Two hackers have been arrested in connection with hacking into AT&T's database of email addresses associated with Apple iPads.
Andrew Auernheimer and Daniel Spitler were charged with conspiracy to access a computer without authorization and fraud in connection with personal information. Both are federal crimes and could mean prison for either or both defendants. Auernheimer was arrested previously on June 15 in Arkansas on drug charges, though they have nothing to do with this complaint.
Auernheimer and Spitler are both members of a group called Goatse Security, which publicized the vulnerability of iPads to having their email addresses detected via AT&T's web site back in June. The group then publicized many addresses, among which were those for people such as former White House chief of staff Rahm Emanuel.
The hack involved getting an ICC ID number, a set of digits usually written on the SIM card in an iPad. Anyone who wrote a program that made a request to AT&T's web site, using an ICC ID, would get back an email address of the user. A computer can easily generate thousands of such numbers and simply make repeated requests. The vulnerability has since been fixed. The complaint says AT&T suffered damages, spending $73,000 to fix the security hole.
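How the enumeration described above would look from the defender's side, as an added example that is not from the article, the complaint or AT&T: the script flags clients that ask for many distinct ICC IDs within a short window. The log format, IP addresses, ICC ID values, window and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log, one request per line: "epoch_seconds client_ip icc_id".
# The format, addresses and ICC IDs are invented for illustration.
def make_sample_log():
    lines = []
    # An ordinary device: the same ICC ID, requested a few times over an hour.
    for t in (0, 1200, 2400):
        lines.append(f"{t} 198.51.100.7 89014100000000000017")
    # An enumerating client: a different ICC ID every second.
    base = 89014100000000001000
    for i in range(40):
        lines.append(f"{100 + i} 203.0.113.9 {base + i}")
    return lines

def parse(line):
    ts, ip, icc_id = line.split()
    return int(ts), ip, icc_id

def find_enumerators(lines, window=60, max_distinct=5):
    """Return {ip: peak number of distinct ICC IDs requested within any
    `window` seconds} for clients whose peak exceeds `max_distinct`."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, icc_id = parse(line)
        by_ip[ip].append((ts, icc_id))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({icc for _, icc in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, peak in find_enumerators(make_sample_log()).items():
        print(f"{ip}: {peak} distinct ICC IDs within 60s")
```

A single device normally asks about one ICC ID, so the distinct-identifier count per client separates ordinary use from bulk guessing better than raw request volume does.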
In the complaint, the government says that Auernheimer claimed credit for the hack, or at least for publicizing it. Spitler, the complaint says, was chatting back in June about the benefits of mining email addresses, among them the ability to spam the users. The complaint also details chats between Auernheimer, who used the name weev at the time.
The two also discussed their doubts about the legality of the data breach. Spitler, in his chat, says, "sry dunno how legal this is or if they could sue for damages," and Auernheimer answers, "absolutely may be legal risk yeah, mostly civil you absolutely could get sued to f---."
The security breach was released first to the Gawker web site. The complaint says that as the media picked it up, Auernheimer and Spitler discussed destroying evidence, demonstrating that they knew their acts could be illegal.
The government now has to make the case that the security breach and the hack were done for some criminal purpose. Under the law, lack of security by itself is not exculpatory for the same reason that entering an unlocked building doesn't absolve someone of trespassing.
But the law for computer crime is less clear-cut. It is not clear, for instance, that a company scraping email addresses from a major provider, such as Yahoo!, would be prosecuted for doing so if it were to publicize them.