Goatse Security logo
Nick "Rucas" Price
Goatse Security (GoatSec) is a loose-knit, nine-person grey hat hacker group that specializes in uncovering security flaws. It is a division of the anti-blogging Internet trolling organization known as the Gay Nigger Association of America (GNAA). The group derives its name from the Goatse.cx shock site, and it chose "Gaping Holes Exposed" as its slogan. In June 2010, Goatse Security obtained the email addresses of approximately 114,000 Apple iPad users. This led to an FBI investigation and the filing of criminal charges against two of the group's members.
The GNAA had several security researchers within its membership. According to Goatse Security spokesperson Leon Kaiser, the GNAA could not fully utilize their talents since the group believed that there would not be anyone who would take security data published by the GNAA seriously. In order to create a medium through which GNAA members can publish their security findings, the GNAA created Goatse Security in December 2009.
In March 2010, Goatse Security discovered an integer overflow vulnerability within Apple's web browser, Safari, and posted an exploit on Encyclopedia Dramatica. They found out that a person could access a blocked port by adding 65,536 to the port number. This vulnerability was also found in Arora, iCab, OmniWeb, and Stainless. Although Apple fixed the glitch for desktop versions of Safari in March, the company left the glitch unfixed in mobile versions of the browser. Goatse Security claimed that a hacker could exploit the mobile Safari flaw in order to gain access and cause harm to the Apple iPad.
AT&T/iPad email address leak
In June 2010, Goatse Security uncovered a vulnerability within the AT&T website. AT&T was the only provider of 3G service for Apple's iPad in the United States. When signing up for AT&T's 3G service from an iPad, AT&T retrieves the ICC-ID from the iPad's SIM card and associates it with the email address provided during sign-up. In order to ease the log-in process from the iPad, the AT&T website receives the SIM card's ICC-ID and pre-populates the email address field with the address provided during sign-up. Goatse Security realized that by sending a HTTP request with a valid ICC-ID embedded inside it to the AT&T website, the website would reveal the email address associated with that ICC-ID.
On June 5, 2010, Daniel Spitler, aka "JacksonBrown", began discussing this vulnerability and possible ways to exploit it, including phishing, on an IRC channel. Goatse Security constructed a PHP-based brute force script that would send HTTP requests with random ICC-IDs to the AT&T website until a legitimate ICC-ID is entered, which would return the email address corresponding to the ICC-ID. This script was dubbed the "iPad 3G Account Slurper."
Goatse Security then attempted to find an appropriate news source to confide the leaked information with. weev attempted to contact News Corporation and Thomson Reuters executives, including Arthur Siskind, about AT&T's security problems. On June 6, 2010, weev sent emails with some of the ICC-IDs recovered in order to verify his claims. Chat logs from this period also reveal that attention and publicity may have been incentives for the group.
Contrary to what it first claimed, the group initially revealed the security flaw to Gawker Media before notifying AT&T and also exposed the data of 114,000 iPad users, including those of celebrities, the government and the military. These tactics re-provoked significant debate on the proper disclosure of IT security flaws.
weev has maintained that Goatse Security used common industry standard practices and has said that, "We tried to be the good guys". Jennifer Granick of the Electronic Frontier Foundation has also defended the tactics used by Goatse Security.
On June 14, 2010, Michael Arrington of TechCrunch awarded the group a Crunchie award for public service. This was the first time a Crunchie was awarded outside the annual Crunchies award ceremony.
The FBI then opened an investigation into the incident, leading to a criminal complaint in January 2011 and a raid on Andrew "weev" Auernheimer's house. The search was related to the AT&T investigation and Auernheimer was subsequently detained and released on bail on state drug charges, later dropped. After his release on bail, he broke a gag order to protest and to dispute the legality of the search of his house and denial of access to a public defender. He also asked for donations via PayPal, to defray legal costs. In 2011 the Department of Justice announced that he will be charged with one count of conspiracy to access a computer without authorization and one count of fraud. A co-defendant, Daniel Spitler, was released on bail.
On November 20, 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization, and tweeted that he would appeal the ruling. Alex Pilosov, a friend who was also present for the ruling, tweeted that Auernheimer would remain free on bail until sentencing, "which will be at least 90 days out."
On November 29, 2012, Auernheimer authored an article in Wired Magazine entitled "Forget Disclosure - Hackers Should Keep Security Holes to Themselves," advocating the disclosure of any zero-day exploit only to individuals who will "use it in the interests of social justice."
On April 11, 2014, the Third Circuit issued an opinion vacating Auernheimer's conviction, on the basis that venue in New Jersey was improper. The judges did not address the substantive question on the legality of the site access. He was released from prison late on April 11.
In May 2011, a DoS vulnerability affecting several Linux distributions was disclosed by Goatse Security, after the group discovered that a lengthy Advanced Packaging Tool URL would cause compiz to crash.
- Tate, Ryan (2010-06-09). "AT&T Fights Spreading iPad Fear". Valleywag. Gawker Media. Retrieved 2010-10-17.
- Kaiser, Leon (2011-01-19). Interview: Goatse Security on FBI Charges Following AT&T iPad Breach (Transcript). Interview with Mick Jason. DailyTech. Retrieved 2011-01-21.
- Dowell, Andrew (2010-06-17). "Programmer Detained After FBI Search". The Wall Street Journal (Dow Jones & Company, Inc.). Retrieved 2010-10-11.
- "Team". Goatse Security. Goatse Security. 2010-06-14. Retrieved 2010-09-22.
- Chokshi, Niraj (2010-06-10). "Meet One of the Hackers Who Exposed the iPad Security Leak". The Atlantic (The Atlantic Monthly Group). Retrieved 2010-09-16.
- Keizer, Gregg (2010-06-17). "iPad hacker arrested on multiple drug charges after FBI search". Computerworld (Computerworld Inc.). Retrieved 2010-09-16.
- Mick, Jason (2010-06-14). "AT&T Apologizes to iPad Customers, We Reveal Hackers' Locales". DailyTech (DailyTech LLC.). Retrieved 2010-09-16.
- Bilton, Nick; Wortham, Jenna (2011-01-18). "Two Are Charged With Fraud in iPad Security Breach". The New York Times (The New York Times Company). Retrieved 2011-01-21.
- "Security Researcher Acknowledgments for Microsoft Online Services". Microsoft. Retrieved 19 October 2012.
- United States District Court — District Court of New Jersey, Docket: MAG 11-4022 (CCC). Filed with the court January 13, 2011
- "Clench, our way of saying "screw you" to SSL PKI forever". Goatse Security. Goatse Security. 2010-09-08. Retrieved 2010-10-29.
- Lawson, Nate (2010-09-08). "Clench is inferior to TLS+SRP". root labs rdist. Nate Lawson. Retrieved 2010-10-29.
- Eunjung Cha, Ariana (2010-06-12). "Apple's iPad security breach reveals vulnerability of mobile devices". Washington Post. Retrieved 6 April 2011.
- AT&T iPad 'hacker' breaks gag order to rant at cops The Register, John Leyden. July 7, 2010
- Tate, Ryan (2010-06-10). Apple's iPad Breach Raises Alarms (audio / transcript). Interview with Melissa Block. All Things Considered. National Public Radio. Retrieved 2010-09-16.
- Ragan, Steve (2010-06-10). "AT&T loses 114,000 e-mail addresses via scripting error". The Tech Herald (WOTR Limited). Retrieved 2010-09-28.
- Constantin, Lucian (2010-01-30). "Firefox Bug Used to Harass Entire IRC Network". Softpedia (Softpedia). Retrieved 2010-09-19.
- Goodin, Dan (2010-01-30). "Firefox-based attack wreaks havoc on IRC users". The Register (Situation Publishing). Retrieved 2010-09-19.
- Goodin, Dan (2010-06-09). "Security gaffe exposes addresses of elite iPaders". The Register (Situation Publishing). Retrieved 2010-09-19.
- Keizer, Gregg (2010-06-14). "AT&T 'dishonest' about iPad attack threat, say hackers". Computerworld (Computerworld Inc.). Retrieved 2010-09-18.
- Ragan, Steve (2010-06-14). "Goatse Security tells AT&T: ‘You f---ed up’". The Tech Herald (WOTR Limited). p. 2. Retrieved 2010-10-06.
- "CVE-2010-1099". National Vulnerability Database. NIST. 2010-03-24. Retrieved 2010-10-06.
- "CVE-2010-1100". National Vulnerability Database. NIST. 2010-03-24. Retrieved 2010-10-06.
- "CVE-2010-1101". National Vulnerability Database. NIST. 2010-03-24. Retrieved 2010-10-06.
- "CVE-2010-1102". National Vulnerability Database. NIST. 2010-03-24. Retrieved 2010-10-06.
- "CVE-2010-1103". National Vulnerability Database. NIST. 2010-03-24. Retrieved 2010-10-06.
- Goldman, David (2010-06-14). "Hackers say iPad has more security holes". CNNMoney.com (CNN). Retrieved 2010-09-18.
- Keizer, Gregg (2010-06-10). "'Brute force' script snatched iPad e-mail addresses". Computerworld (Computerworld Inc.). Retrieved 2010-09-18.
- Tate, Ryan (2010-06-09). "Apple's Worst Security Breach: 114,000 iPad Owners Exposed". Valleywag. Gawker Media. Retrieved 2010-09-16.
- Ante, Spencer E. (2010-06-10). "AT&T Discloses Breach of iPad Owner Data". The Wall Street Journal (Dow Jones & Company, Inc.). Retrieved 2010-09-26.
- Buchanan, Matt (2010-06-09). "The Little Feature That Led to AT&T's iPad Security Breach". Gizmodo. Gawker Media. Retrieved 2010-09-22.
- Criminal Complaint. United States District Court – District Court of New Jersey, Docket: MAG 11-4022 (CCC). Filed with the court January 13, 2011
- Voreacos, David (2011-01-18). "U.S. Announces Charges for Alleged Hack Into AT&T Servers Via iPad Users". Bloomberg.com (Bloomberg L.P.). Retrieved 2011-01-21.
- McMillan, Robert (2010-12-15). "AT&T IPad Hacker Fought for Media Attention, Documents Show". PC World (PC World Communications, Inc.). Retrieved 2010-12-16.
- Foresman, Chris (2011-01-19). "Goatse Security trolls were after "max lols" in AT&T iPad hack". Ars Technica. Retrieved 2011-01-22.
- Worthen, Ben; Spencer E. Ante (June 14, 2010). "Computer Experts Face Backlash". WSJ.com.
- Leydon, John (7 July 2010). "AT&T iPad 'hacker' breaks gag order to rant at cops". The Register. Retrieved 16 February 2011.
- Arrington, Michael (14 June 2010). "We’re Awarding Goatse Security A Crunchie Award For Public Service". Tech Crunch. Retrieved 31 March 2010.
- Patterson, Ben (14 June 2010). "AT&T apologizes for iPad breach, blames hackers". Yahoo! News. Retrieved 31 March 2010.
- Tate, Ryan (June 9, 2010). "Apple's Worst Security Breach: 114,000 iPad Owners Exposed". Gawker.com (Gawker Media). Retrieved June 13, 2010.
- Emspak, Jesse; Perna, Gabriel (June 17, 2010). "Arrested Hacker's Web Site Reveals Extremist Views". International Business Times (International Business Times). Retrieved July 11, 2010.
- Dowell, Andrew (June 17, 2010). "Programmer Detained After FBI Search". The Wall Street Journal.
- "Criminal charges filed against AT&T iPad attackers — Computerworld". January 18, 2011.
- weev. "Hypocrites and Pharisees". Goatse.fr.
- Voigt, Kurt (21 January 2011). "No bail for 2nd iPad e-mail address theft suspect". MSNBC.com. Associated Press. Retrieved 15 February 2011.
- Porter, David (28 February 2011). "Suspect in iPad Data Theft Released on Bail in NJ". ABC News. Associated Press. Retrieved 2 March 2011.
- Zetter, Kim (2012-11-20). "Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data | Threat Level | Wired.com".
- "Twitter status, 3:38 PM - 20 Nov 12".
- "Twitter status, 3:32 PM - 20 Nov 12".
- Bierend, Doug (2012-11-29). "Forget Disclosure — Hackers Should Keep Security Holes to Themselves". Wired.
- Case: 13-1816 Document: 003111586090
- Kravets, David (April 11, 2014). "Appeals court reverses hacker/troll "weev" conviction and sentence". Ars Technica. Retrieved April 11, 2014.
- Hill, Kashmir (April 11, 2014). "Weev Freed, But Court Punts On Bigger 'Hacking vs. Security Research' Question". Forbes. Retrieved April 11, 2014.
- Voreacos, David (April 14, 2014). "AT&T Hacker ‘Weev’ Parties and Tweets as Case Still Looms". Bloomberg. Retrieved April 14, 2014.
- Constantin, Lucian (16 May 2011). "Dangerous Linux Denial of Service Vulnerability Disclosed as 0-Day". Softpedia. Retrieved 25 March 2014.