Protected?
"conspiracy to access a protected computer without authorization"
I'd say that it wasn't protected. Of course, there's still plenty of other charges, but if the door isn't locked you can't be guilty of *breaking* and entering.
Two hackers accused of stealing personal data belonging to 120,000 early adopters of Apple's iPad tablet last year discussed the possibility of selling it to spammers or using it to promote Goatse, the collective of trolls they belonged to. According to a criminal complaint filed Tuesday, Andrew Auernheimer and Daniel Spitler …
This is more like putting the information on pieces of paper in glass boxes in a public hall and then complaining when someone comes around and notes the information on the papers down for themselves.
They can't be convicted of conspiracy to access a protected computer because they did not access any protected part of the computer. There was no request for authorisation or password, no checking of credentials, just an open webserver serving pages as intended to anyone who came by.
Conversely, AT&T need to be charged with breaching privacy laws, as the entire world had/has access to that information and they have no way of knowing who all copied it before they closed the security hole.
... the point is, access of this type to their systems was "Unauthorized Access".
If you want to access areas that are marked "Unauthorized", no matter how simple or complex your script, you should be ready to address the consequences.
These guys went after data for the purpose of 're-purposing' the data for their own short-term monetary gains; it even shows up in their child-like chat logs.
These two should have the book thrown at them. Caught red-handed. They weren't trying to do anything righteous, that's just a smoke screen.
You can try to nitpick the case against them apart, but a competent jury will find the information was protected even if it wasn't properly protected. The transcripts clearly outline that they were in this purely for personal gain, definitely not whitehat, and it would even be a stretch to label them grey.
To put it in another context: If you know of a weakness in certain door locks that allows you to open them without a key, does that give you the right to break into people's houses and look around? No.
AT&T should be prosecuted for failing to properly lock down the information, and these twits should be prosecuted for exploiting the weakness to steal information.