Criminal Charges Filed Against AT&T iPad Attacker
Batblue writes "The US Department of Justice will file criminal charges against the alleged attackers who copied personal information from the AT&T network of approximately 120,000 iPad users, the US Attorney's Office, District of New Jersey announced Monday.
Daniel Spitler will be charged in US District Court in New Jersey with one count of conspiracy to access a computer without authorization and one count of fraud. Andrew Auernheimer will be charged with the same counts at the US Western District Court of Arkansas, which is in Fayetteville.
Auernheimer made headlines last June when he discovered that AT&T's website was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming that he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said that nobody from Auernheimer's hacking group contacted them about the flaw."
Let's get this straight (Score:5, Interesting)
AT&T illegally gives the DOJ your phone calls, emails, messages, and other personal information in an up-to-the-second interface, and when some kid notices a security flaw the same DOJ comes after him? The public that puts up with this deserves to be treated this way.
This may scream for jury nullification or no-bill (Score:3, Interesting)
I'm going to assume for the sake of argument that the facts will prove he broke the law. If they don't, the rest of this post doesn't apply to this case, but it is still interesting from an academic/hypothetical perspective:
It's hard to say what is "just" in a case like this.
Is it more just to officially sanction (in the form of a guilty verdict by a jury) his behavior even though it was done with good intentions, or is it more just to officially (in the form of a non-guilty verdict or a grand jury declining to indict even if the facts prove guilt) say that it's in society's best interest that this behavior be tolerated or even encouraged in this context?
Refusal to indict or refusal to convict in the presence of proven guilt is an important part of American jurisprudence. While such events should be very rare as prosecutors should never let cases get this far, no-bills and jury nullifications "in the interest of justice" are the people's last chance to say "the application of the law in this case is unjust -or- the law itself is unjust." Assuming the law or its application is not unconstitutional or otherwise illegal, once a jury convicts, the now-convicted-criminal is at the mercy of the Executive Branch for a pardon or commutation.
The sad part is neither the jury nor the grand jury will likely be allowed to see anything but the hard evidence and most or all of both groups will be too technically naive to make an informed decision as to whether it is more just to release this person or to indict and convict him.
Ethical disclosure (Score:5, Interesting)
The federal prosecutor disagrees. If you follow the link in TFA, you'll find:
So, they found a flaw, then hid their identity, and didn't contact AT&T directly, instead disclosing the flaw to a third party (who can be trusted because ...?), because they thought AT&T might react differently than how they wanted it to. This is ethical exactly how?
web browsing is illegal now? (Score:5, Interesting)
From the article:
In a blog post earlier today, Auernheimer spelled out Goatse's case. "All data was gathered from a public webserver with no password, accessible by anyone on the Internet," he wrote. "There was no breach, intrusion, or penetration, by any means of the word."
How did he do anything illegal?
Re:This is appropriate (Score:3, Interesting)
Something that's bothering me is that I can't seem to find any notion that AT&T fixed the flaw.
Now I'm willing to take their word that the guy didn't put forth much effort trying to contact them - but it seems like this court case has made it easier for them to brush the issue under the rug rather than fix.
Re:Let's get this straight (Score:4, Interesting)
We are at the point ("beyond" the point is still at the point) where we need a Wikileaks for security issues. Increasingly, it is becoming hazardous to expose weaknesses in systems and services that render personal and/or sensitive information vulnerable. We are not going to change the government or regulatory bodies' minds about what appropriate means or whose interests are of higher priority. So it is best to decide whether it is best to claim the glory of being the discoverer or implementer of the exploit or if the knowledge needs to be out there without risk to your identity being connected with it.
Stupidly, there are going to be "myspace/facebook" mentalities who will go for the fame regardless of the dangers. Personally, I would prefer to conceal my identity and get behind a wikileaks body to launder my identity from the work.