Grey-hat gets 41 months in prison for exposing iPad user’s privates
Andrew Auernheimer, a member of the grey-hat hacking collective Goatse Security, has been sent down for three years and five months in the slammer after he helped splay open iPad user’s private email addresses via a flaw in ATT’s servers.
Auernheimer, known online as Weev, received his sentence wearing shackles after he tried to bring a mobile phone into the courtroom. After completing his term he will have to pay over $72,000 in restitution to ATT and undergo three years of supervised release.
“I didn’t come here today to ask for forgiveness,” Auernheimer told US District Judge Susan Wigenton, Bloomberg reports. “The Internet is bigger than any law can contain. Many, many governments that have attempted to restrict the freedoms of the Internet have ended up toppled.”
In 2010, Auernheimer found a flaw in a public-facing ATT server that could be used, via the iPad’s integrated circuit card identifier (ICC-ID), to uncover the names and email addresses of 114,067 early adopters of Apple’s 3G-equipped fondleslab. His colleague Daniel Spitler wrote a PHP script called “iPad 3G Account Slurper” to harvest the data, and then handed it over to online magazine Gawker.
The data caused huge embarrassment to ATT and Apple, since it included the personal emails of then-White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, film mogul Harvey Weinstein, and several high-ranking US Army officials. ATT fixed the flaw, and there’s no evidence Auernheimer did anything more than highlight the sloppy coding.
His defense lawyers argued that he was accessing information on a public web server and that if this was a crime then most internet users are guilty too. This cut little ice with the presiding judge.
“While you consider yourself to be a hero of sorts, without question the evidence that came out at trial reflected criminal conduct,” Judge Wigenton said in imposing the sentence. “You’ve shown absolutely no remorse. You’ve taken no responsibility for these criminal acts whatsoever. You’ve shown no contrition whatsoever.”
Auernheimer’s colleague Spitler now looks likely to face a similar sentence after pleading guilty, andsome in the security field are warning that the verdict will have a deadening effect of flaw exposure. Former NSA programmer and now Apple-cracker and security consultant Charlie Miller said the decision was highly troublesome.
We could all go to jail for security research at any moment, and a jury would happily convict us.
— Charlie Miller (@0xcharlie) March 18, 2013
In this hack’s opinion, Auernheimer’s sentence is far too severe. You could argue that he should have submitted the flaw to ATT, waited for the problem to be fixed, and then reaped the publicity. He could also have profited from selling the flaw on the grey or black markets, but chose not to go for the money, but to get embarrassment value instead.
“My regret is being nice enough to give ATT a chance to patch before dropping the dataset to Gawker. I won’t nearly be as nice next time,” he said in a Reddit forum.
With no evidence of harm done, sending someone down for over three years, near-bankrupting them with fines, and setting such a long probation victim looks less like justice and more like judicial spite. ®