March 19, 2013
iPad Hacker Sentenced To 3.5 Years, Attorney Says He Was Wrongly Convicted
Michael Harper for redOrbit.com — Your Universe Online
Last November, 26-year-old Andrew Auernheimer was found guilty of identity fraud and conspiracy to access a computer without authorization. Yesterday, he was sentenced to three years and five months in prison to pay for his crimes.
Auernheimer, who is known around the web as “Weev,” is one half of what's been called “Goatse Security,” the pair of hackers who found a hole in AT&T's Web site and stole some private information about the earliest iPad adopters in 2010. Using a specially designed program, Auernheimer and his partner Daniel Spitter downloaded ICC-IDs, unique device identifiers, from AT&T's Website. With these IDs, Auernheimer and Spitter were able to determine the email addresses of more than 100,000 iPad owners. These included some high-profile names, such as Mayor Bloomberg, ABC's Diane Sawyer, and several officers with the Department of Homeland Security (DHS).
"Andrew Auernheimer knew he was breaking the law when he and his partner hacked into AT&T's servers and stole personal information from unsuspecting iPad users," said Paul Fishman, the US attorney for New Jersey, according to the Wall Street Journal.
"When it became clear that he was in trouble, he concocted the fiction that he was trying to make the Internet more secure, and that all he did was walk in through an unlocked door," remarked Fishman.
Tor Ekeland, Auernheimer's lawyer, said he believes the court used the Computer Fraud and Abuse Act wrongly to hand down the conviction.
"We fully, fully intend to appeal this case," Mr. Ekeland said.
In addition to his sentence, Auernheimer has also been ordered to pay $73,162 in restitution.
Upon Auernheimer's sentencing, the Electronic Frontier Foundation (EFF) announced they'd be joining his appellate team in protest.
“Weev's case shows just how problematic the Computer Fraud and Abuse Act is,” said Hanni Fakhoury, EFF's staff attorney, in a statement. “We look forward to reversing the trial court's decision on appeal. In the meantime, Congress should amend the CFAA to make sure we don't have more Aaron Swartzs and Andrew Auernheimers in the future.”
Using what they called the “iPad 3G Account Slurper,” Auernheimer and Spitter gathered thousands of email addresses. The pair then reached out to Website Gawker to share the details of this security hole. They supplied the site with the email addresses and their procedure to validate what they had done.
Shortly after the Gawker story ran (entitled “Apple's Worst Security Breach: 114,000 iPad Owners Exposed”), AT&T plugged the hole, saying they were alerted to this problem only after a “business customer” had brought it to their attention.
According to Wired, Auernheimer has compared his actions to walking down the street and writing down the physical addresses of the buildings. In a letter to the US attorney's office in New Jersey, Auernheimer says AT&T should be blamed for allowing the hole to exist in the first place.
“AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders,” wrote Auernheimer.
The prosecution used this email against Auernheimer as well as some public statements he had made on popular site Reddit about this case.
“My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won't nearly be as nice next time,” Auernheimer concluded.