Andrew Auernheimer AKA Weev Gets 41 Months Jail Time For GET Requests

The New Acunetix V12 Engine

This is a pretty sad case, and one which I’m sure all of us have followed since it first started. Surprisingly it hasn’t gotten a whole lot of media attention, but then this legal precedent sticks it to the man and has some consequences regarding the infosec industry – and who would want to publicize that right?

For those not familiar with the case and what went down, what Weev did was access a publicly available API and retrieved a bunch of publicly readable data.

Yah that’s it basically, but according to the US legal system and their interpretation of the CFAA (Computer Fraud and Abuse Act) – this deserves some fairly serious jail time.

Andrew Auernheimer, a member of the grey-hat hacking collective Goatse Security, has been sent down for three years and five months in the slammer after he helped leak users’ private email addresses via a flaw in AT&T’s servers.

Auernheimer, known online as Weev, received his sentence wearing shackles after he tried to bring a mobile phone into the courtroom. After completing his term he will have to pay over $72,000 in restitution to AT&T and undergo three years of supervised release.

“I didn’t come here today to ask for forgiveness,” Auernheimer told US District Judge Susan Wigenton, Bloomberg reports. “The Internet is bigger than any law can contain. Many, many governments that have attempted to restrict the freedoms of the Internet have ended up toppled.”

In 2010, Auernheimer found a flaw in a public-facing AT&T server that could be used, via the iPad’s integrated circuit card identifier (ICC-ID), to uncover the names and email addresses of 114,067 early adopters of Apple’s 3G-equipped fondleslab. His colleague Daniel Spitler wrote a PHP script called “iPad 3G Account Slurper” to harvest the data, and then handed it over to online magazine Gawker.

The data caused huge embarrassment to AT&T and Apple, since it included the personal emails of then-White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, film mogul Harvey Weinstein, and several high-ranking US Army officials. AT&T fixed the flaw, and there’s no evidence Auernheimer did anything more than highlight the sloppy coding.

Something else which I personally find weird about this case is that Weev didn’t even write or execute the program that did the harvesting of the ‘sensitive’ information from AT&T, it was Daniel Spitler.

So how does Auernheimer end up in the hot seat for it? For being a troll and a public figure I guess. His lawyer did try to explain that he was accessing information on a publicly available Internet server – there was no password cracking or software hacking involved.

His defense lawyers argued that he was accessing information on a public web server and that if this was a crime then most internet users are guilty too. This cut little ice with the presiding judge.

“While you consider yourself to be a hero of sorts, without question the evidence that came out at trial reflected criminal conduct,” Judge Wigenton said in imposing the sentence. “You’ve shown absolutely no remorse. You’ve taken no responsibility for these criminal acts whatsoever. You’ve shown no contrition whatsoever.”

Auernheimer’s colleague Spitler now looks likely to face a similar sentence after pleading guilty, andsome in the security field are warning that the verdict will have a deadening effect of flaw exposure. Former National Security Agency (NSA) programmer and now Apple-cracker and security consultant Charlie Miller said the decision was highly troublesome.

In this hack’s opinion, Auernheimer’s sentence is far too severe. You could argue that he should have submitted the flaw to AT&T, waited for the problem to be fixed, and then reaped the publicity. He could also have profited from selling the flaw on the grey or black markets, but chose not to go for the money, but to get embarrassment value instead.

“My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won’t nearly be as nice next time,” he said in a Reddit forum.

I guess he won’t have to serve the full sentence (if he behaves himself), but he’s still facing a fair old stretch in the slammer. It seems more like a grudge sentence than anything else, because he took no responsibility, wouldn’t apologise and has shown zero remorse.

Judges can get ticked off by such behaviour. Oh well, poor Weev – either way I’m pretty sure we haven’t heard the last of him.

Source: The Register

Posted in: Apple, Exploits/Vulnerabilities, Legal Issues, Web Hacking

, , ,

Latest Posts:

Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds. - Test SSL Security Including Ciphers, Protocols & Detect Flaws – Test SSL Security Including Ciphers, Protocols & Detect Flaws is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.

4 Responses to Andrew Auernheimer AKA Weev Gets 41 Months Jail Time For GET Requests

  1. Matt March 20, 2013 at 4:45 pm #

    Personally, even though this is ridiculous, he should have just given the judge lip service and put on an act and said he was so sorry. There is nothing wrong with standing up for your rights, BUT in prison you will have zero rights and be like a dog on a leash which is even worse in my opinion.

    Secondly, I think it’s crazy and a poor reflection on our Justice system if this guy and even Aaron Swartz get bigger prison sentences than a sex offender. Look at the Stupidville, Ohio rape case. Those little jerks each got a one year prison sentence for crimes against humanity, but some how that’s not nearly as bad as what Weev did.

    Lastly, this is seriously making me reconsider my career aspirations
    for wanting to do Pen Testing and other security related work.

  2. IHEARTAmeraica March 20, 2013 at 8:39 pm #

    America is starting down the way of the Nazi’s. Look at what Obama is doing with gun control. Look at how freedom of speech is being eroded… shall I go on? This is just an example of extremism against those who speak out and point out issues with the powers that be.

    • Mori March 21, 2013 at 10:26 am #

      So true. This is not the America I know.

  3. Salamandro March 27, 2013 at 11:43 am #

    The sentence does seem high, but let me quote F-Secure’s blog:

    “Some folks are voicing concern that Weev’s sentencing will have a “chilling effect” on security research.

    But not to worry!

    Almost all of the coverage we’ve seen really fails to consider the charge of identity fraud.

    So here’s a handy how-to guide on avoiding trouble when disclosing a security flaw:

    1. Don’t be a(n asshole) troll.
    2. When you discover a flaw, don’t abuse it. Only do enough to demonstrate the problem, no more.
    3. Don’t collect, record, and then transmit personally identifiable information (PII) belonging to other people.
    4. When contacting reporters, have them volunteer their own device IDs to demonstrate the flaw.

    Simple. “