AT&T hacker and internet troll 'Weev' appeals 41-month prison sentence


The Electronic Frontier Foundation on Monday filed an appeal seeking to free Andrew "Weev" Auernheimer, the hacker and self-described internet troll who exploited a hole in AT&T's publicly facing website to siphon the personal data of some 114,000 iPad owners.

Ultimately, Auernheimer was the catalyst behind AT&T fixing the gaping security hole he climbed through to get that information.

He's currently serving a 41-month sentence at the Allenwood Federal Correctional Complex in White Deer, Pennsylvania, in the US.

Auernheimer was prosecuted under what many regard as the worst law in technology: section 18 USC § 1030(a)(2)(C) of the Computer Fraud and Abuse Act of 1986 (CFAA).

That same law was used against Aaron Swartz, who committed suicide while facing extraordinarily severe punishments that may have included up to 35 years in prison and $1 million in fines, after he downloaded academic articles from a digital library at MIT.

Auernheimer was sentenced in March after a court found him guilty of encouraging his co-defendant, Daniel Spitler, to collect about 114,000 email addresses through a security vulnerability on AT&T's servers.

Spitler and Auernheimer had discovered that AT&T's site would return valid email addresses for iPad 3G users if bombarded with ICC-ID codes - codes used internally to associate a SIM card with a particular subscriber.

Auernheimer and Spitler wrote a script, named the "iPad 3G Account Slurper", to leverage the security hole by bombarding AT&T's website service with thousands of requests using made-up ICC-ID codes.
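The flaw described above is a lookup endpoint that resolves a guessable device identifier to a customer's email address with no authentication at all, so anyone who can generate plausible identifiers can walk through the whole customer base. The following is an added example, not code from the article, from AT&T, or from the defendants: it shows that weak lookup pattern beside a hardened version that binds the identifier to an authenticated account, and a small log detector of the kind a defender would run to spot identifier enumeration against such an endpoint. The `/lookup` path, the `icc_id` parameter, the subscriber table and the log lines are all constructed for illustration.

```python
"""Added example (not from the article): an unauthenticated identifier-to-email
lookup, its hardened counterpart, and a detector for identifier enumeration
in web-server logs. Every identifier, address and log line is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed subscriber table: device identifier -> (account id, email).
SUBSCRIBERS = {
    "89010000000000000001": ("acct-1", "alice@example.com"),
    "89010000000000000002": ("acct-2", "bob@example.com"),
    "89010000000000000003": ("acct-3", "carol@example.com"),
}


def lookup_weak(icc_id):
    """Weak pattern: any identifier the client supplies is resolved to an
    email with no authentication, so guessable identifiers enumerate users."""
    rec = SUBSCRIBERS.get(icc_id)
    return rec[1] if rec else None


def lookup_hardened(session_account, icc_id):
    """Hardened pattern: the caller must be authenticated, and the identifier
    is honoured only if it belongs to the caller's own account. An unknown
    identifier and someone else's identifier get the same answer, so the
    response leaks nothing about which identifiers exist."""
    if session_account is None:
        return None
    rec = SUBSCRIBERS.get(icc_id)
    if rec is None or rec[0] != session_account:
        return None
    return rec[1]


# Constructed access-log lines: timestamp client method target status.
SAMPLE_LOG = """\
2010-06-07T10:00:00 203.0.113.5 GET /lookup?icc_id=89010000000000000001 200
2010-06-07T10:00:01 203.0.113.5 GET /lookup?icc_id=89010000000000000002 200
2010-06-07T10:00:01 203.0.113.5 GET /lookup?icc_id=89010000000000000003 200
2010-06-07T10:00:02 203.0.113.5 GET /lookup?icc_id=89010000000000000004 404
2010-06-07T10:00:02 203.0.113.5 GET /lookup?icc_id=89010000000000000005 404
2010-06-07T10:00:03 203.0.113.5 GET /lookup?icc_id=89010000000000000006 404
2010-06-07T10:00:05 198.51.100.7 GET /lookup?icc_id=89010000000000000002 200
2010-06-07T10:00:09 198.51.100.7 GET /lookup?icc_id=89010000000000000002 200
2010-06-07T10:30:00 203.0.113.5 GET /lookup?icc_id=89010000000000000001 200
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, icc_id, status)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, target, status = line.split()
        query = parse_qs(urlparse(target).query)
        icc_id = query.get("icc_id", [None])[0]
        events.append((datetime.fromisoformat(ts), client, icc_id, int(status)))
    return events


def detect_enumeration(events, window=timedelta(seconds=60), threshold=5):
    """Return {client: peak} for every client that queried at least
    `threshold` distinct identifiers inside any sliding `window`.
    A legitimate user repeats its own identifier; an enumerator walks many."""
    by_client = defaultdict(list)
    for ts, client, icc_id, _status in events:
        if icc_id is not None:
            by_client[client].append((ts, icc_id))
    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        peak = 0
        for i, (start, _) in enumerate(hits):
            ids = {icc for ts, icc in hits[i:] if ts - start <= window}
            peak = max(peak, len(ids))
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    print(detect_enumeration(parse_log(SAMPLE_LOG)))
```

The detector keys on the number of distinct identifiers per client rather than on raw request volume, because a single user re-checking its own account produces many requests but only one identifier. The run of 404 responses in the sample is a second signal worth alerting on, since guessed identifiers mostly miss; the hardened lookup removes the incentive for either by refusing to answer for any identifier the session does not own.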

Auernheimer handed over email addresses to the gossip site Gawker, which posted some partially redacted addresses, prompting an FBI investigation.

The investigation led to Auernheimer being charged with identity theft and with felony hacking under the CFAA.

Spitler pled guilty to breaking into AT&T's systems and obtaining the email addresses of iPad users, entered into a plea agreement, and has not been sentenced.

Auernheimer pleaded not guilty, likening his actions to walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft.

In its brief, the EFF argues that Auernheimer didn't violate the CFAA because visiting an unprotected, public webpage isn't "unauthorized access".

As it is, the CFAA doesn't clearly define what unauthorized access is, critics have charged.

As the EFF's Marcia Hofmann has written, prosecutors have taken advantage of that murkiness:

"Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren't really about hacking a computer but instead target other behavior the prosecutors don't like."

But even with the CFAA's hazy language around "authorization," Auernheimer couldn't be found guilty, the EFF wrote in its appeal, given that AT&T hadn't secured the email addresses:

AT&T chose not to employ passwords or any other protective measures to control access to the email addresses of its customers. It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as "theft." The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information. Accessing the email addresses through AT&T's public website was authorized under the CFAA and therefore was not a crime.

Beyond that and a handful of other holes in Auernheimer's conviction, the EFF writes, a $73,000 fine imposed by the court to compensate AT&T for the costs of mailing notifications to affected customers was wrongly imposed, for three reasons.

First, the government failed to prove that AT&T suffered such a loss. Second, the CFAA was never meant to include mailing costs as a loss.

Finally, there wasn't a legal requirement to notify customers of the breach, and most certainly not by mail, given that email was sufficient.

Tor Ekeland, Auernheimer's trial lawyer, said in the EFF release that the government was way out of line to use prosecution in this manner:

"Anyone who cares about the free flow of information on the internet should be concerned about this case. The government is criminalizing computer behavior that millions of Americans engage in every day. The government's reckless and myopic prosecution of Auernheimer for obtaining public information from a public website endangers that vital aspect of the internet and our national economy, which depends on the free flow of information."

I think he's absolutely right.

The CFAA is lousy law, used to punish troll-like behavior by the likes of Weev, revered internet icons pursuing research areas like Swartz, and potentially any security researcher who simply probes a publicly accessible, unprotected site.

Weev is no hero. He doesn't deserve to be compared to the likes of Swartz or white hat hackers.

What he does have in common with Swartz and any other security explorer is that CFAA can be, and was, used as a bludgeon against him.

The courts would be wise to listen to the EFF, which, as is often the case, is being a clear voice of reason.


12 Responses to AT&T hacker and internet troll 'Weev' appeals 41-month prison sentence

  1. Jerry · 293 days ago

    Don't compare Auernheimer with Swartz. Swartz was sincere in his actions, Auernheimer was in it for teh lulz.

  2. gerrymar · 293 days ago

    Don't compare street addresses with e-mail addresses; you can use a phone book for street addresses. Because of people like this it's cost me money in anti-virus protection which I can put to better use. Companies have to spend this money as well, and guess who they pass that cost on to. I don't think the sentence was long enough.

  3. Toney · 293 days ago

    They should send Obama and Holder and the NSA director to jail too since they sent this guy to jail under the same law.

  4. herzco · 293 days ago

    Sorry, no. If he was a hero, or even halfway decent, he would have alerted ATT when he found the flaw. Instead he gave thousands of private email addresses to Gawker. How is that defensible?

    Also, not exactly akin to "walking down the street and writing down the physical addresses of buildings" and more like banging on doors with hammers until they spring open.

    • In my opinion, it's defensible not because of his personal morality, but because the actions he took were perfectly legal under the laws used to prosecute him.

      It's kind of like going after a kid who runs down a street egging all the houses for a case of armed assault against each household affected. Sure, he handled the situation badly (by encouraging his friend to siphon the information), but he didn't actually break into anything.

      Instead of banging on doors with hammers, it's more like he told his friend to walk down the back lane and take pictures through people's open windows, then collected the pictures his friend took and sent them off to a tabloid.

      While his friend plea bargained, he argued that he hadn't done anything wrong, and was instead thrown in jail convicted of the equivalent of forced entry for the purpose of theft.

    • Rocket6 · 289 days ago

      If a company publishes private data and you happen to notice it, you are not legally obligated to alert them. It's a personal choice, and being "halfway decent" has nothing to do with the CFAA.
      It's not uncommon for companies to sue the reporters of vulnerabilities instead of actually fixing the vulnerabilities. By calling public attention to the problem, it forces the company to acknowledge and fix the problem, instead of hiding it.
      Your analogy is inappropriate and implies private property was breached. Nothing published was secured or private.

  5. The Shadow · 292 days ago

    This ^

    The EFF has jumped the shark on this case.

  6. Guest · 292 days ago

    The guy is a dummy and I do not care what happens to him, but this could be scary for a person who did report the exploit to ATT and they charged him anyway. They are using the law the wrong way to prosecute someone, guilty or not.

    • James Ford · 288 days ago

      I do not agree with you. The folks looking at these so-called security sites need "QA", or quality assurance. I would never purchase a parachute unless it has been inspected by a series of QA people. My hope is someone along the process will spot a problem; else, when I rip that cord, I'm SOL. There can be blame as opposed to blaming myself.

  7. Guest · 292 days ago

    This jerk should have been sentenced to 41 years, not 41 months. Hacking will be popular as long as there are no teeth in the anti-hacking laws. This is now epidemic. Crack down HARD on these people. Confiscate their homes and businesses and put them away for so long they forget what a computer is.

  8. Steve · 291 days ago

    AT&T just leaves this privileged info lying around unprotected and this poor guy goes to jail for not much more than a prank.

    Where is their responsibility? They should be held accountable.

    They have a duty to safeguard it somewhat (no, actually to the best of their abilities).

    They should be held just as accountable as the parent who lets his kid get ahold of his gun and shoot someone.

    It's ok for PRISM to do 10 times worse without repercussions and the parties walk free.

    Thank my lucky stars that groups like Anonymous exist so someone will hold these types of lackadaisical company attitudes to a higher standard.

  9. Zerocool · 289 days ago

    Why would he want to give the email addresses to Gawker in the first place? What was he trying to achieve? Did he want to show the world he had hacked into AT&T's system?

    But this issue opened AT&T's eyes to invest more in security enforcement in their system and check for vulnerabilities frequently, and not slack on their job.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.