Goatse Security
Goatse Security is a loose-knit, nine-person grey hat hacker group that specializes in uncovering security flaws. It is a division of the anti-blogging Internet trolling organization known as the Gay Nigger Association of America (GNAA). The group derives its name from the Goatse.cx shock site, and it chose "Gaping Holes Exposed" as its slogan. In June 2010, Goatse Security obtained the e-mail addresses of approximately 114,000 Apple iPad users. This led to an FBI investigation and the filing of criminal charges against two of the group's members.
Founding
The GNAA had several security researchers within its membership. According to Goatse Security spokesperson Leon Kaiser, the GNAA could not fully utilize their talents since the group believed that there would not be anyone who would take security data published by the GNAA seriously. In order to create a medium through which GNAA members could publish their security findings, the GNAA created Goatse Security in December 2009.
Browser vulnerabilities
In order to protect its web browser from inter-protocol exploitation, Mozilla blocked several ports that HTML forms would not normally have access to. In January 2010, the GNAA discovered that Mozilla's blocks did not cover port 6667, which left Mozilla browsers vulnerable to cross-protocol scripts. The GNAA crafted a JavaScript-based exploit in order to flood IRC channels. Although EFnet and OFTC were able to block the attacks, Freenode struggled to counteract the attacks. Goatse Security exposed the vulnerability, and one of its members, Andrew Auernheimer, aka "weev," posted information about the exploit on Encyclopedia Dramatica.
In March 2010, Goatse Security discovered an integer overflow vulnerability within the Apple Safari browser and posted an exploit on Encyclopedia Dramatica. They found out that a person could access a blocked port by adding 65,536 to the port number. This vulnerability was also found in Arora, iCab, OmniWeb, and Stainless. Although Apple fixed the glitch for desktop versions of Safari in March, the company left the glitch unfixed in mobile versions of the browser. Goatse Security claimed that a hacker could exploit the mobile Safari flaw in order to gain access and cause harm to the Apple iPad.
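The blocklist gap and the 65,536 offset described in the two paragraphs above, modeled as an added example (not code from any browser or from the original article). The blocklist contents, the `host[:port]` parser and all function names are constructed, and the 16-bit masking is an assumed model of how the oversized value ends up as a real port.

```python
# Added illustration: port blocklist check vs. 16-bit truncation.
# Blocklist, parser and function names are constructed for this example.

# Constructed subset of a browser-style port blocklist. 6667 (IRC) is the
# port the article says Mozilla's list did not cover in January 2010.
BLOCKED_PORTS = frozenset({21, 22, 23, 25, 110, 143, 6667})


def parse_port(authority: str, default: int = 80) -> int:
    """Read the decimal port from 'host[:port]' with no range check,
    the way a lenient URL parser might (IPv6 literals not handled)."""
    _host, sep, text = authority.rpartition(":")
    if not sep:
        return default
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"malformed port in {authority!r}")
    return int(text)


def wire_port(port: int) -> int:
    """TCP ports are 16 bits wide: storing a larger integer in a 16-bit
    field keeps only the low 16 bits (assumed model of the flaw)."""
    return port & 0xFFFF


def naive_is_allowed(authority: str) -> bool:
    """Flawed check: tests the untruncated number against the blocklist."""
    return parse_port(authority) not in BLOCKED_PORTS


def hardened_is_allowed(authority: str) -> bool:
    """Reject anything outside 1..65535 before consulting the blocklist,
    so the checked value and the connected value are the same number."""
    port = parse_port(authority)
    if not 1 <= port <= 0xFFFF:
        return False
    return port not in BLOCKED_PORTS


def audit(authorities):
    """Per input: (authority, port on the wire, naive verdict, hardened verdict)."""
    return [
        (a, wire_port(parse_port(a)), naive_is_allowed(a), hardened_is_allowed(a))
        for a in authorities
    ]


if __name__ == "__main__":
    # Constructed inputs: 72203 = 6667 + 65536.
    for row in audit(["example.org", "irc.example.net:6667", "irc.example.net:72203"]):
        print(row)
```

The naive check passes 72203 because that number is not on the list, even though the connection would go to port 6667; the hardened check refuses it before the blocklist is consulted.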
AT&T/iPad e-mail address leak
In June 2010, Goatse Security uncovered a vulnerability within the AT&T website. AT&T was the only provider of 3G service for Apple's iPad in the United States. When signing up for AT&T's 3G service from an iPad, AT&T retrieves the ICC-ID from the iPad's SIM card and associates it with the e-mail address provided during sign-up. In order to ease the log-in process from the iPad, the AT&T website receives the SIM card's ICC-ID and pre-populates the e-mail address field with the address provided during sign-up. Goatse Security realized that by sending an HTTP request with a valid ICC-ID embedded inside it to the AT&T website, the website would reveal the e-mail address associated with that ICC-ID.
On June 5, 2010, Daniel Spitler, aka "JacksonBrown", began discussing this vulnerability and possible ways to exploit it, including phishing, on an IRC channel. Goatse Security constructed a PHP-based brute force script that would send HTTP requests with random ICC-IDs to the AT&T website until a legitimate ICC-ID is entered, which would return the e-mail address corresponding to the ICC-ID. This script was dubbed the "iPad 3G Account Slurper."
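A defender's view of the request pattern described above, as an added example that is not part of the original article: it flags clients that present many distinct ICC-IDs, most of them unknown to the service. The log format, field names, thresholds and every sample value are constructed.

```python
# Added illustration: spotting identifier enumeration in access logs.
# Log format, field names, thresholds and all sample values are constructed.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"client=(?P<client>\S+) iccid=(?P<iccid>\d{19,20}) result=(?P<result>hit|miss)"
)


def find_enumerators(lines, max_distinct=3, min_miss_ratio=0.5):
    """Return {client: (distinct ICC-IDs, miss ratio)} for clients that look
    like they are guessing identifiers rather than presenting their own.

    A device signing in sends the ICC-ID of its own SIM, so one client
    presenting many different ICC-IDs, most of them unknown, is anomalous.
    """
    ids = defaultdict(set)
    total = defaultdict(int)
    misses = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # unrelated or malformed log line
        client = m["client"]
        ids[client].add(m["iccid"])
        total[client] += 1
        if m["result"] == "miss":
            misses[client] += 1

    flagged = {}
    for client, seen in ids.items():
        ratio = misses[client] / total[client]
        if len(seen) > max_distinct and ratio >= min_miss_ratio:
            flagged[client] = (len(seen), round(ratio, 2))
    return flagged


def sample_log():
    """Constructed log: two ordinary clients, one cycling through ICC-IDs."""
    own = "890141" + "0" * 12 + "5"
    lines = [f"t=00:0{i} client=198.51.100.10 iccid={own} result=hit" for i in range(3)]
    lines += [
        "t=00:04 client=198.51.100.22 iccid=8901410000000000123 result=hit",
        "t=00:05 client=198.51.100.22 iccid=8901410000000000456 result=hit",
        "GET /favicon.ico client=198.51.100.22",
    ]
    lines += [
        f"t=01:{i:02d} client=203.0.113.7 iccid=890141{i:013d} "
        f"result={'hit' if i == 7 else 'miss'}"
        for i in range(10)
    ]
    return lines


if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```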
Goatse Security then attempted to find an appropriate news source to which it could confide the leaked information. weev attempted to contact News Corporation and Thomson Reuters executives, including Arthur Siskind, about AT&T's security problems. On June 6, 2010, weev sent e-mails containing some of the recovered ICC-IDs in order to verify his claims. Chat logs from this period also reveal that attention and publicity may have been incentives for the group.
The tactics used by members of Goatse Security caused a significant debate regarding the proper disclosure of IT security flaws. weev has maintained that Goatse Security used common industry standard practices and has said that, "We tried to be the good guys". Jennifer Granick of the Electronic Frontier Foundation has also defended the tactics used by Goatse Security.
On June 14, 2010, Michael Arrington of TechCrunch awarded the group a Crunchie award for public service. This was the first time a Crunchie was awarded outside the annual Crunchies award ceremony.
The FBI then opened an investigation into the incident, leading to a criminal complaint in January 2011 and a raid on Andrew Auernheimer's house. The search was related to the AT&T investigation, and Auernheimer was subsequently detained and released on bail on state drug charges, which were later dropped. After his release on bail, he broke a gag order to protest and to dispute the legality of the search of his house and the denial of access to a public defender. He also asked for donations via PayPal to defray legal costs. In 2011, the Department of Justice announced that he would be charged with one count of conspiracy to access a computer without authorization and one count of fraud. A co-defendant, Daniel Spitler, was released on bail. As of May 2011, he remains released on bail.