AT&T hacker seeks sentencing leniency

Lawyers claim iPad 3G account hacker Andrew Auernheimer's exploits did not cause any actual damage

Andrew Auernheimer, a hacker who was convicted last November of illegally accessing emails and other data belonging to 120,000 iPad 3G owners from AT&T's networks, is seeking leniency in his sentencing from the court.

In a memo filed Wednesday in United States District Court for the District of New Jersey, Auernheimer's lawyers maintained their client did not deserve to be jailed for his actions. Rather than years in prison, Auernheimer deserved only months of non-custodial probation, the memo noted.

"The sentence which the Defense suggests to the court ... would be adequate but no greater than necessary to accomplish the purposes of sentence," the memo said.

Auernheimer was found guilty last November on charges of conspiracy to access a computer without authorization and fraud in connection with personal information. Prosecutors have recommended that Auernheimer receive a sentence of 33 to 41 months when he comes up for sentencing on March 18.

Auernheimer made headlines in June 2010 when he and co-accused Daniel Spitler used an automated script they called iPad 3G Account Slurper to extract email addresses and SIM card ID numbers of more than 100,000 iPad owners from AT&T's servers. The duo claimed they carried out the exercise to demonstrate how AT&T was leaking the data via its Web site.

The data accessed by Auernheimer and Spitler included email addresses belonging to New York Mayor Michael Bloomberg, New York Times CEO Janet Robinson, ABC's Diane Sawyer, movie producer Harvey Weinstein, former White House chief of staff Rahm Emanuel and numerous others. The data ended up being posted publicly on Gawker and other websites.

Auernheimer and Spitler claimed they pulled the hack purely to highlight the vulnerability on AT&T's network. Prosecutors, however, saw it differently.

Auernheimer was arrested in 2011 on charges of identity theft and conspiracy to gain unauthorized access to computers.

In their complaint, prosecutors noted that Auernheimer, who used the online handle "weev," not only took credit for the breach but openly boasted about it to the media and others. They described Goatse Security, the hacker group that Auernheimer belonged to, as a group of trolls bent on disrupting services and content on the Internet.

The federal complaint against the two defendants contained numerous excerpts of interviews with the media where Auernheimer boasted of his hacking abilities. One excerpt is from a 2008 interview with The New York Times where Auernheimer is quoted as saying, "I hack, I ruin, I make piles of money. I make people afraid for their lives."

Prosecutors also highlighted how Auernheimer, in a video posted on his website, boasted that he had caused a one billion dollar change in Amazon.com's market capitalization through his trolling activities. "So a billion dollars changed hands as a result of my trolling and I'm very, very glad to know such insignificant things on the Internet can have such a drastic, far reaching effects."

Prosecutors presented several chat transcripts between Auernheimer and Spitler to bolster their claim that the two hackers extracted the data to attract publicity to their activities, and to promote themselves within the hacker community and the media at large.

In Wednesday's pre-sentencing memo, Auernheimer's lawyers sought leniency on the grounds that the exploit did not cause any damage to AT&T. They noted that the two hackers had not subverted any passwords or used any malware to gain access to the data. They disputed AT&T's claim that the incident had cost the company more than $73,000.

In their memo, Auernheimer's lawyers noted that the costs AT&T incurred were related to the company's duplicative efforts to notify affected iPad users of the compromise. The company had already informed the affected users by email of the incident but then needlessly followed up with a mailed notification, they claimed.

The memo quotes an AT&T investigator as saying he believed no case existed because the breach did not involve any circumvention of AT&T's security controls. Rather, it merely exploited a poorly implemented feature on AT&T's networks that allowed the data to be easily accessed.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.


This story, "AT&T hacker seeks sentencing leniency" was originally published by Computerworld.
