max lols —

“Internet troll” who exploited AT&T security flaw faces 5 years in jail

Convicted of identity fraud and hacking for scraping iPad user e-mail addresses.

Timothy B. Lee - Nov 21, 2012 4:12 pm UTC

A New Jersey jury has convicted Andrew Auernheimer, a self-described Internet troll and security researcher, of identity fraud and conspiracy to access a AT&T's systems without authorization for scraping the e-mail addresses of about 120,000 iPad users from a poorly secured AT&T registration website.

Auernheimer, known online by his handle "weev," struck an upbeat tone in a post-conviction tweet. "We went in knowing there would be a guilty here," he wrote. "I'm appealing of course."

The case began in 2010, when Auernheimer and a collaborator, Daniel Spitler, discovered a security vulnerability that affected iPad owners who signed up for AT&T's 3G service. A script on AT&T's servers would accept an iPad's ICC-ID—a unique identifier embedded in the device's microSIM card—and return that user's e-mail address. Unfortunately, ICC-IDs came in a predictable range, so Auernheimer was able to guess tens of thousands of ICC-IDs and retrieve the associated e-mail addresses.

Last year, the FBI concluded that the pair had committed a felony and arrested them. Chat logs obtained by the prosecution do not paint the pair in a flattering light. They discussed, but apparently did not carry out, a variety of schemes to use the harvested data for nefarious purposes such as spamming, phishing, or short-selling AT&T's stock. Ultimately, they decided that the approach that would bring the "max lols" would be to pass the information to the media in an effort to publicly embarrass AT&T.

In an interview with CNET, Auernheimer portrayed "Goatse Security" as a legitimate security research group. But in IRC chats he seemed to regard this characterization as mere "spin."

"At this point we won. we dropepd [sic] the stock price," Auernheimer wrote after the news of the hack was reported in the media. "Let's not like do anything else we f**king win and i get to like spin us as a legitimate security organization."

Spitler decided to plead guilty and cooperate with the government, so the trial focused on Auernheimer. On Tuesday, the jury handed down a guilty verdict. Auernheimer and Spitler are now awaiting sentencing. Auernheimer faces up to five years in prison and a $250,000 fine, according to Reuters.

"We disagree with the prosecutors' interpretation of what constitutes unauthorized access to a computer under the Computer Fraud and Abuse Act," Auernheimer's attorney Tor Ekeland told Reuters in a phone interview.

Indeed, the contours of the nation's anti-hacking law, which dates to 1986, are far from clear. We've covered the prosecution of Aaron Swartz, who faces felony hacking charges for spidering articles from an academic repository. The Swartz case and the appeal of Auernheimer's conviction may give us a clearer picture of how far you can go before a harmless prank becomes a federal felony.

Promoted Comments

taswynArs Scholae Palatinae
jump to post

There's changing URL query strings, and then there's programmatically scraping what are obviously not meant to be forward facing endpoints.

And on top of that, there's having damning evidence of intent to misuse the data gathered.

AT&T made a mistake, and I don't think they should get away for free on it. Granted, they didn't exactly get away free on it, at least economically, although that's of little meaning to anyone whose data was exposed. Personally identifiable data like this shouldn't have been exposed.

But AT&T's mistake or even possible ethical culpability (sadly there's no legal culpability usually for anything of this nature) does not somehow negate the wrongdoing of the defendants. This is not a zero sum game.

If they were acting as legitimate security professionals, they would have done enough work to determine the nature of the breach, then notified AT&T. Instead they gathered thousands of emails, then went on to discuss ways to profit from the clearly confidential data they'd gathered. Instead of directly profiting, they went on to publish it in a way which was clearly meant (especially from their recorded conversations) to cause harm. This is essentially intentional industrial sabotage, even if they didn't gain from it monetarily.

I'm all for having privacy laws that would punish companies who do not maintain at least baseline adequate security, but you can't just ignore malfeasance by other parties at the same time. Just because one party did something wrong (in this case, AT&T) in no way negates the intentional actions of another party/parties (Auernheimer and Spitler). And so far as the law goes, what Auernheimer and Spitler did is clearly covered, even if it's a case of the particular law being overly broad and used as a blanket to cover both cases which are clearly violations of the spirit governing it and sadly also those which probably should not be prosecutable. Personally I think this was a correct application of the law: the ethics of the case seem to align with the outcome, especially taking into account intent.

726 posts | registered Jun 22, 2010
joshvArs Scholae Palatinae
jump to post

So, if I write a service RESTful service endpoint, /customeraccount/customerid, so that /customeraccount/001, returns some human readable account summary, and you change that URL to /customeraccount/002 and get customer #2's information, you are guilty of unauthorized access? No, I am guilty of providing unauthorized access to client data.

Suppose we change it to /customeraccount/customerid/customerpassword - for example /custumeraccount/001/passw0rd1. Now you try to get at customer #2s account, by guess their password, with a computer program - is that unauthorized access? Seems pretty clearly so.

Now suppose we use a scheme /customeraccount/customerguid - for example /customeraccount/3F2504E0-4F89-11D3-9A0C-0305E82C3301 . Now you try to get in to other accounts by guessing GUIDs. This will be even harder than the password guessing, but it seems many here at Ars would *not* consider this to be unauthorized access.

We erect electronic barriers to unathorized access, some are more effective than others. I'd argue that if the barrier is sufficiently high, such that in order to circumvent the barrier you need to use a computer, you are guilt of unauthorized access. If an unaided human can circumvent the barrier consistently in under a minute, well then I'd say that the provider of the information has not erected any sort of barrier, and that a reasonable person could assume that this is public information.
Last edited by joshv on 21 Nov 2012 18:07

1096 posts | registered May 16, 2000

Promoted Comments

taswynArs Scholae Palatinae
jump to post

There's changing URL query strings, and then there's programmatically scraping what are obviously not meant to be forward facing endpoints.

And on top of that, there's having damning evidence of intent to misuse the data gathered.

AT&T made a mistake, and I don't think they should get away for free on it. Granted, they didn't exactly get away free on it, at least economically, although that's of little meaning to anyone whose data was exposed. Personally identifiable data like this shouldn't have been exposed.

But AT&T's mistake or even possible ethical culpability (sadly there's no legal culpability usually for anything of this nature) does not somehow negate the wrongdoing of the defendants. This is not a zero sum game.

If they were acting as legitimate security professionals, they would have done enough work to determine the nature of the breach, then notified AT&T. Instead they gathered thousands of emails, then went on to discuss ways to profit from the clearly confidential data they'd gathered. Instead of directly profiting, they went on to publish it in a way which was clearly meant (especially from their recorded conversations) to cause harm. This is essentially intentional industrial sabotage, even if they didn't gain from it monetarily.

I'm all for having privacy laws that would punish companies who do not maintain at least baseline adequate security, but you can't just ignore malfeasance by other parties at the same time. Just because one party did something wrong (in this case, AT&T) in no way negates the intentional actions of another party/parties (Auernheimer and Spitler). And so far as the law goes, what Auernheimer and Spitler did is clearly covered, even if it's a case of the particular law being overly broad and used as a blanket to cover both cases which are clearly violations of the spirit governing it and sadly also those which probably should not be prosecutable. Personally I think this was a correct application of the law: the ethics of the case seem to align with the outcome, especially taking into account intent.

726 posts | registered Jun 22, 2010
joshvArs Scholae Palatinae
jump to post

So, if I write a service RESTful service endpoint, /customeraccount/customerid, so that /customeraccount/001, returns some human readable account summary, and you change that URL to /customeraccount/002 and get customer #2's information, you are guilty of unauthorized access? No, I am guilty of providing unauthorized access to client data.

Suppose we change it to /customeraccount/customerid/customerpassword - for example /custumeraccount/001/passw0rd1. Now you try to get at customer #2s account, by guess their password, with a computer program - is that unauthorized access? Seems pretty clearly so.

Now suppose we use a scheme /customeraccount/customerguid - for example /customeraccount/3F2504E0-4F89-11D3-9A0C-0305E82C3301 . Now you try to get in to other accounts by guessing GUIDs. This will be even harder than the password guessing, but it seems many here at Ars would *not* consider this to be unauthorized access.

We erect electronic barriers to unathorized access, some are more effective than others. I'd argue that if the barrier is sufficiently high, such that in order to circumvent the barrier you need to use a computer, you are guilt of unauthorized access. If an unaided human can circumvent the barrier consistently in under a minute, well then I'd say that the provider of the information has not erected any sort of barrier, and that a reasonable person could assume that this is public information.
Last edited by joshv on 21 Nov 2012 18:07

1096 posts | registered May 16, 2000

Timothy B. Lee Timothy is a senior reporter covering tech policy and the future of transportation. He lives in Washington DC.

Channel Ars Technica

← Previous story Next story →

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica