Andrew Auernheimer, also known as “Weev” was found guilty today in a federal case being tried in a in New Jersey federal court where the personal data of more than 114,000 iPad owners was harvested. The incident happened back in June 2010 in a release by Goatse Security, a division of the “Gay Niggers Association of America” – a group made famous by their web-trolling activities. Auernheimer is the former president of both groups, and had a significant run at Goatse Security which is well-known for uncovering security flaws in public. In the AT&T/iPad incident, the group discovered flaws in AT&T 3G service authentication where the email address of the user was pre-populated. This email could be then be coaxed out of the AT&T website with the ICC-ID from the iPad SIM card that comes with every iPad. A brute force PHP attack using this vulnerability revealed the cache of email addresses. Goatse Security tried to go with a confined release to news sources and caught the attention of the FBI, prompting an investigation. Weev’s house was later raided and he was held on separate state drug charges. Those charges were later dropped, but he was later incarcerated in an Oklahoma Federal Prison until he was freed on bail back in September 2011 on the computer access charges. The indictments against him were one count of conspiracy to gain unauthorized access to computers and one count of identity theft. Note that the actual information was never released, only the fact that the vulnerability was there and the information was harvested. Needless to say this has ruffled a lot of feathers as questions about policy and legal boundaries are being tested here.
TechCrunch’s Michael Arrington thought enough of the disclosure that he awarded Goatse Security a “Crunchie Award” back in 2010. In doing so, backing the stance that everything that was done was done on public systems and this exposure was essentially a service to the community.
“All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.”
The jury was sequestered for just a few house before announcing the verdict – Guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization. Weev has stated that he will appeal and has been tweeting throughout the ordeal.
Despite the act of raising public awareness of the critical flaw, prosecutors focused on delving into the reasons why the ‘hack’ and information were put together. Part of the prosecution’s case included information from an informant that turned over extensive IRC chat logs apparently disclosing Goatse Security’s intent to promote their skills- at the expense of AT&T. The implications for InfoSec could potentially be seeing a significant impact. A quick Google search turns up a number of FreeWeev type of causes and there are hopes in the security community for a successful appeal. A forthcoming statement from the InfoSec community states:
“We urgently request that these charges against Mr. Auernheimer be dropped in the interest of national security. A conviction in his case will not only have a chilling effect on researchers like us who work to secure critical infrastructure, it will inevitably lead to other systems being compromised due to the inability of security professionals, like ourselves, to even identify such vulnerabilities without running afoul of the law. Criminals operate in secret — they don’t hand their findings over to the press. Mr. Auernheimer has acted in the interest of the public, not as a criminal. “