Goatse Security, the group behind the leak of 114,000 e-mail addresses belonging to Apple iPad owners, defends its actions in response to criticism about responsible disclosure and in the face of what has now become an FBI investigation.
The group that gained access to 114,000 e-mail addresses belonging
to Apple iPad 3G owners has taken to the blogosphere to defend itself,
while the FBI has announced that it is investigating the incident.
June 9 that it had obtained the e-mail addresses using a
script that exploited
a feature on the AT&T Website.
Among the addresses revealed by the leak
were those of New York City Mayor Michael Bloomberg and numerous military
personnel and prominent corporate executives.
In response, FBI spokesperson Lindsay Godwin confirmed in an e-mail to
eWEEK that the agency was "aware of these possible computer intrusions and
has opened an investigation to address the potential cyber-threat."
The situation has touched off a debate about responsible disclosure, with
AT&T stating that Goatse Security never contacted it with the findings. In
a blog post June 10, Goatse
to the controversy about its methods by stating
that the timeline of events "speaks for itself."
The group's post said, "The Goatse Security analyst responsible for the
discovery personally verified this hole was closed Tuesday and no longer a
threat to the public before we went to Ryan Tate at Gawker with the data set
and attack details. Ryan Tate was the only one to receive our data set, and
what results from it he published were redacted to prevent the compromise of
The post continued, "All data was gathered from a public Web server
with no password," meaning it was "accessible by anyone on the Internet."
Therefore, "There was no breach, intrusion or penetration," the group
argued. "We did not contact AT&T directly, but we made sure that
someone else tipped them off and waited for them to patch" before sharing
the information with Gawker.
"This disclosure needed to be made," the group wrote. "iPad
3G users had the right to know that their e-mail addresses were potentially
public knowledge so they could take steps to mitigate the issue (like changing
their e-mail address)."
Since the iPad's launch, Apple has reportedly sold more than
2 million of the devices.