The decision handed down by a federal judge in a Newark, New Jersey courtroom on Monday to sentence Andrew Auernheimer (aka “Weev”) to 41 months in prison and a $70,000 fine set a dangerous legal precedent. It also sent a warning shot to tens of thousands of IT professionals who might be inclined to take note of a glaring web site vulnerability or an exploitable security hole in a piece of software.
True, it's easy not to like Auernheimer, the 27-year-old “marketer,” “hacker” and “visionary.” As a member of the group Goatse Security, Weev was the epitome of what lawyers call the “unsympathetic defendant” -- callous, arrogant and ravenous for attention. In interviews with leading publications like The New York Times and CNET, he bragged about his online exploits and made clear that there was no purpose to the work other than his own amusement.
The government’s criminal complaint makes ample note of these statements, including an August 2008 interview with The New York Times, where Auernheimer is quoted saying "I hack, I ruin, I make piles of money. I make people afraid for their lives. Trolling is basically Internet eugenics.”
Not to put too fine a point on it, but Weev was an Internet troll who took great delight in humiliating his victims - whether they be individuals or multinational corporations. But what was his crime? The government said it was “hacking” AT&T’s web site. The truth is that Weev and his accomplice used a poorly designed AT&T web site feature to collect the e-mail addresses of more than a hundred thousand AT&T customers who were iPad 3G users. That list included VIPs in the U.S. government, the media and entertainment industries.
Weev has contended that he was merely trying to “help” AT&T fix its sites, all the while making public and private statements that made that argument hard to swallow.
For example, IRC chat logs obtained by the government make clear that, upon learning of the vulnerability from fellow Goatse member Daniel Spitler (aka “Jacksonbrowne”), Weev’s first thought was about using it to get some media attention for himself and Goatse.
“loool thats hilarious HILARIOUS oh man now this is big media news ... is it scriptable?”
In successfully prosecuting him under the Computer Fraud and Abuse Act (CFAA), however, the U.S. government created a lot more problems for society than it solved by taking Weev out of circulation for a few years.
For one thing, its case against him puts a legal shield in front of wealthy corporations that choose not to use due care with their customers’ data, while punishing anyone who has the temerity to point it out. The data collected by Weev and his accomplices was, after all, publicly accessible through an API (application programming interface) that AT&T published and that was accessible from its web page.
Through all the hyperbole and the talk of embarrassing AT&T, Weev and his accomplices have been clear on the fact that they never hacked AT&T - they merely scraped customer data from a site using a feature AT&T itself created. In his first mention of the “hack,” Spitler sums it up this way: “if you enter valid ICCIDs in this website you can get iPad subscriber email addresses.” It’s important to note that he doesn’t think much of that vulnerability at the time - e-mail addresses aren’t much of a catch, anyway. “I don’t see the point unless we phish for passes even then that's boring,” he’s quoted as saying in an IRC chat.
True, AT&T didn’t intend to enable anyone to download a list of all its iPad customers. But it didn’t explicitly try to prevent that from happening, either. Rather, it assumed the ICCIDs - the unique identifiers that Apple used for each device - would be too complex for anyone to figure out how to generate on their own when, in fact, they weren’t complex at all. AT&T was, in short, lazy - or incompetent. Or both. Its customers’ data was put at risk, and needlessly so.
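The design flaw described above is a familiar one: a lookup endpoint that hands back a customer record to anyone who supplies a syntactically valid, guessable identifier, with the identifier doing double duty as the only proof of entitlement. The following is an added illustration, not code from the article or from AT&T; it models the weak design beside a hardened one in a self-contained Python simulation. The ICCID-like values, e-mail addresses, per-device secrets and the `HardenedLookup` API are all constructed for this example. The hardened version requires the caller to prove possession of a secret provisioned to the device (a challenge-response over a single-use nonce) and throttles repeated failures per client, so that being able to generate valid-looking identifiers no longer yields anyone else's data.

```python
"""Added example: identifier-only lookup (weak) versus possession-proof lookup (hardened).

Everything here is simulated in memory; no network calls are made. The customer
table, device secrets and identifier format are constructed sample data.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Constructed sample data: sequential identifiers mapped to e-mail addresses.
CUSTOMERS: Dict[str, str] = {
    "89014104000000000001": "alice@example.com",
    "89014104000000000002": "bob@example.com",
    "89014104000000000003": "carol@example.com",
}

# Constructed per-device secrets; in a real deployment these would be
# provisioned to the device out of band and never exposed through the API.
DEVICE_SECRETS: Dict[str, bytes] = {
    iccid: secrets.token_bytes(32) for iccid in CUSTOMERS
}


def weak_lookup(iccid: str) -> Optional[str]:
    """The flawed design: the identifier alone is treated as authorization.

    Because the identifiers are sequential, every record is reachable by
    anyone who can count, which is the property the article describes.
    """
    return CUSTOMERS.get(iccid)


def make_proof(secret: bytes, iccid: str, nonce: str) -> str:
    """Client-side proof of possession: HMAC over the identifier and a server nonce."""
    return hmac.new(secret, f"{iccid}:{nonce}".encode(), hashlib.sha256).hexdigest()


class HardenedLookup:
    """Lookup that requires proof of possession and rate-limits failures per client."""

    def __init__(self, device_secrets: Dict[str, bytes],
                 max_failures: int = 5, window: float = 60.0) -> None:
        self._secrets = device_secrets
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(list)   # client_ip -> timestamps of failures
        self._nonces = set()                 # outstanding single-use challenges

    def challenge(self) -> str:
        """Issue a fresh nonce; each one may be used for exactly one lookup attempt."""
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def _throttled(self, client_ip: str, now: float) -> bool:
        recent = [t for t in self._failures[client_ip] if now - t < self.window]
        self._failures[client_ip] = recent
        return len(recent) >= self.max_failures

    def lookup(self, iccid: str, nonce: str, proof: str, client_ip: str,
               now: Optional[float] = None) -> Tuple[str, Optional[str]]:
        """Return ("ok", email), ("denied", None) or ("throttled", None)."""
        now = time.monotonic() if now is None else now
        if self._throttled(client_ip, now):
            return ("throttled", None)
        # Unknown or reused nonce counts as a failure; discarding it prevents replay.
        if nonce not in self._nonces:
            self._failures[client_ip].append(now)
            return ("denied", None)
        self._nonces.discard(nonce)
        secret = self._secrets.get(iccid)
        expected = make_proof(secret, iccid, nonce) if secret else ""
        # Constant-time comparison so timing does not reveal a near miss.
        if secret is None or not hmac.compare_digest(expected, proof):
            self._failures[client_ip].append(now)
            return ("denied", None)
        return ("ok", CUSTOMERS.get(iccid))


if __name__ == "__main__":
    target = "89014104000000000002"
    print("weak:", weak_lookup(target))          # leaks without any proof
    svc = HardenedLookup(DEVICE_SECRETS)
    n = svc.challenge()
    print("hardened, no secret:", svc.lookup(target, n, "guess", "10.0.0.1"))
    n = svc.challenge()
    p = make_proof(DEVICE_SECRETS[target], target, n)
    print("hardened, with proof:", svc.lookup(target, n, p, "10.0.0.1"))
```

The throttle and the single-use nonce are what turn a bulk collection problem into a per-device one: even a client that can produce every valid identifier learns nothing without the matching device secret, and a burst of failed attempts from one address is both blocked and visible in the failure log for monitoring.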
As we know, vulnerabilities in poorly crafted, web-facing applications like that are... well... everywhere. Responsible security researchers and other right-minded citizens, upon finding such gaping holes, don’t usually run to the media about it, as Weev did. Responsible security researchers disclose it privately to the company and give them the opportunity to fix it before publicizing their find - if they publicize it at all.
But now? It’s not unreasonable to assume that even a well-meaning researcher will think twice about making any mention of a security hole, for fear of being labeled a malicious hacker and finding himself or herself in a mess of legal trouble. Last month, we wrote about how the Obama Administration was carving out a huge loophole for commercial software publishers even as it talked up the need for better protections for critical infrastructure. Windows can’t count as critical infrastructure, even if the Windows-based HMI system that manages a power plant is.
Now, by sanctioning poor application development and criminalizing what many would consider consumer advocacy, federal prosecutors have created a potent legal protection for businesses with shoddy practices that might otherwise face scrutiny for failing to live up to pledges to protect their customers. That’s a loss for all of us that will be felt long after Weev is back on the streets.