After news broke this week that two self-described hackers had been arrested for allegedly breaking into AT&T’s 3G network and stealing the email addresses of over 100,000 iPad users, another member of the hacking group has taken to the internet in defense of his two friends.
Daniel Spitler of San Francisco, CA, and Andrew Auernheimer of Fayetteville, AR, were arrested this week in connection with the AT&T incident, and were each charged with fraud and conspiracy to access a computer without authorization. The two, who have been called “researchers” for a group known as Goatse Security, were defended on the group’s blog Wednesday by a member going by the name Rucas.
Rucas noted five points of clarification in his blog post:
- The only data gathered was a list of e-mail addresses. No real names, mailing addresses, or any associated data was breached.
- The data gathered was PUBLICLY AVAILABLE on AT&T’s web server. Any person could say “What is the e-mail address associated with ID XXXXXXXX” and the server would happily reply “firstname.lastname@example.org” or “invalid ID”. The process of doing so was simply automated using random IDs. There was no “real” hacking involved.
- Through intermediary channels, Goatse Security notified AT&T of the hole in their system and waited until it had been patched before we made our disclosure.
- Under no circumstances was the data EVER made public. It was only given to Gawker Media under the condition that it would be redacted, just as proof that the data *HAD* been leaked and this was not a fictitious claim.
- AT&T has pressured the USDoJ and the FBI into building and prosecuting a baseless case because they care more about their own share price than their customers. Stated another way: the American government works at the behest of private corporations.
“AT&T, the FBI, and the prosecution have labelled this as a ‘malicious’ attack, directly against AT&T’s interests and their customers. This could not be farther from the truth,” Rucas claims. “The flaw was quite literally stumbled upon; AT&T was never targeted, and upon gathering the data, it was not sold, distributed, or used otherwise (although it certainly had the potential to be used quite maliciously) – it was only disseminated to a single media outlet because we believed it was important enough to share.”
If these claims are true, AT&T has filed the case against Spitler and Auernheimer simply to save face in front of their investors, and also to set an example for anyone else who might be planning to expose security holes in their network. Maybe AT&T should take a page from major corporations who are offering rewards rather than prosecuting those who find flaws in their systems.
Clearly, the case between Goatse Security and AT&T is a starkly contrasted, two-sided story. It’s now up to the courts to decide whether there was ill intent on the part of Spitler and Auernheimer. Let’s hope that these guys get a fair trial despite AT&T’s large pocketbook.