Security researcher Andrew 'weev' Auernheimer was today sentenced to 41 months in prison and immediately remanded to custody for his role in Goatse Security's collection and disclosure of 114,000 AT&T iPad users' emails in 2010. In November, Auernheimer was found guilty on one count of identity fraud and one count of conspiracy to access a computer without authorization. Following his release from prison, Auernheimer will be subject to three years of supervised release. Auernheimer and co-defendant Daniel Spitler were also ordered to pay $73,000 in restitution to AT&T. (Spitler pled guilty in 2011.) The pre-sentencing report prepared by prosecutors recommended four years in federal prison for Auernheimer.
"I'm going to jail for doing arithmetic."
Before his sentencing, Auernheimer held a press conference on the courthouse steps, where he read John Keats' The Fall of Hyperion and told the assembled crowd, "I'm going to jail for doing arithmetic." Just prior to the judge's reading of the sentence, Auernheimer was cuffed by agents in a struggle over his tablet. Under the terms of his pre-sentence parole, Auernheimer was unable to use a computer with a keyboard. Asked for the device, Auernheimer tried to hand it to attorney Tor Ekeland, and was returned to the courtroom five minutes later in shackles.
Auernheimer has claimed that his prosecution is politically motivated, but his controversial, often reactionary politics and talent for infuriating others with his real and feigned beliefs have gained him few allies. On the night before sentencing, he participated in a Reddit AmA ("Ask Me Anything") where, characteristically, he and the Reddit community took turns provoking and teasing each other. For example, when asked about his plans after his release from prison, Auernheimer replied:
I am running for Congress there is a function called congressional immunity in our Constitution that allows you to drop information on the floor of the Congress or in the Federal Register and you cannot be sued for libel and they cannot hold a grand jury for evidence of criminal activity if I get to be elected to the house then I can drop hacks on the floor of Congress and be completely immune for doing so
In January, Auernheimer told The Verge that he hoped to received the maximum sentence possible, so that "people will rise up and storm the decks." Reached by The Verge via Twitter direct message moments before his sentencing, Auernheimer responded to the question "how are you feeling?" with one word: "great."
"I hope they give me the maximum, so people will rise up and storm the decks."
In 2010, Auernheimer and 27-year-old Daniel Spitler took advantage of a hole in AT&T's iPad user database, which offered access to its iPad 3G users' email addresses when a relevant ICC-IDD (the number that authenticates a SIM card to AT&T) was entered into a web panel. The duo created a script that randomly queried AT&T's website with ICC-IDs, amassing hundreds of thousands of addresses. Chat logs cited in court show Auernheimer and Spitler discussing using the script for a phishing operation or "lulz" before Auernheimer argues for giving the information to Gawker. On the night before his sentencing, Auernheimer said on Reddit that his only regret was being nice to AT&T by giving them time to patch the flaw, adding that he "won't nearly be as nice next time."
Because Auernheimer didn't illegally access a private server and he wasn't able to gain a list of user passwords — which was confirmed during testimony — the case has drawn much interest from security researchers and online activists. On Twitter, independent journalist Tim Pool wrote, "I felt like I was watching a witch trial as prosecutors admitted they didn't understand computers." After the sentencing, Ekeland noted that the courts are split on what constitutes "unauthorized access" under the CFAA. Auernheimer has promised to appeal.
Tim Carmody contributed to this report.