And sometimes, it takes a Goatse…
June 24, 2010 by jschneier
Now, granted, being exposed by a notorious organization like Goatse added insult to injury. But no matter how tasteless any of their site content might be, the engineers who comprise "Goatse Security" (got to love that) were spot-on in their assessment. Even so, AT&T's senior VP for public policy and privacy, Dorothy Attwood, characterized the group as hackers who "maliciously exploited" the system to access the e-mail addresses.
Goatse Security rightfully took issue with this and called out AT&T for sloppy iPad security, pointing out that "all data was gathered from a public web server with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration…" They also noted that while it took one hour to gather the email addresses, it took AT&T almost a week to notify customers.
Yes, Goatse Security chose to use a third party to notify AT&T of the problem and then passed the information on to Gawker Media. But, according to the group, they made sure the security breach was fixed before publicizing it, and thus they acted responsibly.
Or did they? Sean Sullivan, Security Advisor at F-Secure, an anti-virus company, begs to differ. He believes a line was crossed when Goatse harvested the data, an unnecessary step that violated the privacy of iPad subscribers. But this action is precisely what nefarious individuals would have done, without the courtesy of contacting AT&T through any means.
As the FBI is now in the early stages of digging through this mess, it remains to be seen whether this is simply an object lesson for AT&T and Apple or a criminal matter. My bets are on the former. Yet, when all is said and done, the real losers are the trusting public.