A US federal court in New Jersey on Tuesday found Andrew Auernheimer, a hacker and self-described internet troll, guilty of breaching AT&T to siphon off some 120,000 email addresses of iPad owners.
According to Wired, the jury took just a few hours to convict the 26-year-old man from Arkansas of one count of identity fraud and one count of conspiracy to access a computer without authorization, both of which are federal crimes.
Auernheimer expected the verdict and plans to appeal, he told his followers on Twitter.
The breach was committed in the early days of June 2010.
Prior to AT&T’s subsequent fix, when an iPad 3G communicated with the company’s website, its ICC-ID – an internal code used to associate a SIM card with a particular subscriber – was automatically displayed in plain text in the site’s URL.
Hackers discovered that each ICC-ID was connected to an iPad user’s email address and wrote a script, named the “iPad 3G Account Slurper”, to leverage the security hole.
Goatse used the slurper to bombard the AT&T website service with thousands of requests using made-up ICC-ID codes.
By flooding the website with so many made-up ICC-IDC codes, Goatse was guaranteed to hit on some genuine ones. When that happened, AT&T’s website believed the request was coming from a genuine iPad user and therefore revealed the associated email address.
Daniel Spitler, an alleged member of the Goatse Security hacking group of which Auernheimer is also a member, subsequently pled guilty to breaking into AT&T’s systems and obtaining the email addresses of iPad users.
For his part, Auernheimer pled innocent.
The fact that the breach targeted early iPad adopters of Apple’s iPad (or, at least, those who subscribed via AT&T) garnered big headlines.
One such was Gawker’s, which promoted its exclusive story, titled “Apple’s Worst Security Breach: 114,000 iPad Owners Exposed”.
The hype flew in the face of the fact that the breach merely constituted email addresses (which are, obviously, publicly disclosed every time we send an email). But it concerned Apple, and iPad, and those names get people excited.
When the breach first went public, some, including the Electronic Frontier Foundation, were quick to defend the hackers, who expressed dismay over the ensuing FBI investigation and censure from security researchers.
After all, Auernheimer told the Wall Street Journal at the time, they were just trying to help:
"We tried to be the good guys... [And drawing attention to the flaw] was the only way to get public notification."
But his claim to be acting in the service of the greater good was undercut by gleeful gloating on Internet Relay Chat (IRC), the transcripts of which can be found in the criminal complaint [PDF] filed in January 2011.
Goatse members discussed a range of actions that pushed them into the black hat region of security, such as timing the public disclosure of AT&T’s hole so as to short AT&T stock, potentially selling the email addresses to spam databases and thereby fueling “a future massive phishing operation” targeting iPad owners, and, more generally, where to drop the data set for “max lols”.
Initial press coverage including that from Gawker stated that Auernheimer and Spitler had acted responsibly in disclosing the breach to AT&T:
"Goatse Security notified AT&T of the breach and the security hole was closed.
The media, it turns out, got that bit wrong, according to the IRC transcripts.
The transcripts showed Spitler, Auernheimer and other Goatse Security members musing over just how, exactly, AT&T had gotten wind of the breach, as they pondered whether it might have been Reuters or the San Francisco Chronicle that leaked the breach.
It certainly wasn’t anybody from Goatse who called AT&T, as Auernheimer admitted to IRC correspondent “Nstyr”:
Nstyr: you DID call tech support right?
Auernheimer: totally but not really
Auernheimer: i dont [f*in] care i hope they sue me
The two go on to discuss how the next thing on their bucket list should be using the breach to pass themselves off as a legitimate security outfit:
Nstyr: you should've uploaded the list to full disclosure maybe you still can
Auernheimer: no no that is potentially criminal at this point we won
Auernheimer: we dropepd the stock price
Nstyr: I guess
Auernheimer: lets not like do anything else we [f*g] win and I get to like spin us as a legitimate security organization
Auernheimer faces up to 10 years in prison and $500,000 in fines.
In my opinion, this is not a case wherein a responsible security researcher is unfairly punished for his actions.
My view is that this is a case where the media was played like a bunch of saps and swallowed lines about good intentions.