If there is a villain in the 2010 AT&T "hacking" case involving about 120,000 email addresses of iPad owners, it is not the two members of Goatse Security (GoatSec) who found a way to collect the addresses, but the telecom giant that made it possible with a gaping vulnerability that didn't even require a real hack to exploit, say security experts.
But that is not the way the legal system sees it. As of this week, the official bad guys are Daniel "JacksonBrowne" Spitler and Andrew "Weev" Auernheimer, who both stand convicted -- Spitler through a plea agreement and Auernheimer after a jury in a Newark, NJ federal court found him guilty Tuesday of conspiracy to access a computer without authorization under the Computer Fraud and Abuse Act of 1986 (CFAA), and fraud in connection with personal information.
Auernheimer, who tweeted following the verdict, "Hey epals don't worry! We went in knowing there would be a guilty here. I'm appealing, of course," could face 10 years in prison -- five on each count.
Several security experts view that as absurd, since the two didn't even hack through any security barriers on the AT&T website, and didn't make any of the email addresses public. The only damage AT&T and iPad maker Apple suffered was embarrassment.
Spitler and Auernheimer were able to collect the addresses when they noticed a way to spoof, or impersonate, iPad owners. As Ansel Halliburton, an attorney with ComputerLaw Group wrote at TechCrunch: "If the (AT&T) website received a valid ICC-ID (Integrated Circuit Card Identifier), it would serve a login page with an iPad owner's email address pre-filled. This meant that if GoatSec could guess valid ICC-IDs, the website would leak email addresses of 3G iPad owners."
Spitler then wrote a program called the "Account Slurper" that tried thousands of possible ICC-ID numbers, and simply collected the email addresses on the ones that worked, yielding about 120,000 of them, including celebrities like ABC news anchor Diane Sawyer, New York Mayor Michael Bloomberg, film producer Harvey Weinstein and former White House chief of staff (now Chicago Mayor) Rahm Emanuel.
The two passed on their findings to Gawker, which ran a story on it on June 9, 2010. According to the story, GoatSec had notified AT&T and the company fixed the vulnerability before the story ran, but the company issued a statement in response to the story saying it had been informed of the problem by "a business customer," and that, "the person or group who discovered this gap did not contact AT&T."
Still, security experts tend to agree with Auernheimer's attorney, Tor Ekeland, who told Ansel Halliburton that the verdict should concern "any legitimate security researcher," because Auernheimer and Spitler didn't hack through any security on the AT&T website.
Sign up for CIO Asia eNewsletters.