to secure their online services.[9]
References
[edit]- ^ Tate, Ryan (June 9, 2010). "AT&T Fights Spreading iPad Fear". Valleywag. Gawker Media. Archived from the original on July 15, 2010. Retrieved October 17, 2010.
- ^ a b c d Kaiser, Leon (January 19, 2011). "Interview: Goatse Security on FBI Charges Following AT&T iPad Breach". DailyTech (Interview: Transcript). Interviewed by Mick Jason. Archived from the original on March 31, 2014. Retrieved January 21, 2011.
- ^ a b c Dowell, Andrew (June 17, 2010). "Programmer Detained After FBI Search". The Wall Street Journal. Dow Jones & Company, Inc. Retrieved October 11, 2010.
- ^ a b c d e "Team". Goatse Security. June 14, 2010. Archived from the original on September 30, 2010. Retrieved September 22, 2010.
- ^ a b Chokshi, Niraj (June 10, 2010). "Meet One of the Hackers Who Exposed the iPad Security Leak". The Atlantic. The Atlantic Monthly Group. Retrieved September 16, 2010.
- ^ Keizer, Gregg (June 17, 2010). "iPad hacker arrested on multiple drug charges after FBI search". Computerworld. Computerworld Inc. Retrieved September 16, 2010.
- ^ Mick, Jason (June 14, 2010). "AT&T Apologizes to iPad Customers, We Reveal Hackers' Locales". DailyTech. DailyTech LLC. Archived from the original on August 20, 2010. Retrieved September 16, 2010.
- ^ a b Bilton, Nick; Wortham, Jenna (January 18, 2011). "Two Are Charged With Fraud in iPad Security Breach". The New York Times. Retrieved January 21, 2011.
- ^ a b "Security Researcher Acknowledgments for Microsoft Online Services". Microsoft. Retrieved October 19, 2012.
- ^ a b United States District Court — District Court of New Jersey, Docket: MAG 11-4022 (CCC). Filed with the court January 13, 2011
- ^ "Clench, our way of saying "screw you" to SSL PKI forever". Goatse Security. September 8, 2010. Archived from the original on September 11, 2010. Retrieved October 29, 2010.
- ^ Lawson, Nate (September 8, 2010). "Clench is inferior to TLS+SRP". root labs rdist. Nate Lawson. Retrieved October 29, 2010.
- ^ Eunjung Cha, Ariana (June 12, 2010). "Apple's iPad security breach reveals vulnerability of mobile devices". Washington Post. Retrieved April 6, 2011.
- ^ Kirsch, Cassandra (2014). "The Grey Hat Hacker: Reconciling Cyberspace Reality and the Law" (PDF). Northern Kentucky Law Review. 41: 386.[dead link ]
- ^ a b AT&T iPad 'hacker' breaks gag order to rant at cops The Register, John Leyden. July 7, 2010
- ^ Tate, Ryan (June 10, 2010). "Apple's iPad Breach Raises Alarms". All Things Considered (Interview: audio / transcript). Interviewed by Melissa Block. National Public Radio. Retrieved September 16, 2010.
- ^ Ragan, Steve (June 10, 2010). "AT&T loses 114,000 e-mail addresses via scripting error". The Tech Herald. WOTR Limited. Archived from the original on November 18, 2011. Retrieved September 28, 2010.
- ^ "Compiz vulnerability « Goatse Security". Archived from the original on July 24, 2019. Retrieved October 15, 2019.
- ^ Constantin, Lucian (January 30, 2010). "Firefox Bug Used to Harass Entire IRC Network". Softpedia. Softpedia. Retrieved September 19, 2010.
- ^ Goodin, Dan (January 30, 2010). "Firefox-based attack wreaks havoc on IRC users". The Register. Situation Publishing. Retrieved September 19, 2010.
- ^ Goodin, Dan (June 9, 2010). "Security gaffe exposes addresses of elite iPaders". The Register. Situation Publishing. Retrieved September 19, 2010.
- ^ a b c Keizer, Gregg (June 14, 2010). "AT&T 'dishonest' about iPad attack threat, say hackers". Computerworld. Computerworld Inc. Retrieved September 18, 2010.
- ^ Ragan, Steve (June 14, 2010). "Goatse Security tells AT&T: 'You f---ed up'". The Tech Herald. WOTR Limited. p. 2. Archived from the original on October 3, 2011. Retrieved October 6, 2010.
- ^ "CVE-2010-1099". National Vulnerability Database. NIST. March 24, 2010. Retrieved October 6, 2010.
- ^ "CVE-2010-1100". National Vulnerability Database. NIST. March 24, 2010. Retrieved October 6, 2010.
- ^ "CVE-2010-1101". National Vulnerability Database. NIST. March 24, 2010. Retrieved October 6, 2010.
- ^ "CVE-2010-1102". National Vulnerability Database. NIST. March 24, 2010. Retrieved October 6, 2010.
- ^ "CVE-2010-1103". National Vulnerability Database. NIST. March 24, 2010. Retrieved October 6, 2010.
- ^ a b Goldman, David (June 14, 2010). "Hackers say iPad has more security holes". CNNMoney.com. CNN. Retrieved September 18, 2010.
- ^ a b c d e Keizer, Gregg (June 10, 2010). "'Brute force' script snatched iPad e-mail addresses". Computerworld. Computerworld Inc. Retrieved September 18, 2010.
- ^ Tate, Ryan (June 9, 2010). "Apple's Worst Security Breach: 114,000 iPad Owners Exposed". Valleywag. Gawker Media. Archived from the original on July 26, 2010. Retrieved September 16, 2010.
- ^ Ante, Spencer E. (June 10, 2010). "AT&T Discloses Breach of iPad Owner Data". The Wall Street Journal. Dow Jones & Company, Inc. Retrieved September 26, 2010.
- ^ a b c d Buchanan, Matt (June 9, 2010). "The Little Feature That Led to AT&T's iPad Security Breach". Gizmodo. Gawker Media. Retrieved September 22, 2010.
- ^ a b Criminal Complaint Archived January 25, 2011, at the Wayback Machine. United States District Court – District Court of New Jersey, Docket: MAG 11-4022 (CCC). Filed with the court January 13, 2011
- ^ a b Voreacos, David (January 18, 2011). "U.S. Announces Charges for Alleged Hack Into AT&T Servers Via iPad Users". Bloomberg.com. Bloomberg L.P. Retrieved January 21, 2011.
- ^ a b McMillan, Robert (December 15, 2010). "AT&T IPad Hacker Fought for Media Attention, Documents Show". PC World. PC World Communications, Inc. Retrieved December 16, 2010.[permanent dead link ]
- ^ a b Foresman, Chris (January 19, 2011). "Goatse Security trolls were after "max lols" in AT&T iPad hack". Ars Technica. Retrieved January 22, 2011.
- ^ a b c Worthen, Ben; Spencer E. Ante (June 14, 2010). "Computer Experts Face Backlash". WSJ.com.
- ^ Leydon, John (July 7, 2010). "AT&T iPad 'hacker' breaks gag order to rant at cops". The Register. Retrieved February 16, 2011.
- ^ Arrington, Michael (June 14, 2010). "We're Awarding Goatse Security A Crunchie Award For Public Service". Tech Crunch. Retrieved March 31, 2010.
- ^ Patterson, Ben (June 14, 2010). "AT&T apologizes for iPad breach, blames hackers". Yahoo! News. Retrieved March 31, 2010.
- ^ Tate, Ryan (June 9, 2010). "Apple's Worst Security Breach: 114,000 iPad Owners Exposed". Gawker.com. Gawker Media. Archived from the original on June 12, 2010. Retrieved June 13, 2010.
- ^ Emspak, Jesse; Perna, Gabriel (June 17, 2010). "Arrested Hacker's Web Site Reveals Extremist Views". International Business Times. International Business Times. Archived from the original on March 6, 2020. Retrieved July 11, 2010.
- ^ Dowell, Andrew (June 17, 2010). "Programmer Detained After FBI Search". The Wall Street Journal.
- ^ a b "Criminal charges filed against AT&T iPad attackers — Computerworld". January 18, 2011. Archived from the original on October 10, 2012. Retrieved April 18, 2011.
- ^ weev. "Hypocrites and Pharisees". Goatse.fr. Archived from the original on May 24, 2017. Retrieved April 18, 2011.
- ^ Voigt, Kurt (January 21, 2011). "No bail for 2nd iPad e-mail address theft suspect". MSNBC.com. Associated Press. Retrieved February 15, 2011.[dead link ]
- ^ Porter, David (February 28, 2011). "Suspect in iPad Data Theft Released on Bail in NJ". ABC News. Associated Press. Retrieved March 2, 2011.
- ^ Zetter, Kim (November 20, 2012). "Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data | Threat Level | Wired.com".
- ^ "Twitter status, 3:38 PM - 20 Nov 12".
- ^ "Twitter status, 3:32 PM - 20 Nov 12".
- ^ Bierend, Doug (November 29, 2012). "Forget Disclosure — Hackers Should Keep Security Holes to Themselves". Wired.
- ^ Case: 13-1816 Document: 003111586090
- ^ Kravets, David (April 11, 2014). "Appeals court reverses hacker/troll "weev" conviction and sentence". Ars Technica. Retrieved April 11, 2014.
- ^ Hill, Kashmir (April 11, 2014). "Weev Freed, But Court Punts On Bigger 'Hacking vs. Security Research' Question". Forbes. Retrieved April 11, 2014.
- ^ Voreacos, David (April 14, 2014). "AT&T Hacker 'Weev' Parties and Tweets as Case Still Looms". Bloomberg. Retrieved April 14, 2014.
- ^ Constantin, Lucian (May 16, 2011). "Dangerous Linux Denial of Service Vulnerability Disclosed as 0-Day". Softpedia. Retrieved March 25, 2014.