Don's Pages and my Music

Saturday, June 12, 2010

Hacker defends going public with AT&T's iPad data breach (Q&A) | InSecurity Complex - CNET News

June 10, 2010 4:12 PM PDT

Hacker defends going public with AT&T's iPad data breach (Q&A)


Escher Auernheimer, aka "Weev" of Goatse Security, the group behind the disclosure of the weakness in the AT&T Web site that exposed iPad user data. (Credit: Escher Auernheimer)

A hacker involved with a highly publicized data breach is taking some flak, but he says he and his colleagues simply acted in the public's best interest.

AT&T was forced to scramble to fix a security hole in its Web site that exposed e-mail addresses of more than 100,000 iPad users this week. AT&T says it learned about the Web site flaw from an enterprise customer on Monday and that it was fixed on Tuesday. Goatse Security, the group that uncovered the security flaw, revealed the details to a blog site on Wednesday, touching off a media frenzy. The FBI now says it is investigating the breach, which exposed e-mail addresses of government officials and executives in media, finance, and technology, among others. More details are available in this FAQ.

On Thursday, CNET talked to a key member of Goatse -- Escher Auernheimer, also known as "Weev" -- about the group and what motivates them.

Q: An AT&T spokesman says you did not contact the company. Can you comment?
Auernheimer: We chose not to engage in a direct dialogue. We did not give details of the attack or the data to anyone until we verified that the hole was closed on their Web site on Tuesday. And we only gave it to Ryan Tate at Gawker Media because he agreed he would censor the ICCIDs and the e-mails so they couldn't be used to compromise anything. We did the best we could. But we did want not engage directly with AT&T in case they tried to serve us (an injunction) or something.

If you didn't contact AT&T directly, how did you contact them?
Auernheimer: That wasn't my responsibility. It was someone else's to make sure AT&T had their bases covered and that this wouldn't be exploitable by anyone else. I made sure that the (exploit) author verified that the vulnerability was closed before we went public with the data and the exploit details. That's our corporate process.

So, Goatse Security does this commercially?
Auernheimer: We have a client base that we value and we put their interest first. But if you're not on our list of clients then really the public interest comes first. We serve the public and the reason we went public with this is because people have a right to know. There are a number of serious consequences, particularly if someone had scraped this data and had say a Safari exploit...There are live zero-day (unpatched) exploits out there that I know of. How many parties have this? I don't know, but if they could scrape this data they could have a target list of people who are known vulnerable candidates to an exploit. That could be very dangerous.

So I think it was necessary to inform the public in this particular manner. I know some people are criticizing us and calling it irresponsible, but we did our best effort to be good guys about it. We waited until the hole was patched. We didn't disclose the data except to a reporter who agreed to censor the relevant bits. We felt it was in the public's best interest.

And there was no compensation from Gawker for the information?

Read more...
http://news.cnet.com/8301-27080_3-20007407-245.html

Don

No comments:

Post a Comment