FBI Nabs Alleged iPad Who's-Who Leakers
The FBI has arrested two men it believes are responsible for an incident last summer in which hackers broke into AT&T's computer systems and exposed the email addresses of over 100,000 early iPad buyers. Debate continues over whether these hackers allegedly committed a serious crime or actually helped improve AT&T's security, albeit in a somewhat unethical way.
01/19/11 10:39 AM PT
Two men who allegedly broke into AT&T's computer systems and stole the email addresses of early iPad owners were arrested Tuesday by the Federal Bureau of Investigation.
The break-in made headlines last summer because some of the 114,000 email addresses were subsequently published by the gossip website Gawker and contained some high-profile names, including New York Mayor Michael Bloomberg and former White House Chief of Staff Rahm Emanuel.
Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco were taken into custody Tuesday and charged with an alleged conspiracy to hack AT&T servers and for possession of personal subscriber information obtained from the servers, according to a statement from the office of New Jersey U.S. Attorney Paul J. Fishman. Auernheimer was arrested as he appeared in state court on an unrelated drug charge.
Both men are purported to be members of an organization called "Goatse Security," described by the FBI as a loose association of hackers and Internet trolls. Goatse did not respond before this story's deadline to a request by MacNewsWorld to comment on the case .
Aggressive Action Pledged
The arrests show that AT&T doesn't take these kinds of attacks lightly, according to the company. "We take our customers' privacy very seriously, and we cooperate with law enforcement whenever necessary to protect it," AT&T's Executive Director of Media Relations Mark Siegel told MacNewsWorld.
Apple, through spokesperson Trudy Muller, declined to comment on the case.
"One primary principle of our society is confidence in a reasonable expectation of personal privacy, which includes expectations of financial privacy, medical privacy, and privacy in our communications," said Michael B. Ward, special agent in charge of the FBI's Newark, N.J. field office.
"Unauthorized intrusions into personal privacy adversely affect individual citizens, businesses and even national security," he added. "Such intrusion cases, regardless if the motive is criminal gain or prestige among peers in the cyber-hacking world, must and will be aggressively pursued to ensure these rights are protected to the highest degree."
Hackers Performed 'Public Service'
When the break-in occurred, Goatse claimed it was exposing a security hole in AT&T's systems so the company could plug it. The company did so within 24 hours of the flaw coming to its attention, and no sensitive information -- Social Security numbers, credit card numbers and such -- was ever exposed to the hackers.
Goatse was performing a public service, one commentator said at the time of the break-in. "We don't see much hacking here, and we don't see anything really malicious," TechCrunch Founder Michael Arrington wrote on his site.
"AT&T was effectively publishing the information on the open Internet, and if there's an FBI investigation, it should be focused on them, not Goatse," he added. "The fact is that Goatse was performing a public service by discovering and publishing the vulnerability. They made the Internet slightly safer by doing so."
Arrington did not respond to a request by MacNewsWorld for comment on the arrests.
The hackers that broke into the AT&T servers weren't hardcore cyber criminals, asserted Richard Wang, manager of security software company Sophos Labs in Burlington, Mass. "They weren't on the far criminal side of the fence," he told MacNewsWorld. "They were looking for security holes rather than trying to get information to exploit and take advantage of."
He acknowledged, though, that the pair's actions didn't conform with the rulebook for ethical hacking. "The problem was trivial for them to exploit," he said. "But it wasn't necessary for them to get 114,000 addresses to prove that the security hole was there."
"They didn't contact AT&T directly; they had someone else do it," he continued. "So they weren't following the best practice of responsible disclosure, making sure the affected company knew about it and were able to put some defenses in place."
Anyone probing security flaws needs to do so prudently, cautioned Trend Mico Threat Research Manager Jamz Yaneza.
"Threat researchers and all netizens should also be very careful in doing any investigative work and never lose sight of how to walk the fine line of ethically disclosing vulnerability information in such a way as to assist rather than to aggravate the situation," he told MacNewsWorld.