We spoke online with Goatse employee "Weev" on Wednesday night and learned that the exploit was more of a threat than many think. We also asked about the motivations of the security group. Why, as reported in their recent blog post, did they destroy the list of 114,000 influential iPad subcribers after giving it to Valleywag blogger Ryan Tate?
Note: The following interview transcript was excerpted, edited and paraphrased.
SF Weekly: So who do you think is responsible, Apple or AT&T?
Weev: Both. Apple coded the hook to pass the ICC-ID to AT&T -- it's
both their failures, no question about it. Both didn't see the potential
SF Weekly: In your opinion, what would be the worst case
scenario, if this had not been exposed. Is the NYTimes right, in making
everyone shut off their 3G?
Weev: Well someone with nefarious intent could have scraped a
complete [database] of iPad 3G subscribers and emailed them all an exploit
payload and owned [a lot] of iPads or owned the influential people
harm can an email address, plus the ID of the iPad with which it is associated do? Emailing from the list of 114,000 iPad users would
increase your likelihood of reaching an iPad as opposed to any old email list, useful if you've got an exploit or hack specifically designed to infiltrate iPads; Goatse was able to scrape the email addresses and iPad IDs of
a lot of immediately recognizable people.
Someone more sinister could have used these addresses to send influencers an email with a link that, if clicked on,
could allow the hacker to take over some of the iPad. Reports from the Cansecwest security conference have shown that vulnerabilities continue to plague the iPhone and other mobile devices.
Weev: We did this as "niceguy" as we could. WSJ wrote anLater Weev implied that the person who found the iPad bug might not be able to pursue his current career if outed, hinting at the prominence of the tipster.
article that implies pretty strongly that we are criminals. We did not
publically release the dataset, we waited until we confirmed the system
was secured before we went public with technical details. I hope they
don't try to get charges pressed but if charges are pressed we will
fight it and win.
SF Weekly: Why destroy the data ethically [from your end], when Ryan Tate has a copy and is probably more vulnerable to hacking?
Weev: There's probably more of an attack surface for me than for
Tate and there's simply no more reason for me to have the data: It
served its purpose for me. I'm just like a PR agent in this scenario.
There's absolutely no reason for me to have it, the story is broken.
Hopefully nobody will press any criminal stuff.
SF Weekly: What do you mean by PR agent?
Weev: Well this wasn't my find. The dude that owned the iPad -- He doesn't wanna be named. If I said his name, you'd know it. He's
probably super easy to serve.
SF Weekly: So what are your main motivations?
Weev: Listen I'm an artist, a real one -- I don't hang my
work on some gallery wall for douchebags to gawk at. Our
motivation is to make art and to provoke human thought and to advance
the human condition. Uninterested in lawbreaking, want to make more
art. Don't need to break law to make art.
SF Weekly: Was it illegal to obtain the emails? The process of obtaining, wasn't that against the law?
Weev: Do not believe so. Regardless, I did not do it. I am just a publication agent.
SF Weekly: So if AT&T offers you a job. Will you consider?
Weev: Absolutely. Goatse security is open to contracts from anyone. We put our client's interests first.
you wouldn't want anyone else to see. Imagine your boyfriend texted his home alarm code because you accidentally set it off, and you had included his name and address in your contacts list; People in the mobile era constantly, innocently exchange sensitive information.