Hacker defends going public with AT&T's iPad data breach (Q&A)

Member of group behind the AT&T iPad-related breach of user data says they acted in the public interest.

Escher Auernheimer, aka "Weev" of Goatse Security, the group behind the disclosure of the weakness in the AT&T Web site that exposed iPad user data.

A hacker involved with a highly publicized data breach is taking some flak, but he says he and his colleagues simply acted in the public's best interest.

AT&T was forced to scramble to fix a security hole in its Web site that exposed e-mail addresses of more than 100,000 iPad users this week. AT&T says it learned about the Web site flaw from an enterprise customer on Monday and that it was fixed on Tuesday. Goatse Security, the group that uncovered the security flaw, revealed the details to a blog site on Wednesday, touching off a media frenzy. The FBI now says it is investigating the breach, which exposed e-mail addresses of government officials and executives in media, finance, and technology, among others. More details are available in this FAQ.

On Thursday, CNET talked to a key member of Goatse -- Escher Auernheimer, also known as "Weev" -- about the group and what motivates them.

Q: An AT&T spokesman says you did not contact the company. Can you comment?
Auernheimer: We chose not to engage in a direct dialogue. We did not give details of the attack or the data to anyone until we verified that the hole was closed on their Web site on Tuesday. And we only gave it to Ryan Tate at Gawker Media because he agreed he would censor the ICCIDs and the e-mails so they couldn't be used to compromise anything. We did the best we could. But we did not want to engage directly with AT&T in case they tried to serve us (an injunction) or something.

If you didn't contact AT&T directly, how did you contact them?
Auernheimer: That wasn't my responsibility. It was someone else's to make sure AT&T had their bases covered and that this wouldn't be exploitable by anyone else. I made sure that the (exploit) author verified that the vulnerability was closed before we went public with the data and the exploit details. That's our corporate process.

So, Goatse Security does this commercially?
Auernheimer: We have a client base that we value and we put their interest first. But if you're not on our list of clients then really the public interest comes first. We serve the public and the reason we went public with this is because people have a right to know. There are a number of serious consequences, particularly if someone had scraped this data and had say a Safari exploit... There are live zero-day (unpatched) exploits out there that I know of. How many parties have this? I don't know, but if they could scrape this data they could have a target list of people who are known vulnerable candidates to an exploit. That could be very dangerous.

So I think it was necessary to inform the public in this particular manner. I know some people are criticizing us and calling it irresponsible, but we did our best effort to be good guys about it. We waited until the hole was patched. We didn't disclose the data except to a reporter who agreed to censor the relevant bits. We felt it was in the public's best interest.

And there was no compensation from Gawker for the information?
Auernheimer: Absolutely not.

Did you share the information or exploit script with anyone beyond the reporter? Could it have gotten out into the hands of people with less-than-noble intentions?
Auernheimer: The script might possibly have fallen into the hands of a third party, but I doubt it. I think everybody involved was pretty responsible and I have no reason to believe that happened.

So, one of your members had an iPad and noticed this strange interaction with the AT&T Web site?
Auernheimer: He used this AT&T security maintenance app. It was part of the normal user experience that tipped him off to something that would allow him to scrape this data.

Then a script was written to do an automated brute force, right?
Auernheimer: Correct.

This type of Web site security flaw is fairly common, right?
Auernheimer: Perhaps. It's pretty egregious that AT&T would have it for such a device that probably has known exploit candidates (attack code) on, say, the Russian (underground) markets.

Could the ID numbers be used to conduct a targeted attack on the device or take control of it? Are all iPad users affected?
Auernheimer: Theoretically it's possible. I think the worst case scenario is someone would send a Safari exploit to those e-mails and someone would click the links on their iPad... My worst case scenario is someone would have scraped this list, gone to the RBN (Russian Business Network underground market) to buy a Safari exploit, and used it to compromise American government officials and corporate officers. That would be bad. So it was in people's best interest. At least they know. At least there's a public knowledge you might be compromised. You might want to change your e-mail address associated with the iPad. The public can take steps now to protect themselves, which they would have been oblivious to before. I think that's pretty important.

Is Apple at fault at all? Should they require users to use some alternate Mac or iPad e-mail address to register a device?
Auernheimer: The real threat to me is an exploit delivered by e-mail payload and that could be resolved by a new e-mail address, of which there are plenty of free ways to get one on the Internet. Should Apple have some sort of evaluation of the security of their carriers? Should they do a business audit evaluation? Should they do Web application auditing? Probably. I think the majority of the blame rests with AT&T.

What is your group exactly? A consulting firm that companies hire to test their security?
Auernheimer: Absolutely. We accept consultancies from a number of parties and we're open to new arrangements and we enjoy doing interesting research. We have compelling stuff. We have some of the smartest people in the world on our team. I'm honored to work alongside people like Sam Hocevar. He's an image-processing (captcha-breaking) genius. Some of our people just stunt my intelligence. It's amazing the people I work with. I'm really happy to be a part of it and proud of the work we do.

How many are on your team?
Auernheimer: There are nine core members and a number of subcontractors.

Are you based in the U.S.?
Auernheimer: We aren't based anywhere. We work out of our homes and there are a couple of people in Texas. There are a couple of people in LA, one guy in France, and the rest are sort of scattered.

The name of your company has a provocative reference to a shocking site. Does that at all diminish from your credibility and reputation?
Auernheimer: (laughs) I don't think so. Our results and research speak for themselves. The last thing we publicly released--we don't disclose the majority of our work--but the integer overflow in Safari was a neat bug. And I am proud of our team and I think we do great work. If someone is offended to where they can't deal with us in a civil fashion because we say things that offend them, then they're a douche bag and we don't want to be employed by them anyway.

So, when you say you don't disclose the majority of your work, are you saying you don't tell the companies affected or the bad guys, or what?
Auernheimer: There is a cost-benefit analysis and when you find a bug, especially in certain circumstances, sometimes it's more beneficial to hold on to it, if it is in your client's best interest or somebody's best interest. So our clients are put first. Beyond that, when we aren't on somebody's dime, we put the public first. But everything has a price, and disclosure ethics certainly are something that have a price tag on them, I believe. But when it's not about money it's about public interest.

So none of your research is going to any underground markets or bad guys?
Auernheimer: Absolutely not. We love America and we love Americans and we would never help the strategic opposition to American business. Absolutely not.

There was a colorful profile of you in The New York Times...
Auernheimer: That guy flat-out lied about me multiple times, like when he said I held the cell phones of people's daughters for ransom. That is something I never claimed to do and something I never did. He didn't want to write a real story, he wanted me to fit his story...

As far as being an Internet troll and prankster, that label you can agree to?
Auernheimer: Guilty as charged on that one, for sure.

Is there anything else people should know?
Auernheimer: I think that Apple users particularly are going to be disillusioned as things go on. We're just starting to get to the point that an OS X-running machine is able to be fungibly sold. It's a fungible commodity now. And I think that Apple users now have an unrealistic expectation of protection that is going to be quickly shattered as they become a more sizable minority.