Hacking is really about making things better, but it’s also about causing havoc, and Andrew Auernheimer’s most infamous hack sits somewhere between the two. But according to a federal court in New Jersey, it leans in the latter direction. Yesterday it issued a guilty verdict that could land him in jail for ten years, a verdict that has already sent shockwaves through the security community.
Security experts, Internet hacktivists and even old enemies are already rallying behind Auernheimer, aka Weev, who intends to appeal the verdict. But he isn’t an easy cause to defend. His hijinks as 4chan’s troll par excellence, in the days before trolling was a household word, earned him a cover story in the New York Times Magazine, which detailed some very ugly, racist and homophobic exploits in the name of lulz.
He is, for instance, credited with a hack that temporarily removed all gay romance novels from Amazon, which he claimed had caused a billion-dollar drop in the company’s stock price, and, he told the Times, he decided to lose his name after a run-in with federal agents following a talk he gave at a San Diego hacker convention in 2007: “In the midst of an LSD-and-methamphetamine bender,” Weev “expounded on diverse topics like hacking the Firefox browser, online trade in illegal weaponry and assassination markets.” He’s the kind of hacker who can make Julian Assange look like a suburban dad.
Even the website set up in his defense, freeweev.info, begins with this candid admission: “He never takes anything seriously and generally treats life as a piece of performance art. He’s undisciplined and lazy. I can’t believe I count him amongst my acquaintances, but he’s very charming and funny at a dinner party. That doesn’t really change how gigantic of a jackass he is. As the world’s most notorious Internet troll, his ability to repulse is quite high.”
But his crime in this case—helping to poach 110,000 email addresses of early iPad adopters, using a security hole that he and a friend found—is more ambiguous. By many definitions, Weev and his associate didn’t “break in” or gain “unauthorized” access, but found an open door. And while they had considered exploiting their score for personal gain, they acted mostly in the public interest, releasing what they found only to Gawker. In the tradition of the greyhat hack, the revelation was posed as a warning, a wake-up call about the fragile security of our technology and the deep trust we invest in it. At the time, Auernheimer was hailed as a hero—an unlikely, unsavory one—but a fighter for transparency and whistleblowing; Michael Arrington even anointed him with a TechCrunch award for public service.
Following yesterday’s verdict, however, Auernheimer faces five years in prison. He’s already vowing to appeal and to continue a public campaign, if not to restore his reputation, to fight the forces that threaten to keep him quiet. As he told me by email in 2010, shortly after the FBI raided his home, “The lesson of the Spartans is one America needs to hear more: it is better to fight and be wiped out than to live subjugated to powers out to slowly destroy you.”
The hack for which Auernheimer and Daniel Spitler, 26, of San Francisco, California, were charged exploited a simple vulnerability in AT&T’s system: when the iPad was released in April 2010, Spitler discovered that a certain AT&T site would leak e-mail addresses to anyone who provided it with an ICC-ID, a number that was unique to each iPad, and to each email address connected to that iPad. He found the ICC-ID number format by examining photos of the iPad posted by gadget enthusiasts to Flickr and elsewhere (the number is also available under “Settings” on an iPad). Using a script called the “iPad 3G Account Slurper,” he mimicked iPads connecting to the web site, and, after a days-long run, ended with a massive haul of over 100,000 iPad users’ e-mail addresses.
Among their cache was an impressive list of early adopters: email addresses for Mayor Michael Bloomberg, Rahm Emanuel, Diane Sawyer of ABC News, and Col. William Eldredge, commander of the 28th Operations Group at Ellsworth Air Force Base in South Dakota, along with addresses belonging to folks at NASA, the Justice Department, the Defense Department, and the Department of Homeland Security.
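From the operator's side, the pattern described above is visible in access logs: a real device only ever presents its own ICC-ID, so one client presenting many different ICC-IDs in a short span stands out. The sketch below is an added example, not code from the article or from AT&T; the `/lookup` path, the `iccid` parameter, the log layout and every log line are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines; the /lookup path and iccid parameter are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 [2010-06-09T10:00:01] "GET /lookup?iccid=8900000000000000101 HTTP/1.1" 200
203.0.113.5 [2010-06-09T10:00:09] "GET /lookup?iccid=8900000000000000101 HTTP/1.1" 200
198.51.100.7 [2010-06-09T10:01:00] "GET /lookup?iccid=8900000000000000201 HTTP/1.1" 200
198.51.100.7 [2010-06-09T10:01:01] "GET /lookup?iccid=8900000000000000202 HTTP/1.1" 404
198.51.100.7 [2010-06-09T10:01:02] "GET /lookup?iccid=8900000000000000203 HTTP/1.1" 200
198.51.100.7 [2010-06-09T10:01:03] "GET /lookup?iccid=8900000000000000204 HTTP/1.1" 200
192.0.2.44 [2010-06-09T08:00:00] "GET /lookup?iccid=8900000000000000301 HTTP/1.1" 200
192.0.2.44 [2010-06-09T12:00:00] "GET /lookup?iccid=8900000000000000302 HTTP/1.1" 200
192.0.2.44 [2010-06-09T16:00:00] "GET /lookup?iccid=8900000000000000303 HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET /lookup\?iccid=(?P<iccid>\d+) '
)

def parse(lines):
    """Yield (client_ip, timestamp, iccid) for each lookup request line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], datetime.fromisoformat(m["ts"]), m["iccid"]

def flag_enumerators(lines, max_distinct=2, window=timedelta(minutes=5)):
    """Return {client_ip: peak distinct ICC-IDs seen in any window} for clients over the limit."""
    by_ip = defaultdict(list)
    for ip, ts, iccid in parse(lines):
        by_ip[ip].append((ts, iccid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({iccid for _, iccid in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG.splitlines()))
```

A device retrying its own identifier and a shared address whose lookups are hours apart both stay under the limit; only the client walking through consecutive identifiers is flagged.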
Calling themselves Goatse Security—after that dirty Internet inside joke—they contacted Gawker to call public attention to the security hole. Gawker verified the list, but didn’t broadcast the emails. AT&T maintains, and chat logs verify, that the two did not contact the company directly about the vulnerability. Nor did they pursue “responsible disclosure,” by, for instance, announcing they had found the hole to a security mailing list.
What they did do, according to those IRC chat logs, which were leaked to the prosecution by an anonymous source, was discuss various unsavory and illegal things they might do with the emails, from phishing to selling them outright.
In other chats, Auernheimer mentioned the possibility of shorting the stock. But this and other approaches were not pursued; after the Gawker story, which included only blacked-out versions of the emails, Goatse received considerable media attention, and described their find as “a service to our nation”. AT&T and Apple were not pleased. The phone company notified customers by email and contacted the authorities.
Days later, Auernheimer’s house was raided by the FBI, which was acting on a search warrant. What they turned up was a cornucopia of drugs: cocaine, ecstasy, LSD, and schedule 2 and 3 pharmaceuticals. Auernheimer, who used to run a blip.tv channel called iProphet, made no attempt to hide his drug fascination. Nor did he make any attempt to follow a gag order: Soon after his release on bail, and ever since, he’s protested what he maintains are violations of his civil rights.
In January 2011, all drug-related charges were dropped following Auernheimer’s arrest by federal authorities. He went to jail in February, and was released on bail. When Spitler pled guilty last summer, Weev maintained his innocence. His apparent malicious intent, combined with the sensitivity and the volume of data, led the jury to find Auernheimer guilty under 18 USC § 1028A, the aggravated ID theft law, which carries a mandatory minimum of 2 years. Jail time is now a real possibility for him.
Still, the two did not reveal the email addresses to the public. And they didn’t break anything. Dan Kaminsky, who famously found and helped fix a potentially catastrophic bug in the Internet’s domain name system in 2009, wrote on Twitter, “There has to be a bright line [between illegal hacking or anything like Google is illegal. ‘No credentials required’ is that line.” If a company publishes a “White Pages” of personal information, he added, they “can’t complain if someone leafs through.”
“The law is very unclear about what ‘unauthorized’ means,” says Jeffrey Paul, a programmer and entrepreneur who has contributed to Weev’s legal defense. Paul’s homepage includes a list of the websites that he’s been banned from. “The courts are taking it in the normal sense of the term, which is to say ‘if the operator says you are unauthorized.’ That’s way too broad, and it’s simply not how the internet works.”
Indeed, by the 1986 Computer Fraud and Abuse Act, which Weev was found to have violated (see the indictment here), and which predates the web, it’s illegal to “access a computer without authorization or exceed authorized access” on any “protected computer” which includes one that is “used in interstate or foreign commerce or communication.” That would mean, as Auernheimer told the press yesterday, that “the ‘protected computer’ is any network computer. You access a protected computer every day.” He asked a rhetorical question: “Have you ever received permission from Google to go to Google?” (The act has often been criticized for its vagueness.)
When I spoke with Auernheimer by email in 2010, he said he never really intended to do anything wrong with the data. “We did this in spite of the fact that this data was worth several hundred thousand dollars on the black market (and selling it secretly would have borne us no risk),” he told me then, adding that many of the emails on the list belong to people he and his group “hate.” But, he says, Goatse Security kept the public interest in mind: “Despite what I may think of many of them, they are Americans. To be an American means that when Americans are threatened by foreign powers, we put aside our differences and put America first. I would do the same thing again even after knowing what negative consequences would befall me, because the Russian mob does not need to be in control of the iPads of tens of thousands of powerful people in this country. I love America.”
Weev said that the bug was indicative of Apple’s negligence when it came to security. In the months before the attack, he claims that he and his Goatse pals had discovered a Safari integer overflow vulnerability that could allow for complete hijacking of the iPad, but that Apple didn’t release a patch until that August.
In an e-mail he wrote to the U.S. attorney’s office in New Jersey last year, Auernheimer blamed AT&T for exposing customer data. “AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders.”
“The ‘flaw’ in AT&T’s system was they put material on a public web server with no password, where there is an implicit license to access it,” he told me. “They put it on the library bookshelf. There was no unauthorized access, this material was available to anyone willing to type in a URL in an address bar. There was no ‘exploitation.’” He added, “I could have taken that list and made a shitton of money off of it, or had a botnet of a couple hundred thousand iPads. Instead I did the right thing. Like everyone that does the right thing in America, I was punished for it.”
Weev continues to argue that the government’s case against him has been politically motivated. “As to why I’ve been targeted,” Weev told me in 2010, “I would like to defer to my favorite hip-hop artist, Immortal Technique.”
And if you speak about the evil that the government does
The Patriot Act’ll track you to the type of your blood
They try to frame you, and say you was tryna sell drugs
And throw a federal indictment on niggaz to show you love
After the verdict, security researchers warned of a “chilling effect.” “Researchers will be more circumspect about what they’re willing to disclose,” Rob Graham, an analyst and consultant with security firm Errata Security, told Forbes. “They’ll fear that they might be the next Weev.” Jacob Appelbaum, the Wikileaks affiliate and advocate for the anonymity-focused Tor Project, wrote that “AT&T and the State are persecuting [Auernheimer] rather than admitting their own respective incompetence,” adding that the case was a “neo-classic whistleblower crackdown.”
Yesterday, after the verdict, Weev noted, “R. David Halsey from AT&T used the words, ‘there was no security bypass.’ It can’t be clearer than that. The definition of ‘unauthorized access’ has to include the bypass of security measures.”
The smoking gun may be smoking, but its aim ultimately missed the public. Instead, the hack revealed the frailty of a system that millions now use. But it also revealed something about the way that the public and the state—and telecom companies, with strong ties to law enforcement—will go after hackers, especially when they generally appear less like activists and more like trolls.
In October, Weev explained why he trolls on Australia’s SBS
Next, Auernheimer plans to lodge an appeal, and to continue bringing attention and contributions to his case, with or without the court’s consent. “I am not allowed to touch computers unless I submit them to the federal government for the installation of monitoring software,” he wrote over the summer. “Of course, I am an old Linuxbeard deliverability guy and they only have monitoring software for Microsoft Windows. Oh well.”
In that same blog post—an appeal to Michael Arrington to finally send him a statue for his Crunchie award—Weev described his hacking and trolling the way he once described it to me, as an “art”: “I do what I do because I enjoy making great art, not because it makes money. I’m perhaps the world’s most notorious Internet troll, and yet my technology is perhaps far less disruptive than much of yours… I am a poor country boy from Arkansas. I was born into nothing, and I had hoped to die one day with just enough to get an Airstream trailer and a Holstein cow that sat in a distant corner of my dreams. After a solid decade of federal stalking and harassment, followed by solitary confinement and beatings I have now given up hope on that.”
While Auernheimer’s behavior in the past has made internet freedom activists reluctant to come to his defense, the chorus of support is growing. Even Immunity Sec founder and former NSA security researcher Dave Aitel, who has accused Weev of once posting “rape porn” fiction about Aitel’s wife to Aitel’s own site, has grudgingly pointed out that the verdict could be dangerous for the security industry. “I think it’s fair to say the likelihood of Weev having done something that deserves some level of criminal liability is pretty high,” he wrote. “That said, this is not it. Keep in mind the data Weev collected was email addresses and names. Nothing sensitive in the slightest.” He added, “It’s obvious to anyone with any technical background that the case the FBI brought against him is a travesty, and the fact that they won is even more insane.”
Paul, Weev’s supporter, insists that this is a matter not of taste but of rights. “The fact is, we need to protect all kinds of speech, even unpopular speech, from being abridged by government. We also need to protect all people, even unpopular ones, from being unfairly prosecuted for whistleblowing.”