Two hackers, Daniel Spitler and Andrew Auernheimer, credited with obtaining the email addresses of over 100,000 iPad 3G owners from a loophole in the AT&T website were both arrested yesterday by federal officials. The complaint charges Spitler and Auernheimer, who went by the online aliases “JacksonBrown” and “weev,” with Conspiracy to Access a Computer Without Authorization and Fraud in Connection with Personal Information.
AT&T has since closed the loophole, but not before Spitler and Auernheimer obtained thousands of email addressees, including the addresses of government officials, military personnel, and several Fortune 500 CEOs. Spitler and Auernheimer created a computer script called the “iPad 3G Account Slurper,” designed to mimic an iPad 3G. The script would randomly generate an iPad 3G identifier, and the AT&T server, thinking it was communicating with an actual iPad, would return information to the two hackers, including email addresses registered to the iPad 3G identifier generated by their program.
It is unclear exactly how Spitler and Auernhemier intended to use the thousands of email addresses acquired through the script. In a series of online chats attached to the complaint, and obtained by the government through an anonymous source, the two discuss using the email addresses for everything from email phishing scams to shorting AT&T stock and using the media release of their discovered hack to drive down AT&T’s stock price.
For now, the complaint does not contain any charges relating a potential shorting of the AT&T stock or other illegal uses of the email addresses obtained. At least one of the U.S. District Attorneys involved believes the pair did not use the data obtained for any illegal purposes, despite the complaint alleging the two obtained the information illegally, a subtle, yet important distinction. Any illegal use of the information could dramatically increase the potential sentences the two could receive.
Both Spitler and Auernhemier are members of the group Goatse Security, an organization allegedly devoted to finding and exploiting online security loopholes to help companies better protect their information.It is likely the two will raise two points in their defense. First, all the data gathered through the computer script was available online without any password, and therefore arguably legal. Both will likely also try and defend their actions by claiming their hack was intended to alert AT&T to the security flaw. However, this defense will be hampered by the fact neither ever contacted AT&T before releasing the story to Gawker. In fact, in one of the chats Auernheimer says “i don’t f***ing care i hope they [AT&T] sue me.”
AT&T has yet to sue Auernheimer and Spitler, so for now Auernheimer will have to settle for a federal indictment.
– Michael S. Quinlan
