Hackers fire back at AT&T, say all iPads at risk to Safari hole

2

Comments

  • Reply 21 of 57
    Quote:
    Originally Posted by commun5 View Post


    Goatse Security just happens to decide not to inform AT&T, but to make sure that "someone tipped them off."



    Goatse has claimed that they did indeed contact AT&T before going to the press, which is how the hole was closed before Goatse contacted the reporter.
  • Reply 22 of 57
    shobizshobiz Posts: 207member
    Quote:
    Originally Posted by Planet Blue View Post


    Seriously, everyone saying how all the blogs are so anti-Apple these days is getting really irritating. Sounds like Sarah Palin whining about the ?mainstream media.? Are the blogs perfectly unbiased? Probably not; they?re blogs after all. But they aren?t anywhere close to being bad enough that one would have completely avoid them. Sometimes it?s good to read views that oppose your own.







    If Goatse Security had gone on to maliciously use the email addresses, then yeah, your analogy might be correct. However, they simply proved a problem existed and then reported it. It would be similar to the Sweden driver taking a picture of the cyclists crowding the road and giving it to the local newspaper, rather than him ramming a cyclist.



    P.S. If that anecdote is true, then seriously Mr. Driver, just chill out - why risk seriously hurting another person? At least the cyclist isn?t contributing to our lovely dependence on oil. I know cyclists get annoying, but man, maybe if we all did it more our obesity rate wouldn?t be an astounding 1/3.



    /rant





    Uhm, no it was more the like the person that hit the bike started yelling look what the bike did, it hit my car and the bike fell over on its own...
  • Reply 23 of 57
    kyle172kyle172 Posts: 64member
    Oh no the FBI is involved! All hail pigs that can fly! It's the "H" word!
  • Reply 24 of 57
    adonissmuadonissmu Posts: 1,772member
    Quote:
    Originally Posted by RationalTroll View Post


    Goatse claims that the only copy of the data they had was given to the reporter, and their own destroyed. Any data in the wild is a result of the exposure AT&T created for themselves, not from Goatse's sharing of the data with one reporter.



    Of course they are saying that so they can avoid getting into legal trouble with the feds. If they really had the people's best interest at heart they would've just let ATT know about it and had them fix it and moved on to something else....rather than harvesting the information they got by the leak. Who knows they may have gotten other information that they didn't disclose. They are only out for their own best interests not to help the American people.



    There should have never been any data to destroy or distribute in the first place. The reason you don't get any data is so that if someone's data is out there you aren't on the hook when something goes wrong. Now we know they illegally cracked into ATT's database and got information out by their own admission to the tune of 114,000 people and who knows how many others information was stolen that they aren't telling us. So anyone who really could've benefited or gotten the information for devious uses now has a cover.



    I think ATT should keep milking the fee security tips while they can.
  • Reply 25 of 57
    Quote:
    Originally Posted by AdonisSMU View Post


    Of course they are saying that so they can avoid getting into legal trouble with the feds.



    Has anyone made a claim to the contrary?
  • Reply 26 of 57
    charlitunacharlituna Posts: 7,215member
    Quote:
    Originally Posted by TalkinMan View Post


    In other words...



    "You AT&T people! We did this iPad FUD attack, and you didn't immediately turn around and amplify our FUD!"



    Where's the part where this security company explains why they didn't report the problem directly to AT&T?




    Actually they say they did. Way back in March in fact. And Apple didn't fix this issue, which hasn't been proven as an issue at all, on the ipad/iphone



    In fact. from the sounds of it, there's two different things going on, which they didn't show as connection.



    One is this weird hole that allows folks to run stuff on your computer. And the other is them hacking ATT's activation server and using a program to generate a bunch of potential IP and look up the associated email address. They don't really state that they used the hole somehow to do this, if that is the case.



    Quote:

    Personally, I find it extremely suspicious that this company is using Gawker as their FUD distribution network.



    Gawker will take anything they can spin into anti-Apple talk



    Quote:
    Originally Posted by Planet Blue View Post


    Seriously, everyone saying how all the blogs are so anti-Apple these days is getting really irritating.



    It has been rather exaggerated.



    In fact there are really only 2 anti-Apple blogs. the rest is just some commentators on the blogs being anti-Apple

    The two actual blogs are Engadget, which has always been less than thrilled with Apple (or at least the 'fanboi' side of Apple). And Gawker. Gawker just seems like more because they run several departments and 3 of them (Gawker, Gizmodo and Valleywag) all mention Apple and lately a lot. Funny thing is that they used to be more praising. Or at least closer to neutral. Then they screwed themselves with Valleywags attempted tablet stunt and Gizmodo's actual phone one and are trying to bite back with the total snark. Which isn't going to help them much in the end since they set themselves up for this whole thing by bragging about what they did. If they had really stopped to think they would have planned better and not run their mouths quite so much
  • Reply 27 of 57
    mdriftmeyermdriftmeyer Posts: 7,281member
    Quote:
    Originally Posted by Sensi View Post


    Yep, it still seems applicable to the iphone, ipod and ipad version of safari. Currently only Safari desktop version was patched.





    cf. http://encyclopediadramatica.com/Safari_XPS_Attack



    Which is it?



    You rightly state Safari 5/4.1 are fixed and then include it in your list. The list doesn't even bother to cite version numbers for the other webkit based browsers as well. I don't even think some of the browsers listed [and those not listed like Shiira] have been updated for at least 9 months. Who knows if they are still focused on their solution?
  • Reply 28 of 57
    thomprthompr Posts: 1,511member
    Quote:
    Originally Posted by RationalTroll View Post


    At the Gawker article they explained that they first notified AT&T, and waited until after the hole was closed before talking with the reporter. As noted in this article, they had hoped AT&T would do right by Apple's customers and let them know of this security breach, but AT&T chose not to inform Apple's customers in a timely manner so Goatse did it for them.



    You did not answer my question.



    As far as I can see, there was no reason to actually send the collected data to a reporter. They could just as easily have described the breach and the data (but not sent it out). This is true regardless of the relative timing of other events.



    Thompson
  • Reply 29 of 57
    thomprthompr Posts: 1,511member
    Quote:
    Originally Posted by RationalTroll View Post


    Goatse claims that the only copy of the data they had was given to the reporter, and their own destroyed.



    First of all, you still haven't answered the question of why Goatse sent the data to the reporter. If their objective was as benevolent as they say, they could have achieved that without sending out the data.



    Quote:
    Originally Posted by RationalTroll View Post


    Any data in the wild is a result of the exposure AT&T created for themselves, not from Goatse's sharing of the data with one reporter.



    Remind me never to confide in you if you think that telling just one other person (a reporter, no less!) couldn't possibly do any harm.



    Thompson
  • Reply 30 of 57
    tubbyteetubbytee Posts: 68member
    .....
  • Reply 31 of 57
    commun5commun5 Posts: 36member
    Quote:
    Originally Posted by RationalTroll View Post


    Goatse has claimed that they did indeed contact AT&T before going to the press, which is how the hole was closed before Goatse contacted the reporter.



    From the Goatse Security public letter, security.goatse.fr/on-disclosure-ethics:



    "We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as ?nice guy? as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it."
  • Reply 32 of 57
    masternavmasternav Posts: 442member
    Geez - aren't we all on top of stuff like this by now? Yet another wannabe set of script-kiddies pwns a 'ploit (see how kewlziam usin' web-speak ) and pulls some emails from a less-secured ATT server. Phones companies are some of the most hacked sources for data via networking exploits and backdoor hacks and we're shocked and surprised.



    The script-kiddies, publish their exploits to a notoriously skanky snark site, and then looked shocked and amazed when someone takes them more seriously than they intended.



    Look at the profile of the hit:



    They target what is one of the least secured services for ATT - the activation server for (the Apple iPads and) the New York/East Coast region - where else to have a chance to harvest some potentially high profile data?



    They pull out of their little kit "101 Scriptz So You Can Be A Kewlz Biatchin' Hackerz Too" bag one of dozens of known scripts that generate sequences and set it to run and SOO-PRIZE, SOO-PRIZE, SOO-PRIZE, they harvest a whole bunch of Ipad owner emails for the New York area. Why iPads - because it is topping the media hits right now of course, and well since they are going to take this to Gawker anyway it makes perfect sense.



    They claim to have notified ATT (you know like the guy who "found" the prototype iPhone tried to contact Apple) and then when they claim ATT didn't publically "fess-up" to the breach decided to leak it to embarass them. Oh, and then throw in some random other exploit as well just for good measure - remember we need to implicate Apple in this too - beyond the iPad exploit targets.



    Then a round of "neener-neener-neener", media frenzy Goatse get all kinds of publicity and ATT publishes their "apology" A little more "neener-neener-neener" from Goatse (WE ARE LEGIT HACKERZ OF THE LIGHT) to keep the media circus going, etc. Repeat as needed until the desired effect is achieved.



    Maybe they had a potential customer they needed to impress - maybe they needed beer money and Gawker was happy to provide. It.Doesn't.Matter.



    Voila! They have their instant fame and maybe a happy client. Or beer money. Looking at their website I'm inclined to think beer and well, other things, but hey they got exactly what they were driving for - media exposure. No one NO ONE hacks like that as a public service - they do this for the publicity - to charm a potential client, to massage egos, get some web-cred, or just piss in someone's wheaties. End of story.



    Now back to your regularly scheduled rants.

  • Reply 33 of 57
    masternavmasternav Posts: 442member
    Quote:
    Originally Posted by kyle172 View Post


    Oh no the FBI is involved! All hail pigs that can fly! It's the "H" word!



    Seriously. Back on your meds or get your cat off the friggin' keyboard!!

  • Reply 34 of 57
    jeffdmjeffdm Posts: 12,946member
    Hmmm, other than one likely offensive post, I didn't notice anyone realizing the offensive origin behind the "Goatse" name.
  • Reply 35 of 57
    masternavmasternav Posts: 442member
    Quote:
    Originally Posted by JeffDM View Post


    Hmmm, other than one likely offensive post, I didn't notice anyone realizing the offensive origin behind the "Goatse" name.



    where the various interesting associations were called out here? Priceless dude - they are the very epitome of self-righteous do-gooders. NOT.

  • Reply 36 of 57
    jeffdmjeffdm Posts: 12,946member
    Quote:
    Originally Posted by masternav View Post


    where the various interesting associations were called out here? Priceless dude - they are the very epitome of self-righteous do-gooders. NOT.





    Which thread was that again? I don't remember dealing with other AT&T hack threads, I did find what you're talking about, no memory of dealing with that thread.
  • Reply 37 of 57
    Quote:
    Originally Posted by thompr View Post


    First of all, you still haven't answered the question of why Goatse sent the data to the reporter. If their objective was as benevolent as they say, they could have achieved that without sending out the data.



    Have you considered asking them?



    I've presume nothing about their intentions, and have described only their actions.





    Quote:

    Remind me never to confide in you if you think that telling just one other person (a reporter, no less!) couldn't possibly do any harm.



    I don't know you so the likelihood is slim that would ever come into question. Besides, please note that I've made no claims about either the ethics or the legality of Goatse's actions. There's no shortage of such opinions here. What seemed lacking here was a few details reported elsewhere but apparently missed by some here, which I've provided.



    The oddest thing about the devolution of this discussion is the presumption that there are only two sides here, and that the line is drawn between AT&T vs Goatse. Like most of life, this situation is rife with subtle complexity which obviates such simplistic reductionism.



    If the law says what Goatse did is illegal, then it's illegal. There is no opinion there, and the courts will decide the matter so we needn't bother.



    More interesting to me here is Apple's partner, AT&T, and the complex relationship so many Apple fans have with it.



    If you read enough of these boards you understand that AT&T has earned a fair amount of ill will among the posters here for everything from their insufficient infrastructure investment to their bait-n-switch pricing. Indeed, a good many of Apple's most ardent fans here have pretty much demanded in these pages that Apple stop being exclusive with this vendor who appears to be coasting on that privilege.



    With this security exposure, one would think people would be even more up in arms against AT&T. Goaste's a separate matter; this security hole was an architectural decision, a very poor one, and had been in place for many months before Goatse stumbled across it.



    This leaves us with two stark realizations:



    1. We have no way of knowing how many others have had access to even more data for far longer. As the author quoted at slashdot today noted, this info can be used to track an individual to the nearest cell tower, and may be used to spoof accounts. Affected customers include members of the US Dept of State, the presidential administration, the Dept. of Defense, and some very high-level corporate executives. Read the slashdot article, and think about it.



    2. Since this was such a very poor architectural decision, how many other similarly poor decisions comprise the rest of AT&T's infrastructure?



    As we ponder those two sides of this, consider how AT&T responded: First, they made no effort to notify the affected customers until more than a week after they were given private notification of the exploit.



    Then when they finally issued their mea culpa letters today, those letters noted only that the email addresses were compromised, and made no mention of the more severe possibilities as noted in the slashdot article.



    Whether AT&T didn't include discuss those implications because they don't have the experience to realize them, or because they do but are willfully concealing them, neither speaks well for the company.



    Those who truly support Apple will demand a better choice of business partner. AT&T is simply not up to Apple's standards.
  • Reply 38 of 57
    Quote:
    Originally Posted by commun5 View Post


    From the Goatse Security public letter, security.goatse.fr/on-disclosure-ethics:



    "We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as ?nice guy? as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it."



    Yes, I stand corrected on that technicality: Goatse did not contact AT&T directly, but did make sure they were contacted privately about the matter long before it was public.



    Thank you for making my point even clearer: AT&T had advance notice and did not notify affected customers in a timely manner.
  • Reply 39 of 57
    sensisensi Posts: 346member
    Quote:
    Originally Posted by mdriftmeyer View Post


    Which is it?



    You rightly state Safari 5/4.1 are fixed and then include it in your list. The list doesn't even bother to cite version numbers for the other webkit based browsers as well. I don't even think some of the browsers listed [and those not listed like Shiira] have been updated for at least 9 months. Who knows if they are still focused on their solution?



    I am just quoting a list of browsers affected at the initial disclosure of the flaw (back in march), to answer the question asking if the ipad version of safari was also affected. I read somewhere else -sorry I have no link- that the only version of safari already patched was the desktop one, the others remaining as I speak still unpatched.
  • Reply 40 of 57
    I agree with those who say that this was more about PR stunt, Click Bait, then about Public Interest. The moment this info was shared with anyone other than ATT and or Apple, it smells of BS, PR Stunt...



    When the "reporter" is not any Legitimate News Source, but those who are known for their adversarial position vs. Apple, the motives become suspect!!!



    FBI? Sounds great, but what can FBI do against guys like that, if they are based out of foreign country! Recently CBS 60 Minutes rebroadcasted this story http://bit.ly/aq9isi where the stakes are a lot higher than in this ATT iPad Email Addresses Hack story!



    It seems to me like a lot of parties are doing their best to hurt Apple, AAPL and it's partner ATT. With Headlines like: "FTC : FTC To Open Investigation Into Apple" - the timing of it all seems too suspicions to me!



    I don't recall MSFT playing that dirty vs. Apple or vs., but these days, it seems like: anything goes!!! I only hope that it doesn't get any uglier than that, like kidnappings of Apple's execs family members in exchange for extortion etc.



    After GizmodoGate, that side is not even trying to lay low, they seem to be taunting Apple, and thus Authorities that are Investigating that stolen iPhone Prototype! Gizmodo could have used that ATT iPad Hacker Info as a Peace Offering with Apple... Instead, they chose to play even harder ball..., while FTC is trying to nail Apple on something, just to nail Apple! And it's not like Apple is BP, and hurt lives! I don't see that much scrutiny of Google! Seems suspicious to me! FUD, FUD, FUD!!!



    I guess, if things get too crazy, Apple will speak out on this, but hopefully there won't be need for that!!!



    The GizmodoGate, in retrospect, looks slimy to me:



    Yes, reporters want to be to be 1st ones to the story, but there should be some lines that must not be crossed! NY Times would never done what Gizmodo did, same with other Legitimate Media! Then there are Gizmodo's of the world who are willing to cross lines, in order to compete against the rest of the media! It is that rest of Legitimate Media who has to "throw Gizmodo and such under the bus", and stop treating them as equals who act in public interest! John Stewart, the comedian, went for the laughs, and almost defended Gizmodo, and put down Apple as a Big Brother, The Man!



    Steve Job was correct in his email reply to Gizshits, when he said something along this lines:



    I am with Apple, we create things, what DID YOU create!??



    But then again, how does one play fair, and negotiate with Terrorists like that? - nothing's sacred with that crowd!



    Gizshits wanted to create a PR stun at the expense of hurting Apple's business! And, even as they are being investigated, they are playing a victim of the powerful Apple, and all of a sudden they are involved in this ATT Hack? That way too suspicions.... I hope they are investigated to the max, and, when found guilty, they should be punished to max!!!!



    It's time for all descent people use their brains for creating the best products and the most respectful way! Those who perpetrate the garbage news on us should be treated like garbage they are!!!
Sign In or Register to comment.