After verdict in iPad email address case, experts say Computer Fraud and Abuse Act of 1986 needs major update
If there is a villain in the 2010 AT&T "hacking" case involving about 120,000 email addresses of iPad owners, it is not the two members of Goatse Security (GoatSec) who found a way to collect the addresses, but the telecom giant that made it possible with a gaping vulnerability that didn't even require a real hack to exploit, say security experts.
But that is not the way the legal system sees it. As of this week, the official bad guys are Daniel "JacksonBrowne" Spitler and Andrew "Weev" Auernheimer, who both stand convicted -- Spitler through a plea agreement and Auernheimer after a jury in a Newark, NJ federal court found him guilty Tuesday of conspiracy to access a computer without authorization under the Computer Fraud and Abuse Act of 1986 (CFAA), and fraud in connection with personal information.
Auernheimer, who tweeted following the verdict, "Hey epals don't worry! We went in knowing there would be a guilty here. I'm appealing, of course," could face 10 years in prison -- five on each count.
Several security experts view that as absurd, since the two didn't even hack through any security barriers on the AT&T website, and didn't make any of the email addresses public. The only damage AT&T and iPad maker Apple suffered was embarrassment.
Spitler and Auernheimer were able to collect the addresses when they noticed a way to spoof, or impersonate, iPad owners. As Ansel Halliburton, an attorney with ComputerLaw Group wrote at TechCrunch: "If the (AT&T) website received a valid ICC-ID (Integrated Circuit Card Identifier), it would serve a login page with an iPad owner's email address pre-filled. This meant that if GoatSec could guess valid ICC-IDs, the website would leak email addresses of 3G iPad owners."
Spitler then wrote a program called the "Account Slurper" that tried thousands of possible ICC-ID numbers, and simply collected the email addresses on the ones that worked, yielding about 120,000 of them, including celebrities like ABC news anchor Diane Sawyer, New York Mayor Michael Bloomberg, film producer Harvey Weinstein and former White House chief of staff (now Chicago Mayor) Rahm Emanuel.
The two passed on their findings to Gawker, which ran a story on it on June 9, 2010. According to the story, GoatSec had notified AT&T and the company fixed the vulnerability before the story ran, but the company issued a statement in response to the story saying it had been informed of the problem by "a business customer," and that, "the person or group who discovered this gap did not contact AT&T."
[See also: How to hack an iPad]
Still, security experts tend to agree with Auernheimer's attorney, Tor Ekeland, who told Ansel Halliburton that the verdict should concern "any legitimate security researcher," because Auernheimer and Spitler didn't hack through any security on the AT&T website.
They also agree with Halliburton that the CFAA is hopelessly vague and outdated, since it was created before the evolution of the Web.
"Auernheimer is charged with participating in a conspiracy to violate the FAA by 'intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]...information from [a] protected computer,'" Halliburton wrote. "But what exactly does that mean?"
The language, he said, comes from a law that defines "protected computer" as either a government or bank computer, or as any computer "which is used in or affecting interstate or foreign commerce or communication."
"Maybe that worked in 1986 when not that many computers were networked in interstate commerce, but in 2012, it covers almost anything with a microprocessor."
Kevin Mitnick, once known as the world's "most wanted hacker" and now a security consultant, also said the CFAA is neither clear nor up to date. And he said as written, it is so broad that just about anybody who uses the Internet could be convicted.
"Take caller ID spoofing, which allows me to call you and display any number I want," he said. "If I spoof your number to a business, and the business answers the call with an automated system, that says, 'Hello Taylor,' because of the linkage, is that a crime? Where is the unauthorized access? Spoofing your cell phone number? I don't think so."
Mitnick said he thinks the government's case "is a joke, because anyone can be accused of unauthorized access by simply visiting a web site. How ridiculous is that?"
Support for Spitler and Auernheimer is not unanimous. One comment on the TechCrunch site from "George Schmaltz" argued that, "A 'legitimate' security researcher either finds a problem, then gets permission to conduct penetration tests or vice-versa. You don't hack a site, then present yourself as a 'white hat.'"
But Ansel Halliburton raises a number of questions that he contends weakens the government's case.
"The GoatSec's slurper script never entered anything into the password field of the login page; it just collected the emails the page offered up to it," he wrote. "Who decides who is 'without authorization'? The government? The website operator? How do you know the website operator deems you to be 'without authorization'? The CFAA gives no answers."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
This story, "Experts question guilty verdict for AT&T 'hackers'" was originally published by CSO.