Andrew Auernheimer, self-described internet troll and so-called “freedom fighter,” has been sent to prison for the federal crimes of obtaining the personal data of more than 100,000 iPad owners from AT&T’s publicly accessible website and disclosing them to a reporter.
Auernheimer, aka “Weev,” was sentenced on Monday to 41 months in prison followed by three years of probation. He and fellow hacker Daniel Spitler have also been ordered to pay $73,000 in restitution.
Auernheimer, 27, in 2010 found a security flaw in an AT&T server that allowed his Goatse Security hacking group to collect 114,000 email addresses belonging to iPad 3G users.
He turned over that information to the gossip site Gawker, which posted some partially redacted addresses, prompting an FBI investigation.
Prior to AT&T’s subsequent fix, when an iPad 3G communicated with the company’s website, its ICC-ID – an internal code used to associate a SIM card with a particular subscriber – was automatically displayed in plain text in the site’s URL.
Goatse discovered that each ICC-ID was connected to an iPad user’s email address. Auernheimer and his fellow hacker Daniel Spitler wrote a script, named the “iPad 3G Account Slurper”, to leverage the security hole.
They then used the slurper to bombard the AT&T web service with thousands of requests using made-up ICC-ID codes.
By flooding the website with so many made-up ICC-ID codes, Goatse was guaranteed to hit on some genuine ones. When that happened, AT&T’s website believed the request was coming from a genuine iPad user and therefore revealed the associated email address.
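The pattern described above leaves a distinctive trail on the server side: one client walking through many identifiers, most of which do not correspond to any subscriber. The following Python is an added example (not from the article, AT&T or Goatse) that flags that pattern in web server access logs; the log format, the `/account?iccid=` endpoint and the log lines themselves are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real AT&T data). The endpoint returns a
# subscriber record keyed only on the ICC-ID carried in the URL, so a scan
# shows up as one client cycling through many IDs, most of which do not exist.
SAMPLE_LOG = """\
10.0.0.5 [07/Jun/2010:10:00:01] "GET /account?iccid=89010000000000000001 HTTP/1.1" 404
10.0.0.5 [07/Jun/2010:10:00:01] "GET /account?iccid=89010000000000000002 HTTP/1.1" 404
10.0.0.5 [07/Jun/2010:10:00:02] "GET /account?iccid=89010000000000000003 HTTP/1.1" 200
10.0.0.5 [07/Jun/2010:10:00:02] "GET /account?iccid=89010000000000000004 HTTP/1.1" 404
10.0.0.5 [07/Jun/2010:10:00:03] "GET /account?iccid=89010000000000000005 HTTP/1.1" 404
10.0.0.5 [07/Jun/2010:10:00:03] "GET /account?iccid=89010000000000000006 HTTP/1.1" 200
10.0.0.5 [07/Jun/2010:10:00:04] "GET /account?iccid=89010000000000000007 HTTP/1.1" 404
10.0.0.5 [07/Jun/2010:10:00:04] "GET /account?iccid=89010000000000000008 HTTP/1.1" 404
192.0.2.77 [07/Jun/2010:10:00:05] "GET /account?iccid=89010000000000000006 HTTP/1.1" 200
192.0.2.77 [07/Jun/2010:10:00:09] "GET /account?iccid=89010000000000000006 HTTP/1.1" 200
"""

# Hypothetical log layout: client, bracketed timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \[[^\]]+\] "GET /account\?iccid=(\d+) HTTP/[\d.]+" (\d{3})$')

def summarize(log_text):
    """Per client: distinct ICC-IDs requested, total requests, failed lookups."""
    stats = defaultdict(lambda: {"ids": set(), "requests": 0, "misses": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        client, iccid, status = m.groups()
        s = stats[client]
        s["ids"].add(iccid)
        s["requests"] += 1
        if status == "404":
            s["misses"] += 1
    return stats

def flag_enumeration(log_text, min_distinct=5, min_miss_ratio=0.5):
    """Return {client: (distinct_ids, miss_ratio)} for clients whose traffic
    looks like identifier guessing: many distinct IDs and mostly failed lookups.
    A legitimate device repeats its own ICC-ID and is not flagged."""
    flagged = {}
    for client, s in summarize(log_text).items():
        distinct = len(s["ids"])
        ratio = s["misses"] / s["requests"]
        if distinct >= min_distinct and ratio >= min_miss_ratio:
            flagged[client] = (distinct, round(ratio, 2))
    return flagged

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # {'10.0.0.5': (8, 0.75)}
```

The thresholds are starting points; the durable fix is not to serve a subscriber record on the strength of an unauthenticated identifier in the URL at all.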
Spitler subsequently pled guilty to breaking into AT&T’s systems and obtaining the email addresses of iPad users.
Auernheimer pled not guilty. Since his indictment, he’s likened his actions to walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft.
Authorities also claim that Auernheimer sent an email to the U.S. attorney’s office in New Jersey, blaming AT&T for exposing customer data.
When the breach first went public, some, including the Electronic Frontier Foundation, were quick to defend the hackers, who expressed dismay over the ensuing FBI investigation and censure from security researchers.
After all, Auernheimer told the Wall Street Journal at the time, they were just trying to help:
"We tried to be the good guys... [And drawing attention to the flaw] was the only way to get public notification."
But his claim to be acting in the service of the greater good was undercut by his gleeful gloating on Internet Relay Chat (IRC), the transcripts of which can be found in the criminal complaint [PDF] filed in January 2011.
According to the IRC transcripts, the media got it flat-out wrong when it swallowed Auernheimer’s claims of responsible vulnerability disclosure.
In reality, Goatse members discussed a range of actions that pushed them into the black hat region of security, such as timing the public disclosure of AT&T’s hole so as to short AT&T stock, potentially selling the email addresses to spam databases and thereby fueling “a future massive phishing operation” targeting iPad owners, and, more generally, where to drop the data set for “max lols”.
Spitler, Auernheimer and other Goatse Security members didn’t even know how AT&T had gotten wind of the breach, the IRC transcripts show, as they pondered whether it might have been Reuters or the San Francisco Chronicle that leaked the news.
In short, in my opinion, this is not a responsible security researcher who’s been unjustly sentenced. But it is still one more individual facing outrageously out-of-proportion punishment for the given crime.
Auernheimer’s sentencing is based on one charge of conspiracy to access a computer without authorization under what’s known as the worst law in technology: the 18 U.S.C. § 1030(a)(2)(C) part of the Computer Fraud and Abuse Act of 1986.
He was also found guilty of fraud in connection with personal information (18 U.S.C. § 1028(a)(7)).
His case has been compared with other highly criticized prosecutions of security researchers who’ve been charged with serious computer crimes under the CFAA, including the tragic case of Aaron Swartz.
Swartz took his own life while facing extraordinarily severe punishments, including potential penalties of up to 35 years in prison and $1 million in fines.
Security researcher Charlie Miller, for one, tweeted Monday morning that any security researcher could face the same fate as Auernheimer:
As noted by the Electronic Frontier Foundation’s Marcia Hofmann, the CFAA makes it illegal to gain access to protected computers “without authorization” or in a manner that “exceeds authorized access”, but it doesn’t clearly explain what a lack of “authorization” actually means.
Prosecutors have taken advantage of that murkiness, Hofmann writes:
"Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren't really about hacking a computer but instead target other behavior the prosecutors don't like."
It’s not easy to feel sympathy for somebody like Auernheimer, who prompted a scuffle in the courtroom on Monday by not following instructions to hand over his tablet and who spent his last night as a free man in a rented space with his supporters, conducting an AMA (Ask Me Anything) on Reddit, during which he discussed, among other things, his favorite alcoholic beverages and factoids regarding his butt.
But he’s still facing a stupidly severe penalty in light of a victimless crime.
In my opinion, the CFAA has got to go. In its current state, it’s just got to go. It’s got to be clarified, and it’s got to be taken out of the hands of overzealous prosecutors in the US.
Eh, if you can't get ahold of the guys stealing hundreds of millions of dollars via Zeus, then grab the guys who are small time, highlighting ineptitude in the business community and causing inconsequential losses, and then beat them up out of frustration.
Sounds like a plan.
Query a server, get some email addresses, 3 1/2 years in jail. What?!?!
What harm was caused to the people whose email addresses were obtained that would justify a man sitting in jail for 3 1/2 years?
Another guy killed himself recently because he was facing a decade in jail over posting some documents online. This stuff needs to change.
The Swartz case is completely different, and there was no malice involved in his crime. Swartz accessed JSTOR online articles which are protected by valid authorization (a subscription bought by Harvard for over a million dollars a year), and violated the terms and conditions of the account by downloading as many articles as possible through a script he wrote. For most online journal systems this is more than enough to get your account suspended (the whole university) if not removed. The PACER document sharing was referred to the FBI but there were no charges brought forward for it.
The massive problem with this example is that the law cites access "without authorization". There was no authorization required; all you had to do was feed a machine some numbers and it would give you some information back without attempting to authorize who or what you were. It wouldn't be dissimilar to charging someone with stealing information for punching in a frequency on a radio and listening to what the station was sending them back.
"What harm was caused to the people whose email addresses were obtained that would justify a man sitting in jail for 3 1/2 years?" Excellent question, Phil, especially considering that AT&T will eventually sell the same email addresses as a regular part of doing business.
But I'm wondering why this guy is getting jail time while Google admittedly gathered much more than just email addresses – they also gathered passwords, web histories, and other data with their Street View vehicles in the United States between 2008 and 2010, and they only received a $7 million fine. (For a company with $48 billion cash on hand, $7 million is a VERY small fine.) Why aren't any Google executives going to prison? This (along with LIBOR and other corporate schemes) seems to mean that if you hide behind a corporate shield and get caught doing these types of crimes you will only pay a fine rather than go to prison. (Yes, I know one or two people went to prison for the LIBOR scam but they were merely scapegoats; 99.99% got off without any penalty.) And I realize that the court records say this made fun of the incident, etc., but that doesn't change the facts of the Google case, which is a MUCH more serious breach. They accessed private citizens' computers; and passwords and "other data"?
That's why it's better to refer to it as a "court system" rather than a "justice system".
Jury nullification – bad laws can be dismissed. Look it up – fija.org. It's about the only way to deal with unjust laws or bad interpretation of those laws.