Criminal Charges Filed Against AT&T iPad Attacker

Batblue writes "The US Department of Justice will file criminal charges against the alleged attackers who copied personal information from the AT&T network of approximately 120,000 iPad users, the US Attorney's Office, District of New Jersey announced Monday. Daniel Spitler will be charged in US District Court in New Jersey with one count of conspiracy to access a computer without authorization and one count of fraud. Andrew Auernheimer will be charged with the same counts at the US Western District Court of Arkansas, which is in Fayetteville. Auernheimer made headlines last June when he discovered that AT&T's website was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said that nobody from Auernheimer's hacking group contacted them about the flaw."

Umm, yeah...

[fuzzyfuzzyfungus]

Uncle Sam and Ma Bell go wayyy back if you know what I mean. You don't sass the latter unless you are ready to deal with the former in a very bad mood.

They did switch from "Engaged" to "It's complicated" a while back; but that part didn't change...

Let's get this straight

[Tiger+Smile]

AT&T illegally gives the DOJ your phone calls, emails, messages, and other personal information in an up-to-the-second interface, and when some kid notices a security flaw the same DOJ comes after him? The public that puts up with this deserves to be treated this way.

Ethical disclosure

[SirGarlon]

"We believe what we did was ethical," Auernheimer told Computerworld last June. "What we did was right."

The federal prosecutor disagrees. If you follow the link in TFA, you'll find:

Rather than contact AT&T directly with what they'd uncovered, Goatse [Security] tipped off an unnamed third party, who in turn reported the design flaw to AT&T. Goatse took that route, Auernheimer said, to prevent AT&T from preventing the group from publicizing the e-mail address exposure.

So, they found a flaw, then hid their identity, and didn't contact AT&T directly, instead disclosing the flaw to a third party (who can be trusted because ...?), because they thought AT&T might react differently than how they wanted it to. This is ethical exactly how?

Re:Ethical disclosure

[gnasher719]

The federal prosecutor disagrees. If you follow the link in TFA, you'll find:

So its like he claims: "I wanted to point out your security failures, so I opened your safe". And the federal prosecutor says: "You actually opened the safe and took the money out". While the first is possibly illegal, but let's us argue that no harm was actually done, the second is pure and simply theft.

Re:This is appropriate

[Pojut]

That's not the problem.

Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information.

THAT'S the problem. Had he done this, then only sent the data to AT&T rather than publicly releasing it, they likely would be thanking him rather than trying to send him to the pokey.

It's that pesky "went public with the information" part that screwed him up.

web browsing is illegal now?

[wolfgang_spangler]

From the article:
In a blog post earlier today, Auernheimer spelled out Goatse's case. "All data was gathered from a public webserver with no password, accessible by anyone on the Internet," he wrote. "There was no breach, intrusion, or penetration, by any means of the word."

How did he do anything illegal?