The man accused of hacking into AT&T's web site and pulling out thousands of email addresses says he committed no crime and is the victim of a law-enforcement witch-hunt.
Andrew Auernheimer was arrested June 15 on charges of drug possession. The Federal Bureau of Investigation arrested him as part of an investigation, though the drug charges are local. Thus far federal authorities have not charged him with any computer crime. Assistant U.S. Attorney for the district of New Jersey, Lee Vatan, would only say that the investigation is ongoing and that no charges have yet been filed.
Auernheimer says his web site, which contained racially charged language and references to himself as a prophet, is a joke, though he says he understands it might be lost on some people. He adds that he was denied counsel for the drug charges, and that he is being investigated for exercising his free speech rights rather than any crime.
A member of a group called Goatse Security, Auernheimer says he committed no crime because another party, whom he will not identify, gave the information about the security flaw to him. He adds that the information that was retrieved, called an ICC ID number, was not secured. Anyone who wrote a program that made a request to AT&T's web site, using an ICC ID, would get back an email address of the user. The ICC ID is a set of digits usually written on the SIM card in an iPad, but a computer can easily generate thousands of such numbers and simply make repeated requests, Auernheimer says.
Auernheimer says he did not use the information for any personal gain. "The only way we used this information was to inform the public," he said. Goatse, on its web site, said AT&T was informed by a third party and Goatse made sure the security hole was patched before going public.
In order to charge Auernheimer with a crime, the government has to prove that he agreed to get the information with another party, or did so himself. It would also have to prove it was done for some criminal purpose. Even if AT&T's security were lax, that wouldn't legally absolve Auernheimer.
Under the law, lack of security by itself is not exculpatory for the same reason that entering an unlocked building doesn't absolve someone of trespassing. But the law for computer crime is less clear-cut. It is not clear, for instance, that a company "scraping" email addresses from a major provider, such as Yahoo!, would be prosecuted for doing so if it were to publicize them.
Also, read the blog of the accused: http://security.goatse.fr/hypocrites-and-pharisees
@ibmtimes
