Criminal Charges Filed Against AT&T iPad Attacker
Batblue writes "The US Department of Justice will file criminal charges against the alleged attackers who copied personal information from the AT&T network of approximately 120,000 iPad users, the US Attorney's Office, District of New Jersey announced Monday.
Daniel Spitler will be charged in US District Court in New Jersey with one count of conspiracy to access a computer without authorization and one count of fraud. Andrew Auernheimer will be charged with the same counts at the US Western District Court of Arkansas, which is in Fayetteville.
Auernheimer made headlines last June when he discovered that AT&T's website was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said that nobody from Auernheimer's hacking group contacted them about the flaw."
Umm, yeah... (Score:5, Insightful)
They did switch from "Engaged" to "It's complicated" a while back; but that part didn't change...
Bogus Charges (Score:2, Insightful)
The site was exposing the information. There was no unauthorized access; writing a script to parse publicly available information is not hacking.
Anyone know what the fraud charges are?
Re:This is appropriate (Score:5, Insightful)
That's not the problem.
Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information.
THAT'S the problem. Had he done this, then only sent the data to AT&T rather than publicly releasing it, they likely would be thanking him rather than trying to send him to the pokey.
It's that pesky "went public with the information" part that screwed him up.
Re:Ethical disclosure (Score:5, Insightful)
The federal prosecutor disagrees. If you follow the link in TFA, you'll find:
So it's like he claims: "I wanted to point out your security failures, so I opened your safe". And the federal prosecutor says: "You actually opened the safe and took the money out". While the first is possibly illegal, but lets us argue that no harm was actually done, the second is pure and simple theft.
Re:This is appropriate (Score:2, Insightful)
THAT'S the problem. Had he done this, then only sent the data to AT&T rather than publicly releasing it, they likely would be thanking him rather than trying to send him to the pokey.
To be totally honest, had he just given the information to AT&T and no one else, they most likely still would be pressing charges and taking him to court for 'hacking' their system.
Don't get me wrong, they were/are definitely lying about the whole trying to help AT&T's security thing.
Gathering the data then going public with it all without contacting AT&T is clearly not an act that is trying to help fix security problems, and this was not to help anyone except themselves.
But had they actually had only good intentions, and reported this flaw directly to AT&T instead of the public, I seriously doubt AT&T would be thanking them with anything other than criminal charges.
These days the only safe way to convince a company there is a security flaw that needs fixing would be to *anonymously* submit the data to them, with a description of the exploit(s) used, and maybe a suggestion how to go about fixing it.
You just can't attach your name to it to get credit. Corporations will still see this as a direct threat either way you go about it, and will lash back just the same.