In the US, hackers are the new witches

Over the pond, the US Justice Department has become so paranoid about hackers that it is bringing about a prosecution campaign which seems to take the Salem Witch trials for inspiration.

This week Andrew Auernheimer was jailed for 41 months because he dared to obtain the personal data of more than 100,000 iPad owners from AT&T’s publicly accessible website.

Let’s be clear about this, he did not hack anyone – he just visited the non-public bit of AT&T’s server and downloaded the details.

In what was later described as a witch trial, Auernheimer, 26, was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorisation after he and a colleague created a program to collect information on iPad owners that had been exposed by a security hole in AT&T’s website.

Basically, the pair wrote a program to send GET requests to the website.

It is fairly clear that the prosecutors neither knew nor cared about technology, and the jury was following their lead.

What was important was that they managed to get a conviction based around the Computer Fraud and Abuse Act.

This law cannot make clear distinctions between criminal hacking and simple unauthorised access, nor can it protect researchers whose activities are not criminal in intent.

It basically means that security experts now are allowed to operate in the US only if a prosecutor does not decide to arrest them. This means that any sensible security expert will probably want to work for North Korea, where they are not likely to be arrested for helping the IT industry.

One researcher, Charlie Miller, tweeted that any security researcher could be facing the same fate as Auernheimer.

The two made no money from their hack and contacted Gawker to report the hole. Gawker reported at the time that the vulnerability was discovered by a group calling itself Goatse Security.

Auernheimer told the court that what he had done was essentially walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft. He later sent an e-mail to the US attorney’s office in New Jersey, blaming AT&T for exposing customer data, authorities say.

“AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders,” he wrote, according to prosecutors.

“I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted, and your teachers for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure.”

Prosecutors say that is all well and good, but they showed the court 150 pages of chat logs from an IRC channel where Spitler and Auernheimer admitted conducting the breach to tarnish AT&T’s reputation and promote themselves and Goatse Security. So this means they were doing it for some form of gain.

The prosecutor’s attitude is odd. Surely any company promoting itself by showing a need for its services should be banged up.

All this puts the US in a difficult position. On one hand, the Empire is suffering from hacking attacks on companies with huge security holes. At the same time, it is locking up anyone who exposes those security holes. The end result will be that all the security experts shut up about the US and give the nation over to hackers elsewhere. They will move offshore where their skills are appreciated.