It seems that the US Justice Department has become too paranoid about the hackers: for instance, last week Andrew Auernheimer went to prison for 41 months after obtaining the personal information of over 100,000 iPad owners from AT&T’s publicly accessible site.
The problem is that Andrew didn’t even hack anything – all he did was visiting the non-public bit of AT&T’s server and downloading the details. During the trial, Auernheimer, 26, was ruled guilty of one count of identity fraud and one count of conspiracy to access a machine without authorization. This was when he and his fellow developed a program to gather information on iPad owners which had been exposed by a security flaw in AT&T’s site. All they did was writing a program to send Get requests to the site.
Unfortunately, neither the prosecutors nor the jury knew or cared about technology. They somehow got a conviction based around the Computer Fraud and Abuse Act, which can’t make clear distinctions between criminal hacking and simple unauthorized access. As such, the innocent researchers whose activities are not criminal in intent can’t be protected. In other words, any sensible security expert will probably want to work for North Korea, whose authorities don’t arrest people for helping the IT industry.
In the meantime, Andrew Auernheimer and his colleague made no money from their hack, but instead contacted Gawker to report the vulnerability, claiming that AT&T must be held responsible for their insecure infrastructure. In response, prosecutors showed the court 150 pages of chat logs from an IRC channel where Spitler and Auernheimer admitted conducting the breach to destroy AT&T’s reputation and promote themselves as security specialists. In other words, the “hackers” were doing it for some form of gain, and the prosecutor’s attitude is odd – should anyone promoting themselves by showing a need for their services be banged up?
This situation puts the United States in a difficult position: on one side, the country is suffering from hacking attacks on companies with security flaws, while on the other side it is locking up those who expose those flaws. As a result, all the security experts will just give up doing their job and give the nation over to hackers elsewhere, by moving to places where their skills are appreciated.