
Expose A Blatant Security Hole In AT&T's Servers, Get 3.5 Years In Jail

from the now-the-holes-will-be-open-longer dept

We've written a few times about the case of Andrew Auernheimer, better known as weev. While he has a reputation as an online troll and a self-admitted jerk, his case is yet another example of how ridiculously broken the CFAA (Computer Fraud and Abuse Act) remains. What he did was expose a pretty blatant security hole in AT&T's servers: a lookup that handed the email address of any AT&T iPad owner to anyone who asked for it, with nothing checking that the requester had any business seeing that record, so that merely incrementing the user ID walked through the customer list. This isn't a malicious "hack." It's barely a "hack" at all. Nothing was "broken into." This is just exploring a totally broken system. To call attention to it, weev collected information on a bunch of famous people who owned iPads and alerted the press. This is what security folks do all the time. And for his troubles in helping AT&T discover and close a pretty bad security hole, he's been sentenced to 41 months in prison and ordered to pay $73,000 to AT&T. One hopes AT&T will use it to hire half a decent security person or something.
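The class of hole the paragraph above describes, a record lookup keyed by a guessable sequential ID with no check that the requester owns the record, shown as an added Python example. This is not code from the original article and not AT&T's code: the subscriber table, the session tokens and the two endpoint functions are constructed for illustration. The vulnerable lookup sits beside a hardened one that ties the lookup to an authenticated session and refuses with the same error whether the ID is missing or simply belongs to someone else.

```python
"""Sequential-ID enumeration against an unauthenticated lookup, beside a
hardened lookup. Constructed example: the data and functions below are
invented for illustration and are not AT&T's code."""
from typing import Callable, Dict, Optional

# Constructed sample subscriber table: sequential IDs, one email each.
SUBSCRIBERS: Dict[int, str] = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Constructed session table: opaque session token -> account it belongs to.
SESSIONS: Dict[str, int] = {"tok-alice": 1001, "tok-bob": 1002}


def vulnerable_lookup(user_id: int) -> Optional[str]:
    """The broken pattern: any caller gets the email for any ID.
    The only 'secret' is the ID, and a sequential ID is no secret at all."""
    return SUBSCRIBERS.get(user_id)


def enumerate_ids(lookup: Callable[[int], Optional[str]],
                  start: int, count: int) -> Dict[int, str]:
    """What an attacker does with such an endpoint: walk the ID space and
    keep every hit. No credentials, no exploit, just counting upward."""
    found: Dict[int, str] = {}
    for uid in range(start, start + count):
        email = lookup(uid)
        if email is not None:
            found[uid] = email
    return found


class Forbidden(Exception):
    """Uniform refusal. The same error is raised whether the ID does not exist
    or exists but is not the caller's, so the endpoint does not leak which
    IDs are valid to an attacker probing the ID space."""


def hardened_lookup(session_token: Optional[str], user_id: int) -> str:
    """Hardened pattern: the requester's identity comes from a server-side
    session, never from the ID parameter in the request, and the session
    must own the account being looked up."""
    owner = SESSIONS.get(session_token) if session_token else None
    if owner is None or owner != user_id or user_id not in SUBSCRIBERS:
        raise Forbidden("not authorized")
    return SUBSCRIBERS[user_id]


def enumerate_with_session(session_token: Optional[str],
                           start: int, count: int) -> Dict[int, str]:
    """The same walk against the hardened endpoint. With no session or a bogus
    one it yields nothing; with a valid session it yields only the caller's
    own record, which they were entitled to anyway."""
    found: Dict[int, str] = {}
    for uid in range(start, start + count):
        try:
            found[uid] = hardened_lookup(session_token, uid)
        except Forbidden:
            pass
    return found


if __name__ == "__main__":
    print("unauthenticated walk:", enumerate_ids(vulnerable_lookup, 1000, 10))
    print("no session:          ", enumerate_with_session(None, 1000, 10))
    print("alice's session:     ", enumerate_with_session("tok-alice", 1000, 10))
```

The point of `Forbidden` being raised for both the missing-ID and wrong-owner cases is that a 404-versus-403 difference is itself an oracle: an attacker walking IDs would still learn which accounts exist even after the email leak is closed. Opaque, non-sequential identifiers and rate limiting on the endpoint are worthwhile additions, but neither substitutes for the ownership check.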

The sentence, by the way, was near the top of the guideline range the judge had available, for those who insisted that courts in other CFAA cases, such as Aaron Swartz's, would have been lenient.

Plenty of people, especially in the security community, are realizing what a ridiculous ruling this is and how dangerous it is. As people are starting to point out, he may be a jerk, but that doesn't make him a criminal. The prosecution used chat logs in which Auernheimer and a friend, Daniel Spitler, discussed the effort, including talk of harming AT&T's reputation and promoting themselves as security experts. I don't see how that leads to any criminal activity. AT&T's reputation should be tarnished for having crap security. And why wouldn't some researchers talk about using the discovery of a really bad privacy hole at a major corporation to boost their own credentials? Pretty much anyone in their shoes would reasonably think the same thing.

Prosecutors, of course, played up Auernheimer's history of being a jerk, but that alone has little to do with his actions here:
"His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he," wrote U.S. Attorney Paul Fishman, who went on to note the "atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access."
While that may be true, none of that, by itself, is illegal. And the actions that exposed a glaring hole put in place by bad programmers at AT&T shouldn't be either.

Filed Under: andrew auernheimer, cfaa, hacking, jailtime, research, security, weev
Companies: at&t

Reader Comments


  1. uRspqF7L (profile), 20 Mar 2013 @ 6:51pm

    the insanity of this story and so many of the responses to it on this site is a demonstration of one reason the prosecutors and judge took this case so far.

    1) so few of the commentators care at all about the actual facts of the case--they have already decided (wrongly) that there was no evidence of weev's own malicious commercial self-interest. But there was substantial evidence presented at trial that he was not trying to "expose a security hole." So any story that bends the facts this way is starting from a wrong premise. The government convincingly (to the judge and jury) showed that he was trying to profit from his access to this information;
    2) the very premise of the story--that what weev did was "expose a blatant security hole"--makes no sense on the surface. 10 or 100 email addresses would have sufficed to make that point and would have been very unlikely to produce this prosecution. 120,000 email addresses is prima facie evidence that he intended to do something far beyond "exposing a security hole";
    3) from reading biographical stories about weev, it seems entirely likely that he had done this sort of thing before to his own significant profit--he had a lot of money of unclear origin;
    4) to the commentator who compared this to looking into your neighbor's unfenced yard--that is both a frightening misunderstanding of privacy, and wrong, in that if I write down your account number on a piece of mail that I can see from the street, and then give that information to somebody else or have the intent--even the INTENT--to use it to my own profit, the fact that it was "visible" is irrelevant. It is stealing something to which I have no right--and it's stealing EVEN THOUGH I may have left the original document where it was.

    Anyone who thinks weev is a freedom fighter is reading the wrong dictionary and the wrong law code, and that so many people do (on SUCH flimsy evidence and poor reading of the actual news stories) SHOULD concern law enforcement--and those of you who portray him as a freedom fighter are ensuring that crackdown is even harsher. This site is amazingly blinkered, but this story is exceptional even by those standards. I know it's cool to love the outlaw, whatevs, but if you love the outlaw because they break the law, you don't then get to ask for the system to go easy on them too.
