This is a pretty sad case, and one which I’m sure all of us have followed since it first started. Surprisingly it hasn’t gotten a whole lot of media attention, but then this legal precedent sticks it to the man and has some consequences regarding the infosec industry – and who would want to publicize that right?
For those not familiar with the case and what went down, what Weev did was access a publicly available API and retrieved a bunch of publicly readable data.
Yah that’s it basically, but according to the US legal system and their interpretation of the CFAA (Computer Fraud and Abuse Act) – this deserves some fairly serious jail time.
Andrew Auernheimer, a member of the grey-hat hacking collective Goatse Security, has been sent down for three years and five months in the slammer after he helped leak users’ private email addresses via a flaw in AT&T’s servers.
Auernheimer, known online as Weev, received his sentence wearing shackles after he tried to bring a mobile phone into the courtroom. After completing his term he will have to pay over $72,000 in restitution to AT&T and undergo three years of supervised release.
“I didn’t come here today to ask for forgiveness,” Auernheimer told US District Judge Susan Wigenton, Bloomberg reports. “The Internet is bigger than any law can contain. Many, many governments that have attempted to restrict the freedoms of the Internet have ended up toppled.”
In 2010, Auernheimer found a flaw in a public-facing AT&T server that could be used, via the iPad’s integrated circuit card identifier (ICC-ID), to uncover the names and email addresses of 114,067 early adopters of Apple’s 3G-equipped fondleslab. His colleague Daniel Spitler wrote a PHP script called “iPad 3G Account Slurper” to harvest the data, and then handed it over to online magazine Gawker.
The data caused huge embarrassment to AT&T and Apple, since it included the personal emails of then-White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, film mogul Harvey Weinstein, and several high-ranking US Army officials. AT&T fixed the flaw, and there’s no evidence Auernheimer did anything more than highlight the sloppy coding.
Something else which I personally find weird about this case is that Weev didn’t even write or execute the program that did the harvesting of the ‘sensitive’ information from AT&T, it was Daniel Spitler.
So how does Auernheimer end up in the hot seat for it? For being a troll and a public figure I guess. His lawyer did try to explain that he was accessing information on a publicly available Internet server – there was no password cracking or software hacking involved.
His defense lawyers argued that he was accessing information on a public web server and that if this was a crime then most internet users are guilty too. This cut little ice with the presiding judge.
“While you consider yourself to be a hero of sorts, without question the evidence that came out at trial reflected criminal conduct,” Judge Wigenton said in imposing the sentence. “You’ve shown absolutely no remorse. You’ve taken no responsibility for these criminal acts whatsoever. You’ve shown no contrition whatsoever.”
Auernheimer’s colleague Spitler now looks likely to face a similar sentence after pleading guilty, andsome in the security field are warning that the verdict will have a deadening effect of flaw exposure. Former National Security Agency (NSA) programmer and now Apple-cracker and security consultant Charlie Miller said the decision was highly troublesome.
In this hack’s opinion, Auernheimer’s sentence is far too severe. You could argue that he should have submitted the flaw to AT&T, waited for the problem to be fixed, and then reaped the publicity. He could also have profited from selling the flaw on the grey or black markets, but chose not to go for the money, but to get embarrassment value instead.
“My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won’t nearly be as nice next time,” he said in a Reddit forum.
I guess he won’t have to serve the full sentence (if he behaves himself), but he’s still facing a fair old stretch in the slammer. It seems more like a grudge sentence than anything else, because he took no responsibility, wouldn’t apologise and has shown zero remorse.
Judges can get ticked off by such behaviour. Oh well, poor Weev – either way I’m pretty sure we haven’t heard the last of him.
Source: The Register
Matt says
Personally, even though this is ridiculous, he should have just given the judge lip service and put on an act and said he was so sorry. There is nothing wrong with standing up for your rights, BUT in prison you will have zero rights and be like a dog on a leash which is even worse in my opinion.
Secondly, I think it’s crazy and a poor reflection on our Justice system if this guy and even Aaron Swartz get bigger prison sentences than a sex offender. Look at the Stupidville, Ohio rape case. Those little jerks each got a one year prison sentence for crimes against humanity, but some how that’s not nearly as bad as what Weev did.
Lastly, this is seriously making me reconsider my career aspirations
for wanting to do Pen Testing and other security related work.
IHEARTAmeraica says
America is starting down the way of the Nazi’s. Look at what Obama is doing with gun control. Look at how freedom of speech is being eroded… shall I go on? This is just an example of extremism against those who speak out and point out issues with the powers that be.
Mori says
So true. This is not the America I know.
Salamandro says
The sentence does seem high, but let me quote F-Secure’s blog:
“Some folks are voicing concern that Weev’s sentencing will have a “chilling effect” on security research.
But not to worry!
Almost all of the coverage we’ve seen really fails to consider the charge of identity fraud.
So here’s a handy how-to guide on avoiding trouble when disclosing a security flaw:
1. Don’t be a(n asshole) troll.
2. When you discover a flaw, don’t abuse it. Only do enough to demonstrate the problem, no more.
3. Don’t collect, record, and then transmit personally identifiable information (PII) belonging to other people.
4. When contacting reporters, have them volunteer their own device IDs to demonstrate the flaw.
Simple. “