Weev gets 41 months in prison for exposing iPad strokers' privates

'Internet will topple governments,' defendant proclaims

Andrew Auernheimer, a member of the grey-hat hacking collective Goatse Security, has been sent down for three years and five months in the slammer after he helped leak users' private email addresses via a flaw in AT&T's servers.

Auernheimer, known online as Weev, received his sentence wearing shackles after he tried to bring a mobile phone into the courtroom. After completing his term he will have to pay over $72,000 in restitution to AT&T and undergo three years of supervised release.

"I didn't come here today to ask for forgiveness," Auernheimer told US District Judge Susan Wigenton, Bloomberg reports. "The Internet is bigger than any law can contain. Many, many governments that have attempted to restrict the freedoms of the Internet have ended up toppled."

In 2010, Auernheimer found a flaw in a public-facing AT&T server that could be used, via the iPad's integrated circuit card identifier (ICC-ID), to uncover the names and email addresses of 114,067 early adopters of Apple's 3G-equipped fondleslab. His colleague Daniel Spitler wrote a PHP script called "iPad 3G Account Slurper" to harvest the data, and then handed it over to online magazine Gawker.

The data caused huge embarrassment to AT&T and Apple, since it included the personal emails of then-White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, film mogul Harvey Weinstein, and several high-ranking US Army officials. AT&T fixed the flaw, and there's no evidence Auernheimer did anything more than highlight the sloppy coding.

His defense lawyers argued that he was accessing information on a public web server and that if this was a crime then most internet users are guilty too. This cut little ice with the presiding judge.

"While you consider yourself to be a hero of sorts, without question the evidence that came out at trial reflected criminal conduct," Judge Wigenton said in imposing the sentence. "You've shown absolutely no remorse. You've taken no responsibility for these criminal acts whatsoever. You've shown no contrition whatsoever."

Auernheimer's colleague Spitler now looks likely to face a similar sentence after pleading guilty, and some in the security field are warning that the verdict will have a deadening effect on flaw exposure. Former National Security Agency (NSA) programmer and now Apple-cracker and security consultant Charlie Miller said the decision was highly troublesome.

In this hack's opinion, Auernheimer's sentence is far too severe. You could argue that he should have submitted the flaw to AT&T, waited for the problem to be fixed, and then reaped the publicity. He could also have profited from selling the flaw on the grey or black markets, but chose not to go for the money, but to get embarrassment value instead.

"My regret is being nice enough to give AT&T a chance to patch before dropping the dataset to Gawker. I won't nearly be as nice next time," he said in a Reddit forum.

With no evidence of harm done, sending someone down for over three years, near-bankrupting them with fines, and setting such a long probation period looks less like justice and more like judicial spite. ®
