Internet Troll Faces 5 Years in Jail for Exploiting AT&T Security Flaw
Andrew Auernheimer, a self-described security researcher and internet troll, was convicted of identity fraud and conspiracy to access AT&T's systems without authorization. Andrew Auernheimer and his partner, Daniel Spitler, are said to have been trying to scrape email addresses from about 120,000 iPad users from a poorly secured section of AT&T's website where iPad users sign up for 3G service. A script was placed on AT&T's server to obtain an iPad's ICC-ID and then return the email address linked to that ID. These identification codes came in a predictable range, which enabled Auernheimer to guess tens of thousands of ICC-IDs and get AT&T's servers to give them the associated email addresses. After investigating, the FBI concluded they had committed a felony and arrested Auernheimer and Spitler in 2011. According to chat logs obtained by the prosecution, the pair discussed multiple schemes for which they could use the harvested information, such as spamming, phishing, or short-selling AT&T's stock. However, they decided that the way to obtain the "max lols" would be to inform the media of this bug in an attempt to shame AT&T.
A New Jersey jury recently tried Auernheimer and Spitler and handed down a guilty verdict on Tuesday. Spitler decided to cooperate with the government and pled guilty, so the trial was aimed towards Auernheimer. The two face a maximum sentence of 5 years in jail, as well as a $250,000 fine. Tor Ekland, Auernheimer's attorney, told Reuters in a phone interview that he and Auernheimer "disagree with the prosecutors' interpretation of what constitutes unauthorized access to a computer under the Computer Fraud and Abuse Act."