Researcher Gets 41 Months in Jail for Exposing iPad Security Flaw - eSecurity Planet

Home Profile Create Page

Researcher Gets 41 Months in Jail for Exposing iPad Security Flaw - eSecurity Planet

Jared Sperli stashed this in security

Source: http://www.esecurityplanet.com/hackers/r...

Jared Sperli
5:41 PM Mar 18 2013

Stashed in: iPad!, Freedom!, Digital Age

To save this post, select a stash from drop-down menu or type in a new one:

Andrew Auernheimer, a.k.a. "Weev," has been sentenced to 41 months in prison and ordered to pay $73,162 in restitution for leveraging a security flaw in AT&T's Web site to access the e-mail addresses of 114,000 iPad owners. Auernheimer had been found guilty in November of 2012.

What's striking about Auernheimer's sentencing is that he didn't actually hack anything -- when he and Daniel Spitler (who also pleaded guilty and is currently awaiting sentencing) accessed the data in 2010, they made it clear that they had simply made use of a publicly available script on AT&T's Web site -- when provided with an iPad's ICC-ID, the script would provide the associated e-mail address.

Auernheimer and Spitler, according to Gawker, simply created a PHP script to speed up the harvesting of e-mail addresses.

But in a letter to iPad customers soon after the breach, AT&T chief privacy officer Dorothy Attwood characterized it differently. "The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses," Attwood wrote. "They then put togehter a list of these e-mails and distributed it for their own publicity."

In response to Attwood's letter, Auernheimer wrote in a June 2010 blog post, "The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost."

The Electronic Frontier Foundation (EFF) today announced that it will be joining Auernheimer's legal team for his appeal. "Weev is facing more than three years in prison because he pointed out that a company failed to protect its users' data, even though his actions didn't harm anyone," EFF senior staff attorney Marcia Hofmann said in astatement. "The punishments for computer crimes are seriously off-kilter, and Congress needs to fix them."

Andrew Auernheimer, a.k.a. "Weev," has been sentenced to 41 months in prison and ordered to pay $73,162 in restitution for leveraging a security flaw in AT&T's Web site to access the e-mail addresses of 114,000 iPad owners. Auernheimer <a rel="nofollow" target="_blank" href="http://www.esecurityplanet.com/hackers/hacker-found-guilty-for-exposing-att-ipad-security-flaw.html">had been found guilty</a> in November of 2012.

What's striking about Auernheimer's sentencing is that he didn't actually hack anything -- when he and Daniel Spitler (who also pleaded guilty and is currently awaiting sentencing) <a rel="nofollow" target="_blank" href="http://www.esecurityplanet.com/news/article.php/3887086/ATT-Gaffe-Exposes-114000-iPad-EMail-Accounts.htm">accessed the data in 2010</a>, they made it clear that they had simply made use of a publicly available script on AT&T's Web site -- when provided with an iPad's ICC-ID, the script would provide the associated e-mail address.

Auernheimer and Spitler, <a rel="nofollow" target="_blank" href="http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed">according to Gawker</a>, simply created a PHP script to speed up the harvesting of e-mail addresses.

But in a <a rel="nofollow" target="_blank" href="http://www.esecurityplanet.com/news/article.php/3887526/FCC-Issues-Warning-FBI-Investigates-iPad-Breach.htm">letter to iPad customers</a> soon after the breach, AT&T chief privacy officer Dorothy Attwood characterized it differently. "The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses," Attwood wrote. "They then put togehter a list of these e-mails and distributed it for their own publicity."

In response to Attwood's letter, Auernheimer wrote in a <a rel="nofollow" target="_blank" href="http://security.goatse.fr/a-response-to-atts-letter">June 2010 blog post</a>, "The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost."

The <a rel="nofollow" target="_blank" href="https://www.eff.org/">Electronic Frontier Foundation</a> (EFF) today announced that it will be joining Auernheimer's legal team for his appeal. "Weev is facing more than three years in prison because he pointed out that a company failed to protect its users' data, even though his actions didn't harm anyone," EFF senior staff attorney Marcia Hofmann said in a<a rel="nofollow" target="_blank" href="https://www.eff.org/press/releases/eff-joins-andrew-auernheimer-case-appeal">statement</a>. "The punishments for computer crimes are seriously off-kilter, and Congress needs to fix them."

Jared Sperli
5:41 PM Mar 18 2013

The punishments for SOME computer crimes are off-kilter.

On the other hand, whoever is doing these network attacks...

http://pandawhale.com/post/18077/real-time-network-attacks

...should have the book thrown at them.

Adam Rifkin
6:53 PM Mar 18 2013

Researcher Gets 41 Months in Jail for Exposing iPad Security Flaw - eSecurity Planet

Jared Sperli stashed this in security

You May Also Like: