AT&T hacker “Weev” sentenced to 41 months in prison, after obtaining the email addresses of 100,000+ iPad users

Andrew Auernheimer, self-described internet troll and so-called “freedom fighter,” has been sent to prison for the federal crimes of obtaining the personal data of more than 100,000 iPad owners from AT&T’s publicly accessible website and disclosing them to a reporter.

Auernheimer, aka “Weev,” was sentenced on Monday to 41 months in prison followed by three years of probation. He and fellow hacker Daniel Spitler have also been ordered to pay $73,000 in restitution.

Auernheimer, 27, found a security flaw in 2010 in an AT&T server that allowed his Goatse Security hacking group to collect 114,000 email addresses belonging to iPad 3G users.

He turned over that information to the gossip site Gawker, which posted some partially redacted addresses, prompting an FBI investigation.

Email addresses. Image source: Gawker

Prior to AT&T’s subsequent fix, when an iPad 3G communicated with the company’s website, its ICC-ID – an internal code used to associate a SIM card with a particular subscriber – was automatically displayed in plain text in the site’s URL.

Goatse discovered that each ICC-ID was connected to an iPad user’s email address. Auernheimer and his fellow hacker Daniel Spitler wrote a script, named the “iPad 3G Account Slurper”, to leverage the security hole.

They then used the slurper to bombard the AT&T website service with thousands of requests using made-up ICC-ID codes.

By flooding the website with so many made-up ICC-ID codes, Goatse was guaranteed to hit on some genuine ones. When that happened, AT&T’s website believed the request was coming from a genuine iPad user and therefore revealed the associated email address.
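The enumeration pattern described above, one client hammering the lookup endpoint with thousands of distinct and mostly invalid ICC-ID values, leaves a clear trace in web server logs. The following is an added example, not code from the article, from Goatse or from AT&T: it scans constructed Apache-style access log lines for clients that query an assumed `/icc_lookup?iccid=` endpoint (the path and parameter name are assumptions) with many distinct IDs and a high miss rate, which is the signal a defender would alert on.

```python
import re
from collections import defaultdict

# Fields we need from an Apache combined-format access log line:
# client IP, request path with query string, and HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
ICCID_RE = re.compile(r"[?&]iccid=(\d+)")  # assumed query parameter name


def enumeration_suspects(log_lines, min_ids=50, min_miss_rate=0.8):
    """Return {ip: stats} for clients that look like ICC-ID enumeration:
    many distinct ICC-ID values from one client, most of which fail to resolve."""
    per_ip = defaultdict(lambda: {"ids": set(), "hits": 0, "misses": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-GET line, ignore
        q = ICCID_RE.search(m["path"])
        if not q:
            continue  # not a lookup request
        stats = per_ip[m["ip"]]
        stats["ids"].add(q.group(1))
        if m["status"] == "200":
            stats["hits"] += 1  # a real subscriber record was returned
        else:
            stats["misses"] += 1  # made-up ICC-ID, nothing to return
    suspects = {}
    for ip, s in per_ip.items():
        total = s["hits"] + s["misses"]
        miss_rate = s["misses"] / total
        if len(s["ids"]) >= min_ids and miss_rate >= min_miss_rate:
            suspects[ip] = {"distinct_ids": len(s["ids"]), "hits": s["hits"], "miss_rate": miss_rate}
    return suspects


def _line(ip, iccid, status):
    # Build one constructed log line (sample data, not real AT&T traffic).
    return f'{ip} - - [09/Jun/2010:10:00:00 +0000] "GET /icc_lookup?iccid={iccid} HTTP/1.1" {status} 0'


def sample_log():
    # A legitimate device asks for its own ICC-ID once and succeeds.
    lines = [_line("203.0.113.5", "89014103211118510720", 200)]
    # A scanner walks a range of made-up ICC-IDs; only a few happen to exist.
    for i in range(200):
        lines.append(_line("198.51.100.9", f"8901410321111851{i:04d}", 200 if i % 40 == 0 else 404))
    return lines


if __name__ == "__main__":
    print(enumeration_suspects(sample_log()))
```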

Spitler subsequently pled guilty to breaking into AT&T’s systems and obtaining the email addresses of iPad users.

Auernheimer pled innocent. Since his indictment, he’s likened his actions to walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft.

Authorities also claim that Auernheimer sent an email to the U.S. attorney’s office in New Jersey, blaming AT&T for exposing customer data.

When the breach first went public, some, including the Electronic Frontier Foundation, were quick to defend the hackers, who expressed dismay over the ensuing FBI investigation and censure from security researchers.

After all, Auernheimer told the Wall Street Journal at the time, they were just trying to help:

"We tried to be the good guys... [And drawing attention to the flaw] was the only way to get public notification."

But his claim to be acting in the service of the greater good was undercut by his gleeful gloating on Internet Relay Chat (IRC), the transcripts of which can be found in the criminal complaint [PDF] filed in January 2011.


According to the IRC transcripts, the media got it flat-out wrong when it swallowed Auernheimer’s claims of responsible vulnerability disclosure.

In reality, Goatse members discussed a range of actions that pushed them into the black hat region of security, such as timing the public disclosure of AT&T’s hole so as to short AT&T stock, potentially selling the email addresses to spam databases and thereby fueling “a future massive phishing operation” targeting iPad owners, and, more generally, where to drop the data set for “max lols”.

Spitler, Auernheimer and other Goatse Security members didn’t even know how AT&T had gotten wind of the breach, the IRC transcripts show, as they pondered whether it might have been Reuters or the San Francisco Chronicle that leaked the news.

In short, in my opinion, this is not a responsible security researcher who’s been unjustly sentenced. But it is still one more individual facing outrageously out-of-proportion punishment for the given crime.

Auernheimer’s sentencing is based on one charge of conspiracy to access a computer without authorization under 18 U.S.C. § 1030(a)(2)(C), a provision of the Computer Fraud and Abuse Act of 1986, the statute known as the worst law in technology.

He was also found guilty of fraud in connection with personal information (18 U.S.C. § 1028(a)(7)).

His case has been compared with other highly criticized prosecutions of security researchers who’ve been charged with serious computer crimes under the CFAA, including the tragic case of Aaron Swartz.

Swartz took his own life while facing extraordinarily severe punishments, including potential penalties of up to 35 years in prison and $1 million in fines.

Security researcher Charlie Miller, for one, tweeted Monday morning that any security researcher could face the same fate as Auernheimer:

As noted by the Electronic Frontier Foundation’s Marcia Hoffman, the CFAA makes it illegal to gain access to protected computers “without authorization” or in a manner that “exceeds authorized access”, but it doesn’t clearly explain what a lack of “authorization” actually means.

Prosecutors have taken advantage of that murkiness, Hoffman writes:

"Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren't really about hacking a computer but instead target other behavior the prosecutors don't like."

It’s not easy to feel sympathy for somebody like Auernheimer, who prompted a scuffle in the courtroom on Monday by not following instructions to hand over his tablet and who spent his last night as a free man in a rented space with his supporters, conducting an AMA (Ask Me Anything) on Reddit, during which he discussed, among other things, his favorite alcoholic beverages and factoids regarding his butt.

But he’s still facing a stupidly severe penalty in light of a victimless crime.

In my opinion, the CFAA has got to go. In its current state, it’s just got to go. It’s got to be clarified, and it’s got to be taken out of the hands of overzealous prosecutors in the US.