Hacker Faces Prison for Not Hacking iPad
Andrew Auernheimer, aka Weev, in a 2010 self-portrait.
CREDIT: Weev/Creative Commons
Update: Andrew Auernheimer was found guilty on two counts Nov. 20.
Five weeks after the release of the original 3G-enabled iPad in April 2010, Apple and AT&T suffered a massive data breach, exposing the email addresses of hundreds of thousands of early adopters.
The embarrassing breach was, in a way, one of AT&T's own making.
When a 3G iPad visited AT&T's website, the iPad transmitted a unique ID number and generated a new URL for the AT&T site, which in turn called up the user information associated with that ID number from AT&T's databases.
By the time the AT&T website loaded onto the iPad, the user would see his own email address, which he'd provided when he set up the iPad, already filled in on an AT&T webpage.
Plugging in the data
In early June, two hackers from a rogue group called Goatse Security, or GoatSec, discovered that by randomly guessing iPad IDs and plugging them into the URL, they could trick the AT&T site into coughing up customers' email addresses.
They wrote a script for a computer and harvested 114,000 addresses — without ever breaking into anything or cracking a single password.
That last detail is important. Because of the way AT&T set up the service, the email addresses were already published and publicly available, though difficult to find.
An analogy would be a webpage that no other pages link to. If you know its URL, you can find it, but otherwise the page remains hidden.
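The design flaw described above, next to one way to close it, as an added example that is not code from AT&T, GoatSec or the original article. The device IDs, emails, server key, enrollment token scheme and per-client limit are all constructed assumptions for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: device ID -> email on file (not real values).
ACCOUNTS = {"DEV-0000001": "alice@example.com",
            "DEV-0000002": "bob@example.com"}
SERVER_KEY = b"constructed-demo-key"   # hypothetical server-side secret
MAX_DISTINCT_IDS = 3                   # hypothetical per-client limit


def prefill_vulnerable(device_id):
    """The design the article describes: knowing an ID is enough."""
    return ACCOUNTS.get(device_id)


def issue_token(device_id):
    """Secret handed to the device at enrollment, bound to its ID (assumed scheme)."""
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


class HardenedPrefill:
    """Requires proof beyond the ID and caps distinct IDs per client."""

    def __init__(self):
        self.seen = defaultdict(set)   # client address -> IDs it has tried

    def lookup(self, client, device_id, token):
        self.seen[client].add(device_id)
        if len(self.seen[client]) > MAX_DISTINCT_IDS:
            return None                # many different IDs from one client: stop answering
        expected = issue_token(device_id).encode()
        if not hmac.compare_digest(token.encode(), expected):
            return None                # the ID alone proves nothing
        return ACCOUNTS.get(device_id)
```

A legitimate device only ever presents its own ID, so the distinct-ID cap costs real users nothing while making guessed IDs stand out.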
GoatSec contended that it had simply found and compiled information that was already online. And that information was dynamite.
It included the email addresses of prominent politicians and business leaders, including New York City Mayor Michael Bloomberg, ABC news anchor Diane Sawyer, entertainment mogul Harvey Weinstein and Rahm Emanuel, the current mayor of Chicago, who was at the time President Barack Obama's White House chief of staff.
After harvesting the emails, GoatSec allegedly tried to contact several people on the list who had email addresses connected to media organizations, in hopes of publicizing the case in the media, but found no takers.
AT&T said that at this point it learned of the breach from a customer, presumably one who had been contacted by GoatSec.
Publicizing the breach, but not the data
GoatSec turned to the media-gossip blog Gawker, which broke the story on June 9, 2010, after having received the full list directly from GoatSec. AT&T had already closed the security hole the previous day.
Neither GoatSec nor Gawker ever publicly released the sensitive information. Nevertheless, federal prosecutors in January 2011 charged the two GoatSec members, Andrew Auernheimer (aka "weev") and Daniel Spitler (aka "JacksonBrown"), with conspiracy to access a computer without authorization, a violation of the Computer Fraud and Abuse Act (CFAA) of 1986, and fraud.
Spitler took a plea deal in June 2011, agreeing to help the prosecution in its case against Auernheimer. Auernheimer's trial began on Nov. 13 of this year and could end before Thanksgiving.
That short window has captured the attention of Internet activists and policy hounds. The case may finally bring clarity to the CFAA, a law that many activists and experts say contains overly broad language and a serious lack of definitions.
Critics say the CFAA casts too wide a net, punishing minor mischief-makers and shady, but ultimately helpful, bug hunters.
The CFAA makes it illegal to "access a computer without authorization or exceed authorized access ... from [a] protected computer."
That may have made sense in 1986, before the advent of the Internet, but today, it's incredibly vague.
As TechCrunch pointed out, a "protected computer," defined as any computer that affects "interstate commerce or communication," pretty much includes every device with a microprocessor and a network connection.
While that ambiguity may have gotten Auernheimer into his current situation, it could also get him out of it.
Did Auernheimer "access a computer without authorization" when he sent working URL requests to the publicly available login page? How does the law define "access?" Is it the police, AT&T or the individual iPad owners who grant authorization? It's not clear.
If the case isn't settled before Thursday, it could potentially go all the way to the Supreme Court.
So far, the Fourth and Ninth Circuit Courts of Appeal have given the law a narrow definition that would have excluded Auernheimer's actions from criminal liability. But the Fifth, Seventh and Eleventh Circuit courts allowed a broader interpretation.
Even if convicted, though, Auernheimer may still have the last move. GoatSec promised to release the keys to an encrypted "insurance file" if Auernheimer is convicted.
GoatSec said the information within is unrelated to the iPad incident, but beyond that, the contents are a mystery.
Follow Ben on Twitter @benkwx.