Off-Topic : Fairfax Underground
Hacker Gets Ten Years for Manually Changing A URL
Posted by: Joshua Game ()
Date: January 22, 2013 06:22PM

In June of 2010 there was an AT&T webserver on the open Internet. There was an API on this server, a URL with a number at the end. If you incremented this number, you saw the next iPad 3G user email address. I thought it was egregiously negligent for AT&T to be publishing a complete target list of iPad 3G owners, and I took a sample of the API output to a journalist at Gawker.

I did this because I despised people I think are unjustly wealthy and wanted to embarrass them. I thought this is the United States of America where we have the right to do basic arithmetic and query public webservers.

I was convicted of two consecutive five-year felonies, and am now awaiting sentencing.

I left the Aaron Swartz memorial tonight emotionally exhausted. Here is a guy who was beloved by many of my close friends, whose suffering and miseries I have shared in kind. I’ll never forget when the Secret Service started following me. My lover at the time and I treated it like a game, spending our days ditching surveillance in the best ways possible: speedboats, helicopters, club bouncers.

Over time, this has become less and less of a game. It soon became clear that I could not be both an activist and a capitalist. I quit my six figure job at the time because the former was more important to me. Then one day, everything changed. FBI agents tried to frame me for terrorism in 2008. Twice. They ruined my career, my relationship, my life. Nobody believed that I could be a terrorist so now they try to libel me as an identity thief.

Lawrence Lessig said of Aaron’s indictment that the prosecutor Ortiz was “either an idiot, or a liar.” I know this feeling all too well.

One of my prosecutors, Michael Martinez, claimed that our querying a public webserver was criminal because “it isn’t like going to ESPN and checking your sports team’s scores.”

The facts: AT&T admitted, at trial, that they “published” this data. Their words. Public-facing, programmatic accesses of APIs happen upwards of a trillion times per day. Twitter broke 13 billion on their API ages ago. This is something that happens more than the entire population of Earth, daily. The government has no problem with this up until you transform the output into something offensive to important people. People with “disruptive” startups, this is your fair warning: They are coming for you next.

The other one of my prosecutors, Zach Intrater, said that a comment I made about Goatse Security, my information security working group, starting a certification process to declare systems “goatse tight” was evidence of my intent to personally profit. For those not in on the joke: Goatse is an Internet meme referencing a man holding open his anus very widely. The mind reels.

I can’t survive like this. I am happy to be hitting a prison cell soon. They ruined my business. The feds get approval of who I can work for or with: they rejected one company because the CEO had a social network profile with an occupation listed as “hacker.” They prohibit me from touching any computer that isn’t federally monitored. I do my best to slang Perl code on an Android device to comply with my bail conditions. It isn’t pretty.

Ivy League educated and wealthy, Aaron dealt with his indictment so badly because he thought he was part of a special class of people that this didn’t happen to. I am from a rundown shack in Arkansas. I spent many years thinking people from families like his got better treatment than me. Now I realize the truth: The beast is so monstrous it will devour us all. None will be spared.

So now I stare at a form that the government wants me to fill out before sentencing labelled “acceptance of responsibility” and wonder what I can possibly fill in this slot. This letter is it.

I accept my responsibility, and hope you do too, of dismantling this terrible empire so that this can’t happen to anyone.

This is the difference between the prosecutors and FBI agents and I. They wish me utterly destroyed, and have been hounding me for years of my life. They have been surveilling me, by their own admission, since I was 15. You know what I wish for? A world where no man may abridge the liberty of another. Not me, not you, not the FBI, not federal prosecutors. I actually hope they have fulfilling lives, and come to realize the mistake of treating our Constitution like toilet paper.

This is a country where if you express ideas that federal agents don’t like, you will be beaten, imprisoned, or killed. I accept my responsibility for offending seditious thugs, liars and tyrants. I say this is the duty of all decent citizens left.

God bless.

Andrew Auernheimer

Re: Hacker Gets Ten Years for Manually Changing A URL
Posted by: Olde Farte, II ()
Date: January 22, 2013 08:20PM

Okay, that's one side.

Now how about the other?

Re: Hacker Gets Ten Years for Manually Changing A URL
Posted by: Olde Farte, II ()
Date: January 22, 2013 08:24PM

Ah, okay, here's the other side:
=============
NEWARK, N.J. – A federal jury today convicted the head of a self-described “security research” hacking group of breaching AT&T’s servers, stealing e-mail addresses and other personal information belonging to approximately 120,000 Apple iPad users, and disclosing that information to an Internet magazine, U.S. Attorney Paul J. Fishman announced.

Andrew Auernheimer, 27, of New York, was convicted of both counts of a Superseding Indictment: Conspiracy to access AT&T’s servers without authorization and disclose that information to a reporter at Gawker magazine, and possession and transfer of means of identification for more than 120,000 iPad users. Auernheimer was tried before U.S. District Judge Susan D. Wigenton in Newark federal court. His co-conspirator, Daniel Spitler, 27, of San Francisco, Calif., previously pleaded guilty to the same charges and is awaiting sentencing.

According to documents filed in this case and the evidence at trial:

The iPad is a touch-screen tablet computer, developed and marketed by Apple Computers Inc., which allows users to, among other things, access the Internet and send and receive electronic mail. Since its introduction in January 2010, AT&T has provided iPad users with Internet connectivity via AT&T’s 3G wireless network. During the registration process for subscribing to the network, a user is required to provide an e-mail address, billing address, and password.

Prior to mid-June 2010, AT&T automatically linked an iPad 3G user’s e-mail address to the Integrated Circuit Card Identifier (“ICC-ID”), a number unique to the user’s iPad, when he or she registered. Every time a user accessed the AT&T website, the ICC-ID was recognized and the e-mail address was automatically populated for faster, user-friendly access to the site. AT&T kept the ICC-IDs and associated e-mail addresses confidential.

At that time, when an iPad 3G communicated with AT&T’s website, its ICC-ID was automatically displayed in the Universal Resource Locator, or “URL,” of the AT&T website in plain text. Seeing this, and discovering that each ICC-ID was connected to an iPad 3G user e-mail address, hackers wrote a script termed the “iPad 3G Account Slurper” and deployed it against AT&T’s servers.

The Account Slurper attacked AT&T’s servers for several days in early June 2010, and was designed to harvest as many ICC-ID/e-mail address pairings as possible. It worked by mimicking the behavior of an iPad 3G so that AT&T’s servers would be deceived into granting the Account Slurper access. Once deployed, the Account Slurper used a process known as a “brute force” against the servers, randomly guessing at ranges of ICC-IDs. An incorrect guess was met with no additional information, while a correct guess was rewarded with an ICC-ID/e-mail pairing for a specific, identifiable iPad 3G user.

From June 5, 2010, through June 9, 2010, the Account Slurper stole for its hacker-authors approximately 120,000 ICC-ID/e-mail address pairings for iPad 3G customers.

Immediately following the theft, the hacker-authors of the Account Slurper provided the stolen e-mail addresses and ICC-IDs to the website Gawker, which published the stolen information in redacted form, along with an article concerning the breach. The article indicated that the breach “exposed the most exclusive email list on the planet,” and named a number of famous individuals whose emails had been compromised, including Diane Sawyer, Harvey Weinstein, New York Mayor Michael Bloomberg, and then-White House Chief of Staff Rahm Emanuel. The article also stated that iPad users could be vulnerable to spam marketing and malicious hacking. A group calling itself “Goatse Security” was identified as obtaining the subscriber data.

Goatse Security is a so-called “security research” group, comprised of Internet hackers, to which both Spitler and Auernheimer belonged.

During the data breach, Spitler and Auernheimer communicated with one another using Internet Relay Chat, an Internet instant messaging program. Those chats not only demonstrated that Spitler and Auernheimer were responsible for the data breach, but also that they conducted the breach to simultaneously damage AT&T and promote themselves and Goatse Security. As the data breach continued, so too did the discussions between Spitler, Auernheimer, and other Goatse Security members about the best way to take advantage of the breach and associated theft. On June 10, 2010, immediately after going public with the breach, Spitler and Auernheimer discussed destroying evidence of their crime.

Each count on which Auernheimer was convicted is punishable by a maximum potential penalty of five years in prison and a fine of $250,000.

U.S. Attorney Fishman credited special agents of the FBI, under the direction of Special Agent in Charge Michael B. Ward in Newark, with the investigation leading to the charges. He also thanked special agents of the FBI, under the direction of Special Agent in Charge Valerie Parlave in Little Rock, Ark., and the U.S. Attorney’s Office for the Western District of Arkansas, under the direction of U.S. Attorney William Conner Eldridge.

The government is represented by Executive Assistant U.S. Attorney Michael Martinez and Assistant U.S. Attorney Zach Intrater of the Computer Hacking and Intellectual Property Section of the U.S. Attorney’s Office Economic Crimes Unit.

12-408

Defense counsel: Tor Ekeland, Brooklyn, NY
==========
http://www.justice.gov/usao/nj/Press/files/Auernheimer,%20Andrew%20Verdict%20News%20Release.html

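The mechanism both posts describe, the first in one sentence (increment the number at the end of the URL and you get the next subscriber's address) and the press release in more detail (the ICC-ID carried in the URL, a script that mimicked an iPad, a walk over ranges of ICC-IDs), as an added example that is not part of this thread and not AT&T's code: a lookup endpoint that trusts a client-supplied sequential identifier and checks only the User-Agent, beside one that takes the identity from an authenticated session; an enumerator that walks a range against each; and a log-side detector that flags a client asking about many different identifiers. Every ICC-ID, e-mail address, password, User-Agent string and log line below is constructed.

```python
import hmac
import re
import secrets
from collections import defaultdict
from typing import Callable, Dict, Tuple

# Constructed subscriber table (ICC-ID -> e-mail); no real accounts.
SUBSCRIBERS: Dict[str, str] = {
    "89014103211118510720": "alice@example.com",
    "89014103211118510721": "bob@example.com",
    "89014103211118510722": "carol@example.com",
    "89014103211118510723": "dave@example.com",
}
PASSWORDS: Dict[str, str] = {"89014103211118510721": "bob-secret"}  # constructed; store hashes in practice
SESSIONS: Dict[str, str] = {}                                       # session token -> ICC-ID
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"             # illustrative, not a real UA string

# A handler takes (query, headers, cookies) and returns (status, body).
Handler = Callable[[Dict[str, str], Dict[str, str], Dict[str, str]], Tuple[int, str]]


def lookup_vulnerable(query, headers, cookies) -> Tuple[int, str]:
    """Returns the e-mail for whatever ICC-ID the client names.

    The only gate is a User-Agent check, which any client can forge, and the
    identifier in the query string is taken as proof that the caller owns it."""
    if "iPad" not in headers.get("User-Agent", ""):
        return 403, ""
    email = SUBSCRIBERS.get(query.get("iccid", ""))
    return (200, email) if email is not None else (404, "")


def login(iccid: str, password: str) -> str:
    """Opens a session for a subscriber who proves the password; '' on failure."""
    expected = PASSWORDS.get(iccid, "")
    if not expected or not hmac.compare_digest(expected, password):
        return ""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = iccid
    return token


def lookup_hardened(query, headers, cookies) -> Tuple[int, str]:
    """Takes the ICC-ID from the authenticated session and ignores the one in
    the query, so no request can name another subscriber's record."""
    iccid = SESSIONS.get(cookies.get("session", ""))
    if iccid is None:
        return 401, ""  # identical whether or not query['iccid'] exists
    return 200, SUBSCRIBERS[iccid]


def enumerate_pairs(handler: Handler, start: int, count: int) -> Dict[str, str]:
    """Walks a contiguous ICC-ID range with a forged iPad User-Agent, keeping hits."""
    found: Dict[str, str] = {}
    for n in range(start, start + count):
        status, body = handler({"iccid": str(n)}, {"User-Agent": IPAD_UA}, {})
        if status == 200:
            found[str(n)] = body
    return found


# Constructed access-log lines: one client walking IDs, one normal client.
LOG_LINES = """\
203.0.113.7 - - [05/Jun/2010:03:14:07 +0000] "GET /account?iccid=89014103211118510718 HTTP/1.1" 404 0
203.0.113.7 - - [05/Jun/2010:03:14:07 +0000] "GET /account?iccid=89014103211118510719 HTTP/1.1" 404 0
203.0.113.7 - - [05/Jun/2010:03:14:08 +0000] "GET /account?iccid=89014103211118510720 HTTP/1.1" 200 17
203.0.113.7 - - [05/Jun/2010:03:14:08 +0000] "GET /account?iccid=89014103211118510721 HTTP/1.1" 200 15
203.0.113.7 - - [05/Jun/2010:03:14:09 +0000] "GET /account?iccid=89014103211118510722 HTTP/1.1" 200 17
198.51.100.4 - - [05/Jun/2010:03:15:00 +0000] "GET /account?iccid=89014103211118510721 HTTP/1.1" 200 15
""".splitlines()
LOG_RE = re.compile(r'^(\S+) .*"GET /account\?iccid=(\d+) HTTP/1\.1" (\d{3})')


def flag_enumerators(lines, max_distinct: int = 3) -> Dict[str, Tuple[int, int]]:
    """Returns client -> (distinct ICC-IDs requested, 404s) for clients that asked
    about more than max_distinct different ICC-IDs.  A real iPad only ever asks
    about its own, so breadth of identifiers, not request volume, is the signal."""
    seen = defaultdict(set)
    misses = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, iccid, status = m.groups()
        seen[client].add(iccid)
        if status == "404":
            misses[client] += 1
    return {c: (len(ids), misses[c]) for c, ids in seen.items() if len(ids) > max_distinct}


if __name__ == "__main__":
    base = 89014103211118510718
    print(enumerate_pairs(lookup_vulnerable, base, 8))  # all four pairs leak
    print(enumerate_pairs(lookup_hardened, base, 8))    # {}: no session, no data
    token = login("89014103211118510721", "bob-secret")
    print(lookup_hardened({"iccid": "89014103211118510720"}, {}, {"session": token}))  # (200, 'bob@example.com')
    print(flag_enumerators(LOG_LINES))                  # {'203.0.113.7': (5, 2)}
```

On the server side the fix is not a stricter check on the identifier but not taking it from the request at all: the hardened handler answers only for the ICC-ID bound to the session, so the query parameter has nothing to enumerate. On the log side, breadth is the signal: a genuine device only ever asks about its own ICC-ID, so a client naming more than a handful of distinct ones is walking the keyspace whatever User-Agent it sends, and the 404s only tell you how dense the guessed range was.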
Re: Hacker Gets Ten Years for Manually Changing A URL
Posted by: Iremembers ()
Date: January 22, 2013 08:44PM

I remember when there was a hack for the Microsoft webserver in that you just put a period at the end of a URL that ended with, at the time, Microsoft's IIS three-letter prefix.

Doing so lets you view server-side code along with any passwords that may pass along in any requests.

It was fun to copy them and then run it on my own web server.

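The trailing-dot trick the post recalls comes from two components disagreeing about a name: the web server picks a handler from the extension it sees in the URL, while Windows drops trailing dots and spaces when it opens the file, so "login.asp." is treated as a static file whose bytes are the source of "login.asp". An added example, not part of the post and not IIS code: a naive extension-based handler choice beside one that canonicalises each path component the way the filesystem will before deciding. The handler table and paths are constructed.

```python
import posixpath

# Constructed extension -> handler table; anything else is served as a static file.
SCRIPT_HANDLERS = {".asp": "asp-engine"}


def canonical_windows_name(name: str) -> str:
    """Mimics the Win32 rule that trailing dots and spaces are dropped from a
    path component, so 'login.asp.' and 'login.asp' name the same file."""
    return name.rstrip(". ")


def select_handler_naive(url_path: str) -> str:
    """Decides on the literal URL: 'login.asp.' has no '.asp' extension, so it
    falls through to the static handler, which returns the script's source."""
    _, ext = posixpath.splitext(url_path)
    return SCRIPT_HANDLERS.get(ext.lower(), "static-file")


def select_handler_canonical(url_path: str) -> str:
    """Canonicalises every component the way the filesystem will before
    choosing a handler, so the decision and the opened file agree."""
    parts = [canonical_windows_name(p) for p in url_path.split("/")]
    _, ext = posixpath.splitext("/".join(parts))
    return SCRIPT_HANDLERS.get(ext.lower(), "static-file")


if __name__ == "__main__":
    for p in ["/login.asp", "/login.asp.", "/login.ASP. ", "/img/logo.png"]:
        print(p, select_handler_naive(p), select_handler_canonical(p))
```

The general rule is that any decision made on a name (handler selection, access control, extension allow-lists) has to be made on the name the underlying filesystem or API will actually resolve, not on the string the client sent; stripping the suffix is only the instance of that rule this bug exercised.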