Another hacker bites the dust. This morning, Andrew Auernheimer — aka "Weev" — got handed a sentence of 41 months in prison, 3 years of supervised release and a $36,500 fine. All for basically exposing a major security hole at AT&T and publicly shaming the company that hadn't ever bothered to fix it.
Back in 2010, Auernheimer and his partner Daniel Spitler, part of a team calling itself Goatse Security, hacked into a public server owned by AT&T. That server housed hundreds of thousands of email addresses of customers who owned 3G iPads. Through trial and error and some ingenuity, group members discovered they could randomly guess iPad identification numbers and then use them to extract matching email addresses from that server.
AT&T's Security Loophole, Exposed
This security loophole on AT&T's site returned email addresses associated with ICC IDs, the unique serial numbers used to track and link SIM cards on mobile devices with specific subscribers. A PHP script that automated the process ended up harvesting a whopping 114,000 email addresses. Auernheimer then sent news of the group's work as an exclusive to Gawker.
A day later in a blog post on the Goatse Security site, Auernheimer and company wrote:
I want to summarize this explicitly:
- All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration.
- The dataset was not disclosed until we verified the problem was fixed by the vendor.
- The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.
We did this to help you.
By its own account, AT&T responded with "swift action" to prevent additional intrusions:
Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.
Problem solved, right? Wrong. A week later Auernheimer was arrested after the FBI raided his house. He was then charged with major computer crimes under the Computer Fraud and Abuse Act (CFAA), the same legal club prosecutors have used to go after Aaron Swartz and, last week, Reuters social editor Matthew Keys.
During the trial, AT&T admitted the server was publicly accessible, yet claimed Auernheimer's access was unauthorized. Under the CFAA, unauthorized access is a crime. But the statute's ambiguity on that score has opened the door for egregious prosecutorial overreach in this and other cases.
On Nov. 20, 2012, a jury found Auernheimer guilty of one count each of identity theft and conspiracy to violate the CFAA. Today, Auernheimer was sentenced.
Fair Or Fanning The Flames?
Supporters of Auernheimer say what he did was not a crime. Maybe it wasn't smart to expose a major vulnerability at AT&T and then rub the company's nose, but stupidity shouldn't be a federal offense. Friends and colleagues point out that the point of hacking is to gain something from it — and in this case, there was no money involved and nothing else to gain but besides a measure of celebrity.
Australian journalist and hacktivist Asher Wolf wrote a poignant piece today arguing that's it's insane to publicly tar and feather someone who spurred a company to fix a problem, even if he didn't choose the most orthodox means of doing it:
Putting Weev behind bars is pointless and tragic. Jailing the most outspoken men and women amongst our generation won’t stop the leaks, the hacks, the news revelations, the whistleblowers — and most of all it won’t stop the rage of the malcontent, dispossessed youth from eventually tumbling down upon the heads of the bureaucrats who sold us out and then tried to lock us up when we complained.
Bees To Honey
AT&T's vulnerability was basically low hanging fruit — just too easy a target for hackers to ignore. But the question of whether AT&T was asking for it is more complicated.
Sure, poor security is asking for trouble. But playing with fire will get you burned no matter how righteous and ethical you claim to be. "Our conduct doesn't happen in a vacuum," hacker Adrian Lamo — the guy who allegedly dropped a dime on Bradley Manning — wrote on Twitter today. "I don't think 3+ years is warranted for Weev, but in totality of circumstances, it's understandable."
I respect weev's reasons and even his means for their ethical consistency. But he got exactly what he planned to. He owns his outcome.— Adrian Lamo (@6) March 18, 2013
Still, this is significant time for essentially not hurting anyone, as the British journalist Laurie Penny pointed out. By comparison, the Steubenville rapists were sentenced to just one year in juvenile jail.
This isn't over. Auernheimer is appealing his conviction. And either another example will be made to hackers everywhere, or the sentence will be reduced.
At the end of the day, Weev and co. were nicer to AT&T than, say, hacker HD Moore — who published unpatched iPhone flaws and exposed another big bug in Apple's WiFi — was to Apple. But that doesn't seem to matter much in the boardrooms and courtrooms of America. In their view, all hackers are criminals.
Even many mainstream journalists think all hacking is a crime. Last night on 60 Minutes, for instance, Lara Logan basically accused Jack Dorsey's early work of bordering on just that. And even with the best of intentions, hackers' attempts to route around the system will likely never gain the benefit of the doubt with the public.
Instead, they'll just keep earning jail sentences, at least unless and until the courts — or Congress, though don't hold your breath — push back against prosecutorial overreach. And that, at least, will give them plenty of time to repent at leisure.