One of the hackers in the group that snatched more than 100,000 iPad owner e-mail addresses from AT&T’s servers was arrested Tuesday on felony drug charges after the FBI searched his Arkansas home.
Andrew “Escher” Auernheimer was arrested by Fayetteville, Ark., police and was booked into the Washington County Detention Center Tuesday afternoon, where he is being held on bonds totaling $3,160.
Auernheimer, 24, faces four felony charges of possession of a controlled substance and one misdemeanour drug charge.
According to CNET News, which first reported the arrest, police found drugs that included cocaine, ecstasy, LSD, and Schedule 2 and 3 pharmaceuticals when they searched his home.
Auernheimer, who also goes by the hacker nickname “weev,” is one of 10 members of Goatse Security, a hacking group that used an automated script to collect 114,000 iPad e-mail addresses from AT&T through a public feature of the carrier’s Web site.
Goatse revealed its e-mail harvesting after AT&T closed the hole, then defended its actions as “responsible disclosure” — the term given to security revelations made public only after a vendor has patched a bug.
In a letter to customers apologizing for the e-mail address disclosure, however, AT&T said the group “maliciously exploited” its Web site and promised it would “prosecute violators to the fullest extent of the law.”
In an interview with Computerworld last week, Auernheimer argued that Goatse’s attack was “ethical” and denied that they did anything illegal.
“We love America and did this in the public interest,” Auernheimer said at the time.
He noted that Goatse waited until AT&T had closed the hole before revealing its findings. “We followed the disclosure process, which is more than you can say for at least a third of security researchers,” he argued, referring to researchers who post bug details before a patch is available.
He suggested Goatse’s disclosure was a good thing for all concerned. “If someone had a Safari exploit for the iPad, for example, they could have gotten this information. It was in the public’s and AT&T customers’ interest [for the latter] to be able to mitigate this instantly.”
Rather than contact AT&T directly with what they’d uncovered, Goatse tipped off an unnamed third party, who in turn reported the design flaw to AT&T.
Goatse took that route, Auernheimer said in the interview, to prevent AT&T from stopping the group from publicizing the e-mail address exposure.
“We didn’t want an injunction [from AT&T] that would have kept us from disclosing the data. And we didn’t see the necessity of contacting AT&T directly.”
Goatse contacted several media outlets whose employees showed up on the list of e-mail addresses they’d obtained, including Fox News, Reuters and others. None responded to their messages.
Instead, Goatse contacted Gawker Media, the company that operates ValleyWag and other technology sites and blogs. “We gave the data only to Gawker,” said Auernheimer. “They were the only one willing to dedicate resources to [the story].” According to Auernheimer, Gawker assigned several interns to the task of poring over the list of 114,000 e-mail addresses.
Bloggers who have slammed Goatse over its disclosure are jealous that the group gave Gawker and ValleyWag an exclusive, Auernheimer said. “A majority of the people who have been critical are just upset that we went to Gawker with it,” he added.
Only iPad 3G owners’ ICC-ID numbers and e-mail addresses were obtained from AT&T’s servers, Auernheimer said.
The FBI, which has launched an investigation into the address acquisition, has said it is trying to decide if Goatse violated U.S. laws. But according to Auernheimer, the agency has not contacted anyone belonging to Goatse. “No, we have had no contact with law enforcement,” he said, adding that he doesn’t believe the group broke the law.
In a blog post, Auernheimer spelled out Goatse’s case. “All data was gathered from a public webserver with no password, accessible by anyone on the Internet,” he wrote. “There was no breach, intrusion, or penetration, by any means of the word.”
But Auernheimer wasn’t sure that he and the other member of Goatse would not be prosecuted. “Hopefully, we aren’t, but a [prosecutor] can get a grand jury to do anything,” he said.
Meanwhile, on Wednesday, the Fayetteville Police Department declined to comment on the charges against Auernheimer, instead referring all questions to the FBI.
Special Agent Bryan Travers of the FBI’s Newark, N.J., division confirmed that the agency had served a search warrant at Auernheimer’s home.
However, he declined to answer any other questions, including whether agents removed computers from Auernheimer’s residence.
“This remains an open investigation,” Travers said in an e-mail.
The FBI launched an investigation into the Goatse attack last week, saying then that it was trying to determine if the group broke any laws.
Another Goatse member, French hacker Sam Hocevar, said he couldn’t answer questions about Auernheimer’s arrest. “I am not in a position to answer your questions, as I too am waiting for factual information,” Hocevar said in an e-mail Wednesday.
Auernheimer is no stranger to drugs, according to Brian Krebs, a former reporter for the Washington Post and now the author of the Krebs on Security blog.
In 2006, said Krebs, Auernheimer started a talk at a security conference by telling the audience that he was tripping on acid.
He has also regularly posted anti-Semitic statements on his LiveJournal blog, where he has claimed that the FCC is “Jewish-run” and that Jews “have long made a sham of the nobel [sic] prize.”
Auernheimer was arrested last March, according to a report by Fayetteville television station KHBS-TV, which noted that city police said he had given them a false name when they responded to a parking complaint.