Andrew Auernheimer, one of the men behind a 2010 incident where account information for 114,000 iPad owners on AT&T's network was stolen, has been sentenced to 41 months in prison and must pay US$73,000 in restitution. Mr. Auernheimer's co-defendant, Daniel Spitler, will be paying part of the restitution, as well.
Mr. Auernheimer and Mr. Spitler managed to download user names, email addresses and SIM card identifier codes in 2010 using PHP code that requested the information from an openly available script on the AT&T website. The men claimed to be part of a group called "Goatse Security."
Andrew Auernheimer to serve almost 3.5 years in jail for AT&T iPad hack
The group gave the list to Gawker, which is the parent company for the tech-related website Gizmodo. They claimed the list included the names and email addresses for politicians, military officials, and company CEOs. Gizmodo published a snippet from the list online to back up the Goatse Security claims.
AT&T spokesperson Mark Siegel told The Mac Observer at the time that it learned of the incident through a business customer, adding "This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses."
Mr. Auernheimer was arrested shortly after the incident on drug-related charges in Arkansas by FBI agents. The Federal agents found cocaine, ecstasy, LSD, and schedule 2 and 3 pharmaceuticals during a warrant-based search of his home.
In early 2011, Mr. Auernheimer and Mr. Spitler were hit with Federal charges for fraud and conspiracy to access a computer without authorization, sending them down the path that eventually led to Monday's sentencing. Mr. Spitler pled guilty in 2011.
While there doesn't seem to be any doubt that the men were involved in the incident, whether or not they actually hacked AT&T's computers, or gained access without authorization, could be seen as something of a grey area. The script they accessed was openly available and routinely used to help link iPads to their owner's accounts. They way the men used the script, however, fell outside of its intended scope since it was never meant to be a tool for gathering user names and email addresses en masse.
The two never accessed private servers in the incident, and in the sense that most people mean "hack," never hacked into the AT&T computers. Instead of breaking into AT&T's servers, they wrote code that randomly generated SIM card numbers and presented those to the public server. If the card number matched AT&T's database, the server returned the matching user name and email address.
Mr. Auernheimer said he felt his prosecution was politically motivated, and told The Verge,
I hope they give me the maximum, so people will rise up and storm the decks.
There were questions as to what constitutes unauthorized access, meaning did the use of PHP to request user information qualify, or did the men need to work their way into servers that weren't open to the public. The trial pushed journalist Tim Pool to comment on Twitter, "I felt like I was watching a witch trial as prosecutors admitted they didn't understand computers."
Which raises the question as to whether or not the sentence is appropriate. Mr. Auernheimer will spend nearly 3.5 years in prison, followed by three years of supervised release, and a $73,000 fine for which he's partially responsible. For comparison, two juveniles were recently sentenced to a year in jail for their involvement in the rape of a 16 year old girl in Steubenville, Ohio -- a crime that seems to be far more serious.
Mr. Auernheimer has already been remanded into custody to start serving his sentence, and he plans to appeal the ruling. Before his sentencing hearing, he told people outside the courthouse, "I'm going to jail for doing arithmetic."
While Mr. Auernheimer's statement is technically true, it's all about how he used arithmetic. He did build a list of customer names and email addresses that AT&T never intended to be public, and he used hand-rolled PHP code to help get as much as he could from the servers.
Whether or not the punishment is fitting for the crime, however, is what's up for debate now. The prosecution no doubt feels the sentencing is appropriate, while Mr. Auernheimer thinks he's a scapegoat. With his plan to appeal, Mr. Auernheimer will likely stay in the public eye while the courts decide if what he did really does warrant a sentence that spans more than six years.