Andrew Auernheimer joins growing list of so-called hackers facing harsh justice

The 26-year-old security researcher was sentenced to 41 months in prison for pulling email addresses from a public-facing server

Add Andrew "weev" Auernheimer to the list of so-called hackers to fall victim to the feds' increasingly aggressive pursuit of cyber criminals. The 26-year-old security researcher was handed a 41-month prison sentence on one count of identity theft and one count of conspiracy to access a computer without authorization. He faced those indictments for using a program that automated GET requests to collect 114,000 iPad users' email addresses from a public-facing AT&T server and sharing the exploit with Gawker.

Following his jail term, he faces three years of supervised release. He is also required to pay $73,000 in restitution to AT&T.

Auernheimer and David Spitler used a scripting tool called the iPad 3G Account Slurper to pull the names and email addresses of 114,000 iPad 3G owners from AT&T's servers in June 2010. The company had linked the ICC-ID (Integrated Circuit Card ID), a serial number on the SIM card of an iPad with cellular connectivity, with the user's email address.

The email addresses he snagged from the server included those belonging to New York Mayor Michael Bloomberg, former White House Chief of Staff Rahm Emanuel, and top executives at Dow Jones, The New York Times Co., and Time Warner.

Here's how he described the deed in his own words: "In June of 2010, there was an AT&T webserver on the open Internet. There was an API on this server, a URL with a number at the end. If you incremented this number, you saw the next iPad 3G user email address. I thought it was egregiously negligent for AT&T to be publishing a complete target list of iPad 3G owners, and I took a sample of the API output to a journalist at Gawker."

Auernheimer has maintained that he broke no laws. "Public-facing, programmatic accesses of APIs happen upwards of a trillion times per day. Twitter broke 13 billion on their API ages ago," he wrote in a government-required "acceptance of responsibility letter" prior to sentencing. "This is something that happens more than the entire population of Earth, daily. The government has no problem with this up until you transform the output into something offensive to important people."

Auernheimer also claimed that he was helping AT&T with its security by exposing the flaw. The company, however, said that nobody from Auernheimer's hacking group, known as Goatse Security, contacted it about the problem.

Auernheimer has likened himself to Aaron Swartz, who took his own life last January after facing 13 felony charges in a Massachusetts federal court -- including computer intrusion, wire fraud, and data theft -- stemming from allegations that he stole millions of scholarly articles and documents from an MIT subscription-based service called JSTOR. Swartz's supporters defended his actions, noting that he had a legitimate JSTOR account and thus hadn't stolen anything.

"Ivy League-educated and wealthy, Aaron dealt with his indictment so badly because he thought he was part of a special class of people that this didn't happen to," Auernheimer wrote. "I am from a rundown shack in Arkansas. I spent many years thinking people from families like his got better treatment than me. Now I realize the truth: The beast is so monstrous it will devour us all. None will be spared."

This story, "Andrew Auernheimer joins growing list of so-called hackers facing harsh justice," was originally published at InfoWorld.com.
