A federal judge has sentenced Andrew Auernheimer to 41 months in prison following his conviction last year for discovering and exploiting a weakness on the website of AT&T that allowed him and a co-conspirator to obtain data on roughly 120,000 Apple iPad users, including politicians and celebrities.
In June 2010, prosecutors said Auernheimer, also known by his online alias "weev," and Daniel Spitler, both part of the gray-hat hacker outfit Goatse Security, accessed email addresses, unique SIM card codes and integrated circuit identifiers (ICC-IDs). AT&T fixed the security hole that same month, around the time Gawker, a news and gossip blog, published an article about the breach after being tipped off by Auernheimer and Spitler.
While Spitler pleaded guilty to charges in June 2011 and awaits sentencing, Auernheimer, who is from Arkansas, decided to fight the charges in court, believing they were bogus because he didn't technically hack into anything but merely tricked a publicly available site, with the help of a script written by Spitler, into divulging the information. He didn't use any classic hacking techniques, like brute force or SQL injection. Additionally, he never sought to profit off the information he discovered, only to shame a major corporation like AT&T for poor security practices, he said.
"I did this because I despised people I think are unjustly wealthy and wanted to embarrass them," he wrote in "Ipad Hack Statement of Responsibility" for TechCrunch. "I thought this is the United States of America where we have the right to do basic arithmetic and query public web servers."
Auernheimer remained brash and attention-seeking, but principled, until the bitter end. On Sunday night, he hosted a Reddit AMA (Ask Me Anything) before heading to an all-night party with friends and supporters. Based on the AMA, it's clear he's a polarizing figure – he's a self-described internet troll who doesn't care who he offends – but despite this, most agreed that the sentence he was facing was excessive.
One person wrote: "Dear weev, I hate your guts. But I hope you don't go to prison for your, uh, disclosures. It would be a bad sign for the rest of us."
The AMA didn't do Auernheimer any favors. According to witnesses to his sentencing on Monday morning, the judge referenced the discussion three times as evidence he would commit a similar offense.
"My regret is being nice enough to give AT&T a chance to patch before dropping the data set to Gawker," Auernheimer wrote in the AMA. "I won't nearly be as nice next time."
Before he began the AMA, he explained the hack:
"In June of 2010, there was a public AT&T web server that had a URL for a public API with a number at the end of it. If you added one to this number you might see the next iPad 3G user email address. I aggregated a sample of this data and sent it to a journalist...Despite an email from AT&T stating the data was 'published', 'no security was bypassed' and 'I don't think they [the feds] have a case', the feds disagreed."
The group of victims included a number of high-profile people who were early iPad adopters, including New York Mayor Mike Bloomberg and then-White House Chief of Staff Rahm Emanuel.
Prosecutors contended that Auernheimer and Spitler were less concerned about exposing insecurity and more about promoting themselves at the expense of AT&T.
"During the data breach, Spitler and Auernheimer communicated with one another using internet relay chat, an internet instant messaging program," prosecutors said last year in a news release. "Those chats not only demonstrated that Spitler and Auernheimer were responsible for the data breach, but also that they conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security."
During an informal press conference held outside the federal courthouse in Newark on Monday morning, Auernheimer lambasted federal prosecutors, saying people's rights are being "ruined by wicked tyrants." He said such harsh prosecutions are disrupting innovation in the United States.
"I hope you're in my cell block, all the engineers out there," he said, according to a live video. "And I'll see you in federal prison."
Well-respected security researchers like Charlie Miller seemed to agree. Miller tweeted on Monday: "We could all go to jail for security research at any moment, and a jury would happily convict us."
The case has further fueled debate over what many believe is the broad and excessive reach of the federal anti-hacking statute known as the Computer Fraud and Abuse Act (CFAA), a conversation that entered the mainstream with the suicide death of coder and information activist Aaron Swartz in January. A number of other so-called "hacktivists," including Barrett Brown and Jeremy Hammond, are facing long prison time under the law.
Before the sentencing, Auernheimer's attorney Tor Ekeland said the CFAA "criminalizes normal computer use."
"This was actually the way they [AT&T] set up their system," he said. "This was a conscious business decision on behalf of AT&T."
Auernheimer, who reportedly asked to be taken into custody following the sentencing, and Spitler must also pay $73,000 in restitution to AT&T, and Auernheimer also must serve three years of supervised release.
His legal team has pledged to appeal, and is confident he will win based on AT&T's own investigation.
UPDATE: Digital rights watchdog, the Electronic Frontier Foundation, announced Monday that it would join Tor Ekeland and others on Auernheimer's appellate team.