Hacker Weev Free After Appeal - InformationWeek

4/11/2014
03:46 PM

Hacker Weev Free After Appeal

Andrew "Weev" Auernheimer, who embarrassed AT&T by exposing a security flaw, had his conviction overturned by federal appeals court.

 

Andrew Auernheimer, better known on the Internet as "weev," has had his sentence overturned by a federal appeals court, righting what many advocacy groups regarded as an unfair conviction.

In 2010, Auernheimer and co-defendant Daniel Spitler found a way to access the email addresses of AT&T iPad owners through AT&T's website. By guessing unique hardware numbers associated with AT&T iPads and submitting those numbers to AT&T's website, the pair were able to get AT&T's servers to respond with iPad customers' email addresses. In effect, this was security through obscurity. The data was disclosed to Gawker, which published a redacted subset of the addresses and a few names of affected individuals.

AT&T issued an apology and closed the hole. In 2012, Auernheimer was tried and convicted of identity fraud and conspiracy to gain unauthorized access to computers. In March 2013, he was sentenced to 41 months in prison.

The case against Auernheimer relied on the Computer Fraud and Abuse Act, the much-maligned law used to charge Aaron Swartz. Among other provisions, the law makes it illegal to deliberately access a computer without authorization. Critics of the law consider it to be overly broad because the statute fails to adequately define "without authorization."

Absent that definition, a prosecutor has the option to pursue felony charges against a person using a computer against the owner's wishes or when that use violates a private agreement. The US government has already brought CFAA charges against people for violating a terms of service agreement and for contravening corporate policy.

A further issue with the law is its harsh penalties: First-time offenders can be sentenced to five years in prison for accessing a computer without authorization. Were you to publish a person's home address through Twitter -- a terms of service violation -- a vindictive prosecutor could bring a CFAA charge and seek a five-year prison sentence. Other online actions that could, in theory, bring felony charges for computer abuse include: lying about your age on Facebook, posting impolite comments on The New York Times website, and misrepresenting your physical attractiveness on Craigslist.

Andrew Auernheimer, a.k.a "weev" (Image: Wikipedia)

The appellate court granting Auernheimer's appeal did not focus on the CFAA. Rather, it found the government's decision to prosecute Auernheimer in New Jersey unacceptable.

Spitler was based in San Francisco, Calif., and Auernheimer was based in Fayetteville, Ark. The servers they accessed were located in Dallas, Texas, and Atlanta, Ga. Yet prosecutors had the trial conducted in New Jersey -- on the basis that some 4,500 New Jersey residents had had their email addresses exposed -- "to enhance the potential punishment from a misdemeanor to a felony," as the appeals court put it.

The ruling does contain a footnote to hearten those seeking to reform the CFAA: "We also note that in order to be guilty of accessing 'without authorization, or in excess of authorization' under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access," it reads.

Noting the absence of evidence indicating that the defendants had breached a password-based barrier, the court found that the script used to access email addresses "simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published."

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
Thomas Claburn,
User Rank: Author
4/14/2014 | 3:43:30 PM
Re: ATT failed
>He can't post private stuff on the internet without permission. People can sue him for $.
 
 I don't believe he did. He allegedly provided the data to Gawker, which published redacted portions.
Thomas Claburn,
User Rank: Author
4/11/2014 | 6:12:41 PM
Re: Heartbleed coincidence
Security researchers do fear being prosecuted in some instances. It's a real problem. The law needs to be clear so that people don't have to be afraid of prosecutorial overreach. 
Thomas Claburn,
User Rank: Author
4/11/2014 | 6:07:15 PM
Re: convicted?
That should be "charged" not "convicted." Fixed now.