Two years ago, Auernheimer and a friend made a surprising discovery about the way AT&T was protecting its web database of iPad cellular data accounts: That is, AT&T wasn’t protecting it at all. Any customer could access his or her account data by going to an AT&T URL containing their iPad’s unique numerical identifier. No password, cookie, or login procedure was required to bring up a user’s private information. Auernheimer wrote a script to enumerate iPad IDs and promptly collected more than 100,000 e-mail addresses belonging to AT&T iPad users, which he shared with the Gawker news site to expose the AT&T flaw.
Courts have held that unauthorized access to a computer occurs whenever the computer owner says so, and the Department of Justice has enforced this point of view. Someone can violate the law even where there is no notice and where no password was hacked. All that is required is that a person, corporate or natural, subsequently says you don’t belong. This is precisely what happened in United States v. Auernheimer, 11-CR-470 (D.N.J.) (SDW), an important Computer Fraud and Abuse Act (CFAA) case about to be appealed to the United States Court of Appeals for the Third Circuit. This is a dangerously broad view of the Computer Fraud and Abuse Act that potentially criminalizes Google searches.
On November 20, 2012, controversial computer security researcher Andrew Auernheimer was convicted by a jury sitting in the Federal District Court for the District of New Jersey of one count of conspiracy to violate the Computer Fraud and Abuse Act (18 U.S.C. 1030(a)(2)(C)) and one count of identity theft (18 U.S.C. 1028(a)(7)). The verdict has startled and alarmed many legitimate computer security researchers, and it should be of concern to anyone who uses the Internet on a regular basis.
The facts are simple. In June of 2010, Andrew Auernheimer’s co-defendant Daniel Spitler discovered that AT&T’s servers were publishing email addresses of iPad subscribers on the servers’ authentication login page when queried with a SIM card number that matched an existing AT&T subscriber’s SIM card number. Upon discovering this, Spitler wrote an iterative script that queried AT&T’s publicly accessible iPad servers and copied over 120,000 email addresses. No password or any type of security was ever hacked, nor was any attempt ever made to hack any password or bypass any existing security measures. In essence, what Spitler’s script did could be done by anyone with a web browser who entered the right combination of numbers into a URL. Auernheimer immediately went to the press with this information, and emailed some of the people whose email addresses were obtained. Neither Auernheimer nor Spitler did anything else with the information. At trial there was no evidence of any harm to anyone except for the allegation that AT&T was embarrassed by its failure to protect what it claimed was confidential information. For his actions Auernheimer was convicted and now faces a maximum of ten years in federal prison and $500,000.00 in fines.
Auernheimer was sentenced to 41 months in prison followed by three years supervised release.
Ultimately, it’s hard not to wonder if Auernheimer was charged not so much for his conduct, but for provoking AT&T’s wrath with unwelcome news. That’s what should send a deep chill down the spines of security researchers everywhere.
No matter how careful we may try to be, there’s no telling who might get angry next. How can our delicate security ecosystem survive if embarrassment becomes a crime?