Andrew has just finished his third month in a federal penitentiary, part of a 41-month incarceration. His crime, you ask?
He revealed to media outlets that AT&T had configured its servers to allow the harvesting of iPad owners’ unsecured email addresses.
This was an apparent violation of the Computer Fraud and Abuse Act.
Weev's conviction is a prime example of how the CFAA threatens security researchers with prison sentences for discovering security vulnerabilities. All of the information he had was readily available on public websites. Read the whole chilling tale here and here.
In 2010, Weev's co-defendant Daniel Spitler discovered AT&T configured its website to automatically publish an iPad user's e-mail address when the server was queried with a URL containing the number that matched an iPad's SIM card ID. In other words, if anyone typed in the correct URL with a correct ID number, the e-mail address associated with that account would automatically appear in the login prompt. Spitler wrote a script that attempted to emulate the IDs by entering random numbers into the URL and, as a result, ultimately collected approximately 114,000 e-mail addresses. Auernheimer sent a list of the e-mail addresses to several journalists to prove the security problem, and Gawker published a story about the vulnerability.
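The flaw described above is an unauthenticated lookup keyed on a guessable identifier. The following is an added example, not code from the article or from AT&T: a minimal lookup with the same defect next to a hardened version that only returns the address for the SIM the caller has already authenticated as, plus a small log check a defender could run to notice one client probing many IDs. The endpoint path `/prelogin`, the `sim` parameter, the session tokens, the log format and all SIM IDs and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data: the SIM IDs and addresses are invented for this example.
ACCOUNTS = {
    "89014100000000000001": "alice@example.com",
    "89014100000000000002": "bob@example.com",
}

# Constructed session store: token -> the SIM ID that session was authenticated for.
SESSIONS = {"session-alice": "89014100000000000001"}


def vulnerable_lookup(sim_id):
    """Before: anyone who supplies a valid ID gets the address back, no login needed.

    This is the pattern the article describes: the identifier in the URL is the
    only thing standing between a caller and another subscriber's e-mail address.
    """
    return ACCOUNTS.get(sim_id)


def hardened_lookup(sim_id, session_token):
    """After: the requested ID must match the SIM bound to an authenticated session.

    Guessing an ID is now useless without also holding a session for that SIM,
    and unknown tokens and mismatched IDs get the same empty answer.
    """
    bound_sim = SESSIONS.get(session_token)
    if bound_sim is None or bound_sim != sim_id:
        return None
    return ACCOUNTS.get(sim_id)


# Assumed (constructed) access-log format: client IP, request line, HTTP status.
LOG_RE = re.compile(r'^(?P<ip>\S+) "GET /prelogin\?sim=(?P<sim>\d+)" (?P<status>\d{3})$')

# Constructed sample log: one client walks through consecutive IDs, another
# makes a single ordinary request.
SAMPLE_LOG = """\
198.51.100.7 "GET /prelogin?sim=89014100000000000001" 200
198.51.100.7 "GET /prelogin?sim=89014100000000000002" 200
198.51.100.7 "GET /prelogin?sim=89014100000000000003" 404
198.51.100.7 "GET /prelogin?sim=89014100000000000004" 404
203.0.113.9 "GET /prelogin?sim=89014100000000000002" 200
"""


def enumeration_suspects(log_text, threshold=3):
    """Return {client_ip: distinct_ids_requested} for clients at or above the threshold.

    A legitimate device asks about its own SIM; a client cycling through many
    different IDs (successful or not) is the signature of the harvesting the
    article describes and is worth an alert or a rate limit.
    """
    ids_per_client = defaultdict(set)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # ignore lines that are not prelogin lookups
        ids_per_client[match["ip"]].add(match["sim"])
    return {ip: len(ids) for ip, ids in ids_per_client.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup("89014100000000000002"))
    print("hardened, wrong session:", hardened_lookup("89014100000000000002", "session-alice"))
    print("hardened, own SIM:", hardened_lookup("89014100000000000001", "session-alice"))
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
```

The hardened lookup treats the session, not the identifier in the URL, as the source of truth for which record a caller may see; the log check is the complementary control, since a service that must expose a pre-login lookup at all should at least notice when one client asks about far more IDs than any single device would.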
Although Auernheimer's actions helped motivate AT&T to fix the hole, he was rewarded with a federal indictment instead of a bounty. Federal prosecutors in New Jersey claimed that Weev and Spitler accessed data—the e-mail addresses—without authorization under the CFAA despite the fact AT&T made the information publicly available over the Internet.