3.5 Years For Trying To Improve Cyber Security And Making VIPs Look Bad

AT&T had a problem with its iPad service. We in the United States, and perhaps the world, have a problem with our “top” people in industry and government tending to be self-righteous, arrogant, and willing to use persecution to compensate for incompetence. These two problems are related. The Beast reports:

“26-year-old Andrew Auernheimer discovered in 2010 that AT&T’s website was forking over email addresses for iPad users if a simple URL request included AT&T’s internal numbers used to identify specific iPads. He and a friend wrote a simple program that, much like a web browser, asks a publicly available server for information, and if the server responds it posts that information in a specified area. Then they hooked it up to a number randomizer and turned it loose. As it turned out, the security flaw in AT&T’s iPad portal was so severe that his little program ended up netting email addresses for folks like former White House Chief of Staff Rahm Emanuel, New York Times Co. CEO Janet Robinson and New York Mayor Michael Bloomberg, according to Gawker, which broke the story after receiving a cache of data from a source they were unable to fully identify. Other government officials as high up as DARPA and NASA were included in the breach.”

Gawker was given the information because Auernheimer and his 26-year-old friend Daniel Spitler had gone to AT&T and told them about the security breach. AT&T did nothing. After Gawker reported the story, the vulnerability was fixed.

Notice here that Auernheimer and Spitler had no way to confirm there really was a problem unless they actually attempted the experiment with the randomized numbers. AT&T did nothing even on that evidence; they certainly would not have cared to hear those men’s untested suppositions about the vulnerability. Nor did those men target specific individuals or use the information to hurt or exploit them. Notice also that no one obtained a forbidden password. They simply put random numbers into a publicly accessible website.

Auernheimer is about to begin a 41-month prison term followed by three years under “supervised release.” He has been fined $71,000.00.

“Investigators ultimately obtained chat logs that feature Auernheimer and Spitler disparaging AT&T and saying they wanted to leak the information in part to promote their gray-hat hacker group Goatse Security, which has not been updated since May 2011.”

Oh, well, yes. That smoking gun totally proves Auernheimer deserves “a harder sentence than the Steubenville rapists.”

According to Wired Magazine,

“The controversial case is one of a string of highly criticized prosecutions of security researchers who have been charged with serious computer crimes under the Computer Fraud and Abuse Act, prompting calls for reform of the legislation to make clear distinctions between criminal hacking and simple unauthorized access and to protect researchers whose activities are not criminal in intent.”

If you think the ambiguity in the aptly named Computer Fraud and Abuse Act is an accident, I think you’re being dangerously naïve. And even if I grant you your naiveté, we now live in a world where every single law must be scrupulously studied and complicated to make sure no bureaucrat can use it to rob years of life from some guy who wasn’t doing anything criminal.

That’s quite a culture we have “watching” over us. Exactly how is this malfeasance of office supposed to discourage young savvy programmers from becoming hackers? What incentive do they have to use their talents productively? These prosecutors and corporate execs will be boasting at their little self-important social gatherings on how they “put away” this guy who dared expose a serious security blunder. Members of this same culture claim responsibility for protecting the nation from terrorism.

What could possibly go wrong with that?