Expose A Blatant Security Hole In AT&T's Servers, Get 3.5 Years In Jail

from the now-the-holes-will-be-open-longer dept

We've written a few times about the case of Andrew Auernheimer, perhaps better known as weev. While he has a bit of a reputation as an online troll, and self-admitted jerk, his case is yet another example of how ridiculously broken the CFAA (Computer Fraud and Abuse Act) remains. In this case, what he did was expose a pretty blatant security hole in AT&T's servers, that allowed anyone to go in and find the emails of any AT&T iPad owner, merely by incrementing the user ID. This isn't a malicious "hack." It's barely a "hack" at all. This isn't "breaking in." This is just exploring a totally broken system. To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press. This is what security folks do all the time. And for his troubles in helping AT&T discover and close a pretty bad security hole, he's been sentenced to 41 months in prison plus he has to pay $73,000 to AT&T. One hopes AT&T will use it to hire half a decent security person or something.

The sentencing, by the way, was near the top of the "guidelines" the judge had, for those who insisted that the courts in other CFAA cases, such as Aaron Swartz's might be lenient.

Plenty of people -- especially in the security community, are realizing what a ridiculous ruling this is and how dangerous it is. As people are starting to point out, while he may be a jerk, that doesn't mean he's a criminal. The prosecution used chat logs in which Auernheimer and a friend, Daniel Spitler, discussed the effort, and the fact that they talked about harming AT&T's reputation and promoting themselves as security experts. I don't see how that leads to any criminal activity though. AT&T's reputation should be tarnished for having crap security. And why wouldn't some researchers talk about using the discovery of a really bad privacy hole by a major corporation to boost their own credentials. Pretty much anyone in their shoes would reasonably think the same thing.

Prosecutors, of course, played up Auernheimer's history of being a jerk, but that alone has little to do with his actions here:
"His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he," wrote U.S. Attorney Paul Fishman, who went on to note the "atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access."
While that may be true, none of that, by itself, is illegal. And the actions that exposed a glaring hole put in place by bad programmers at AT&T shouldn't be either.

Filed Under: andrew auernheimer, cfaa, hacking, jailtime, research, security, weev
Companies: at&t

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    ltlw0lf (profile), 19 Mar 2013 @ 12:00pm

    Re: Re: Re: Re: Re: Re: Re: Re:

    Maybe the best option is to point out the problem and leave it at that.

    Normally, I'd agree with you.

    But my statement remains, that in some cases pointing out the problem isn't enough. People pointed out that the world trade center was vulnerable to airplane strikes before 9/11. People also pointed out that O-Rings were failing on the Shuttle Rocket Boosters before the Challenger incident, or pointing out that the foam used on the shuttle was tearing tiles off the shuttle before the Columbia incident. Unfortunately, in some cases, the only way to get someone to do something is when tragedy strikes. From personal experience, there were a number of times that the companies I exposed problems for ignored me until I pointed it out, along with exploit code (even after I responsibly disclosed the issue to them ahead of time.)

    Entering and copying files was totally unnecessary and what landed this douche in prison.

    And I totally agree, though the jury is still out as to whether this, or something else, landed this douche in prison.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.