I've presume nothing about their intentions, and have described only their actions.
You responded to my post in which I posed a very specific question. You didn't answer it. What you did say was not pertinent to the question. And yes, I have asked Goatse the same question. No response yet. While some people use questions like mine as rhetoric to win some larger debate, I am not doing that. The question I posed is an honest one: I really want to know why a group that is supposedly concerned with information security actually sent out private data as opposed to just characterizing the exploit.
Quote:
Originally Posted by RationalTroll
I don't know you so the likelihood is slim that would ever come into question.
Now you're just playing dumb. Of course I wouldn't confide in a stranger. Unless you are a moron, and I doubt it, then of course you got my point: your sentence that I was responding to downplayed the issue of Goatse sharing the private data with a third party... something I find very objectionable.
Quote:
Originally Posted by RationalTroll
Besides, please note that I've made no claims about either the ethics or the legality of Goatse's actions. There's no shortage of such opinions here. What seemed lacking here was a few details reported elsewhere but apparently missed by some here, which I've provided.
[And blah, blah, blah]...
How many arguments are you carrying on at once? You may be confusing me with others. Go back and look at the only posts I've made on this thread. I asked one simple honest question. You responded to it with a non-answer and then made a statement to someone else that hit right on the same topic. And I called that statement into question too.
The rest of your points may be correct or incorrect. I do not care. I just can't think of any legitimate justification for the release of private data.
Goatse claims that the only copy of the data they had was given to the reporter, and their own destroyed. Any data in the wild is a result of the exposure AT&T created for themselves, not from Goatse's sharing of the data with one reporter.
By giving the data to a so-called reporter they lost control of that data and can not confirm or prove that the emails were not released.This was reckless and very unprofessional. Destroying the data that was in their possession now proves nothing as they had already lost control of it. Once they did that they became criminals and fools, not security experts!
Then go to the other posts about how this AT&T scam was done, and note that it involved an e-mail sniffing machine that costs the price of a small car. Then see where he mentions making a good living off it.
Now go back to the blog. Scroll past the racial bigotry and comments about how he is looking more like Jesus every day, and there is a POEM to the pleasures of spamming "i read spamcop ...."
Now ask yourself, do you REALLY BELIEVE that all those harvested em@ds were "destroyed"? Or that they stopped harvesting at a few em@ds just to prove a point?
What more do the Feds need? Throw him in a cell with Jason Chen! Or perhaps not, they're probably bottom buddies by now.
I would have md5'd each email address and published it to the world. Let the customers look up their own addresses to know they were affected.
I have experience with a security disclosure involving an investment bank, and given all the management resistance, slow action by the feds, etc., I can tell you that a white hat approach is not the most effective.
By giving the data to a so-called reporter they lost control of that data and can not confirm or prove that the emails were not released.This was reckless and very unprofessional. Destroying the data that was in their possession now proves nothing as they had already lost control of it. Once they did that they became criminals and fools, not security experts!
I would have md5'd each email address and published it to the world. Let the customers look up their own addresses to know they were affected.
I have experience with a security disclosure involving an investment bank, and given all the management resistance, slow action by the feds, etc., I can tell you that a white hat approach is not the most effective.
+1 Inightful
The md5 suggestion is a good one.
Maybe next time Apple will partner with a carrier who employs people who think as clearly as you do about security issues.
By giving the data to a so-called reporter they lost control of that data and can not confirm or prove that the emails were not released.This was reckless and very unprofessional. Destroying the data that was in their possession now proves nothing as they had already lost control of it. Once they did that they became criminals and fools, not security experts!
They may be. I've not expressed an opinion about Goatse because I feel they're not worth my attention.
What's been interesting is that most of what I wrote was overlooked in this obsession with Goatse. Let's all agree: Goaste = bad. There. Done. Now can we move on to examine the more interesting implications at play here?
Given the various roles of the players in this story, this is not a situation in which a Boolean applies, where everyone lines up neatly into little boxes of "Good" and "Bad". Even if we all agree that Apple would go in the Good box and Goaste in the Bad, what can rationally be said of AT&T?
- They've demonstrated a lax approach to establishing their security infrastructure.
- They've withheld critical information from affected customers until after it became a public embarrassment, and even then they took several days to do it.
- They have further eroded confidence in the very act in which they tried to rebuild it: their letter to their customers downplays the actual risks involved.
- Given the nature of this exposure, one cannot assume other portions of their infrastructure are any more secure.
Okay, Goastse is the devil. We got that.
But AT&T is no angel either. They are not worthy of partnership with Apple, and are not worthy of your money.
This guy is smart enough to hack, but dumb enough to leave drugs laying around his house when he knows he's under suspicion and attention by the entire US Government?
I don't buy it and neither should anyone else.
Watch the Frontline WACO story video, it's available through Netflix, it will SHOCK YOU!!
Yes, I stand corrected on that technicality: Goatse did not contact AT&T directly, but did make sure they were contacted privately about the matter long before it was public.
Thank you for making my point even clearer: AT&T had advance notice and did not notify affected customers in a timely manner.
It seems to me that we do not know what happened. Saying that they contacted a(n unknown) third party privately, says nothing. Who was the private party? Without knowing that, how can anyone get verification that anyone was contacted at all? Who was this private party supposed to have contacted at AT&T? A customer service rep? We don't know. If they were contacted, somehow, how do we know that it was in enough time to fix this problem?
This guy is smart enough to hack, but dumb enough to leave drugs laying around his house when he knows he's under suspicion and attention by the entire US Government?
I don't buy it and neither should anyone else.
Watch the Frontline WACO story video, it's available through Netflix, it will SHOCK YOU!!
Smart, as being able to hack something, and being smart, which in another sense means to have COMMON sense, are two different things.
If you knew anything about this guy, you would see that.
This guy is smart enough to hack, but dumb enough to leave drugs laying around his house when he knows he's under suspicion and attention by the entire US Government?
I don't buy it and neither should anyone else.
Watch the Frontline WACO story video, it's available through Netflix, it will SHOCK YOU!!
And the moon is made of green cheese. Really, it IS! I saw a video on the internet that said so. So it must be true.
If you're implying that Public Television's Frontline is supporting wacko Waco conspiracy theories, you might want to look at it again. They are rigorously fair, and in so doing they acknowledge all sides of a story. Even theories by crazies. That's a long way from supporting them. And if I recall they may have even said they were highly unlikely. That jerk in Waco brought it all on himself. The deaths of all those people were all because of his vanity and delusions. Not to mention a taste for underage sex. Hope he roasts in hell if there is one.
PS: Do you also think his long and self-acknowledged record of posting antisemitic and racist rants are a government conspiracy too?
Comments
Have you considered asking them?
I've presume nothing about their intentions, and have described only their actions.
You responded to my post in which I posed a very specific question. You didn't answer it. What you did say was not pertinent to the question. And yes, I have asked Goatse the same question. No response yet. While some people use questions like mine as rhetoric to win some larger debate, I am not doing that. The question I posed is an honest one: I really want to know why a group that is supposedly concerned with information security actually sent out private data as opposed to just characterizing the exploit.
I don't know you so the likelihood is slim that would ever come into question.
Now you're just playing dumb. Of course I wouldn't confide in a stranger. Unless you are a moron, and I doubt it, then of course you got my point: your sentence that I was responding to downplayed the issue of Goatse sharing the private data with a third party... something I find very objectionable.
Besides, please note that I've made no claims about either the ethics or the legality of Goatse's actions. There's no shortage of such opinions here. What seemed lacking here was a few details reported elsewhere but apparently missed by some here, which I've provided.
[And blah, blah, blah]...
How many arguments are you carrying on at once? You may be confusing me with others. Go back and look at the only posts I've made on this thread. I asked one simple honest question. You responded to it with a non-answer and then made a statement to someone else that hit right on the same topic. And I called that statement into question too.
The rest of your points may be correct or incorrect. I do not care. I just can't think of any legitimate justification for the release of private data.
Thompson
Goatse claims that the only copy of the data they had was given to the reporter, and their own destroyed. Any data in the wild is a result of the exposure AT&T created for themselves, not from Goatse's sharing of the data with one reporter.
By giving the data to a so-called reporter they lost control of that data and can not confirm or prove that the emails were not released.This was reckless and very unprofessional. Destroying the data that was in their possession now proves nothing as they had already lost control of it. Once they did that they became criminals and fools, not security experts!
http://en.wikipedia.org/wiki/Goatse.cx - no need to, just see how the "Security Consultants" website changed itself (NSFW)
Appleinsider, along with others, is quoting Escher Auernheimer as if he might even be telling the truth.
Check out this "Full Disclosure": http://seclists.org/fulldisclosure/2009/Oct/82
for Andrew Alan Escher Auernheimer aka "Weev"
Then read his blog: http://weev.livejournal.com/
Then go to the other posts about how this AT&T scam was done, and note that it involved an e-mail sniffing machine that costs the price of a small car. Then see where he mentions making a good living off it.
Now go back to the blog. Scroll past the racial bigotry and comments about how he is looking more like Jesus every day, and there is a POEM to the pleasures of spamming "i read spamcop ...."
Now ask yourself, do you REALLY BELIEVE that all those harvested em@ds were "destroyed"? Or that they stopped harvesting at a few em@ds just to prove a point?
What more do the Feds need? Throw him in a cell with Jason Chen! Or perhaps not, they're probably bottom buddies by now.
I have experience with a security disclosure involving an investment bank, and given all the management resistance, slow action by the feds, etc., I can tell you that a white hat approach is not the most effective.
By giving the data to a so-called reporter they lost control of that data and can not confirm or prove that the emails were not released.This was reckless and very unprofessional. Destroying the data that was in their possession now proves nothing as they had already lost control of it. Once they did that they became criminals and fools, not security experts!
Exactly where my sentiment was leaning.
Thompson
I would have md5'd each email address and published it to the world. Let the customers look up their own addresses to know they were affected.
I have experience with a security disclosure involving an investment bank, and given all the management resistance, slow action by the feds, etc., I can tell you that a white hat approach is not the most effective.
+1 Inightful
The md5 suggestion is a good one.
Maybe next time Apple will partner with a carrier who employs people who think as clearly as you do about security issues.
By giving the data to a so-called reporter they lost control of that data and can not confirm or prove that the emails were not released.This was reckless and very unprofessional. Destroying the data that was in their possession now proves nothing as they had already lost control of it. Once they did that they became criminals and fools, not security experts!
They may be. I've not expressed an opinion about Goatse because I feel they're not worth my attention.
What's been interesting is that most of what I wrote was overlooked in this obsession with Goatse. Let's all agree: Goaste = bad. There. Done. Now can we move on to examine the more interesting implications at play here?
Given the various roles of the players in this story, this is not a situation in which a Boolean applies, where everyone lines up neatly into little boxes of "Good" and "Bad". Even if we all agree that Apple would go in the Good box and Goaste in the Bad, what can rationally be said of AT&T?
- They've demonstrated a lax approach to establishing their security infrastructure.
- They've withheld critical information from affected customers until after it became a public embarrassment, and even then they took several days to do it.
- They have further eroded confidence in the very act in which they tried to rebuild it: their letter to their customers downplays the actual risks involved.
- Given the nature of this exposure, one cannot assume other portions of their infrastructure are any more secure.
Okay, Goastse is the devil. We got that.
But AT&T is no angel either. They are not worthy of partnership with Apple, and are not worthy of your money.
You mean buy a vowel and add two ss's?
I thought the "A" would be sufficient in this case.
Anyone seen a pic of this Andrew dude. Pathetic.
http://news.cnet.com/8301-27080_3-20007827-245.html
Ha ha hacker in jail now.
Anyone seen a pic of this Andrew dude. Pathetic.
http://news.cnet.com/8301-27080_3-20007827-245.html
A new name is needed for the combination of hillbilly and geek.
If their security is going to be as bad as Microsoft's, then it's no use paying more for their stuff.
All your base are belong to us. - NSA
I'm glad Goatse is ripping Apple a new @sshole.
....
You may have the ripper and rippee transposed ...
Ha ha hacker in jail now.
Anyone seen a pic of this Andrew dude. Pathetic.
http://news.cnet.com/8301-27080_3-20007827-245.html
Wow, a obvious set up!
This guy is smart enough to hack, but dumb enough to leave drugs laying around his house when he knows he's under suspicion and attention by the entire US Government?
I don't buy it and neither should anyone else.
Watch the Frontline WACO story video, it's available through Netflix, it will SHOCK YOU!!
Yes, I stand corrected on that technicality: Goatse did not contact AT&T directly, but did make sure they were contacted privately about the matter long before it was public.
Thank you for making my point even clearer: AT&T had advance notice and did not notify affected customers in a timely manner.
It seems to me that we do not know what happened. Saying that they contacted a(n unknown) third party privately, says nothing. Who was the private party? Without knowing that, how can anyone get verification that anyone was contacted at all? Who was this private party supposed to have contacted at AT&T? A customer service rep? We don't know. If they were contacted, somehow, how do we know that it was in enough time to fix this problem?
Wow, a obvious set up!
This guy is smart enough to hack, but dumb enough to leave drugs laying around his house when he knows he's under suspicion and attention by the entire US Government?
I don't buy it and neither should anyone else.
Watch the Frontline WACO story video, it's available through Netflix, it will SHOCK YOU!!
Smart, as being able to hack something, and being smart, which in another sense means to have COMMON sense, are two different things.
If you knew anything about this guy, you would see that.
Wow, a obvious set up!
This guy is smart enough to hack, but dumb enough to leave drugs laying around his house when he knows he's under suspicion and attention by the entire US Government?
I don't buy it and neither should anyone else.
Watch the Frontline WACO story video, it's available through Netflix, it will SHOCK YOU!!
And the moon is made of green cheese. Really, it IS! I saw a video on the internet that said so. So it must be true.
If you're implying that Public Television's Frontline is supporting wacko Waco conspiracy theories, you might want to look at it again. They are rigorously fair, and in so doing they acknowledge all sides of a story. Even theories by crazies. That's a long way from supporting them. And if I recall they may have even said they were highly unlikely. That jerk in Waco brought it all on himself. The deaths of all those people were all because of his vanity and delusions. Not to mention a taste for underage sex. Hope he roasts in hell if there is one.
PS: Do you also think his long and self-acknowledged record of posting antisemitic and racist rants are a government conspiracy too?