Two men, part of a hacker group known as Goatse Security, have been accused of breaking into servers run by AT&T in order to steal the email addresses of more than 120,000 iPad customers.
Possible victims of the hacking include New York City Mayor Michael Bloomberg, news anchor Diane Sawyer, movie mogul Harvey Weinstein, and Chicago Mayor Rahm Emanuel.
What everyone can agree on is that the two men exposed a major privacy flaw in Apple’s iPad.
AT&T, the company that provides cellular data for iPads, quickly resolved the vulnerability that led to the breach.
What is not so easy to agree on is whether what the men did was legitimate – or criminal. Prosecutors allege it was criminal and have charged the iPad hackers with two crimes.
One of the accused pleaded guilty June 23 to one count of conspiracy to gain unauthorized access to computers and one count of identity theft; he is scheduled to be sentenced September 28.
Meanwhile, the other accused hacker was indicted last week by a New Jersey grand jury on the same charges. In this video interview from last year, he said “truth triumphs in the end” and added that “the things I say have offended people, but hey, that’s America, that’s the marketplace of ideas.”
So what was their motivation? What was going through their minds? In a publicly posted letter to “clear the air” last year, the hacking group insisted that their intentions were good:
“We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.”
When the hackers initially disclosed their findings, they said they did it as a service to the United States:
“People in critical positions have a right to completely understand the scope of vulnerability immediately. Not days or weeks or months after potential intrusion.”
The New York Times even noted that the blame could be “leveled at both sides” since the men claimed all data was gathered from a public Web server with no password, accessible by anyone on the Internet.
While the hacking duo clearly went about this with a questionable strategy, they seem to be saying exactly what more legitimate tech outlets are warning about. For example, a newly released Javelin Strategy & Research report suggests that fraud is becoming increasingly sophisticated, and with new technologies come new security challenges.
So were they simply alerting people to gaping privacy holes, or were they criminals who need to spend years behind bars?