News
4/11/2014 03:46 PM

Hacker Weev Free After Appeal

Andrew "Weev" Auernheimer, who embarrassed AT&T by exposing a security flaw, had his conviction overturned by a federal appeals court.

Andrew Auernheimer, better known on the Internet as "weev," has had his conviction vacated by a federal appeals court, righting what many advocacy groups regarded as an unfair conviction.

In 2010, Auernheimer and co-defendant Daniel Spitler found a way to harvest the email addresses of AT&T iPad owners from AT&T's website. An AT&T login page accepted the iPad's ICC-ID (the serial number of its SIM card) and pre-filled the form with the email address registered to that account. Because ICC-IDs are issued in predictable ranges, the pair could guess valid numbers, submit them with a script, and collect the addresses the server returned. In effect, this was security through obscurity: the only thing standing between an attacker and a customer record was a number that is neither secret nor random. The data was disclosed to Gawker, which published a redacted subset of the addresses and a few names of affected individuals.
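The flaw described above, modelled as an added example. This is illustrative code, not AT&T's or the defendants'; the subscriber records, passwords and ICC-ID block are constructed for the demonstration. The vulnerable handler treats the ICC-ID the device sends as proof of account ownership, so a scan over a block of numbers recovers every address in it. The hardened form releases the address only inside a session opened with a secret the account holder holds, takes the ICC-ID from that session rather than from the request, gives unknown IDs and wrong passwords the same answer and the same amount of work, and rate-limits failed logins per client so the same scan stalls after a few attempts.

```python
"""Identifier-as-credential (the AT&T iPad pattern) beside a hardened lookup.
Added, constructed example: none of the data or code here is AT&T's."""
import hashlib
import hmac
import secrets

# Constructed subscriber records: ICC-ID (SIM serial) -> registered e-mail.
SUBSCRIBERS = {
    "89014103211118510720": "alice@example.com",
    "89014103211118510721": "bob@example.com",
    "89014103211118510723": "carol@example.com",
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_credentials(passwords: dict) -> dict:
    """Constructed per-account secrets that the flawed endpoint never asked for."""
    creds = {}
    for iccid, pw in passwords.items():
        salt = secrets.token_bytes(16)
        creds[iccid] = (salt, _hash_password(pw, salt))
    return creds


CREDENTIALS = _make_credentials({
    "89014103211118510720": "alice-pass",
    "89014103211118510721": "bob-pass",
    "89014103211118510723": "carol-pass",
})
_DUMMY_SALT, _DUMMY_HASH = b"\0" * 16, b"\0" * 32  # constant work on unknown IDs


def vulnerable_prefill(iccid: str) -> dict:
    """The flawed endpoint: the ICC-ID the device sends is the only thing
    checked, so whoever can produce a valid number gets the address back.
    Knowing a number is not the same as owning the account."""
    email = SUBSCRIBERS.get(iccid)
    return {"status": 200, "email": email} if email else {"status": 404}


def enumerate_prefill(handler, start_iccid: str, count: int) -> dict:
    """Walk a contiguous block of ICC-IDs, as the script in the case did,
    keeping every address the handler hands back."""
    found, base = {}, int(start_iccid)
    for offset in range(count):
        candidate = str(base + offset)
        resp = handler(candidate)
        if resp.get("status") == 200:
            found[candidate] = resp["email"]
    return found


class HardenedService:
    """Hardened form: the address is released only inside a session opened
    with a secret the account holder holds; the ICC-ID comes from that session,
    never from the request; unknown IDs and bad passwords get the same answer
    and the same work; failed logins are rate-limited per client."""

    def __init__(self, subscribers: dict, credentials: dict, max_failures: int = 3):
        self._subscribers = subscribers
        self._credentials = credentials   # iccid -> (salt, pbkdf2 hash)
        self._sessions = {}               # session token -> iccid
        self._failures = {}               # client id -> failed login count
        self._max_failures = max_failures

    def login(self, client_id: str, iccid: str, password: str) -> dict:
        if self._failures.get(client_id, 0) >= self._max_failures:
            return {"status": 429}
        record = self._credentials.get(iccid)
        salt, expected = record if record else (_DUMMY_SALT, _DUMMY_HASH)
        matched = hmac.compare_digest(_hash_password(password, salt), expected)
        if record is None or not matched:
            self._failures[client_id] = self._failures.get(client_id, 0) + 1
            return {"status": 401}
        token = secrets.token_urlsafe(32)
        self._sessions[token] = iccid
        return {"status": 200, "session": token}

    def prefill(self, session_token: str) -> dict:
        iccid = self._sessions.get(session_token)
        if iccid is None:
            return {"status": 401}
        return {"status": 200, "email": self._subscribers[iccid]}


def run_demo() -> dict:
    start = "89014103211118510700"        # block covering the constructed IDs
    leaked = enumerate_prefill(vulnerable_prefill, start, 30)
    svc = HardenedService(SUBSCRIBERS, CREDENTIALS)
    # Same scan against the hardened endpoint: a bare ICC-ID is not a session.
    blocked = enumerate_prefill(svc.prefill, start, 30)
    # Guessing ICC-IDs at the login endpoint stalls after max_failures.
    guess_statuses = [svc.login("scanner", str(int(start) + i), "")["status"]
                      for i in range(6)]
    # The real account holder still gets the pre-filled address.
    owner = svc.login("alice-ipad", "89014103211118510720", "alice-pass")
    return {"leaked": leaked, "blocked": blocked,
            "guess_statuses": guess_statuses,
            "owner_email": svc.prefill(owner["session"])["email"]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The rate limit is the least important of the three fixes: it slows a scanner but does not stop one that spreads requests across many clients. The change that actually closes the hole is taking the account identity from an authenticated session instead of from a caller-supplied number.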

AT&T issued an apology and closed the hole. In 2012, Auernheimer was tried and convicted of identity fraud and conspiracy to gain unauthorized access to computers. In March 2013, he was sentenced to 41 months in prison.

The case against Auernheimer relied on the Computer Fraud and Abuse Act, the much-maligned law used to charge Aaron Swartz. Among other provisions, the law makes it illegal to intentionally access a computer without authorization. Critics consider the law overly broad because the statute fails to adequately define "without authorization."

Absent that definition, a prosecutor has the option to pursue felony charges against a person using a computer against the owner's wishes or when that use violates a private agreement. The US government has already brought CFAA charges against people for violating a terms of service agreement and for contravening corporate policy.

A further issue with the law is its harsh penalties. Even a first-time offender can face up to five years in prison for accessing a computer without authorization once the charge is brought as a felony, and the statute lets prosecutors upgrade the basic misdemeanor to a felony simply by alleging that the access also violated a state law, which is exactly what happened here. Were you to publish a person's home address through Twitter -- a terms of service violation -- a vindictive prosecutor could bring a CFAA charge and seek a five-year prison sentence. Other online actions that could, in theory, bring felony charges for computer abuse include: lying about your age on Facebook, posting impolite comments on The New York Times website, and misrepresenting your physical attractiveness on Craigslist.

Andrew Auernheimer, a.k.a. "weev" (Image: Wikipedia)

The appellate court that granted Auernheimer's appeal, the Third Circuit, did not rule on the CFAA question. Rather, it vacated the conviction because New Jersey was an improper venue for the prosecution.

Spitler was based in San Francisco, Calif., and Auernheimer was based in Fayetteville, Ark. The servers they accessed were located in Dallas, Texas, and Atlanta, Ga. Yet prosecutors had the trial conducted in New Jersey -- on the basis that some 4,500 New Jersey residents had had their email addresses exposed -- "to enhance the potential punishment from a misdemeanor to a felony," as the appeals court put it.

The ruling does contain a footnote to hearten those seeking to reform the CFAA: "We also note that in order to be guilty of accessing 'without authorization,' or 'in excess of authorization' under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access," it reads.

Noting the absence of evidence indicating that the defendants had breached a password-based barrier, the court found that the script used to access email addresses "simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published."

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comments
hho927
User Rank: Moderator
4/14/2014 | 7:16:56 PM
Re: ATT failed
We all know his intention was (fame) at others' casualties.

He's still responsible for it. He can't give the list to somebody else, have that third party post the list, and then claim 'I didn't do it'. Of course he knew the website was going to publish that list.
Thomas Claburn
User Rank: Author
4/14/2014 | 3:43:30 PM
Re: ATT failed
>He can't post private stuff on the internet without permission. People can sue him for $.

I don't believe he did. He allegedly provided the data to Gawker, which published redacted portions.
hho927
User Rank: Moderator
4/14/2014 | 3:04:43 PM
ATT failed
Clearly they (AT&T) didn't do "black box testing". They have to 'catch' bad inputs in their code. It's AT&T's responsibility.

The court got it right, Weev didn't hack. He didn't illegally access any system. He entered bad inputs and got outputs. There was no illegal activity.

However, he's irresponsible. He can't post private stuff on the internet without permission. People can sue him for $.
InsideStoryBook
User Rank: Apprentice
4/14/2014 | 2:05:28 AM
Weev is a raving anti-semite
I felt a kinship with this guy considering I fought the Feds on ridiculous charges and wound up with a 30 month sentence. Those feelings quickly vanished when I learned on Twitter he believes the Jews are responsible for 9/11, Heartbleed and made up the Holocaust.

If you want to know the truth about our "justice" system and the pathetic state of our prisons, go to www-inside-story-book.com
danielcawrey
User Rank: Ninja
4/12/2014 | 3:41:42 PM
Re: Heartbleed coincidence
This has a lot to do with how this data was leaked. I'm sure that being exposed on Gawker was a PR nightmare for AT&T in this instance. This guy obviously found a hole that could cause the company a lot of problems, and the issue at hand could have been exploited in some pretty bad ways.

Security researchers are doing good things, I just don't think that organizations like to see data exposed in subversive ways. There need to be some protections, however, for sure.
Thomas Claburn
User Rank: Author
4/11/2014 | 6:12:41 PM
Re: Heartbleed coincidence
Security researchers do fear being prosecuted in some instances. It's a real problem. The law needs to be clear so that people don't have to be afraid of prosecutorial overreach. 
Thomas Claburn
User Rank: Author
4/11/2014 | 6:07:15 PM
Re: convicted?
That should be "charged" not "convicted." Fixed now.
coding123
User Rank: Apprentice
4/11/2014 | 4:52:25 PM
Heartbleed coincidence
I find it interesting that in a lot of these "HACKER" labelings it seems almost as if there are people in authoritative positions who have control over (or are part of) law enforcement and who are simply "hating on" certain individuals simply because of how they look.

If you think about it, this case is not dissimilar to the Heartbleed issue. Should we now prosecute the researchers from Google that revealed Heartbleed? Wouldn't that be the fair thing to do?

They say that law/justice is blind - but it actually isn't because people decide to implement it WHEN they want. If we enacted every law on the books for everyone equally - we'd all be in prison (even the people in the government).
anon7694469560
User Rank: Apprentice
4/11/2014 | 4:26:53 PM
convicted?
Was Aaron Swartz "convicted," or merely charged with the statute used to convict this "weev" gentleman?