A security researcher who warned AT&T about a gaping hole in how the company’s website handles data requests from iPads will spend the next 41 months in jail for hacking, a judge ruled Monday according to Wired.
The so-called “hacker,” 26-year-old Andrew Auernheimer, discovered in 2010 that AT&T’s website was forking over email addresses for iPad users if a simple URL request included AT&T’s internal numbers used to identify specific iPads. He and a friend wrote a simple program that, much like a web browser, asks a publicly available server for information, and if the server responds it posts that information in a specified area. Then they hooked it up to a number randomizer and turned it lose.
As it turned out, the security flaw in AT&T’s iPad portal was so severe that his little program ended up netting email addresses for folks like former White House Chief of Staff Rham Emanuel, New York Times Co. CEO Janet Robinson and New York Mayor Michael Bloomberg, according to Gawker, which broke the story after receiving a cache of data from a source they were unable to fully identify. Others government officials as high up as DARPA and NASA were included in the breach.
Gawker’s source turned out to be Auernheimer and co-conspirator Daniel Spitler, 26, who only went to the media after sending a warning to AT&T about the security hole. Instead of being thankful for the warning, AT&T initially did nothing. Once details leaked, however, the hole was quickly closed. It wasn’t long thereafter that Auernheimer and Spitler were both hit with criminal charges.
“The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses,” AT&T alleged. “They then put together a list of these emails and distributed it for their own publicity.”
“It’s a fucking ludicrous charge,” Auernheimer told Venture Beat on Sunday. “The FBI has tried to frame me for terrorism five times, and by their own admission they’ve been surveilling me since I was 15 years old.”
Investigators ultimately obtained chat logs that feature Auernheimer and Spitler disparaging AT&T and saying they wanted to leak the information in part to promote their gray-hat hacker group Goatse Security, which has not been updated since May 2011.
“No matter what the outcome, I will not be broken,” Auerheimer wrote Monday morning. “I am antifragile.”
In the courtroom on Monday, a judge read out his sentence: 41 months in prison, three years on supervised release and $73,000 in fines.
“Auernheimer got a harder sentence than the Steubenville rapists,” tech reporter Tim Pool tweeted. “One journalist equated the prosecution of hackers to the Red Scare.”