Get SF Weekly Newsletters

Friday, June 11, 2010

iPad Hackers: Obtaining Emails Not Illegal, We Will Fight If Charges Are Pressed

Posted By on Fri, Jun 11, 2010 at 3:24 PM


click to enlarge Screen_shot_2010_06_11_at_3.15.13_PM.png
According to reports, the FBI is currently investigating the AT&T iPad leak because of the sensitive (read governmental) nature of the data revealed, and Gawker Media is now under pressure to provide information on the legality of the breach, casting Goatse Security, the hacker group that launched a thousand journalist lols and inadvertently NSFW tech news headlines ("Goatse Security claims gaping hole, etc ..."), into the spotlight.


We spoke online with Goatse employee "Weev" on Wednesday night and learned that the exploit was more of a threat than many think. We also asked about the motivations of the security group. Why, as reported in their recent blog post, did they destroy the list of 114,000 influential iPad subcribers after giving it to Valleywag blogger Ryan Tate?

Note: The following interview transcript was excerpted, edited and paraphrased.

SF Weekly: So who do you think is responsible, Apple or AT&T?

Weev: Both. Apple coded the hook to pass the ICC-ID to AT&T --  it's

both their failures, no question about it. Both didn't see the potential

for abuse.



SF Weekly: In your opinion, what would be the worst case

scenario, if this had not been exposed. Is the NYTimes right, in making

everyone shut off their 3G?



Weev: Well someone with nefarious intent could have scraped a

complete [database] of iPad 3G subscribers and emailed them all an exploit

payload and owned [a lot] of iPads or owned the influential people

first.


click to enlarge IMAGE VIA DOMAINSHANE

What

harm can an email address, plus the ID of the iPad with which it is associated do? Emailing from the list of 114,000 iPad users would

increase your likelihood of reaching an iPad as opposed to any old email list, useful if you've got an exploit or hack specifically designed to infiltrate iPads; Goatse was able to scrape the email addresses and iPad IDs of

a lot of immediately recognizable people.

Someone more sinister could have used these addresses to send influencers an email with a link that, if clicked on,

could allow the hacker to take over some of the iPad. Reports from the Cansecwest security conference have shown that vulnerabilities continue to plague the iPhone and other mobile devices. 


 



Weev: We did this as "niceguy" as we could. WSJ wrote an

article that implies pretty strongly that we are criminals. We did not

publically release the dataset, we waited until we confirmed the system

was secured before we went public with technical details. I hope they

don't try to get charges pressed but if charges are pressed we will

fight it and win.

SF Weekly: Why destroy the data ethically [from your end], when Ryan Tate has a copy and is probably more vulnerable to hacking?



Weev: There's probably more of an attack surface for me than for

Tate and there's simply no more reason for me to have the data: It

served its purpose for me. I'm just like a PR agent in this scenario.

There's absolutely no reason for me to have it, the story is broken.

Hopefully nobody will press any criminal stuff.

SF Weekly: What do you mean by PR agent?



Weev: Well this wasn't my find. The dude that owned the iPad -- He doesn't wanna be named. If I said his name, you'd know it. He's

probably super easy to serve.

Later Weev implied that the person who found the iPad bug might not be able to pursue his current career if outed, hinting at the prominence of the tipster.
 

SF Weekly: So what are your main motivations?



Weev: Listen I'm an artist, a real one -- I don't hang my

work on some gallery wall for douchebags to gawk at. Our

motivation is to make art and to provoke human thought and to advance

the human condition. Uninterested in lawbreaking, want to make more

art. Don't need to break law to make art.

SF Weekly: Was it illegal to obtain the emails? The process of obtaining, wasn't that against the law?

Weev: Do not believe so. Regardless, I did not do it. I am just a publication agent.

SF Weekly: So if AT&T offers you a job. Will you consider?

Weev: Absolutely. Goatse security is open to contracts from anyone. We put our client's interests first.


The risks of security ID holes aren't just spam email -- Think of all the data on your iPhone

you wouldn't want anyone else to see. Imagine your boyfriend texted his home alarm code because you accidentally set it off, and you had included his name and address in your contacts list; People in the mobile era constantly, innocently exchange sensitive information.

Will our iPads be safer now, because of this? Despite the 4 chan-derived name and general shady Internet troll rhetoric of Goatse, yes, for the moment.

Follow us on Twitter at @alexia and @sfweekly.

  • Pin It

About The Author

Alexia Tsotsis

Comments

Subscribe to this thread:

Add a comment

Popular Stories

  1. Most Popular Stories
  2. Stories You Missed

Like us on Facebook

Slideshows

  • San Francisco Street Food Festival 2014
    The San Francisco Street Food Festival was another success this year. Dozens of vendors with original, unheard-of creations, such as deep fried mac and cheese on a stick, black pea paste pancakes, and Korean quesadillas. Then there was the comfort foods we've grown accustomed to, like creme bruleé, shrimp rolls, and pound cake. Photographs by Mabel Jimenez.
  • Paul McCartney @ Candlestick Park
    Thursday, August 15th marks the last concert at Candlestick Park. Who better to close out the venue than Sir Paul McCartney. Photographs by Sugarwolf.