Hackers Respond To AT&T and Apple About iPad Loophole
Posted 06/14/2010 at 7:20pm | by Matthew Tilmann

Not thrilled at being called "malicious" by AT&T, Goatse Security has issued a response to AT&T's apology to customers today, according to AppleInsider. The group thinks both AT&T and Apple acted irresponsibly when it came to iPad security.
On its blog today, the group said that its manipulation of AT&T's web server was done as a public service, and it did not take kindly to AT&T's comments that the group acted "maliciously" and went to "great efforts" to perform the hack.
"AT&T had plenty of time to inform the public before our disclosure. It was not done," the group noted. "If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by […] some other criminal organization or government."
"[The] finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails," said the group.
A member of the group, Escher Auernheimer, disclosed that the group had given the data it obtained to one journalist and then disposed of the original copy. He thinks that AT&T dragged its feet on alerting customers and was not totally honest about the possible effects.
"Post-patch, disclosure should be immediate - within the hour," he notes. "Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability."
Auernheimer also holds Apple equally at fault for the flaw.
"It was patched on Apple's desktop Safari but has yet to be patched on the iPad," he writes. "This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls) for spamming, exploit payloads, password bruteforce attacks and other undesirables."
"The potential for this sort of attack and the number of iPad users on the list we saw who were stewards of major public and commercial infrastructure necessitated our public disclosure," Auernheimer went on. "People in critical positions have a right to completely understand the scope of vulnerability immediately."