In June 2010, Andrew Auernheimer did something very stupid.
Auernheimer, a self-confessed internet troll who used the internet handle “Weev”, and fellow members of the Goatse Security hacking group (don’t Google it, trust me..), found a weakness in AT&T’s systems.
That weakness meant that the hacking group were able to discover the personal email addresses of more than 100,000 iPad 3G owners.
What was dumb was that Auernheimer didn’t inform AT&T, but instead bombarded the phone company’s website with thousands of requests using made-up ICC-ID codes (an internal code used to associate a SIM card with a particular subscriber).
By flooding the site with so many made-up ICC-ID codes, some were bound to relect a genuine one, and when this happened the website believed them to be a genuine iPad user and revealed the associated email address.
People who had their personal addresses exposed included New York Mayor Michael Bloomberg, ABC News anchor Diane Sawyer and Rahm Emanuel, the White House chief of staff at the time.
The fact that famous people had their details exposed made a big story with an iPad security angle even more attractive to the media – and Auernheimer hawked details of the “hack” to various media agencies, before settling with Gawker.
Gawker reported that Goatse Security had informed AT&T of the breach, and the security flaw had been fixed. That wasn’t true, as IRC transcripts later proved.
Those IRC discussions between different members of the Goatse Security group played an important part in the prosecution’s case against Auernheimer, as they showed the group discussing how the addresses could potentially be sold to spammers for a “future massive phishing operation” targeting iPad owners.
They even briefly discussed how it would be possible to profit financially if AT&T’s stock price fell due to the bad publicity…
…and clearly showed that they knew what they were doing might be considered illegal.
A jury subsequently found Auernheimer guilty of one charge of conspiracy to access a computer without authorisation, and he was sentenced last year to 41 months in prison followed by three years of probation. He and his fellow hacker Daniel Spitler were also ordered to pay $73,000 in restitution.
There was uproar on the internet at the severity of Auernheimer’s sentence, with many arguing that he had not actually *broken* AT&T’s systems, and that the telephone company had made the data accessible on the public internet to anyone who visited the correct URL with the right parameters.
Remember – AT&T’s servers were not hacked, and no passwords were broken.
Should Auernheimer have been given a stiff 41 month federal prison sentence? Probably not. It certainly feels like a very stiff punishment to me, and out-of-proportion for what he and his hacking buddies did. But that doesn’t necessarily make Auernheimer a hero.
The latest news in this ongoing story is that the Electronic Frontier Foundation (EFF) has filed an appeal to free Andrew “Weev” Auernheimer, arguing that the government’s prosecution under the Computer Fraud & Abuse Act (CFAA) was flawed.
"The government set out to make an example of Auernheimer," EFF Staff Attorney Hanni Fakhoury said. "But the only message this sends to the security-research community is that if you discover a vulnerability, you could go to jail for sounding the alarm."
Sounding the alarm? That’s a funny way for the EFF to describe it. If I see a house is on fire, should I ring up the local TV station or try to warn the people in the house first?
Auernheimer was stupid for not responsibly informing AT&T of the flaw, rather than trying to make a name for his Goatse Security group in the media, and this case has exposed how vague language used in the Computer Fraud & Abuse Act could be abused by prosecutors.
But AT&T were even more dumb for creating a system that could serve up customers’ email addresses to anyone – without requiring a username or password.
No-one comes out of this case smelling good. The challenge now is for security researchers to act more responsibly in future, for companies to better protect sensitive customer data, and for the legislators to tighten up the wording of their computer crime laws.