The two hackers arrested in connection with hacking into AT&T's database of iPad 3G email addresses will have a tough time proving they weren't acting maliciously, according to at least one legal expert.
Andrew Auernheimer and Daniel Spitler were charged with conspiracy to access a computer without authorization and fraud in connection with personal information. Both are federal crimes and could mean prison for either or both defendants.
The crux of the government's case is that the two acted maliciously for personal gain, either financial or to boost their reputations.
Alex Muentz, an attorney who lectures at Temple University and writes extensively about the law and hacking, said the chat logs in the charge sheet are pretty ugly and would likely demolish any defense that they were white hat hackers, just trying to highlight very real security vulnerabilities (known as vulns in the trade).
"In fact, I'd call this 'hacking while douchebag,'" he said. "Their statements can be used to show fraudulent intent."
Auernheimer and Spitler are both members of a group called Goatse Security, which publicized the vulnerability of iPads to having their email addresses detected via AT&T's web site back in June. The group then publicized many addresses, among which were those for people such as former White House chief of staff Rahm Emanuel.
In the complaint, the government says that Auernheimer claimed credit for the hack, or at least publicizing it. Spitler, the complaint says, was chatting back in June about the benefits of mining email addresses, among them the ability to spam the users. The complaint also details chats between Auernheimer, who used the name weev at the time.
The hack involved getting an ICC ID number, a set of digits usually written on the SIM card in an iPad. Anyone who wrote a program that made a request to AT&T's web site, using an ICC ID, would get back an email address of the user. A computer can easily generate thousands of such numbers and simply make repeated requests. The vulnerability has since been fixed. The criminal complaint says AT&T suffered damages, spending $73,000 to fix the security hole.
The chat logs the prosecutors have so far released show Spitler and Auernheimer discussing their doubts about the legality of the data breach. Spitler, in his chat, says, "sry dunno how legal this is or if they could sue for damages," and Auernheimer answers, "absolutely may be legal risk yeah, mostly civil you absolutely could get sued to f---."
The security breach was released first to the Gawker web site. The complaint says that as the media picked it up, Auernheimer and Spitler discussed destroying evidence, demonstrating that they knew their acts could be illegal. The chat is as follows:
Auernheimer: i would like get rid of your shit like are we gonna do anything else with this data?
Spitler: No should I toss it?
Auernheimer: i dont think so either might be best to toss
Spitler: yeah, I dont really give a f--- about it the troll is done
Auernheimer: yes we emerged victorious
Spitler: script is going byebye too
When the email addresses were first released, a number of bloggers and even Auernheimer himself highlighted the fact that the security at AT&T was lax. But under the law, lack of security by itself is not exculpatory for the same reason that entering an unlocked building doesn't absolve someone of trespassing.
All this doesn't mean a slam-dunk case for the government. The law for computer crime is not always so clear-cut. While the prosecutors might well be able to demonstrate that Spitler and Auernheimer were both acting for a fraudulent purpose, it still leaves open the legal question of what other companies do with email addresses they gather. It is not clear, for instance, that a company scraping email addresses from a major provider, such as Yahoo!, would be prosecuted for doing so if it were to publicize them.