Search This Blog

Tuesday, March 19, 2013

US hacker Andrew Auernheimer given three-year jail term for AT&T breach


Andrew Auernheimer, the online activist convicted of federal crimes for obtaining email addresses of iPad users from AT&T's website, was sentenced to nearly three and a half years in prison on Monday

At a district court in Newark, New Jersey, Auernheimer, 27, was also ordered to pay over $73,000 in damages to AT&T and to serve three years supervised probation after his release.

In November, he was found guilty of one count of identify fraud and one of conspiracy to access a computer without authorisation.

Three years ago, Auernheimer, whose online name is "weev", found a security breach in AT&T's website, allowing him and his company, Goatse Security, to access thousands of email addresses of iPad users. He gave them to a Gawker journalist in what he said was an effort to expose the company's security flaws.

Gawker posted redacted material online, writing that the material "exposed the most exclusive email list on the planet", including the addresses of Michael Bloomberg, the New York mayor, and then-White House chief of staff Rahm Emanuel. An FBI investigation followed.

Auernheimer's prosecution, under the Computer Fraud and Abuse Act, was being closely watched by critics of the US government's harsh line on hackers.

His sentence on Monday comes after a massive outcry following the suicide of free information activist Aaron Swartz in January. Swartz's was facing multiple charges and a prosecution that his supporters said was excessive.

Last week, federal prosecutors charged Matthew Keys, the deputy social media editor for Reuters, with helping the hacker group Anonymous attack the website of his former employer.

Keys and Swartz were also charged under the Computer Fraud and Abuse Ac, which many have said is too broad. Critics of the prosecutions say they are being bought by over-zealous prosecutors using outdated and flawed statutes. One lawmaker has tabled an amendment to the CFAA called "Aaron's law" aimed at stopping such prosecutions.

A lawyer for the Electronic Frontier Foundation, a digital rights group, described Auernheimer's sentence as "excessive" and said they would support his appeal.

Hanni Fakhouri, a staff attorney with the EFF, said: "It's excessive to say the least. The prosecution was excessive because he did not hack into anything. He obtained information from a public information website. It would be like me going into the Guardian website and copying information and emailing it to someone else."

Fakhouri said the law was misinterpreted and said: "We hope on appeal to get the sentence thrown out.

"We don't believe authorised access was exceeded. By virtue of the fact that the information was publicly available and they were not breaking into anything, there wasn't anything to indicate he did not have authorised access."

In an interview with the Guardian in January, Auernheimer said: "When you publish something, you don't have the right to whine and moan and cry: 'He's breaking and entering. That's what AT&T and the federal government are claiming. It's a dishonest and seditious claim."

He said the idea that what he did amounted to a felony was "ludicrous".

In a pre-sentence memo, Auernheimer's lawyers said he should only receive six months probation because AT&T's security was to lax that no special skill was needed to collect ipad customer's email addresses. It also highlighted comments made by one AT&T investigator who said that he "circumvented no security".

US attorney Paul Fishman described Auenheimer's reasoning that he was trying to expose security flaws in AT&T's website as a "fiction." Fishman said in a statement: "Andrew Auernheimer knew he was breaking the law when he and his partner hacked into AT&T's servers and stole personal information from unsuspecting iPad users.

"When it became clear that he was in trouble, he concocted the fiction that he was trying to make the internet more secure, and that all he did was walk in through an unlocked door. The jury didn't buy it, and neither did the court in imposing sentence upon him today."

David Velazquex, the FBI acting special agent in charge of the investigation, said Auernheimer's "self-serving cyber attack" was carried out to promote his business. He said his conviction and sentence signified the "continued and growing efforts of the US attorney's office and the FBI in investigating and prosecuting computer hacking and intellectual property crimes."

Auernheimer's co-defendant, Daniel Spitler, 27, of San Francisco, California, previously pleaded guilty to the same charges and is awaiting sentencing.

No comments:

Post a Comment