Security researcher found guilty of conspiracy and identity fraud in 'hackless' AT&T iPad hack

weev (pinguino flickr)

The trial surrounding Goatse Security’s 2010 collection and disclosure of AT&T iPad users’ emails has come to a close — one that again calls into question the legitimacy of the 1986 Computer Fraud and Abuse Act. 27-year-old Andrew Auernheimer, who goes by the name "weev" online, was found guilty in a New Jersey court on one count of identity fraud and one count of conspiracy to access a computer without authorization. That means the defendant is facing two consecutive five-year felonies for his online exploits. But what makes the case significant is that Auernheimer cracked no codes, stole no passwords, and did not in any way "break into" AT&T’s customer database — something company representatives confirmed during testimony.

Back in 2010, AT&T was making its iPad 3G users’ email addresses available to anyone with the associated ICC-ID — a unique number that authenticates the user’s SIM card to AT&T. According to chat transcripts posted by Wired, Auernheimer and 27-year-old Daniel Spitler (who accepted a plea bargain last year) wrote a script that randomly pinged AT&T's website with ICC-IDs, harvesting the email addresses it spit out. In the end, the two compiled a list of about 114,000 users, allegedly including people like Michael Bloomberg, Rahm Emanuel, and Diane Sawyer, before contacting Gawker in June to report their findings. By this time AT&T had already fixed the security hole.

The 1986 Computer Fraud and Abuse Act, which Auernheimer was found to have violated, predates the web and contains language that is frequently criticized for being unintelligibly vague in an era of ubiquitous networked computers. The Act makes it illegal to "access a computer without authorization or exceed authorized access" on any "protected computer" — for instance, one that is "used in interstate or foreign commerce or communication." TechNews Daily reports that while the jury was deliberating, Auernheimer said to the press, "the ‘protected computer’ is any network computer. You access a protected computer every day," before asking rhetorically, "have you ever received permission from Google to go to Google?"

Despite the guilty verdicts, Auernheimer remained upbeat, reportedly saying the jury’s decision was largely due to the general population’s comparative computer illiteracy, and telling his Twitter followers that he planned to appeal the case. Following the verdict, Auernheimer stressed, "R. David Halsey from AT&T used the words, ‘there was no security bypass.’ It can’t be clearer than that. The definition of ‘unauthorized access’ has to include the bypass of security measures."
