Slashdot Mirror

← Back to Stories (view on slashdot.org)

41 Months In Prison For Man Who Leaked AT&T iPad Email Addresses

Posted by Soulskill on from the looked-at-a-poster-and-told-somebody-about-it dept.

In 2010, querying a public AT&T database yielded over 114,000 email address for iPad owners who were subscribed to the carrier. One of the people who found these emails, Andrew 'weev' Auernheimer, sent them to a news site to publicize AT&T's security flaw. He later ended up in court for his actions. Auernheimer was found guilty, and today he was sentenced to 41 months in prison. 'Following his release from prison, Auernheimer will be subject to three years of supervised release. Auernheimer and co-defendant Daniel Spitler were also ordered to pay $73,000 in restitution to AT&T. (Spitler pled guilty in 2011.) The pre-sentencing report prepared by prosecutors recommended four years in federal prison for Auernheimer.' A journalist watching the sentencing said, 'I felt like I was watching a witch trial as prosecutors admitted they didn't understand computers.'

9 of 459 comments (clear)

  1. Re:Good by 1729 · · Score: 5, Insightful

    He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.

  2. Sentencing reveals country's values by bigonese · · Score: 5, Insightful

    Two young men in steubenville rape a young women and get 1 - 2 years in jail. A man writes a script to get email address from a website and gets 3.5 years in jail. Something's not right.

    1. Re:Sentencing reveals country's values by Seumas · · Score: 5, Insightful

      It's simple. Society is sick.

      Their response to one is "Well, boys will be boys!".

      Their response to the other is "Oh my god, if they can webscrape publicly accessible information, the next thing these vial social outcasts will be doing is hax0ring into NORAD and launching nuclear warheads and initiating WWIII and I can't have that because I haven't finished watching Real Housewives, yet!"

  3. Re:Good by Mullen · · Score: 5, Insightful

    As someone else pointed out, all he did was request data from a public server and AT&T sent it to him. Also, he got 41 months for forwarding 114,000 email addresses to news site, which is overkill. Had he physically broke into an AT&T office and took the email addresses from someone's desk, he would have received less prison time.

    He should have been given community service at the most, and then got an award for exposing a flaw from AT&T.

    --
    Linux O Muerte!
  4. Re:Good by Anonymous Coward · · Score: 5, Insightful

    That. It's a flaw that AT&T never would have addressed without public pressure. Further, Mr. Auernheimer did not release private info to the public -- the news agency to which he released the then already-public information is responsible for further publicizing it.

    Bottom line: it is ludicrous-speed absurd to prosecute somebody for publicizing already public information. If a newspaper accidentally prints the names and addresses of its entire subscriber base in the classifieds, and I call them to report it, can I then be held accountable for "releasing" the information?

  5. Re:Don't understand computers? by Looker_Device · · Score: 5, Insightful

    The right thing to do, of course, would have been to contact AT&T. Had he done that, AT&T would have threatened him to keep quiet and then never fixed the flaw

    FTFY

    --
    Your political party doesn't care about your rights and only represents corporate interests.
  6. Re:Good by TemperedAlchemist · · Score: 5, Insightful

    Give away emails to demonstrate a security flaw? 41 months in prison.

    Rape, molest, and humiliate a sixteen year old girl? 12 months in prison.

    Justice.

    ---

    I love you, America.

  7. Re:Good by cayenne8 · · Score: 5, Insightful
    Even with all you said, the penalty for these 'computer crimes'....is WAY off base as far as matching punishment with crime.

    We have convicted rapists and murderers that seem to get off with lighter sentences than people that do anything that involves a computer these days, even if the results don't hurt anyone and only embarrass a company or some govt. personnel.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  8. Re:Good by Anonymous Coward · · Score: 5, Insightful

    But he didn't trespass -- he didn't break any laws or even conventions regarding the distinction between public/private property in requesting and being provided this information. If the pile of gold in your unfenced yard was on a conveyor that could be activated from the street, I think you would be hard-pressed to convince anyone that you intended the gold to remain in your yard. Likewise, spewing out customer details in response to a simple sql query to a public-facing DB server, which requires absolutely no circumvention of existing security measures, is difficult to paint as an earnest attempt to make a public/private delineation, and thereby prevent even accidental leakage.

    As has already been pointed out, the key charge here is "access[ing] a computer without authorization." Since the publicly-facing DB server was not in any sort of secured or even posted enclave, it can only be presumed that the court finds the mere act of interfacing with this system a crime for no reason other than that AT&T has established the server as "private" after-the-fact. That opens up a terrifying door in that any service provider could suddenly declare you persona non grata retroactively, and bring similar criminal charges against you. While that's certainly a leap, it's not a big one...