A New Jersey jury has convicted Andrew Auernheimer, a self-described Internet troll and security researcher, of identity fraud and conspiracy to access a AT&T's systems without authorization for scraping the e-mail addresses of about 120,000 iPad users from a poorly secured AT&T registration website.

Auernheimer, known online by his handle "weev," struck an upbeat tone in a post-conviction tweet. "We went in knowing there would be a guilty here," he wrote. "I'm appealing of course."

The case began in 2010, when Auernheimer and a collaborator, Daniel Spitler, discovered a security vulnerability that affected iPad owners who signed up for AT&T's 3G service. A script on AT&T's servers would accept an iPad's ICC-ID—a unique identifier embedded in the device's microSIM card—and return that user's e-mail address. Unfortunately, ICC-IDs came in a predictable range, so Auernheimer was able to guess tens of thousands of ICC-IDs and retrieve the associated e-mail addresses.

Last year, the FBI concluded that the pair had committed a felony and arrested them. Chat logs obtained by the prosecution do not paint the pair in a flattering light. They discussed, but apparently did not carry out, a variety of schemes to use the harvested data for nefarious purposes such as spamming, phishing, or short-selling AT&T's stock. Ultimately, they decided that the approach that would bring the "max lols" would be to pass the information to the media in an effort to publicly embarrass AT&T.

In an interview with CNET, Auernheimer portrayed "Goatse Security" as a legitimate security research group. But in IRC chats he seemed to regard this characterization as mere "spin."

"At this point we won. we dropepd [sic] the stock price," Auernheimer wrote after the news of the hack was reported in the media. "Let's not like do anything else we f**king win and i get to like spin us as a legitimate security organization."

Spitler decided to plead guilty and cooperate with the government, so the trial focused on Auernheimer. On Tuesday, the jury handed down a guilty verdict. Auernheimer and Spitler are now awaiting sentencing. Auernheimer faces up to five years in prison and a $250,000 fine, according to Reuters.

"We disagree with the prosecutors' interpretation of what constitutes unauthorized access to a computer under the Computer Fraud and Abuse Act," Auernheimer's attorney Tor Ekeland told Reuters in a phone interview.

Indeed, the contours of the nation's anti-hacking law, which dates to 1986, are far from clear. We've covered the prosecution of Aaron Swartz, who faces felony hacking charges for spidering articles from an academic repository. The Swartz case and the appeal of Auernheimer's conviction may give us a clearer picture of how far you can go before a harmless prank becomes a federal felony.