
Hacker involved in AT&T iPad 3G e-mail breach sentenced to 41 months in jail

post #1 of 65
Thread Starter 
The hacker who helped to obtain and disclose more than 100,000 iPad 3G users' e-mails from AT&T in 2010 was sentenced on Monday to 41 months in prison.

Andrew Auernheimer, known by his handle "weev," is also required to share in a $73,000 restitution payment to AT&T, according to The Verge. Following his prison term, Auernheimer will also be subject to three years of supervised release.

Andrew Auernheimer's booking photo, via the Washington County Detention Center.


Prior to the sentencing on Monday, he held a press conference on the steps of the courthouse where Auernheimer told the media that he was "going to jail for doing arithmetic." He was also cuffed by authorities in a struggle over his tablet.

Before the sentencing, prosecutors cited an "Ask Me Anything" he took part in on the popular user-driven news curation website Reddit. In the question-and-answer session held yesterday, Auernheimer said he would like to return to the state of Arkansas, but he doesn't believe the U.S. government would allow him because of what he described as his "extensive Militia connections."

In another post, he said his only "regret" was being "nice enough" to AT&T to allow them to patch the issue before he alerted the media site Gawker of his actions. He then warned: "I won't nearly be as nice next time."

"Weev" was originally arrested on drug charges in June of 2010. The FBI began searching for him after it was revealed that a security hole on AT&T's website led to iPad 3G users' e-mails being leaked.
post #2 of 65

What a jackass.

 

Have fun in jail.

 

Maybe he can continue doing "arithmetic" in jail, where he can mark off the days by making scratches on the wall.

 

Just prior to the judge's reading of the sentence, Auernheimer was cuffed by agents in a struggle over his tablet. Under the terms of his pre-sentence parole, Auernheimer was unable to use a computer with a keyboard. 

 

I wonder which "tablet" he was using? I would guess an Android tablet.

post #3 of 65
That's similar to Kevin Mitnick:

He was sentenced to 46 months in prison plus 22 months for violating the terms of his 1989 supervised release sentence for computer fraud.
I’d rather have a better product than a better price.
post #4 of 65
Quote:
Originally Posted by Apple ][

I wonder which "tablet" he was using? I would guess an Android tablet.

Why do you think it was an Android tablet?
I’d rather have a better product than a better price.
post #5 of 65
Quote:
Originally Posted by AppleInsider

Prior to the sentencing on Monday, he held a press conference on the steps of the courthouse where Auernheimer told the media that he was "going to jail for doing arithmetic

I suppose Bernie Madoff could use the same excuse for cooking his accounting documents.
Quote:
"I won't nearly be as nice next time."


This bot has been removed from circulation due to a malfunctioning morality chip.

post #6 of 65
Quote:
Originally Posted by PhilBoogie

Why do you think it was an Android tablet?

I don't know for sure, but if it was an iPad, then why wouldn't it say that in the text which I quoted?

 

The usage of the word tablet leads me to believe that there is a greater possibility that it was something like an Android tablet instead. And also, I believe that criminal, hacker types of people, the kind who are losers and like to tinker with things instead of doing anything actually useful, are more attracted to an anything-goes platform, such as Android.

post #7 of 65
This is a serious injustice. He queried a publicly accessible database at AT&T and it freely gave him the email addresses. Anyone could have done it. He's paying the penalty for AT&T's own lack of security.
post #8 of 65
Quote:
Originally Posted by popnfresh

This is a serious injustice. He queried a publicly accessible database at AT&T and it freely gave him the email addresses. Anyone could have done it. He's paying the penalty for AT&T's own lack of security.

That's like saying you are allowed to take money out of a company's cash register because it popped open once you paid for something, or steal a car because you found the keys on the street.

post #9 of 65
Quote:
Originally Posted by popnfresh

This is a serious injustice. He queried a publicly accessible database at AT&T and it freely gave him the email addresses. Anyone could have done it. He's paying the penalty for AT&T's own lack of security.

Auernheimer and 27-year-old Daniel Spitler (who accepted a plea bargain last year) wrote a script that randomly pinged AT&T's website with ICC-IDs

 

So if you drop your ATM card on the street, and I pick it up and figure out your pin code, it's ok for me to access your account?

 

This dipshit intentionally went and stole the info of 114,000 iOS users. Yes, AT&T was lax in their security, but that is no excuse for thievery.

post #10 of 65
Quote:
Originally Posted by popnfresh

This is a serious injustice. He queried a publicly accessible database at AT&T and it freely gave him the email addresses. Anyone could have done it. He's paying the penalty for AT&T's own lack of security.

Interesting argument. What do you mean by "publicly accessible"? My bank offers a "publicly accessible" user access online but you have to have the proper credentials to access that info. If someone breaks into my account and posts my personal, private info can they really use the excuse that it was accessible by the public?

This bot has been removed from circulation due to a malfunctioning morality chip.

post #11 of 65

I once read that internet speed is slowed down by ~30% because there is so much anti-virus, anti-spyware, etc., needed to protect us from goofballs like this.

 

See you in 4 years....dude....

post #12 of 65
Quote:
Originally Posted by Apple ][

Auernheimer and 27-year-old Daniel Spitler (who accepted a plea bargain last year) wrote a script that randomly pinged AT&T's website with ICC-IDs

 

So if you drop your ATM card on the street, and I pick it up and figure out your pin code, it's ok for me to access your account?

 

This dipshit intentionally went and stole the info of 114,000 iOS users. Yes, AT&T was lax in their security, but that is no excuse for thievery.

If he only accessed the database without actually publishing the contents then there would be no jail time, maybe even a small reward for helping AT&T plug the hole. He wanted to prove how smart he was to the world and that is what got him in trouble.

Life is too short to drink bad coffee.

post #13 of 65
This guy did what you are doing right now on this forum. For example, if you request http://forums.appleinsider.com/t/156530/ you are brought to this forum. All he did was change the number so instead he requested http://forums.appleinsider.com/t/156531/ and was returned someone else's email address. The problem is AT&T did not have any authorization protection. You did not need any username or password combination to access this. It was open to the entire internet to request at any time. 41 months in jail for requesting a link with a changed number makes no sense, nor did he actually hack anything. AT&T just failed to protect this list by placing some authorization check before returning the data.
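An added example, not from this thread and not AT&T's code, modelling the missing check that post #13 describes: a lookup that answers for whatever ID is in the request, beside one that only releases a record to the authenticated subscriber who owns it, plus a log check a defender could run to spot a client sweeping through sequential IDs. The directory, session tokens and log lines are constructed sample data, and the session store is a hypothetical stand-in for the site's real login.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Subscriber:
    icc_id: str
    email: str


# Constructed sample directory. The keys are sequential ICC-IDs, which is
# what made the unprotected lookup walkable by changing one number.
DIRECTORY = {
    "8901410000000000001": Subscriber("8901410000000000001", "alice@example.com"),
    "8901410000000000002": Subscriber("8901410000000000002", "bob@example.com"),
    "8901410000000000003": Subscriber("8901410000000000003", "carol@example.com"),
}

# Constructed session store (hypothetical): opaque session token -> ICC-ID of
# the subscriber who logged in. It stands in for whatever login the site has.
SESSIONS = {
    "tok-alice": "8901410000000000001",
    "tok-bob": "8901410000000000002",
}


def lookup_vulnerable(icc_id: str) -> Optional[str]:
    """The pattern post #13 describes: the ID in the request is the only
    input, so any caller who supplies a valid ICC-ID gets the e-mail."""
    sub = DIRECTORY.get(icc_id)
    return sub.email if sub else None


def lookup_hardened(session_token: Optional[str], icc_id: str) -> tuple[int, Optional[str]]:
    """Returns (HTTP status, body). The record is released only when the
    caller is authenticated AND the requested ICC-ID is the one bound to that
    session. "Not found" and "not yours" both answer 404 so the endpoint
    cannot be used to confirm which ICC-IDs exist."""
    owner = SESSIONS.get(session_token) if session_token else None
    if owner is None:
        return 401, None  # no valid session: authentication required
    if icc_id != owner:
        return 404, None  # authenticated, but not the caller's own record
    sub = DIRECTORY.get(icc_id)
    if sub is None:
        return 404, None
    return 200, sub.email


# Constructed access-log lines: client IP, requested ICC-ID, response status.
SAMPLE_LOG = """\
198.51.100.10 8901410000000000001 200
203.0.113.7 8901410000000000001 200
203.0.113.7 8901410000000000002 200
203.0.113.7 8901410000000000003 200
203.0.113.7 8901410000000000004 404
198.51.100.10 8901410000000000001 200
"""


def flag_enumerators(log_text: str, threshold: int) -> set[str]:
    """Clients that asked about more than `threshold` distinct ICC-IDs.
    A subscriber checks one or two of their own IDs; a sweep through
    sequential IDs, as in the breach, touches many and also draws 404s."""
    seen: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ip, icc_id, _status = parts
        seen.setdefault(ip, set()).add(icc_id)
    return {ip for ip, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("8901410000000000002"))
    print("hardened, no session:", lookup_hardened(None, "8901410000000000002"))
    print("hardened, own record:", lookup_hardened("tok-bob", "8901410000000000002"))
    print("hardened, other record:", lookup_hardened("tok-alice", "8901410000000000002"))
    print("sweeping clients:", flag_enumerators(SAMPLE_LOG, threshold=2))
```

The ownership check, not the login alone, is what closes the hole: a logged-in user who can still request any ID has gained nothing over the anonymous caller.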
post #14 of 65
He might end up wearing a 'weev' along with some lipstick.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #15 of 65
Quote:
Originally Posted by mstone

If he only accessed the database without actually publishing the contents then there would be no jail time, maybe even a small reward for helping AT&T plug the hole. He wanted to prove how smart he was to the world and that is what got him in trouble.

 

Finally, someone with a rational reply to the situation.  It's amazing the knee-jerk responses I've seen in regard to this case, largely due to the fact that this guy seems to really wind people up with the things he says, and most people don't understand what he actually did.

 

The fundamental question is: does posting people's email information on the Internet warrant a sentence longer than most rapists get?  Given the effects of both actions on people's lives when it comes down to it (a lifetime of mental anguish vs possibly more spam in people's email accounts).

 

No question the guy deserves to be punished.  But 41 months seems relatively excessive IMO.

post #16 of 65
He basically found the security hole and told AT&T what he did. I think naively he thought AT&T would thank him and he would become a hero of some sort, or become a security "expert" by handing over the e-mail list to Gawker.

I wonder if he had not handed the e-mail list to anybody, and just demonstrated the security holes, would he still be put in jail for "unauthorized access"?

I mean if he didn't tell AT&T or Gawker, he might sell the e-mail list to the highest bidder and nobody would even know.
post #17 of 65
Quote:
Originally Posted by auxio

The fundamental question is: does posting people's email information on the Internet warrant a sentence longer than most rapists get?  Given the effects of both actions on people's lives when it comes down to it (a lifetime of mental anguish vs possibly more spam in people's email accounts).

 

A rape is just one person getting violated. This guy electronically violated the info of 114,000 people. 

 

And just because some rapists might get off light, that doesn't mean that this guy's sentence was too harsh. I support the death penalty for rape, and I don't believe that this guy's sentence was too harsh.

post #18 of 65
Quote:
Originally Posted by Apple ][
A rape is just one person getting violated. This guy electronically violated the info of 114,000 people. 

 

The two aren't comparable in the slightest. Not your way, not his. 

post #19 of 65
Quote:
Originally Posted by Apple ][

I don't know for sure, but if it was an iPad, then why wouldn't it say that in the text which I quoted?

The usage of the word tablet leads me to believe that there is a greater possibility that it was something like an Android tablet instead. And also, I believe that criminal, hacker types of people, the kind who are losers and likes to tinker with things instead of doing anything actually useful are more attracted to an anything goes platform, such as Android.

Says here that it wasn't a tablet, but a phone he was using when being cuffed:
http://www.wired.com/threatlevel/2013/03/att-hacker-gets-3-years/

"The judge handed down the sentence following a minor skirmish in the courtroom when the defendant, Andrew Auernheimer, aka Weev, was pinned and cuffed. Auernheimer was reportedly asked to hand the court a mobile phone he had with him during the hearing, and after handing it to his defense attorney instead, court agents cuffed him."

'The internet, so much info, so little to be found'

While I understand your thinking that he might be using an 'anything goes' platform, it looks like he wrote the script on a PC. Whatever model / OS that might have been...
I’d rather have a better product than a better price.
post #20 of 65
Quote:
Originally Posted by auxio

The fundamental question is: does posting people's email information on the Internet warrant a sentence longer than most rapists get?

If we're talking one account violation v. one rape incident then I don't think even Apple ][, who typically is all-or-nothing when it comes to enforcing the law, would say they should be treated the same. However, we're talking about over 100k incidences. How long is the typical imprisonment for a violent crime? I don't think 41 months is too long for a violent crime, especially one that is likely pre-meditated, but let's say it's exactly one-half. Is 1/50,000th that of the rape punishment too much? Doesn't sound like it to me.

Also, what struck me are his comments about "next time." Can you imagine a rapist saying "I won't nearly be as nice next time."

This bot has been removed from circulation due to a malfunctioning morality chip.

post #21 of 65
Quote:
Originally Posted by PhilBoogie

Says here that it wasn't a tablet, but a phone he was using when being cuffed:
http://www.wired.com/threatlevel/2013/03/att-hacker-gets-3-years/

"The judge handed down the sentence following a minor skirmish in the courtroom when the defendant, Andrew Auernheimer, aka Weev, was pinned and cuffed. Auernheimer was reportedly asked to hand the court a mobile phone he had with him during the hearing, and after handing it to his defense attorney instead, court agents cuffed him."

'The internet, so much info, so little to be found'

While I understand your thinking that he might be using an 'anything goes' platform, it looks like he wrote the script on a PC. Whatever model / OS that might have been...

 

My quote came from the Verge, so either Wired has it wrong or the Verge does.

 

Or maybe it was one of those phablets, and that could possibly explain the confusion, with one source calling it a phone and the other source calling it a tablet?

post #22 of 65
Quote:
Originally Posted by SolipsismX
Also, what struck me are his comments about "next time." Can you imagine a rapist saying "I won't nearly be as nice next time."

 

Sounds to me like someone who needs to be jailed for life.

 

He has stated, on the record, that he has zero intention of not performing illegal activity in the future. That's fine; now you don't even get the CHANCE to do it.

post #23 of 65
Quote:
Originally Posted by SolipsismX

Also, what struck me are his comments about "next time." Can you imagine a rapist saying "I won't nearly be as nice next time."

 

Yeah, the guy definitely comes off as a douche with his comments. The judge should add to his sentence just for his douchebag comments. And you are correct, not even Apple ][ thinks that rapists and hackers should be treated the same or that their crimes are equal. 

post #24 of 65
Quote:
Originally Posted by Apple ][

A rape is just one person getting violated. This guy electronically violated the info of 114,000 people. 

 

And just because some rapists might get off light, that doesn't mean that this guy's sentence was too harsh. I support the death penalty for rape, and I don't believe that this guy's sentence was too harsh.

 

If you read the details, it was only email addresses (not credit card information or the like, which could be used for fraud or identity theft).

 

For sure he deserves to spend a fair bit of time thinking about what he did and why it's wrong (he clearly doesn't have an understanding of that at the moment).  And I agree on stronger sentences for rapists (though I don't believe in the death penalty, but that's a different topic).  However, ideal world aside, given the current precedents set for the measure of punishment relative to the severity of the crime in our legal system, this is a harsh sentence.

 
post #25 of 65
Quote:
Originally Posted by Tallest Skil

Sounds to me like someone who needs jailed for life.

 

He has stated, on the record, that he has zero intention of not performing illegal activity in the future. That's fine; now you don't even get the CHANCE to do it.

 

At the very least, I think that he should be banned from ever using any computer device for as long as he lives. No desktop, no laptop, no tablet, no phone, not even an Apple TV. He shouldn't even be allowed to own a microwave, if it has a CPU chip inside of it.

post #26 of 65
Quote:
Originally Posted by Apple ][
At the very least, I think that he should be banned from ever using any computer device for as long as he lives. No desktop, no laptop, no tablet, no phone, not even an Apple TV. He shouldn't even be allowed to own a microwave, if it has a CPU chip inside of it.

 

That's the problem. The second he's out, he'll just go to a computer cafe and buy one of his own. Letting him out does absolutely nothing. He WILL not only use computing devices, he'll own a ton of them. As many as he wants.

post #27 of 65
Quote:
Originally Posted by Tallest Skil

That's the problem. The second he's out, he'll just go to a computer cafe and buy one of his own. Letting him out does absolutely nothing. He WILL not only use computing devices, he'll own a ton of them. As many as he wants.

He was already forbidden from using computers.

 

Under the terms of his pre-sentence parole, Auernheimer was unable to use a computer with a keyboard. 

 

That sounds very vague and they should make it stricter if he's let out in the future and is on parole.

post #28 of 65
Quote:
Originally Posted by SolipsismX

If we're talking one account violation v. one rape incident then I don't think even Apple ][, who typically is all-or-nothing when it comes to enforcing the law, would say they should be treated the same. However, we're talking about over 100k incidences. How long is the typical imprisonment for a violent crime? I don't think 41 months is too long for a violent crime, especially one that is likely pre-meditated, but let's say it's exactly one-half. Is 1/50,000th that of the rape punishment too much? Doesn't sound like it to me.

Also, what struck me are his comments about "next time." Can you imagine a rapist saying "I won't nearly be as nice next time."

 

Consider that a bot which scours the Internet harvesting email addresses for the purpose of spamming (or information sale) can collect far more email addresses than that in just a few hours.  In fact, it wouldn't surprise me if many such bots have harvested the exact same email addresses he did based on how easy it was to obtain them.

 

But regardless, he did what he did (harvested and published information which was not his to do so with), and shows no understanding of why that's wrong.  Hence he deserves to be punished.  However, I still hold to my original point: the punishment does not fit the crime (relative to the current precedent set for other crimes).

 
post #29 of 65
Quote:
Originally Posted by joelsalt

That's like saying you are allowed to take money out of a company's cash register because it popped open once you paid for something, or steal a car because you found the keys on the street.

It's not even remotely like that. It's more like if you called up someone at AT&T and said "hey, give me the email addresses of all the iPad users" and they did. Yes, it's that simple.
post #30 of 65
Quote:
Originally Posted by Apple ][

At the very least, I think that he should be banned from ever using any computer device for as long as he lives. No desktop, no laptop, no tablet, no phone, not even an Apple TV. He shouldn't even be allowed to own a microwave, if it has a CPU chip inside of it.

 

This is where I absolutely agree with you.  Instead of lengthy prison time, where he'll likely just make connections with organized crime and become a black hat hacker when he gets out, why not just cut off his access to any device with Internet access for anything other than legitimate work (where usage would be closely monitored)?  That would be a far more effective punishment IMO.

 
post #31 of 65
Quote:
Originally Posted by SolipsismX

Interesting argument. What do you mean by "publicly accessible"? My bank offers a "publicly accessible" user access online but you have to have the proper credentials to access that info. If someone breaks into my account and posts my personal, private info can they really use the excuse that it was accessible by the public?

He wrote a script that queried a database with a public portal. It was nothing like hacking into someone's bank account. No passwords were involved. AT&T simply gave him the email addresses the script asked for.
post #32 of 65
Quote:
Originally Posted by auxio

Consider that a bot which scours the Internet harvesting email addresses for the purpose of spamming (or information sale) can collect far more email addresses than that in just a few hours.  In fact, it wouldn't surprise me if many such bots have harvested the exact same email addresses he did based on how easy it was to obtain them.

Are these other bots grabbing email addresses freely published to the internet, or using subversive methods to find back doors into private areas to harvest these numbers? It sounds like arguing that a guy who breaks into a home to steal jewelry is just as guilty as someone who scours the streets after Mardi Gras looking for jewelry someone left behind on the street. They seem very different to me.
Quote:
Hence he deserves to be punished.  However, I still hold to my original point: the punishment does not fit the crime (relative to the current precedent set for other crimes).

I understand what you're saying but I think the first and second part of your comment are illogically stated. For it to be true you have to concede that the precedents set for other crimes are fair and just. I don't think I could make that statement, especially if we're talking about someone doing a violent crime such as rape and getting less than 41 months.

This bot has been removed from circulation due to a malfunctioning morality chip.

post #33 of 65
Quote:
Originally Posted by popnfresh

He wrote a script that queried a database with a public portal. It was nothing like hacking into someone's bank account. No passwords were involved. AT&T simply gave him the email addresses the script asked for.

Define public portal. Meaning this was a well known site that any ICC-ID inputted that matched an account would spit back the email address? If so, then you may have a good counter-argument, but I have to wonder why his defense attorney was so inept at proving that point and why you didn't start off your comments here with better argument.

This bot has been removed from circulation due to a malfunctioning morality chip.

post #34 of 65
Quote:
Originally Posted by Apple ][

Auernheimer and 27-year-old Daniel Spitler (who accepted a plea bargain last year) wrote a script that randomly pinged AT&T's website with ICC-IDs

So if you drop your ATM card on the street, and I pick it up and figure out your pin code, it's ok for me to access your account?

This dipshit intentionally went and stole the info of 114,000 iOS users. Yes, AT&T was lax in their security, but that is no excuse for thievery.

If you dropped your ATM card on the street, a hacker would still need your password for it to be of any use. AT&T's database didn't require anyone's password. It just handed out the email addresses when his script asked for them with ID numbers.

Auernheimer is going to appeal this ruling, and he'll probably win.
post #35 of 65
Quote:
Originally Posted by SolipsismX

Define public portal. Meaning this was a well known site that any ICC-ID inputted that matched an account would spit back the email address? If so, then you may have a good counter-argument, but I have to wonder why his defense attorney was so inept at proving that point and why you didn't start off your comments here with better argument.

That's exactly what happened. His script inputted ICC-IDs, and the database handed him the email addresses. It was ridiculously easy, not rocket science. AT&T deserved to be bitch-slapped over this. But instead they threw the book at Auernheimer.

I agree that his attorney dropped the ball. But even the prosecution admitted that they had little understanding of how computers worked. If anything, it appears that Auernheimer was convicted because of computer illiteracy on everyone's part.
post #36 of 65
Quote:
Originally Posted by popnfresh

That's exactly what happened. His script inputted ICC-IDs, and the database handed him the email addresses. It was ridiculously easy, not rocket science. AT&T deserved to be bitch-slapped over this. But instead they threw the book at Auernheimer.

OK, I can see a strong case for your point but I really think you didn't present your case very well. I asked a question which you replied to in post number 35 as being what happened.

If there was no actual digital "breaking and entering" I can completely side with you and auxio's comments about it being too harsh. In fact, I don't see how any jail time would be required or why this is even a criminal case if what you now present is correct.

Honestly I've done more loophole exploitations with my school's network in the form of trying to get certain internet-based services to work in a controlled environment.

This bot has been removed from circulation due to a malfunctioning morality chip.

post #37 of 65

Mr Auernheimer is about to experience the mother-of-all-backdoor-intrusions.

 

Probably with full nine and a half inch key encryption.

 

Ouch.


Edited by GTR - 3/18/13 at 3:23pm
Smoke me a kipper. I'll be back for breakfast.
post #38 of 65
Quote:
Originally Posted by SolipsismX

Honestly I've done more loophole exploitations with my school's network in the form of trying to get certain internet-based services to work in a controlled environment.

You had internet at school?
I’d rather have a better product than a better price.
post #39 of 65
Quote:
Are these other bots grabbing email addresses freely published to the internet, or using subversive methods to find back doors into private areas to harvest these numbers? It sounds like arguing that a guy who breaks into a home to steal jewelry is just as guilty as someone who scours the streets after Mardi Gras looking for jewelry someone left behind on the street. They seem very different to me.

 

Most of those bots are designed to search through online forums and listserv archives, so they'd likely have algorithms to iterate through the numbers at the end of a URL in order to quickly scan through such databases (functionally identical to what was done here).  However, I agree that the difference is the 'intent', which is where I have no qualm with lack of punishment for those who set up bots as compared to what was done here.

 

I was mainly bringing it up to combat your point of the crime being considered 100k instances of the crime when, in reality, it was one action/intent which led to that many email addresses being harvested.  It's not like he came up with 100k ways to access that many different databases.

Quote:
I understand what you're saying but I think the first and second part of your comment are illogically stated. For it to be true you have to concede that the precedents set for other crimes are fair and just. I don't think I could make that statement, especially if we're talking about someone doing a violent crime such as rape and getting less than 41 months.

 

And again, I can agree with that point.  Violent crime deserves a larger punishment.  That's what's fair and just in an ideal world.  In the real world, where legal precedent plays a major factor in sentencing, this is the typical sentence which is handed out based on what I've heard (3-5 years on average for a first offence).  The best I could do with a quick Google search to back that up was this bit of information about rape sentences in California.  8 years maximum if it's a first offence and no weapons are involved.

 
post #40 of 65
Quote:
Originally Posted by PhilBoogie

You had internet at school?

Yes, but we called it a library back then and websites were referred to as books.

Seriously though, I wasn't clear. I mean in college courses I took for fun in the last few years.

This bot has been removed from circulation due to a malfunctioning morality chip.
