Assistance Requested in Identifying People who Snitched on Goatse Hack

[sickreizin 0]

Thought I'd post this community announcement here. Snitching has hurt many of the people in the hacking community, let's change that.

Taken from https://hackbloc.org/content/court-documents-case-against-goatse-hackers-reveal-use-confidential-informants

Do you know who the informant was? Contact Hackbloc Staff at staff@hackbloc.org

For those who haven't been following the story, Daniel Spitler and Andrew Auernheimer, alleged members of the computer security group Goatse have been charged with Conspiracy to Access a Computer Without Authorization and Fraud in Connection with Personal Information for their alleged role in exposing a major flaw in the way AT&T was storing the personal information of iPad users. The email addresses of many in rich and powerful circles was open to exposure including members of the White House Staff.

While the Department of Justice claims these two "hacked into" AT&T databases, the reality is that they simply queried them a number of times. On a public-facing web page, you could ask the database who was associated with which hardware ID and it would tell you.

In a court document posted on Cryptome, it's revealed that a confidential informant provided IRC chat logs to the FBI. According to the affidavit, "Approximately one month after the search of defendant Auernheimer's home, a confidential source (the "CS") contacted federal law enforcement officers and stated, among other things, that the CS routinely monitored "#dominion," one of the IRC channels used by Goatse Security members to communicate with one another. The CS also provided law enforcement officers with chat logs from the "#dominion" channel from on or about June 2, 2010 through on or about June 11, 201 O. Extending over 150 pages, those chat logs conclusively demonstrate that defendants Spitler and Auernheimer were responsible for the data breach and conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security. Excerpts from the chat logs are provided below."

While there was a snitch within IRC channel, it appears that Goatse members have also offered to work with the Department of Justice "hand in hand for a stronger country" which is all somebody would need to not trust the goatse folks. Future informants against other "malicious hackers"? The idea unfortunately isn't that far-fetched.

It shouldn't be hard to figure out who this snitch was in this case given that they were idling in an IRC room for extensive periods of time. We must protect our communities against snitches who will sell their friends down the river in exchange for legal immunity, status, nationalism, or anything else. Snitching only weakens our community, divides it, and sows distrust into our relationships. Find snitches, publicly out them, and excommunicate them from our community!

A statement was posted on the goatse site which is copied below:

"On the heels of the arrest of two of Goatse Security’s researchers, I felt compelled to write a statement reiterating a few points regarding last year’s AT&T breach which I believe are important:

1. The only data gathered was a list of e-mail addresses. No real names, mailing addresses, or any associated data was breached.

2. The data gathered was PUBLICLY AVAILABLE on AT&T’s web server. Any person could say “What is the e-mail address associated with ID XXXXXXXX” and the server would happily reply “johndoe@yahoo.com” or “invalid ID”. The process of doing so was simply automated using random IDs. There was no “real” hacking involved.

3. Through intermediary channels, Goatse Security notified AT&T of the hole in their system and waited until it had been patched before we made our disclosure.

4. Under no circumstances was the data EVER made public. It was only given to Gawker Media under the condition that it would be redacted, just as proof that the data *HAD* been leaked and this was not a fictitious claim.

5. AT&T has pressured the USDoJ and the FBI into building and prosecuting a baseless case because they care more about their own share price than their customers. Stated another way: the American government works at the behest of private corporations.

AT&T, the FBI, and the prosecution have labelled this as a “malicious” attack, directly against AT&T’s interests and their customers. This could not be farther from the truth. The flaw was quite literally stumbled upon; AT&T was never targeted, and upon gathering the data, it was not sold, distributed, or used otherwise (although it certainly had the potential to be used quite maliciously) – it was only disseminated to a single media outlet because we believed it was important enough to share. Were the hole discovered by a malicious party, the data could have been easily sold to the RBN at a very high price, could have been used to target iPad owners with AT&T phishing e-mails, the e-mails could have been sent iPad trojans, or otherwise. The private discussions we had to determine the extent of the flaw will undoubtedly be twisted and redacted by the prosecution to create an appearance of malice, as these were all topics touched upon. This can be damning even though the discussion itself is not a crime.

The case is based entirely upon IRC logs, anonymously submitted, which could be completely fabricated with no method of verification. The transcripts of these logs are solely being used to create an image of malicious intent.

The fact of the matter is quite simple: AT&T put their own customers at risk through negligence, their share price dropped when this fact was exposed, and they have now co-opted the USDoJ and the FBI to attempt to shift the blame from themselves to individuals who were looking out for the public good.

In the end, regardless of how the chat logs are made to appear, the facts do not change: GoatSec researchers found a hole, made sure it was closed, and responsibly disclosed its existence."

[jeremy 2]

Dropping docs won't solve anything. What is happening to them is stupid, I agree. But snitching isn't going to change anything- a retaliation may actually make things worse.

The guys knew they could potentially face charges for what they did, and they obviously didn't do enough to protect themselves from being found. I "hacked" into all of computer hosting company's websites by downloading a database file that was hosted in a publicly accessible directory. I knew that even though this wasn't much of a "hack", with current laws, I could find myself in a lot of trouble, even though I was 15. I emailed the company's owner and the next day talked to him over the phone and recorded the phone call. He thanked me and even offered me a job. Later, he threatened legal action against me for it, but I had the recording with him thanking me for it. He didn't pursue any actions but if he had, I would have still most likely been just as guilty as those guys. Since then, I never bothered disclosing vulnerabilities without taking overly-extreme measures to protect myself.

Maybe the community should concentrate their energy on learning how to remain anonymous instead of trying to find someone for revenge.

[mSparks 187]

it's revealed that a confidential informant provided IRC chat logs to the FBI

I thought these days the FBI got regular dumps of pretty much all IRC server logs.

Mix that in with the kit they've installed in most [all?] US ISPs and there's my favorite culprit.

[PurpleJesus 12]

Dropping docs or not.. Confidential Informants shouldn't have any confidentiality.. The constitution clearly states you have the right to face your accuser in court. To me, CIs ARE accusing people, and therefore must show themselves. Too bad this isn't how it works though..

Hope your boys have some GOOD attorneys. Wonder if AT&T could be counter sued for neglect by allowing such a glaring hole to exist. Would it be any different then the city leaving a manhole uncovered and waiting for people to walk into? ethically: not really.

So from what you say.. If I generated a list of possible Email addresses someone might use, and then use FB's Friend Finder to associate them with facebook accounts.. that'd be breaking into facebook? that's totally nuts.

[mSparks 187]

There's also these guys:

http://www.phoenixintelligence.com/

[resistorX 4]

Dropping docs or not.. Confidential Informants shouldn't have any confidentiality.. The constitution clearly states you have the right to face your accuser in court. To me, CIs ARE accusing people, and therefore must show themselves. Too bad this isn't how it works though..

Hope your boys have some GOOD attorneys. Wonder if AT&T could be counter sued for neglect by allowing such a glaring hole to exist. Would it be any different then the city leaving a manhole uncovered and waiting for people to walk into? ethically: not really.

So from what you say.. If I generated a list of possible Email addresses someone might use, and then use FB's Friend Finder to associate them with facebook accounts.. that'd be breaking into facebook? that's totally nuts.

I agree with you on everything.

And yeah, that is totally nuts.

Frankly, it doesn't sound to me like the prosecution has a case. Even if a public defender were used, one would think he/she would notice this glaringly obvious fact. But I know, public defenders walk about their heads detached, so that one is lost cause before it started - I have experience in that arena, and I all I can say to the so-called 'defendants' is : If use one, you may as well call it quits.

Ah, mustn't forget the DA's role in this fiasco of what they think is a case. Where's his/her brain anyway? Ok.... so they see the facts they were presented with, and yet they go ahead with it anyway??? Ok, what drug are you using dude? Or to put it another way, "What color's the sky in your world?"

The DA thought there's a case? What case? Was he daydreaming of a 'case' of beer, mistook the two images in his/her mind, and thought, "Yeah, I see a case here."? WTF?

Thinking on this just gets me going... I can see why D.A. stands for "dumb ass". Well, it suits you fool, whoever you are.

sickreizin -

Based on what you said here, these dudes broke into nothing, therefore there's no case IMO.

I'm going with what you've said here since I haven't heard about this news and wouldn't know details myself, therefore I can only go with what you've said. So, going with what you've said here, I don't even see how directing retaliation at the snitch/snitches (if there were more than one), is even hitting the right target(s). Seems to me the issue is the D.A. Reason I say this is what I said above to PurpleJesus - if that person had their brain attached, they wouldn't have bothered pursuing it, therefore if anyone's to blame IMO it's this person.

But then again, if I'm going to go this far with my critique, I may as well continue with that thought.......

1) If the D.A. had their head attached, they'd see there's no case to pursue because no law(s) was broken. 2) The snitch, then in fact, had nothing to snitch on since no law(s) were broken. So then, why retaliate on a snitch who snitched *no law breaking* ?? I think you've missed something here......

Edit : Not that I was condoning retaliation and breaking laws, just making a point. (lest you decide to target the D.A. and what I said above ends up implicating me in some way).

Edited January 30, 2011 by resistor X

[mSparks 187]

Someone should provide, via a confidential informer, in the exact same format, the IRC logs of the DA, Judge and the CEO of AT&T that also clearly shows they engage in goatse.

Out of interest though, which one is the giver, and which one is the receiver?

Edited January 30, 2011 by mSparks

[phaedrus 9]

Dont they have logs from the chanops bots? that should at least tell them who was in chan when the bad things* were said. Do people still even have eggdrops etc doing this? I stay away from irc mostly nowadays but I always assume those silent people sitting idle are just bots...

On another note, Weev and co are already in deep, trolling round the public forums like this isnt helping their cause. Shouldnt you be doing this quietly in the background?

I dont personally believe they really did anything to warrent the crap raining down on them apart from make a ass out of some companies, but you've gotta get the judge to understand the open public bit and some of them have only just worked out how to turn a pc on, let alone undertand t'internet tubes. Not a great thing to be reliant on for your liberty.

Remember its interesting times we live in, and intent is important when talking and stuff...

*bad as in bad to be later quoted in a court as having been said