NEWS FROM THE LAB - Wednesday, November 21, 2012

Free Weev. Free Weev? Posted by Sean @ 13:22 GMT

Once upon a time there was an Internet troll…


I've been following the case of Mr. Andrew "Weev" Auernheimer for nearly two and a half years. And yesterday, he was found guilty of violating the USA's Computer Fraud and Abuse Act (CFAA). Caution: you may be in violation of the CFAA at this very moment! But more on that below.

So, just what did Andrew do?

Well, back in 2010 he and a buddy (Daniel Spitler) figured out that AT&T servers linked e-mail addresses related to 3G iPad accounts using the device ICC-ID. Ask the server for a particular ICC-ID, and if it was a registered 3G model, an e-mail address came back in the reply. So they wrote a script and systematically "slurped" 120,000 addresses. They then shared those addresses with Gawker.

It became headline news.

Eventually… the FBI got involved.

Now trolls being trolls, Andrew (and Gawker) attempted to make lots of hay out of the situation in a very loud and (IMHO) stupid way. I was quoted, and re-quoted, as saying the disclosure was completely irresponsible.


A position I later clarified and modified here: Gawker's Data Disclosure.

Daniel Spitler pleaded out of court to the criminal charges brought against the two. Andrew opted to go to court. And in the years since… the world shifted beneath his feet. In the summer of 2010, Weev was a hacker and an Internet troll. Annoying but ultimately, mostly harmless.

But thanks to Anonymous and LulzSec — hackers are now enemies of the state — and therefore, well, too bad for Andrew.

Is that fair?

Personally, I don't think so.

And does it makes any sense?

Robert David Graham doesn't seem to think so. You may be in violation of the CFAA! Remember that from above? Graham wrote an excellent post regarding the vagueness of the CFAA, which was written in 1986. Anybody could potentially be guilty of CFAA violations as the law is currently written.


It's easy to find "slurping" tools.


Does using this violate the CFAA?


Bottom line: Andrew is a troll and he did something stupid, and to be frank, irresponsible. But does he deserve up to ten years in Federal prison for slurping e-mail addresses that were never even made public? (He faces two consecutive five year terms.)

What do you think?

Does Andrew �Weev� Auernheimer deserve jail time?

Read more:

MIT Technology Review: Jail Looms for Man Who Revealed AT&T Leaked iPad User E-Mails
Wired: Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data