On Tuesday the FBI arrested and charged two men in their mid-20s for their involvement in last year's attack on AT&T servers that mined over 100,000 e-mail addresses from iPad 3G owners. Andrew "weev" Auernheimer and Daniel "JacksonBrown" Spitler were taken into custody and charged in federal court with one count each of fraud and conspiracy to access a computer without authorization.

The criminal complaint filed in US District Court in the District of New Jersey has been released, and it includes excerpts of some 150 pages of IRC chat logs between Auernheimer, Spitler, and other members of a self-professed "troll" group known as Goatse Security. Those chat logs, turned over to the FBI by an unnamed confidential source, reveal that the group (Auernheimer in particular) wanted to "embarrass" AT&T publicly over the security flaw they had discovered and to drive the stock price down in order to troll the company. Auernheimer also tried to spin the story in the press, painting Goatse Security as a legitimate data security company, and later attempted to destroy evidence once it was announced that the FBI planned to investigate the matter.

According to the chat logs, Spitler discovered the original vulnerability in AT&T's servers, which identified an iPad by its user agent string. When an iPad was detected, the device sent the ICCID number from its SIM card, in plain text, as a parameter in a URL, and the server returned the e-mail address associated with that ICCID to auto-populate a username field. Spitler realized that both values were under the client's control: if he spoofed the user agent string and supplied a potentially valid ICCID number in the correct URL, AT&T's servers would return the matching e-mail address, asking for nothing else.
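The following Python is an added illustration of the flaw described above, not AT&T's code and not the script mentioned in the complaint. It models the endpoint as an in-memory toy server, shows why a User-Agent check plus a client-supplied ICCID is not access control, and puts a fixed handler beside it that only returns the record bound to an authenticated session. The Luhn check digit on ICCIDs is standard ISO/IEC 7812 background rather than something the article states; the subscriber table, the ICCIDs, the spoofed user agent string, and the assumption that neighbouring ICCIDs are allocated sequentially are all constructed for the example.

```python
"""Toy model of an ICCID-to-e-mail lookup gated only by User-Agent (added example).

Everything here is constructed: the subscriber table, the ICCIDs, and the
endpoint logic. It is not AT&T's implementation or the harvesting script.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string (ISO/IEC 7812, which ICCIDs follow)."""
    total = 0
    # Walk from the right; the digit next to the (future) check digit is doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def candidate_iccids(seed: str, count: int) -> list[str]:
    """Checksum-valid ICCIDs following `seed` (assumes sequential allocation, a constructed premise)."""
    width = len(seed) - 1
    body = int(seed[:-1])
    out = []
    for k in range(1, count + 1):
        b = str(body + k).zfill(width)
        out.append(b + luhn_check_digit(b))
    return out


def _iccid(body: str) -> str:
    return body + luhn_check_digit(body)


# Constructed sample subscribers; 19-digit bodies are hypothetical, not real SIMs.
SUBSCRIBERS: dict[str, str] = {
    _iccid("8901410321111111111"): "alice@example.com",
    _iccid("8901410321111111112"): "bob@example.org",
    _iccid("8901410321111111114"): "carol@example.net",
}


def vulnerable_lookup(headers: dict, params: dict) -> tuple[int, Optional[str]]:
    """Flawed endpoint: User-Agent (attacker-controlled) is the only gate, ICCID is the only key."""
    if "iPad" not in headers.get("User-Agent", ""):
        return 403, None
    iccid = params.get("ICCID", "")
    if not luhn_valid(iccid):
        return 400, None
    email = SUBSCRIBERS.get(iccid)
    # 200 vs 404 also tells the caller which guessed ICCIDs exist.
    return (200, email) if email else (404, None)


@dataclass
class Session:
    """Server-side session created by a real login, not derived from a URL parameter."""
    subscriber_iccid: str


def hardened_lookup(session: Optional[Session], params: dict) -> tuple[int, Optional[str]]:
    """Fixed endpoint: caller must be authenticated and may read only its own record."""
    if session is None:
        return 401, None
    requested = params.get("ICCID", "")
    # The client-supplied ICCID is never used as a lookup key on its own.
    if requested != session.subscriber_iccid:
        return 403, None
    email = SUBSCRIBERS.get(session.subscriber_iccid)
    return (200, email) if email else (404, None)


def simulate_harvest(seed: str, count: int) -> dict[str, str]:
    """Replay the flaw against the toy server: spoofed User-Agent plus guessed ICCIDs."""
    spoofed = {"User-Agent": "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"}  # constructed
    found: dict[str, str] = {}
    for iccid in [seed] + candidate_iccids(seed, count):
        status, email = vulnerable_lookup(spoofed, {"ICCID": iccid})
        if status == 200 and email is not None:
            found[iccid] = email
    return found


if __name__ == "__main__":
    seed = _iccid("8901410321111111111")
    print("harvested from flawed endpoint:", simulate_harvest(seed, 3))
    print("hardened, no session:", hardened_lookup(None, {"ICCID": seed}))
    print("hardened, own record:", hardened_lookup(Session(seed), {"ICCID": seed}))
```

The point the model makes is that neither input the flawed handler trusts is a secret: the user agent is whatever the client sends, and an ICCID is a structured, checksummed, largely sequential number that a script can enumerate. The fixed handler never uses the client's identifier as a lookup key; it serves only the subscriber the server already knows it is talking to.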

In early June, Spitler discussed with the group how they might use the information. "I don't see the point unless we phish for passes even then that's boring," he wrote. Other members of the group suggested mining the e-mail addresses to sell to spammers "for thousands," or leaking the addresses to the press to "tarnish AT&T."

Auernheimer then helped Spitler refine his script to harvest a large number of valid e-mail addresses of iPad 3G users, suggesting that a huge data set would be needed to "direct market iPad accessories" or start a "future massive phishing operation," noting that the data breach would be "huge media news."

Going after "max lols"

Spitler then asked Auernheimer where they could pass on the data for "max lols" once they collected a large set. Auernheimer suggested contacting certain news sites via Facebook, but then Spitler suddenly became concerned with the legal ramifications. Auernheimer warned that Spitler "absolutely could get sued to f**k," and agreed to take over the "trolling" of AT&T himself. Spitler passed his script on to Auernheimer.

Others in the group continued to push for spamming or phishing instead of turning the information over to the press. However, one of the e-mail addresses harvested belonged to a board member from News Corp. Auernheimer sent an e-mail to the board member, suggesting that if News Corp wanted the story of how they had acquired his e-mail address from AT&T then he should have a journalist contact him.

"If a journalist in your organization would like to discuss this particular issue with us I would be absolutely happy to describe the method oftheft [sic] in more detail," Auernheimer wrote. He sent similar e-mails to the San Francisco Chronicle and Thomson Reuters using e-mail addresses obtained from Spitler's script.

Eventually the script harvested over 114,000 e-mail addresses, including those of numerous government and military officials as well as many Fortune 500 CEOs. Auernheimer contacted Gawker Media to turn over the list and tell the story of how the group had obtained them. Just before the story broke, the group discussed shorting AT&T stock and then using the media leak of the security issue to drive the stock price down, though the members admitted they did not have the money to pull off such a scheme.

After the story broke on Gawker Media's Valleywag in June, Spitler began to panic, saying he had "post-troll paranoia." Another member of Goatse Security reminded Spitler that his little hack was indeed illegal, and noted that he "crossed state lines with ur packets so it's a federal crime." Auernheimer later admitted that he did not contact AT&T as he had told Gawker Media, but said, "i dont f**kin care i hope they sue me."

When another group member suggested that Auernheimer release the e-mail list to Full Disclosure, a public mailing list for security disclosures, he declined, suggesting that doing so would be "potentially criminal." He seemed to ignore the illegality of collecting the information and releasing it to Gawker Media, however.

"[A]t this point we won. we dropepd [sic] the stock price," Auernheimer wrote. "[L]et's not like do anything else we f**king win and i get to like spin us as a legitimate security organization."

Second thoughts

The next day, Spitler and Auernheimer decided to delete all the data they had collected in an effort to get rid of the evidence of their involvement. Both seemed to neglect the fact, however, that the story had already spread and been widely reported in the media.

The FBI ended up using Goatse Security's own website to track down Auernheimer, where he bragged about coding while drunk and high. It didn't help that Auernheimer also bragged extensively online about the security breach and its material effect on AT&T's stock price. In November last year, he also sent a letter to a US Attorney in New Jersey, claiming credit for the security breach and suggesting that AT&T should be prosecuted for "their negligent endangerment of United States infrastructure."

There are certainly hackers who perform a legitimate service in an attempt to improve security, but Spitler's and Auernheimer's actions and words seem more like those of bumbling pranksters. AT&T should have done a better job of protecting the data in the first place, but the company quickly closed the security hole once it was made aware of it. Given how the group planned to turn the disclosure of the security breach into a potential profit opportunity, then, it's hard to feel sorry for them being handed federal criminal charges, each of which carries a maximum sentence of five years in prison and a fine of up to $250,000.