Why Goatse was right to disclose iPad data leak

happygeek 2 Tallied Votes 438 Views Share

iPad users in the USA have found themselves caught up in a security gaff which saw subscriber data of some 114,000 of them exposed for anyone to see. Subscriber data such as email addresses the Integrated Circuit Card ID that authenticates them on the AT&T network. The security researchers which discovered the vulnerability ensured that AT&T were not only informed, but that it had also closed the hole down, before going public with the news. So why are they, and not the dumbass security folk at AT&T responsible for not securing that data in the first place, the ones under investigation by the FBI?

According to a Goatse spokesperson "All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word. The dataset was not disclosed until we verified the problem was fixed by the vendor". Indeed, the timeline of events could not be much clearer as far as the matter of acting responsibly goes.

The vulnerability was discovered and verified, with user data extracted as proof, and AT&T were informed via a third party. AT&T then acted to fix the vulnerability, and Goatse ensured that this fix was in place and working (meaning there was no further threat to use data) before contacting a journalist at Gawker with the story and the proof in the form of the acquired dataset. The journalist concerned, Ryan Tate, then acted with equal responsibility by redacting that information before publishing the story.

I agree fully with the Goatse spokesperson who says "iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public". If the vulnerability had not been made public in this way do you really think AT&T or Apple would be stepping up and telling those iPad users about it? I don't.

So why, pray tell, are some in the security industry shouting from the rooftops about how irresponsible Goatse has been? And why, for goodness sake, is the FBI now investigating Goatse with a view to 'possible computer intrusions' and a 'potential cyberthreat' as if Goatse are the bad guys rather than AT&T?

Seriously people, get a grip. Gawker did not, it would appear, pay Goatse for this story. The only crime here is that anyone should be investigated for actually improving the security of iPad users.

Or would you prefer that next time such a hole is found the researchers do nothing, for fear of FBI investigation, and just let the bad guys find it and exploit the data instead?

RattyUK 0 Newbie Poster

I think it would have been better to have turned it over to AT&T to fix. Not use such an obnoxious name to game the world's press into printing the word goatse - how childish. And not use a technique which has sent other people to jail.

They could have proved their point with say three bits of data - but instead they decided it was better to mine the whole lot - way to go guys - you now have 147,000 examples of hard hitting AT&T's web site as opposed to say three. Building a nice case there to send you and your crowd to jail - and as I have previously mentioned others have been sent to Jail for the same reasons.

They tried hawking it to all the main press but they turned it down - perhaps they have better legal advice than the hit-whoring Gawker.

Gawker have a huge collection of hits against Apple, meanwhile Apple is quietly building their legal case against Gawker. Nick and his crew are going to be taken out. Each of these things is a major count against them in court.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Err, Goatse did turn it over to AT&T to fix, and did so before handing the story over to the media. Indeed, it even ensured the vulnerability had been fixed properly before going public. Which kind of shoots a huge hole in the forehead of your argument, does it not?

RattyUK 0 Newbie Poster

Dear Happygeek,

If they are such good guys please answer me this:

1) How come they tried to hawk the story to all other media sources and yet they ALL turned them down?
2) How come Gawker media, who have had a bit of a running spat with Apple, decided to accept the mission and yet instead of reporting it as an AT&T gaff decided to use the headline "Apple's Worst Security Breach: 114,000 iPad Owners Exposed"
3) Why they didn't prove it with a handful of examples and yet went on to data mine 147,000 examples?

"Which kind of shoots a huge hole in the forehead of your argument, does it not?"
Er nope it just picks up one of the things I was commenting on and shoots it down. It does not cover the other points raised nor the musings of just how bad a position Gawker are now in.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

1. I have no idea who turned them down or who they offered the story to and in what order.

2. I have not commented on the Gawker handling of the story, other than to say that the data list was responsibly redacted. However, I agree Gawker should have blamed AT&T and not Apple - this has nothing to do with Goatse though, and that's what my news story and comments are about.

3. Because a handful of examples proves there is a problem, over 100,000 of them proves there is a bloody big problem.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.