Jury convicts NY man in iPad data breach case

NEWARK, N.J. (AP) - A federal jury on Tuesday convicted a man of illegally gaining access to AT&T's servers and stealing more than 120,000 email addresses of iPad users including New York Mayor Michael Bloomberg and film mogul Harvey Weinstein.
Andrew Auernheimer, of New York, was convicted of identity theft and conspiracy to gain unauthorized access to computers. Each count carries a maximum prison sentence of five years.
Prosecutors said the former Fayetteville, Ark., resident was part of an online group that tricked AT&T's website into divulging email addresses including those of Bloomberg, Weinstein, then-White House chief of staff Rahm Emanuel, who's now Chicago's mayor, and other celebrities.
The group then shared the addresses with the website Gawker, which published them in redacted form accompanying a news article about the breach, prosecutors said.
A second man arrested with Auernheimer early last year, Daniel Spitler, of San Francisco, pleaded guilty that June.
At the time of the arrests, U.S. Attorney Paul Fishman said there was no evidence the men used the swiped information for criminal purposes. But authorities cautioned that it could have wound up in the hands of spammers and scam artists.
According to court papers, the men used a computer script they called the iPad3G Account Slurper to fool AT&T's servers into thinking they were communicating with an iPad. The theft of the email addresses occurred in June 2010.
Prosecutors said at the time of Auernheimer's arrest that he had bragged about the operation in a blog posting and in an interview with CNET published online after the Gawker article. Court papers also quoted him declaring in a New York Times article: "I hack, I ruin, I make piles of money. I make people afraid for their lives."
Auernheimer, after he was charged and released on bail, had declined to comment.
iPad maker Apple Inc., based in Cupertino, Calif., referred questions to AT&T, which acknowledged a security weak spot on a website that exposed the email addresses. AT&T said the vulnerability affected only iPad users who signed up for its 3G wireless Internet service and said it had fixed the problem.
This jury was a bunch of idiots! He simply exposed a security flaw by AT&T that they refused to fix. https://www.techdirt.com/articles/20121121/09030521112/expose-blatant-security-hole-att-face-five-years-jail.shtml
So you can steal data but not share it? How come they let him go?
"But authorities cautioned that it could have wound up in the hands of spammers and scam artists."
As if they don't already get this stuff all the time. Come on! Who are you trying to kid?
@RalphCramden
One should assume that if you shared a piece of data with somebody, you shared it with everybody.
Our email server gets attacked quite regularly by places like Amazon-bounceback or some other email server of a popular or highly known agency. Once vulnerable, much of the data on them can become compromised.
So assume that if you emailed it, spammers got it. If you sent a text message, someone intercepted it.
Don't trust the companies with your data to keep it safe. That's not the primary job. YOU must keep your data safe. That means not putting all your "eggs" in one basket. Diversify your communications, don't save all your data in one place (and make backups) and for goodness sake don't leave your data "in the cloud".
"The Cloud" is a way of saying no one knows where it is, including the people who "have" it (they often subcontract out storage).
@Repoman
I have data on my computer from 1988 when my wife was going to school. I back up everything in many different places. My server has two mirrored HD's in it and an external drive that is backed up nightly. I also use the cloud and have a small Mac Mini at my friend's house that has 2 mirrored drives that I back up to.
With Apple they own and operate iCloud and I know where both sites are. One will be in Prineville soon.
I also turn off all tracking data and advertisements. On my iPhones I have opted out of iAd so that I can't be tracked.
If I want to say something that might come back to haunt me I use a generic account on my laptop and go through an anonymous proxy server in eastern Europe using a fake email.
@Jamie
I don't. But I spoof my IP or use an open node and don't have anything on the account on the computer I am using so they can do whatever they want to and will get nothing. Plus I use Linux and most honeypots go after Windows machines. I did have one that got my password for my email but I had no contacts or emails in there. I erase everything in the account once I am done with the session.
It's like anything else in life. There are always some risks to everything.
 @RalphCramden How do you know your anonymous proxy isn't a honeypot?
 @RalphCramden  @Repoman I knew you were a smart cookie :)