
Irreverent cyber "troll" may face hard prison time for his actions, continues to fight for his innocence

A New York security "researcher" faces the prospect of spending five years behind bars and being forced to pay up to $250,000, after a federal jury of his peers found him guilty of cybercrimes involving his 2010 exploitation of a flaw in the security of iPad service provider AT&T. He allegedly used the flaw to expose the email addresses of over 100,000 individuals.

I. A Leaky Hole

The story began in June 2010.  Apple, Inc. (AAPL) had just released the first generation iPad, a tablet computer that transformed the form factor from overlooked to in vogue.  And the service provider du jour for iPads with 3G data connectivity was AT&T, Inc. (T).  

But AT&T's iPad support services had a relatively minor, but notable, security flaw.  AT&T's iPad-related servers ran a script that accepted an ICC-ID (integrated circuit card identifier), an identifier unique to each device.  

If sent a valid ICC-ID, the script served up the personal email address of the subscriber associated with that device.  AT&T had planned to use the feature to generate a slick AJAX-style response in its web applications for the iPad.

AT&T left a gaping hole in their iPad web scripts. [Image Source: DailyTech/Jason Mick]

But Andrew Auernheimer, Daniel Spitler, and other hackers with the profanely named "troll" hacker collective Goatse Security identified the vulnerability while probing AT&T's servers.  They quickly wrote a so-called "data slurper" -- a script that performed a brute force attack, working through tables of ICC-IDs and recording the ones that received a response.

AT&T apologized for the breach and took down the script, closing its hole.
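To make the flaw in section I concrete from the defender's side, here is an added example (not DailyTech's code and not AT&T's actual script): a lookup that hands back an email address to anyone who supplies a valid ICC-ID, the same lookup hardened so the requested ICC-ID must match the one bound to an authenticated session and all failures look identical, and a log check that flags a client walking through many distinct ICC-IDs in a short window, which is how the "data slurper" described above would appear in server logs. The `Session` class, the subscriber table, the ICC-ID values and the log lines are all constructed for the example.

```python
"""Added example (not DailyTech's or AT&T's code): an ID-to-email lookup
modelled on the flaw described in the article, a hardened version, and a
log check that spots enumeration of IDs.  All data here is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subscriber table: ICC-ID -> subscriber email.  The ICC-IDs are
# made-up 20-digit strings, not real identifiers.
SUBSCRIBERS = {
    "89014104211234567890": "alice@example.com",
    "89014104211234567891": "bob@example.com",
    "89014104211234567895": "carol@example.com",
}


def lookup_email_vulnerable(iccid):
    """The shape of the original flaw: any caller who supplies a valid
    ICC-ID gets the matching email back, and an unknown ID gets a different
    answer, so the endpoint doubles as an oracle for which IDs exist."""
    return SUBSCRIBERS.get(iccid)


class Session:
    """Hypothetical authenticated session: the server already knows which
    device (ICC-ID) the logged-in subscriber owns."""
    def __init__(self, subscriber_iccid):
        self.subscriber_iccid = subscriber_iccid


def lookup_email_hardened(iccid, session):
    """Hardened lookup: the ICC-ID in the request must equal the one bound to
    the authenticated session, and every failure (no session, mismatched ID,
    unknown ID) returns the same value, so the response reveals nothing to
    a caller probing IDs that are not their own."""
    if session is None or session.subscriber_iccid != iccid:
        return None
    return SUBSCRIBERS.get(iccid)


# Constructed access-log lines: "<timestamp> <client_ip> <iccid> <status>".
# One client walks consecutive ICC-IDs; the other asks about its own only.
SAMPLE_LOG = """\
2010-06-05T10:00:01 203.0.113.7 89014104211234567890 200
2010-06-05T10:00:01 203.0.113.7 89014104211234567891 200
2010-06-05T10:00:02 203.0.113.7 89014104211234567892 404
2010-06-05T10:00:02 203.0.113.7 89014104211234567893 404
2010-06-05T10:00:03 203.0.113.7 89014104211234567894 404
2010-06-05T10:00:03 203.0.113.7 89014104211234567895 200
2010-06-05T10:00:04 203.0.113.7 89014104211234567896 404
2010-06-05T10:05:00 198.51.100.9 89014104211234567890 200
"""


def find_enumerators(log_text, window=timedelta(minutes=1), max_ids=5):
    """Flag client IPs that query more than `max_ids` distinct ICC-IDs within
    any sliding `window`.  A legitimate iPad asks about its own ICC-ID; a
    scraper walks through many.  Returns {ip: most distinct IDs seen in a
    window} for the flagged clients only."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, iccid), ...]
    for line in log_text.splitlines():
        ts, ip, iccid, _status = line.split()
        per_ip[ip].append((datetime.fromisoformat(ts), iccid))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {iccid for _, iccid in events[start:end + 1]}
            if len(distinct) > max_ids:
                flagged[ip] = max(len(distinct), flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    print("vulnerable:", lookup_email_vulnerable("89014104211234567890"))
    print("hardened, wrong session:",
          lookup_email_hardened("89014104211234567890", Session("89014104211234567891")))
    print("hardened, own session:",
          lookup_email_hardened("89014104211234567890", Session("89014104211234567890")))
    print("enumerating clients:", find_enumerators(SAMPLE_LOG))
```

The hardened version removes the two properties the original script had: it no longer treats a guessable device identifier as proof of identity, and it no longer answers differently for valid and invalid IDs. The log check is a coarse heuristic (threshold and window are arbitrary here) but illustrates that a scraper working through ID ranges looks nothing like a single iPad asking about itself.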

II. Investigation, Trial Conclude in Guilty Verdict

But the damage was already done.  Goatse Sec. had published its results to the blog site Gawker, revealing parts of a data set that contained roughly 114,000 email addresses.  Among the high profile figures exposed were ABC News anchor Diane Sawyer, New York City Mayor Michael Bloomberg, and current Chicago Mayor Rahm Emanuel.

Soon after the data loss, U.S. Federal Bureau of Investigation agents investigating the incident conducted a raid on the home of Mr. Auernheimer, who had moved from New York to a residence in Arkansas.  Mr. Auernheimer, aka "weev" or "Escher Auernheimer", was arrested by federal agents on suspicion of computer crimes.  Authorities also allegedly found cocaine, LSD, and ecstasy in his residence.  Lawyers for Mr. Auernheimer contend that the raid was unnecessary and illegal.  The security "researcher" has yet to face charges on the drugs found.

However, he was charged with one count of conspiracy to access servers without permission and one count of identity theft.  These offenses -- spelled out in the Computer Fraud and Abuse Act of 1986 (18 USC § 1030) -- carry a maximum sentence of five years in prison and a fine of up to $250,000 USD.

Goatse Security "researcher" Andrew Auernheimer was found guilty of two counts of computer crimes and may be sentenced to up to five years in prison, pending appeal. [Image Source: AP]

Mr. Auernheimer was charged in U.S. District Court for the District of New Jersey, the location where his co-defendant (Daniel Spitler) was charged.  Initially, federal authorities had planned to charge the two members separately, which would have resulted in a trial of Mr. Auernheimer in an Arkansas District Court.  However, the case was eventually shuffled to the New Jersey District Court.

In June 2011, Mr. Spitler, aka "JacksonBrown", pled guilty to the two cybercrime counts in hopes of receiving a lighter sentence.  He is currently awaiting sentencing.

Mr. Auernheimer has fought the charges, and the trial concluded this week with the jury finding Mr. Auernheimer guilty of both counts.

III. Appeal is Pending

The hacker's attorney, Tor Ekeland, disputes the verdict, arguing that the jury and judge misinterpreted the cybercrimes statute and the nature of Mr. Auernheimer's data grab.  The hacker is currently free on bail.  His attorney is appealing the case to the 3rd U.S. Circuit Court of Appeals in Philadelphia.

Mr. Auernheimer's attorney argues the guilty verdict is the result of technical ignorance on behalf of the jury. [Image Source: Steffie Keith/Flickr]

A Goatse Sec. spokesperson in a previous interview with DailyTech defended the disclosure and data grab, emphasizing that Goatse Sec. researchers did not try to profit off the emails they grabbed.  The spokesperson writes:

While plenty of jokes about selling the list to Chinese spammers or using it to screw with the stock market circulated #gnaa, the truth of the matter is that disclosing this vulnerability let customers know how their data was being mishandled. As it was widely reported, the data was only released to Gawker to provide proof of the vulnerability. Considering the circumstances, it was the most ethical thing they could do.

The spokesperson, like Mr. Auernheimer's attorney, chalks the possibility of a conviction up to technical ignorance on behalf of the jury, remarking:

As for the "hacking" itself, describing the activities of GoatSec as "hacking" or "unauthorized entry" is a gross overstatement and dramatization. If you examine what actually took place, it was simply enumerating account IDs by using the API exactly as it was designed. There was no authentication to bypass, no warnings about prohibiting access or anything else of the sort. The only hope the DOJ has of prosecuting them is based on the likely technical ignorance of the jury, sad to say.

You can read my full interview with the Goatse Sec. spokesperson here.

Sources: FBI, Reuters



Comments

This is crap...
By Iaiken on 11/21/2012 3:19:18 PM , Rating: 5
This is crap, I've seen the actual web interface and there was zero security to speak of, it was basically like this:

https://companysite/userdata/service.aspx?user=12345

Gee, that looks an awful lot like how DailyTech references its articles. Is DT going to send me to prison for accessing their server without their permission?

http://erratasec.blogspot.de/2012/11/you-are-commi...

The ONLY reason he is going to jail is because he embarrassed a fortune 500 company who then cried foul to the FBI. Then the FBI raided his place and the prosecutor presented a twisted interpretation of the Computer Fraud & Abuse Act to the jury to make it stick.

The problem is that the new interpretation is not being applied equally, nor could it ever be. In other words, if they were to apply this newly twisted interpretation of the law equally to all people as they did to this guy, we'd all be serving 5 year terms in prison.

This will certainly go to appeal and I hope he wins, but there will still be no reprimand for the FBI or the prosecutor who presided over this travesty.




RE: This is crap...
By JasonMick (blog) on 11/21/2012 3:36:43 PM , Rating: 5
quote:
The ONLY reason he is going to jail is because he embarrassed a fortune 500 company who then cried foul to the FBI. Then the FBI raided his place and the prosecutor presented a twisted interpretation of the Computer Fraud & Abuse Act to the jury to make it stick.
My opinion :

You have got to love laws that can be interpreted so broadly that any act that's against the will of the party of interest within a certain realm can be considered a crime.

Such ambiguity, particularly when attached to penalties that carry up to 5 years in prison, is simply astounding.

In retrospect Goatse Sec., despite its general trollish offensiveness, was remarkably responsible in their disclosure. The federal prosecutors in no way (to my knowledge) sought to or were able to disprove that.

It's remarkably close to classic entrapment. Party a leaves objects out in the open, party b scoops them up and offers them (for free) to a proper authority, party b gets arrested and possibly imprisoned for 5 years.

Given such incidents, it's relatively unsurprising why the U.S. has the highest imprisonment rate per capita in the world, with roughly 1 percent of its population behind bars.

People who say the "police state" is just some kind of leftist/right-wing (your choice) propaganda, ask yourselves why the U.S., supposedly the most "free" nation in the world, imprisons more of its people than ANY other nation?

Do you think U.S. citizens are worse people than their foreign peers? Are U.S. juries really that much stupider than their foreign peers such that they convict innocent men and women at a higher rate?

Doubtful.

Maybe the hand of justice and the legal code are far less fair and well defined as federal authorities would have you believe. The grip on global wealth and power and the gauntlet of tyranny are held as one.


RE: This is crap...
By kleinma on 11/21/2012 3:57:10 PM , Rating: 2
The sad thing is though this guy did it for "fame". He knew exactly what he was doing, he knew it was wrong. Not so much the poking and prodding on the server, but certainly the release of the data. Yet he did, because he wanted the recognition in the relative community for a "look what I found" moment. He also hacked nothing, simply discovered a wide open door he could walk in and take whatever he wanted. Actual hackers must hate these guys sharing their label.

It's similar to going to a local business, and finding they are closed for the day, but realize they didn't lock the door. So you decide to walk in and take a few things. You know it's wrong, there is 0 question if it is wrong, there is 0 question you are violating a law, yet you do it anyway.

Would he be going to jail if he privately disclosed the flaw to AT&T and released no data (or even better, didn't write a script to brute force data scrape once he realized what he had)?

Bottom line is he is about to discover goatse for real.


RE: This is crap...
By ClownPuncher on 11/21/2012 4:01:03 PM , Rating: 2
This ginger bearded dandy is not wanted for punk status.


RE: This is crap...
By JasonMick (blog) on 11/21/2012 4:49:08 PM , Rating: 2
quote:
So you decide to walk in and take a few things. You know it's wrong, there is 0 question if it is wrong, there is 0 question you are violating a law, yet you do it anyway.
Bad analogy, in my opinion. The laws are quite clear about theft, they're relatively ambiguous about what constitutes "unauthorized access" of servers. As the above op pointed out, the access was similar to a standard URL...
quote:
Would he be going to jail if he privately disclosed the flaw to AT&T and released no data (or even better, didn't write a script to brute force data scrape once he realized what he had)?
And zero disclosure fell out of fashion in the 90s when hackers found that corporate interests weren't interested in fixing their flaws (by and large) until they were forced to by negative publicity, hence the rise of grey hat "responsible" disclosure.
quote:
The sad thing is though this guy did it for "fame".
True, what security researcher isn't publishing their findings for "fame". Every app developer publishes their apps for "fame". I'm publishing this article for "fame". Should I be imprisoned?
quote:
He knew exactly what he was doing, he knew it was wrong.
Oh rly? So you have some sort of psychic powers and have probed his brain?

How can you claim to know what he thought in terms of the morality of his actions??
quote:
He also hacked nothing, simply discovered a wide open door he could walk in and take whatever he wanted. Actual hackers must hate these guys sharing their label.
Part of being a hacker is discovery. Many great hacks came due to hours of hard work that yielded remarkably simple security breaches. I have friends who were pivotal hackers in the 90s and often they gained access from something as simple as garbage diving and finding a shredded sheet with a password.

True, this is even more elementary, but a clever find is still a clever find.
quote:
It's similar to going to a local business, and finding they are closed for the day, but realize they didn't lock the door. So you decide to walk in and take a few things.
Except your analogy fails because it's fundamentally different. He didn't "take" anything. All the email addresses were still there. He didn't sabotage AT&T's servers or subvert their authentication. He made a COPY of the emails.

It would be like if you used your analogy and the person went inside and sculpted a statue that looked like the statue in your entry way. And then you charged them with "unauthorized statue copying".

Or to give another example it would be like if you were standing in front of your open window sticking your naked posterior out at all to see, and then some person came along and snapped a digital photograph -- a "copy", so to speak, of that scene.

And then they took that photo to the cops complaining of your indecency, and instead the cops charged the bystander with "unauthorized picture taking" and "likeness theft".
quote:
You know it's wrong, there is 0 question if it is wrong, there is 0 question you are violating a law, yet you do it anyway.
Again, I think you're being wildly presumptuous with your claims of what other people "think" or "know" is wrong.

This is a moral gray area, certainly, but when you paint it as black and white, you're making a weak argument.


RE: This is crap...
By kleinma on 11/21/2012 5:20:17 PM , Rating: 3
Jason, do you really think someone writing a script to pound AT&Ts servers trying every combo of device ID to get a response back and compile a list of email addresses of iPad owners was thought to be a totally innocent action, and that the person conducting the operation had no concept or thought that what they were doing was not the "right thing"?

I guess maybe you are just trying to be diplomatic here, and I am not for throwing the guy in jail (perhaps he would be better off getting a job working in IT security), but let's at least admit what is reality here: He did something he wasn't supposed to, and he knew full well he wasn't supposed to be doing it. No one needs to read his mind to know that.


RE: This is crap...
By blue_urban_sky on 11/21/2012 7:16:45 PM , Rating: 2
I wonder if you are a programmer? If I found this I would wrap it in a loop (brute force) to see the extent of the problem.

Take these 2 made up headlines

Hacker steals 100,000 email addresses of iPad users.

Bloke says you can get an email address from a web service if you supply an iPad device id!!!1!

One closes a flaw in security the other makes your mother call you a 'clever' boy to her friends.

Sadly this also got the guy arrested for shaming a company.


RE: This is crap...
By rs2 on 11/21/2012 10:50:40 PM , Rating: 2
Um, no. If someone writes a webservice that takes a number and returns an e-mail address, deploys it publicly, and takes no steps to restrict access to it, then that person has done a very stupid thing. And when you notice a person who has done a very stupid thing, the responsible thing to do is to publicly call them out on it so that they fix the problem, quickly.

Otherwise you have a security leak that just sits there, and everyone knows that it's broken, and the truly nefarious people quietly mine data from the broken system and sell it to spammers in the background. And the stupid person who operates it does nothing because they're either too stupid to realize how poorly they've implemented their system, or too indifferent to care.

The only entity who has done anything wrong in this case is AT&T, for deploying that sorry excuse of a webservice in the first place. There are simple ways to secure these kinds of things, they employed none of them, and they should have known better. They should be the ones on trial, not the guy who pointed out how royally they screwed up.


RE: This is crap...
By Solandri on 11/22/2012 5:40:30 AM , Rating: 3
quote:
The only entity who has done anything wrong in this case is AT&T, for deploying that sorry excuse of a webservice in the first place.

If you leave your car door unlocked with the keys in the ignition, and the car gets stolen, then yeah it's your fault. But that doesn't mean the thief didn't commit a crime.


RE: This is crap...
By rs2 on 11/22/2012 6:22:42 AM , Rating: 3
quote:
If you leave your car door unlocked with the keys in the ignition, and the car gets stolen, then yeah it's your fault. But that doesn't mean the thief didn't commit a crime.


I agree with you 100% there. However that analogy is not directly applicable to this case. Where do you see a crime having been committed? AT&T created a service that spits out email addresses for free. They did nothing to prevent arbitrary people from accessing it. No property was stolen, and nobody was deprived access to any tangible item or intangible service.

There was no crime committed. No theft, no trespass, nothing. Unless finding strangers' email addresses is a crime now. Is it?


RE: This is crap...
By drlumen on 11/23/2012 11:42:21 AM , Rating: 1
I haven't done much research on this but if it was as easy as parsing a URL then I don't see any crime there. If there was no security around the AT&T site and it was publicly accessible then that is AT&T's fault regardless of how much it was used by one person. I see any URL as a publicly available internet location. If it is/was a 'secure' site then they would not have been able to get the data as was described.

You liken it to car theft but there was nothing of real intrinsic value that was taken. I liken it more to putting a bowl of candy out on Halloween (without as much as a sign requesting to only take 1). Then getting pissed off that some one or group cleaned out the bowl. Yes, it was a dick move for them to take it and publish it but it was data that was made public by AT&T regardless of the form or function.


RE: This is crap...
By FastEddieLB on 11/21/2012 4:02:40 PM , Rating: 1
quote:
People who say the "police state" is just some kind of leftist/right-wing (your choice) propaganda,

It's not propaganda, just study history.
quote:
ask yourselves why the U.S.; supposedly the most "free" nation in the world imprisons more of its people than ANY other nation?

Because we don't execute our death row inmates any more and instead of deporting illegal aliens who commit crimes to be dealt with by their own government we lock them up in our prisons. See, it's not just our citizens who we imprison. However, this is not what defines a police state. While the United States is becoming dangerously close (some states require you by law to carry your ID on you at all times) it's not there yet, though I wonder if we'll even recognize it for what it is when we cross the line that is already blurred.


RE: This is crap...
By Samus on 11/21/2012 4:21:45 PM , Rating: 2
1/4 people imprisoned are on drug-related charges.

I would guess most countries don't imprison you for marijuana or other soft-drug related crimes. Most civilized countries in the EU simply turn a blind eye to marijuana, whether it's legal or not.


RE: This is crap...
By ritualm on 11/21/2012 4:34:45 PM , Rating: 2
Wrong.
quote:
this is not what defines a police state

You already have one. It's called the Prison industry, its job is to ensure a constant flow of criminals, therefore it needs creative interpretation and implementation of existing laws in order for the industry to prosper. Refusing to legalize softcore contraband e.g. marijuana being one of the ways to accomplish that very goal.


RE: This is crap...
By kleinma on 11/21/2012 5:22:48 PM , Rating: 2
So that is why 2 states just legalized it for recreational use, 18 states legalized it for medical use, non violent prisoners are being released or having sentences shortened left and right because of over population of prisons?


RE: This is crap...
By superstition on 11/22/2012 12:57:44 AM , Rating: 2
The Hidden History of ALEC and Prison Labor
http://www.thenation.com/article/162478/hidden-his...
quote:
prison labor for the private sector was legally barred for years, to avoid unfair competition with private companies. But this has changed thanks to the American Legislative Exchange Council (ALEC), its Prison Industries Act, and a little-known federal program known as PIE

quote:
ALEC helped pioneer some of the toughest sentencing laws on the books today, like mandatory minimums for non-violent drug offenders, “three strikes” laws, and “truth in sentencing” laws. In 1995 alone, ALEC’s Truth in Sentencing Act was signed into law in twenty-five states. (Then State Rep. Scott Walker was an ALEC member when he sponsored Wisconsin's truth-in-sentencing laws and, according to PR Watch, used its statistics to make the case for the law.)

quote:
ALEC has also worked to pass state laws to create private for-profit prisons, a boon to two of its major corporate sponsors: Corrections Corporation of America and Geo Group (formerly Wackenhut Corrections), the largest private prison firms in the country. An In These Times investigation last summer revealed that ALEC arranged secret meetings between Arizona’s state legislators and CCA to draft what became SB 1070, Arizona’s notorious immigration law, to keep CCA prisons flush with immigrant detainees. ALEC has proven expertly capable of devising endless ways to help private corporations benefit from the country’s massive prison population.

That mass incarceration would create a huge captive workforce was anticipated long before the US prison population reached its peak—and at a time when the concept of “rehabilitation” was still considered part of the mission of prisons.

quote:
in 1993, when Texas State Representative and ALEC member Ray Allen crafted the Texas Prison Industries Act, which aimed to expand the PIE program. After it passed in Texas, Allen advocated that it be duplicated across the country. In 1995, ALEC’s Prison Industries Act was born.

quote:
Prison labor has already started to undercut the business of corporations that don’t use it. In Florida, PRIDE has become one of the largest printing corporations in the state, its cheap labor having a significant impact upon smaller local printers. This scenario is playing out in states across the country. In addition to Florida's forty-one prison industries, California alone has sixty. Another 100 or so are scattered throughout other states. What's more, several states are looking to replace public sector workers with prison labor. In Wisconsin Governor Walker’s recent assault on collective bargaining opened the door to the use of prisoners in public sector jobs in Racine, where inmates are now doing landscaping, painting, and other maintenance work. According to the Capitol Times, “inmates are not paid for their work

quote:
“It’s bad enough that our companies have to compete with exploited and forced labor in China,” says Scott Paul Executive Director of the Alliance for American Manufacturing, a coalition of business and unions. “They shouldn’t have to compete against prison labor here at home.


RE: This is crap...
By cubby1223 on 11/22/2012 12:19:42 PM , Rating: 2
quote:
People who say the "police state" is just some kind of leftist/right-wing (your choice) propaganda, ask yourselves why the U.S., supposedly the most "free" nation in the world, imprisons more of its people than ANY other nation?


Really? Put out private information of high-level government employees in other countries, you might be BEGGING to be placed in jail compared to the alternatives.

Second, this guy has been convicted, NOT sentenced. You're following the typical sensational activist way of presenting the news, highlighting and focusing on the maximum possible penalties allowed by the law, instead of discussing what the probable penalty may be, or even just waiting out the sentence to know for sure if he will serve jail time or not.


RE: This is crap...
By rs2 on 11/22/2012 7:07:37 PM , Rating: 2
quote:
Really? Put out private information of high-level government employees in other countries, you might be BEGGING to be placed in jail compared to the alternatives.


So your point is, other places are fascist hell-holes so who cares if we start down that same road? Brilliant!


RE: This is crap...
By Jeffk464 on 11/21/2012 11:16:19 PM , Rating: 2
He should have got a job in one of the three top banks and stole billions. He would have got a slap on the wrist.


RE: This is crap...
By superstition on 11/22/2012 12:51:33 AM , Rating: 2
I guess that would happen if his golden parachute encountered some minor turbulence.


RE: This is crap...
By superstition on 11/22/2012 1:01:29 AM , Rating: 2
Vulture Capitalism Ate Your Twinkies
http://www.thenation.com/blog/171331/vulture-capit...

Not just banksters...


Copyright 2014 DailyTech LLC.