I've been traveling, and whenever I return to the office, there's always a lot of news to catch up on. I'm just now reading the details related to Gawker Media's recent security breach. Over one million Gawker/Gizmodo/Lifehacker related commenting accounts were compromised last weekend, and more than 500,000 e-mail addresses and 185,000 decrypted passwords are being shared on The Pirate Bay.
From the Wall Street Journal: "In a blog post defending Goatse Security's actions, a member of the group said it only gave the data to Gawker and later destroyed it."
In that same Goatse blog post, I was quoted as saying: "the disclosure was completely irresponsible."
Did I think the vulnerability disclosure was irresponsible?
Did I think the exploitation of the vulnerability was irresponsible?
Well, kind of, I mean, they could have bought an iPad to exploit themselves and didn't really need to harvest other people's names to make their point… but, let's say no. Even exploiting the vulnerability wasn't "completely" irresponsible.
So what was it that I thought was so completely irresponsible?
It was the turning over of an unredacted dataset to Gawker Media.
Because regardless of how much Goatse Security trusted Remy Stern and Ryan Tate of Gawker/Valleywag (and I'm sure they're very trustworthy), Goatse Security never should have trusted AT&T customer information to Gawker's security infrastructure.
And so who knows now where those iPad addresses have ended up?
Hopefully they were deleted from Gawker's servers after the FBI finished their investigation.
I e-mailed Ryan Tate last June to ask how the iPad dataset was sent, encrypted or not, but I never heard back… I'm sure Ryan was busy at the time. And I'm sure he's busy now as well, but at this point, I want to know.
How and in what format was the iPad dataset sent to Gawker, and how/when was it deleted?