Goatse Security iPad Hacker Found Guilty, Faces up to Five Years in Prison
November 21, 2012 2:42 PM
comment(s) - last by
Irreverent cyber "troll" may face hard prison time for his actions, continues to fight for his innocence
A New York security "researcher" faces the prospect of spending five years behind bars and being forced to pay up to $250,000, after a federal jury of his peers
found him guilty
of cybercrimes involving his 2010 exploitation a flaw in the security of iPad service provider AT&T. He allegedly used the flaw to
expose the email address of over 100,000 individuals
I. A Leaky Hole
The story began in June 2010. Apple, Inc. (
) had just released
the first generation iPad
, a tablet computer that transformed the form factor from overlooked to
. And the service provider du jour for iPads with 3G data connectivity was AT&T, Inc. (
But AT&T's iPad support services had a relatively minor, but notable security flaw. AT&T's iPad-related servers ran a script that accepted an ICC-ID (
integrated circuit card identifiers
), an identifier unique to each device.
If sent a valid ICC-ID, the script served up the personal email of the subscriber associated with that device. AT&T had planned to use the feature to generate a slick AJAX-style response on its web applications for the iPad.
AT&T left a gaping hole in their iPad web scripts. [Image Source: DailyTech/Jason Mick]
But Andrew Auernheimer, Daniel Spitler, and other hackers with the profanely named "troll" hacker collective Goatse Security identified the vulnerability when they were probing AT&T's servers. They quickly wrote a so-called "data slurper" -- a script that performed a brute force attack, working through tables of ICC-IDs and recording the ones that received a response.
apologized for the breach
and took down the script, closing its hole.
II. Investigation, Trial Conclude in Guilty Verdict
But the damage was already done. Goatse Sec. had published its results to the blog site
, revealing parts of a data set that contained roughly
114,000 email addresses
. Among the high profile figures exposed were ABC News anchor Diane Sawyer, New York City Mayor Michael Bloomberg, and current Chicago Mayor Rahm Emanuel.
Soon after the data loss
U.S. Federal Bureau of Investigation
agents, investigating the incident, conducted a raid on the home Mr. Auernheimer who had moved from New York to a residence in Arkansas. Mr. Auernheimer, aka "weev" or "Escher Auernheimer" was arrested by federal agents on suspicion of computer crimes. Authorities also allegedly found
cocaine, LSD, and ecstasy
in his residence. Lawyers for Mr. Auernheimer contend that the raid was unnecessary and illegal. The security "researcher" has yet to face charges on the drugs found.
with one count of conspiracy to access servers without permission and one count of identity theft. These offenses -- spelled out in the Computer Fraud and Abuse Act of 1986 (
18 USC § 1030
) -- carry a maximum sentence of five years in prison and a fine of up to $250,000 USD.
Goatse Security "researcher" Andrew Auernheimer was found guilty of two counts of computer crimes and may be sentenced to up to five years in prison, pending appeal. [Image Source: AP]
Mr. Auernheimer was charged in
U.S. District Court for the District of New Jersey
, the location where his co-defendant (Daniel Spitler) was charged. Initially, federal authorities had planned to charge the two members separately, which would have resulted in a trial of Mr. Auernheimer in an Arkansas District Court. However, the case was eventually shuffled to the New Jersey District Court.
In June 2011, Mr. Spitler, aka "JacksonBrown"
to the two cybercrimes counts, in hopes of receiving a lighter sentence. He is currently awaiting sentencing.
Mr. Auernheimer has fought the charges, and the trial concluded this week with the jury finding Mr. Auernheimer guilty of both counts.
III. Appeal is Pending
The hacker's attorney, Tor Ekeland, disputes the verdict, arguing that the jury and judge misinterpreted the cybercrimes statute and the nature of Mr. Auernehimer's data grab. The hacker is currently free on bail. His attorney is appealing the case to the
3rd U.S. Circuit Court of Appeals
Mr. Auernheimer's attorney argues the guilty verdict is the result of technical ignorance on behalf of the jury. [Image Source: Steffie Keith/Flickr]
A Goatse Sec. spokesperson in a previous interview with
defended the disclosure and data grab, emphasizing that Goatse Sec. researchers did not try to profit off the emails they grabbed. The spokesperson writes:
While plenty of jokes about selling the list to Chinese spammers or using it to screw with the stock market circulated #gnaa, the truth of the matter is that disclosing this vulnerability let customers know how their data was being mishandled. As it was widely reported, the data was only released to Gawker to provide proof of the vulnerability. Considering the circumstances, it was the most ethical thing they could do.
The spokesperson, like Mr. Auernheimer's attorney, chalks the possibility of a conviction up to technical ignorance on behalf of the jury, remarking:
As for the "hacking" itself, describing the activities of GoatSec as "hacking" or "unauthorized entry" is a gross overstatement and dramatization. If you examine what actually took place, it was simply enumerating account IDs by using the API exactly as it was designed. There was no authentication to bypass, no warnings about prohibiting access or anything else of the sort. The only hope the DOJ has of prosecuting them is based on the likely technical ignorance of the jury, sad to say.
You can read my full interview with the Goatse Sec. spokesperson
This article is over a month old, voting and posting comments is disabled
11/21/2012 9:36:41 PM
This just shows how inadequately our justice system understands and handles technology cases. If I build a webservice that allows unauthenticated clients to pass in a random number and get back an e-mail address and do nothing to limit access to this webservice then a couple of things should be clear:
1. It is not possible for anyone to access my webservice in an "unauthorized" way, because my service has no concept of an "unauthorized" user. All users are authorized. Had the webservice required a password, or at least, a private-key/auth-token, that would be a different story. But that's not what happened.
2. If someone is able to use my unprotected webservice to scrape e-mail addresses, then I am responsible and liable for any identity theft that occurs, not the guy who did the scraping. I'm the one who let the personal information out into the wild by operating a public webservice that serves up e-mail addresses to unauthenticated clients.
The problem is that a major company who
should have known better
published a webservice with absolutely no security around it, not that someone eventually came along and exploited their lack of security. The ruling in this case is harmful because it does nothing to address the actual problem, and gives companies the idea that it's okay to deploy insecure webservices in the wild because the law will back them up when they inevitable get exploited. They need to secure their webservice, not lock up the guy who pointed out that their webservice had no security.
"Death Is Very Likely The Single Best Invention Of Life" -- Steve Jobs
Second Hacker in AT&T/iPad Case Seeks Plea Deal
July 29, 2011, 12:16 AM
Interview: Goatse Security on FBI Charges Following AT&T iPad Breach
January 19, 2011, 6:42 AM
Apple, AT&T Convince FBI to Charge Goatse Security
January 18, 2011, 10:31 AM
Goatse Security Researcher Arrested After FBI Raid Reveals Blow, X
June 16, 2010, 8:34 AM
AT&T Apologizes to iPad Customers, We Reveal Hackers' Locales
June 14, 2010, 9:37 AM
Sprint Intros Free Wi-Fi Calling for Overseas Travelers
August 29, 2014, 11:30 AM
Nokia HERE Maps to Arrive on Samsung Galaxy Smartphones This October
August 29, 2014, 9:14 AM
Microsoft's Standalone Kinect 2 Goes On Sale Oct. 7 for $150
August 28, 2014, 4:33 PM
Apple Builds Not-So-Secret Secret 3-Story Tower for iPhone 6/iWatch Unveil
August 28, 2014, 3:41 PM
Intel Offers up Penny Sized 3G Modem for Smart Appliances, Etc.
August 28, 2014, 3:25 PM
T-Mobile Will Also Carry the HTC One (M8) for Windows
August 28, 2014, 2:59 PM
Most Popular Articles
Microsoft's Surface 2 Tablet Family Gets a $100 Price Cut
August 25, 2014, 1:16 AM
Owner of "Decepticon" Maserati Ordered to Appear in Court This Thursday
August 25, 2014, 7:55 AM
SpaceX Falcon 9-R Rocket Suffers Malfunction, Self-Destructs During Test Flight
August 23, 2014, 9:36 AM
LG Posts Teaser Video of Its “Round Face” G Watch R Smartwatch, Set for IFA Lauch
August 24, 2014, 2:49 PM
Windows 9: "Upgrade Now" Button Coming for Enterprise Updates, ARM Preview in H1 2015
August 26, 2014, 8:00 PM
Latest Blog Posts
Space Terrorism is a Looming Threat For the United States
Apr 23, 2014, 7:47 PM
Facebook Aims to Provide Internet to "Every Person in the World" with Drones, Satellites
Apr 1, 2014, 10:20 AM
Retail Mobile Sites Experience Outages in Light of Simplexity's Bankruptcy
Mar 14, 2014, 8:48 AM
Tesla vs. BMW: Who Has the Safer EV?
Feb 1, 2014, 2:56 PM
Justice Leaks Details of Next HTC One Two Flagship Phone
Dec 5, 2013, 4:04 PM
More Blog Posts
Copyright 2014 DailyTech LLC. -
Terms, Conditions & Privacy Information