On June 14th, 2010, Michael Arrington awarded a Crunchie to two members of Goatse Security via a blog post for discovering, publishing and trying to fix a pretty egregious security flaw that they discovered on AT&T’s public website.
Ansel Halliburton, a contributing TechCrunch writer from ComputerLaw Group, explained what happened in this TechCrunch post:
GoatSec found that when a user visited the site from an iPad, the user’s email address was pre-populated. AT&T accomplished this by using a unique number associated with the hardware in individual 3G iPads, called ICC-IDs. If the website received a valid ICC-ID, it would serve a login page with an iPad owner’s email address pre-filled. This meant that if GoatSec could guess valid ICC-IDs, the website would leak email addresses of 3G iPad owners. GoatSec wrote an “account slurper” script that tried thousands of possible ICC-ID numbers and recorded the email addresses the website leaked – ultimately getting more than 100,000 of them.
After talking about what to do with the vulnerability and the list of email addresses, GoatSec eventually decided to take it to the media, as they had done with other vulnerabilities they’d discovered in the past. Gawker published the story on June 9, 2010, along with blacked-out snapshots of the list of email addresses. The next day, GoatSec’s members agreed to delete their copies of the email address list. The full list never leaked to the public. Gawker got a lot of traffic, the press went nuts briefly, AT&T issued a lame apology for its lame vulnerability and disabled the pre-filling “feature,” and the FBI started an investigation.
A lot has happened between the time of that initial blog post and now. In January 2011, a case was filed against two GoatSec members, Andrew Auernheimer (aka “weev”) and Daniel Spitler (aka “JacksonBrown”). Daniel took a plea deal and is helping with the case against Andrew. Andrew was convicted on November 20th, 2012 and is awaiting his sentencing. While he waits to find out if he will face two consecutive five-year terms, Andrew is forcing himself to live in an austere and cold environment to prepare himself for prison. Sadly, he has already cut himself off from his loved ones. He doesn’t want things to be good. He wants prison to be nice in comparison to what he’s putting himself through now.
Andrew and his attorney plan on appealing his sentencing and taking this case as far as they can go, with the ultimate goal of not only his freedom, but also overturning the Computer Fraud and Abuse Act, which is sorely outdated, as it was formed in the 80s. In the video interview I do with Andrew, he mentions that he’s fighting primarily for his freedom, which makes sense, but I’ve talked to him and I know he’s also fighting for every one of you. For this, I think of Andrew as an American hero. He didn’t fall. He didn’t take a plea. He’s fighting to destroy something terribly bad and we all benefit from his fight.
Think what you want about Andrew and his version of performance art, aka trolling, but stop and think for a minute about what this case means for you, our children or startups. This case ultimately means that it could be illegal to access public URLs. Kids are curious. Engineers are curious. Google’s a bit more than curious. Andrew losing this case is catastrophic for web tinkerers and lays very bad groundwork for future cases.
Before going to jail, what Andrew wanted on his bucket list was the Crunchie that TechCrunch awarded to him. He was awarded that statue for public service, and typically there’s a whole process around being awarded a Crunchie. You are usually nominated by the public, voted on by the public and presented your award in an Oscars-style award ceremony where you give an acceptance speech, wave your giant Gorilla in the air and then celebrate with everyone during an after party. Goatse’s Crunchie was special. The voting polls for the Crunchies had been closed for months, the party was over and the next Crunchies award ceremony was more than half a year away. So, sadly, the actual physical award fell through the cracks for a while. We’ve corrected that mistake: Andrew was finally awarded his Crunchie at the New York TechCrunch office, and he gave his acceptance speech, which is towards the end of our interview.
I think you will enjoy it. In his speech, Andrew mentions the Founders Fund Manifesto. It is worth reading if you haven’t seen it yet. Also, if you are moved by this case and you believe the Computer Fraud and Abuse Act should be challenged, I urge you to donate to Andrew’s legal defense fund. His attorney has donated much of his time and they have fought this case long and hard with little to no money. Andrew barely found the money to buy a suit to wear to court so he could look presentable. Anything and everything helps.