WASHINGTON – Andrew Auernheimer, an American gray hat hacker better known as “weev,” tells The Internet Chronicle that his indictment in a New Jersey District Court over a June 2010 AT&T data breach is at its root an important free speech issue. Speaking to Chronicle.su’s Gray Phone, Mr. Auernheimer, a 27-year-old associate of Goatse Security, claims he made certain AT&T was aware of the breach in time to patch it, he never sought financial gain from what was in effect the the extraction of 114,000 iPad users’ email addresses, and that he never personally possessed more customer data than enough to communicate that the breach was bona fide. While prosecutors imply Mr. Auernheimer’s actions and statements may constitute computer fraud and foreknowledge of possible insider trading, he and his fellow Goatse Security associates saw themselves as merely tarnishing a company’s reputation due to its own reckless mishandling of customer data.
The actual extractor of iPad users’ email addresses, Daniel Spitler, 26, who may face as many as 10 years in prison, has already plead guilty to having gained unauthorized access to computers and identity theft. Mr. Spitler’s sentencing is forthcoming. Mr. Auernheimer served as a media liaison for the group, and only possessed iPad device signatures and email addresses related to media, such as Thomson Reuters and News Corporation.
Citing ’90s law enforcement debacles, such as the civilian deaths at Waco and the deaths in the Weaver family at Ruby Ridge, Mr. Auernheimer issued his appraisal of the honesty of federal law enforcement: “These are lying, perjurous, murderous thugs.”
He added, “If they will murder people, and no consequences of it will come for them, do you think they won’t manufacture evidence or coax false testimony? Give me break.”
“I’ve never shorted a stock, I’ve not solicited a third party to short a stock. And there’s nothing that I do that’s any different than what the financial press does. I’m issuing my opinion on AT&T’s — the information that they’ve made publicly accessible and giving my opinion of their infrastructure, as a result and of course Apple’s products.” He added, “There’s nothing illegal about this. This is protected by the First Amendment of the Constitution, and also there is a system in violation here in that they have denied my right to due process by allowing AT&T to arbitrarily after the fact of access determine what is and isn’t not an authorized without the use of Congress to determine what is or is not an illegal act.”
A New Jersey district court informational document reads, “[D]efendent SPITLER, [Mr. Auernheimer], and other Goatse Security members discussed who in the press had disclosed the data breach to At&T, since, contrary to the Gawker Article, neither defendant SPITLER, nor anyone from Goatse Security had.” The document goes on to catalog an exchange between Mr. Auernheimer and colleague “Nstyr” in which they intimate they have not informed AT&T tech support by telephone.
“I don’t fucking care [about calling AT&T directly.] [I] hope they sue me,” wrote Mr. Auernheimer, in private correspondence confiscated by federal investigators. Asked by The Internet Chronicle’s Gray Phone why he didn’t go to AT&T first, he was concerned about greater liability by even talking to the telecommunications giant.
“Many people that have direct dialogue with companies in this sort of situation are accused of extortion, and I specifically wanted to avoid being accused falsely of extortion,” he says. Mr. Auernheimer contacted at least one third party — whom he declined to name but AT&T identified as a “business customer” — and says he was certain the patch would be forthcoming before leaking the data to Gawker could cause any harm. The third party’s identity, he says, makes it “inherently obvious” that he or she would make AT&T knowledgeable.
AT&T, he says, doesn’t “need to be informed by me. They need to be informed by somebody.”
An associate named “Pynchon” wrote to Mr. Auernheimer, “[H]ey, just an idea [ -- ] delay this outing for a couple days[,] tomorrow short some [AT&T] stock[,] then out them on [T]uesday[,] then fill your short and profit[.]
With this quote posed to him by Chronicle.su, Mr. Auernheimer said, “I don’t believe that anybody had an interest in shorting a stock,” adding, “And I certainly did not solicit them, too, and I’ve received no kickbacks for doing so. And I don’t believe anybody did, or otherwise I’d be charged with a securities-related crime, which I of course am not.”
Mr. Auernheimer said he doesn’t recall writing a reply to “Pynchon’s” stock-shorting idea with the reply: “[I]f you want to do it[,] go nuts.” However for Mr. Auernheimer and ultimately Mr. Spitler, the only entity to have extracted and held all the data, prosecutors are sure to make much of the transcript’s mentioning of any of their associates’ even jesting about or humoring such a securities violation. To be sure Goatse Security has a long history of conducting operations simply for reputational gain or their laughter at others’ expense — known as “lulz.”
Mr. Spitler’s indictment falsely claims that AT&T is headquartered in New Jersey. Mr. Auernheimer characterized this as perjury motivated by venue shopping, intended to maximize chances at prosecution. AT&T is headquartered in Dallas, Texas.
In their analysis of chat logs federal prosecutors independently construed the sad-face emoticon “D8″ as the sexual metaphor “balls deep,” or as they put it, “to be deeply involved in an activity or to perform an activity to the greatest extent possible.” This revelation is not only humorous but shows, when taken in the context of Mr. Auernheimer’s relayed concern about civil, not criminal, liability for the data breach, Mr. Spitler was actually expressing fear.