Friday, June 11, 2010

iPad Hackers: Obtaining Emails Not Illegal, We Will Fight If Charges Are Pressed

Posted By on Fri, Jun 11, 2010 at 3:24 PM

According to reports, the FBI is currently investigating the AT&T iPad leak because of the sensitive (read governmental) nature of the data revealed, and Gawker Media is now under pressure to provide information on the legality of the breach, casting Goatse Security, the hacker group that launched a thousand journalist lols and inadvertently NSFW tech news headlines ("Goatse Security claims gaping hole, etc ..."), into the spotlight.

We spoke online with Goatse employee "Weev" on Wednesday night and learned that the exploit was more of a threat than many think. We also asked about the motivations of the security group. Why, as reported in their recent blog post, did they destroy the list of 114,000 influential iPad subscribers after giving it to Valleywag blogger Ryan Tate?

Note: The following interview transcript was excerpted, edited and paraphrased.

SF Weekly: So who do you think is responsible, Apple or AT&T?

Weev: Both. Apple coded the hook to pass the ICC-ID to AT&T -- it's both their failures, no question about it. Both didn't see the potential for abuse.

SF Weekly: In your opinion, what would be the worst case scenario, if this had not been exposed. Is the NYTimes right, in making everyone shut off their 3G?

Weev: Well someone with nefarious intent could have scraped a complete [database] of iPad 3G subscribers and emailed them all an exploit payload and owned [a lot] of iPads or owned the influential people




harm can an email address, plus the ID of the iPad with which it is associated do? Emailing from the list of 114,000 iPad users would increase your likelihood of reaching an iPad as opposed to any old email list, useful if you've got an exploit or hack specifically designed to infiltrate iPads; Goatse was able to scrape the email addresses and iPad IDs of a lot of immediately recognizable people.

Someone more sinister could have used these addresses to send influencers an email with a link that, if clicked on, could allow the hacker to take over some of the iPad. Reports from the CanSecWest security conference have shown that vulnerabilities continue to plague the iPhone and other mobile devices.


Weev: We did this as "niceguy" as we could. WSJ wrote an article that implies pretty strongly that we are criminals. We did not publicly release the dataset, we waited until we confirmed the system was secured before we went public with technical details. I hope they don't try to get charges pressed but if charges are pressed we will fight it and win.

SF Weekly: Why destroy the data ethically [from your end], when Ryan Tate has a copy and is probably more vulnerable to hacking?

Weev: There's probably more of an attack surface for me than for Tate and there's simply no more reason for me to have the data: It served its purpose for me. I'm just like a PR agent in this scenario. There's absolutely no reason for me to have it, the story is broken. Hopefully nobody will press any criminal stuff.

SF Weekly: What do you mean by PR agent?

Weev: Well this wasn't my find. The dude that owned the iPad -- He doesn't wanna be named. If I said his name, you'd know it. He's probably super easy to serve.

Later Weev implied that the person who found the iPad bug might not be able to pursue his current career if outed, hinting at the prominence of the tipster.

SF Weekly: So what are your main motivations?

Weev: Listen I'm an artist, a real one -- I don't hang my work on some gallery wall for douchebags to gawk at. Our motivation is to make art and to provoke human thought and to advance the human condition. Uninterested in lawbreaking, want to make more art. Don't need to break law to make art.

SF Weekly: Was it illegal to obtain the emails? The process of obtaining, wasn't that against the law?

Weev: Do not believe so. Regardless, I did not do it. I am just a publication agent.

SF Weekly: So if AT&T offers you a job. Will you consider?

Weev: Absolutely. Goatse security is open to contracts from anyone. We put our client's interests first.

The risks of security ID holes aren't just spam email -- think of all the data on your iPhone you wouldn't want anyone else to see. Imagine your boyfriend texted his home alarm code because you accidentally set it off, and you had included his name and address in your contacts list; people in the mobile era constantly, innocently exchange sensitive information.

Will our iPads be safer now, because of this? Despite the 4chan-derived name and general shady Internet troll rhetoric of Goatse, yes, for the moment.


About The Author

Alexia Tsotsis

